python include fix, web service finder: osticket

2021-05-12 15:58:19 +02:00 · 2021-05-12 15:58:19 +02:00 · 73c9f72561
commit 73c9f72561
parent e0e5ce3228
6 changed files with 37 additions and 10 deletions
--- a/init.py
+++ b/init.py
@ -1,3 +1,8 @@
-__doc__ = __doc__ or ""
+import os
+import sys

+__doc__ = __doc__ or ""
 __all__ = ["util","fileserver","xss_handler","genRevShell"]
+
+inc_dir = os.path.dirname(os.path.realpath(__file__))
+sys.path.append(inc_dir)
--- a/fileserver.py
+++ b/fileserver.py
@ -1,19 +1,22 @@
 #!/usr/bin/env python

-from hackingscripts import util, xss_handler
 from http.server import BaseHTTPRequestHandler, HTTPServer
 import threading
 import requests
 import sys
 import os
 import ssl
-# import xss_handler
+import util
+import xss_handler

 class FileServerRequestHandler(BaseHTTPRequestHandler):

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

+    def do_HEAD(self):
+        self.do_GET()
+
    def do_POST(self):
        self.do_GET()

@ -35,7 +38,7 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
            self.send_response(code)
            self.end_headers()

-            if data:
+            if data and self.command != "HEAD":
                self.wfile.write(data)
        else:
            self.send_response(404)
--- a/genRevShell.py
+++ b/genRevShell.py
@ -2,8 +2,8 @@

 import socket
 import sys
-import util
 import pty
+import util

 def generatePayload(type, local_address, port):

--- a/git-dumper.py
+++ b/git-dumper.py
@ -171,13 +171,13 @@ def process_tasks(initial_tasks, worker, jobs, args=(), tasks_done=None):
 class DownloadWorker(Worker):
    ''' Download a list of files '''

-    def init(self, url, directory, retry, timeout, module):
+    def init(self, url, directory, retry, timeout, module=None):
        self.session = requests.Session()
        self.session.verify = False
        self.session.mount(url, requests.adapters.HTTPAdapter(max_retries=retry))
        self.module = module

-    def do_task(self, filepath, url, directory, retry, timeout, module):
+    def do_task(self, filepath, url, directory, retry, timeout, module=None):
        with closing(self.session.get('%s/%s' % (url, filepath),
                                      allow_redirects=False,
                                      stream=True,
--- a/subdomainFuzz.sh
+++ b/subdomainFuzz.sh
@ -31,6 +31,6 @@ charcountIpAddress=$(curl -s -L "${PROTOCOL}://${IP_ADDRESS}" -k | wc -m)
 echo "[+] Chars: ${charcountDomain} and ${charcountIpAddress}"
 echo "[ ] Fuzzing…"

-ffuf --fs ${charcountDomain},${charcountIpAddress} --fc 400,500 --mc all \
+ffuf --fs ${charcountDomain},${charcountIpAddress} --fc 400 --mc all \
  -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-words-lowercase.txt \
  -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}"
--- a/web_service_finder.py
+++ b/web_service_finder.py
@ -2,10 +2,11 @@

 import re
 import sys
+import json
 import argparse
 import requests
 import urllib.parse
-from hackingscripts import util
+import util
 from bs4 import BeautifulSoup

 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
@ -98,6 +99,18 @@ class WebServiceFinder:
        self.analyseSitemap()
        self.analyseChangelog()
        self.checkJoomlaVersion()
+        self.checkManifest()
+
+    def checkManifest(self):
+        url = "/static/manifest.json"
+        res = self.do_get(url)
+        if res.status_code == 200:
+            try:
+                manifest = json.loads(res.text)
+                if "name" in manifest:
+                    print("[+] Found manifest name:", manifest["name"])
+            except:
+                pass

    def checkJoomlaVersion(self):
        url = "/administrator/manifests/files/joomla.xml"
@ -120,7 +133,7 @@ class WebServiceFinder:

    def printMatch(self, title, match, group=1, version_func=str):
        if match:
-            version = "Unknown version" if group is None else version_func(match.group(group))
+            version = "Unknown version" if group is None or len(match.groups()) <= group else version_func(match.group(group))
            print("[+] Found %s: %s" % (title, version))
            return True
        return False
@ -183,6 +196,12 @@ class WebServiceFinder:
            cacti_pattern = re.compile(r"Version ([0-9.]*) .* The Cacti Group")
            self.printMatch("Cacti", cacti_pattern.search(content), 1)

+        poweredBy = soup.find(id="poweredBy")
+        if poweredBy:
+            content = poweredBy.text.strip()
+
+            osticket_pattern = re.compile(r"powered by osTicket")
+            self.printMatch("OsTicket", osticket_pattern.search(content))

        moodle_pattern_1 = re.compile(r"^https://download.moodle.org/mobile\?version=(\d+)(&|$)")
        moodle_pattern_2 = re.compile(r"^https://docs.moodle.org/(\d+)/")