From 73c9f72561e1956f43ba93fde259bfd3cc372a5c Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Wed, 12 May 2021 15:58:19 +0200
Subject: [PATCH] python include fix, web service finder: osticket
---
 __init__.py | 7 ++++++-
 fileserver.py | 9 ++++++---
 genRevShell.py | 2 +-
 git-dumper.py | 4 ++--
 subdomainFuzz.sh | 2 +-
 web_service_finder.py | 23 +++++++++++++++++++++--
 6 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/__init__.py b/__init__.py
index c5b1f09..4585272 100644
--- a/__init__.py
+++ b/__init__.py
@@ -1,3 +1,8 @@
-__doc__ = __doc__ or ""
+import os
+import sys
+__doc__ = __doc__ or ""
 __all__ = ["util","fileserver","xss_handler","genRevShell"]
+
+
+inc_dir = os.path.dirname(os.path.realpath(__file__))
+sys.path.append(inc_dir)
diff --git a/fileserver.py b/fileserver.py
index 81d29bf..51964bd 100755
--- a/fileserver.py
+++ b/fileserver.py
@@ -1,19 +1,22 @@
 #!/usr/bin/env python
-from hackingscripts import util, xss_handler
 from http.server import BaseHTTPRequestHandler, HTTPServer
 import threading
 import requests
 import sys
 import os
 import ssl
-# import xss_handler
+import util
+import xss_handler
 class FileServerRequestHandler(BaseHTTPRequestHandler):
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
+ def do_HEAD(self):
+ self.do_GET()
+
 def do_POST(self):
 self.do_GET()
@@ -35,7 +38,7 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
 self.send_response(code)
 self.end_headers()
- if data:
+ if data and self.command != "HEAD":
 self.wfile.write(data)
 else:
 self.send_response(404)
diff --git a/genRevShell.py b/genRevShell.py
index 1681b79..934a595 100755
--- a/genRevShell.py
+++ b/genRevShell.py
@@ -2,8 +2,8 @@
 import socket
 import sys
-import util
 import pty
+import util
 def generatePayload(type, local_address, port):
diff --git a/git-dumper.py b/git-dumper.py
index d36606e..c0ed82e 100755
--- a/git-dumper.py
+++ b/git-dumper.py
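Review bot: `sys.path.append(inc_dir)` at the end of the `__init__.py` hunk places the package directory last on the search path, so the bare `import util` and `import xss_handler` that the other files in this commit switch to will resolve to any same-named module found earlier on `sys.path` (the caller's working directory or site-packages) before this package's own files, and `util` is a very common module name. Inserting at the front and guarding against repeated appends on re-import avoids both problems: `if inc_dir not in sys.path: sys.path.insert(0, inc_dir)`. Mutating `sys.path` as an import side effect deserves a comment stating why the removed `from hackingscripts import ...` form was not kept, presumably so the scripts also run standalone; that reason is not visible in the diff.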
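Review bot: In the second `fileserver.py` hunk the new `self.command != "HEAD"` test suppresses the body, but the response still sends no `Content-Length`, which is the header a HEAD client is after; add `self.send_header("Content-Length", str(len(data)))` before `self.end_headers()` when `data` is set. Indentation is lost in this collapsed hunk, so it is not visible whether `else: self.send_response(404)` pairs with this `if` or with an outer one; if it pairs with this `if`, a HEAD request now falls into it and a second status line is written after `end_headers()` has already been called, so the HEAD case should be its own branch rather than a fall-through. The enclosing method's body starts and ends outside the hunk.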
@@ -171,13 +171,13 @@ def process_tasks(initial_tasks, worker, jobs, args=(), tasks_done=None):
 class DownloadWorker(Worker):
 ''' Download a list of files '''
- def init(self, url, directory, retry, timeout, module):
+ def init(self, url, directory, retry, timeout, module=None):
 self.session = requests.Session()
 self.session.verify = False
 self.session.mount(url, requests.adapters.HTTPAdapter(max_retries=retry))
 self.module = module
- def do_task(self, filepath, url, directory, retry, timeout, module):
+ def do_task(self, filepath, url, directory, retry, timeout, module=None):
 with closing(self.session.get('%s/%s' % (url, filepath),
 allow_redirects=False,
 stream=True,
diff --git a/subdomainFuzz.sh b/subdomainFuzz.sh
index 63af175..7d553bf 100755
--- a/subdomainFuzz.sh
+++ b/subdomainFuzz.sh
@@ -31,6 +31,6 @@ charcountIpAddress=$(curl -s -L "${PROTOCOL}://${IP_ADDRESS}" -k | wc -m)
 echo "[+] Chars: ${charcountDomain} and ${charcountIpAddress}"
 echo "[ ] Fuzzing…"
-ffuf --fs ${charcountDomain},${charcountIpAddress} --fc 400,500 --mc all \
+ffuf --fs ${charcountDomain},${charcountIpAddress} --fc 400 --mc all \
 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-words-lowercase.txt \
 -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}"
diff --git a/web_service_finder.py b/web_service_finder.py
index 0e59da9..f2864a1 100755
--- a/web_service_finder.py
+++ b/web_service_finder.py
@@ -2,10 +2,11 @@
 import re
 import sys
+import json
 import argparse
 import requests
 import urllib.parse
-from hackingscripts import util
+import util
 from bs4 import BeautifulSoup
 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
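Review bot: `module=None` makes `None` a legal value for `self.module` in `DownloadWorker.init`, but nothing in the hunk checks for it, so whatever reads `self.module` (outside this hunk) needs a `None` guard, and the meaning of the default should be stated in a short docstring on `init`. The `module` parameter of `do_task` is not referenced in the visible part of its body; if it is unused there, it only exists to mirror `init`'s signature and a comment saying so would stop the next reader from hunting for its use. Both method bodies continue past the end of the hunk.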
@@ -98,6 +99,18 @@ class WebServiceFinder:
 self.analyseSitemap()
 self.analyseChangelog()
 self.checkJoomlaVersion()
+ self.checkManifest()
+
+ def checkManifest(self):
+ url = "/static/manifest.json"
+ res = self.do_get(url)
+ if res.status_code == 200:
+ try:
+ manifest = json.loads(res.text)
+ if "name" in manifest:
+ print("[+] Found manifest name:", manifest["name"])
+ except:
+ pass
 def checkJoomlaVersion(self):
 url = "/administrator/manifests/files/joomla.xml"
@@ -120,7 +133,7 @@ class WebServiceFinder:
 def printMatch(self, title, match, group=1, version_func=str):
 if match:
- version = "Unknown version" if group is None else version_func(match.group(group))
+ version = "Unknown version" if group is None or len(match.groups()) <= group else version_func(match.group(group))
 print("[+] Found %s: %s" % (title, version))
 return True
 return False
@@ -183,6 +196,12 @@ class WebServiceFinder:
 cacti_pattern = re.compile(r"Version ([0-9.]*) .* The Cacti Group")
 self.printMatch("Cacti", cacti_pattern.search(content), 1)
+ poweredBy = soup.find(id="poweredBy")
+ if poweredBy:
+ content = poweredBy.text.strip()
+
+ osticket_pattern = re.compile(r"powered by osTicket")
+ self.printMatch("OsTicket", osticket_pattern.search(content))
 moodle_pattern_1 = re.compile(r"^https://download.moodle.org/mobile\?version=(\d+)(&|$)")
 moodle_pattern_2 = re.compile(r"^https://docs.moodle.org/(\d+)/")
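Review bot: In the `checkManifest` hunk the bare `except: pass` swallows everything, including `KeyboardInterrupt` and any error raised by `print`, and hides the case where the server answered 200 with a non-JSON body; narrow it to what the guarded statements can raise, `except (ValueError, TypeError): pass` (a JSON body that is a list or a number makes `"name" in manifest` raise `TypeError`, and `json.JSONDecodeError` is a `ValueError`). `manifest["name"]` is server-supplied text written straight to the terminal; printing `repr(manifest["name"])` keeps control and escape sequences out of the console. Whether `do_get` can return `None` on a connection failure is not visible here; if it can, `res.status_code` raises before the `try` is reached.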
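Review bot: The new guard in the `printMatch` hunk, `len(match.groups()) <= group`, is off by one: `match.groups()` has one entry per group 1..n, so a pattern with exactly one group called with `group=1` now yields "Unknown version" even though group 1 exists, which regresses every single-group caller such as `self.printMatch("Cacti", cacti_pattern.search(content), 1)` in the hunk below. Use `<`: `version = "Unknown version" if group is None or len(match.groups()) < group else version_func(match.group(group))`. A group that exists but did not take part in the match still returns `None` from `match.group(group)`, which this guard does not cover and which `version_func=int` would turn into an exception; testing `match.group(group) is None` instead of counting groups handles both cases.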
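Review bot: In the osTicket hunk `content = poweredBy.text.strip()` rebinds the `content` variable the Cacti check just searched, so when no `poweredBy` element exists the osTicket regex runs over whatever `content` held before, and when one exists any later check that still reads `content` (not visible here) sees only the footer text. Bind the footer text to its own name and run the search inside the `if`, compiling the pattern before it, e.g. `if poweredBy: self.printMatch("OsTicket", osticket_pattern.search(poweredBy.text.strip()), None)`; passing `group=None` also states that the group-less pattern carries no version instead of relying on the length guard in `printMatch`. `re.compile(r"powered by osTicket")` is case-sensitive; whether `re.IGNORECASE` is needed depends on the footer markup, which is not shown.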