
python include fix, web service finder: osticket

Roman Hergenreder 3 years ago
parent
commit
73c9f72561
6 changed files with 37 additions and 10 deletions
  1. 6 1
      __init__.py
  2. 6 3
      fileserver.py
  3. 1 1
      genRevShell.py
  4. 2 2
      git-dumper.py
  5. 1 1
      subdomainFuzz.sh
  6. 21 2
      web_service_finder.py

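--- a/__init__.py
+++ b/__init__.py
@@ -1,3 +1,8 @@
-__doc__ = __doc__ or ""
+import os
+import sys
 
+__doc__ = __doc__ or ""
 __all__ = ["util","fileserver","xss_handler","genRevShell"]
+
+inc_dir = os.path.dirname(os.path.realpath(__file__))
+sys.path.append(inc_dir)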
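Review bot: `sys.path.append(inc_dir)` at the end of the hunk makes the package's own files importable as bare top-level names, but because the directory is appended rather than placed first, any module called `util`, `fileserver` or `xss_handler` that sits earlier on sys.path silently wins over this package's copy, and a file reached both as `hackingscripts.util` and as `util` is loaded twice as two distinct module objects with separate module-level state. The robust form for code inside the package is a relative import, `from . import util`, with no sys.path mutation at all. If the bare-name imports are kept for scripts run directly from this directory, the side effect deserves a comment above the two new lines, e.g. `# make sibling modules importable as bare names when a script here is run directly; see fileserver.py / web_service_finder.py`.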

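--- a/fileserver.py
+++ b/fileserver.py
@@ -1,19 +1,22 @@
 #!/usr/bin/env python
 
-from hackingscripts import util, xss_handler
 from http.server import BaseHTTPRequestHandler, HTTPServer
 import threading
 import requests
 import sys
 import os
 import ssl
-# import xss_handler
+import util
+import xss_handler
 
 class FileServerRequestHandler(BaseHTTPRequestHandler):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
+    def do_HEAD(self):
+        self.do_GET()
+
     def do_POST(self):
         self.do_GET()
 
@@ -35,7 +38,7 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
             self.send_response(code)
             self.end_headers()
 
-            if data:
+            if data and self.command != "HEAD":
                 self.wfile.write(data)
         else:
             self.send_response(404)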
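Review bot: `do_HEAD` delegates to `do_GET` and the body write is suppressed via `self.command != "HEAD"`, but a HEAD response is only useful if it carries the same headers the GET would, and the second hunk shows `send_response(code)` followed directly by `end_headers()` with no Content-Length or Content-Type visible; if `do_GET` (which starts and ends outside the hunk) does not set them before `end_headers()`, a HEAD client learns nothing about the body. The two pieces of the HEAD handling sit roughly thirty lines apart, so a comment above `do_HEAD` such as `# HEAD shares GET's routing; do_GET skips the body write when self.command == "HEAD"` would keep a later edit to `do_GET` from breaking it silently. Since `data` is presumably still produced for HEAD (the producing lines are not in the hunk), the check could also sit before that work if it is expensive.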

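--- a/genRevShell.py
+++ b/genRevShell.py
@@ -2,8 +2,8 @@
 
 import socket
 import sys
-import util
 import pty
+import util
 
 def generatePayload(type, local_address, port):
 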

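--- a/git-dumper.py
+++ b/git-dumper.py
@@ -171,13 +171,13 @@ def process_tasks(initial_tasks, worker, jobs, args=(), tasks_done=None):
 class DownloadWorker(Worker):
     ''' Download a list of files '''
 
-    def init(self, url, directory, retry, timeout, module):
+    def init(self, url, directory, retry, timeout, module=None):
         self.session = requests.Session()
         self.session.verify = False
         self.session.mount(url, requests.adapters.HTTPAdapter(max_retries=retry))
         self.module = module
 
-    def do_task(self, filepath, url, directory, retry, timeout, module=None):
+    def do_task(self, filepath, url, directory, retry, timeout, module=None):
         with closing(self.session.get('%s/%s' % (url, filepath),
                                       allow_redirects=False,
                                       stream=True,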
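Review bot: Defaulting `module` to None in `init` and `do_task` lets callers omit it, but `self.module = module` is stored unguarded and any later attribute access on `self.module` (outside the hunk; `do_task` continues past the last line shown) would raise on None, so the consumers need an `if self.module is not None:` guard if None is meant to be a valid value. The new contract is also undocumented: a one-line docstring on `init` stating what a None `module` means would let a reader of the worker know whether None is "no module" or merely "not yet supplied". In `do_task` the `module` parameter is not used in the visible lines, so its default may exist only to mirror `init`'s signature; a short comment saying so would stop the next reader from hunting for a use.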

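--- a/subdomainFuzz.sh
+++ b/subdomainFuzz.sh
@@ -31,6 +31,6 @@ charcountIpAddress=$(curl -s -L "${PROTOCOL}://${IP_ADDRESS}" -k | wc -m)
 echo "[+] Chars: ${charcountDomain} and ${charcountIpAddress}"
 echo "[ ] Fuzzing…"
 
-ffuf --fs ${charcountDomain},${charcountIpAddress} --fc 400,500 --mc all \
+ffuf --fs ${charcountDomain},${charcountIpAddress} --fc 400 --mc all \
   -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-words-lowercase.txt \
   -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}"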

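--- a/web_service_finder.py
+++ b/web_service_finder.py
@@ -2,10 +2,11 @@
 
 import re
 import sys
+import json
 import argparse
 import requests
 import urllib.parse
-from hackingscripts import util
+import util
 from bs4 import BeautifulSoup
 
 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
@@ -98,6 +99,18 @@ class WebServiceFinder:
         self.analyseSitemap()
         self.analyseChangelog()
         self.checkJoomlaVersion()
+        self.checkManifest()
+
+    def checkManifest(self):
+        url = "/static/manifest.json"
+        res = self.do_get(url)
+        if res.status_code == 200:
+            try:
+                manifest = json.loads(res.text)
+                if "name" in manifest:
+                    print("[+] Found manifest name:", manifest["name"])
+            except:
+                pass
 
     def checkJoomlaVersion(self):
         url = "/administrator/manifests/files/joomla.xml"
@@ -120,7 +133,7 @@ class WebServiceFinder:
 
     def printMatch(self, title, match, group=1, version_func=str):
         if match:
-            version = "Unknown version" if group is None else version_func(match.group(group))
+            version = "Unknown version" if group is None or len(match.groups()) <= group else version_func(match.group(group))
             print("[+] Found %s: %s" % (title, version))
             return True
         return False
@@ -183,6 +196,12 @@ class WebServiceFinder:
             cacti_pattern = re.compile(r"Version ([0-9.]*) .* The Cacti Group")
             self.printMatch("Cacti", cacti_pattern.search(content), 1)
 
+        poweredBy = soup.find(id="poweredBy")
+        if poweredBy:
+            content = poweredBy.text.strip()
+
+            osticket_pattern = re.compile(r"powered by osTicket")
+            self.printMatch("OsTicket", osticket_pattern.search(content))
 
         moodle_pattern_1 = re.compile(r"^https://download.moodle.org/mobile\?version=(\d+)(&|$)")
         moodle_pattern_2 = re.compile(r"^https://docs.moodle.org/(\d+)/")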
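Review bot: The new guard in `printMatch`, `len(match.groups()) <= group`, is off by one: group numbers are 1-based, so a pattern with exactly `group` capturing groups — the Cacti pattern with `group=1` in the last hunk, and every default `group=1` call against a one-group pattern — now prints "Unknown version" instead of the captured value; the comparison should be `len(match.groups()) < group`. The osTicket call, which passes a zero-group pattern, still yields "Unknown version" with the corrected comparison, so the intent of the change is preserved. In `checkManifest`, the bare `except: pass` also swallows KeyboardInterrupt and SystemExit and hides the case where the document is not an object (`"name" in manifest` passes for a list or string and `manifest["name"]` then raises TypeError); narrow it to `except (ValueError, TypeError):` — `json.loads` raises JSONDecodeError, a ValueError — or check `isinstance(manifest, dict)` before indexing. A short docstring on `checkManifest` naming the path it probes and the single field it reports would match the style of the sibling `check*` methods.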