#!/usr/bin/env python
# -*- encoding: utf-8 -*-
#
# filename: ghack.py
# written by 老妖@wooyun
# date: 2014-06-06
#
###############################################################################
import cookielib
import gzip
import locale
import os
import random
import re
import shlex
import subprocess
import sys, getopt
import time
import urllib, urllib2
from StringIO import StringIO

from lxml import etree

from utils.google import google
from utils import webutils
# Module-wide state; the ``__main__`` block at the bottom assigns these from
# the command line before any search runs.
opener = None           # urllib2 opener shared by every request
verbose = True          # -v; nothing else in this file reads it
waitForPerReq = 1.0     # not referenced anywhere in this file
searchPage = 1          # -P; not referenced anywhere in this file
resultCount = 20        # -n: number of results requested per query
command = ''            # -e: command template run by execCmd per hit, '{}' = URL

# Query list consumed by googleHackLocal.  Every entry is appended to
# ``site:<host>``; a bare '#' marks a group boundary and is skipped.
# Entry order and spelling (including the trailing blanks on two entries)
# are part of the queries that get sent, so they are kept verbatim.
hacks = (
    # file-extension queries
    'ext:xls', 'ext:xlsx', 'ext:doc', 'ext:docx',
    'ext:txt', 'ext:zip', 'ext:conf', 'ext:rar',
    'ext:sh', 'ext:gz', 'ext:bz2', 'ext:tar',
    'ext:tgz', 'ext:mdb', 'ext:ini', 'ext:7z',
    'ext:cgi', 'ext:py',
    '#',
    # URL-path queries
    'inurl:filename', 'inurl:upload', 'inurl:profile 管理员', 'inurl:cgi',
    'inurl:file', 'inurl:down', 'inurl:passwd', 'inurl:path',
    '#',
    # page-title queries
    'intitle:"index.of"', 'intitle:管理 ',
    '#',
    # page-body and port queries
    'intext:*@*.com', 'intext:*@*.net', 'intext:*@*.cn', 'intext:ftp://*:* ',
    'intext:powered by', 'inurl:phpinfo.php',
    'inurl:":8000"', 'inurl:":8080"', 'inurl:":8081"', 'inurl:":81"',
    'inurl:":88"', 'inurl:":8888"', 'inurl:":8088"',
    # free-text queries
    'Microsoft OLE DB Provider for SQL Server',
    'microsoft jet database engine error',
    'type mismatch',
    'you have an error in your sql syntax',
    'invalid sql statement',
    'DorisDuke error',
    'OleDbException',
    'JasperException',
    'Fatal Error',
    'supplied argument is not a valid mysql',
    'mysql_',
    'odbc',
    'jdbc',
    'ora-00921',
    'ADODB',
)
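def execCmd(url):
    """Run the ``-e`` command template (module global ``command``) for ``url``.

    Every ``{}`` in the template is replaced with ``url``.  Nothing happens
    when no template was given.

    ``url`` is untrusted: it is whatever the remote search service returned,
    so it must never reach a shell.  The template is therefore split into an
    argv list with ``shlex.split`` and executed without a shell; the URL is
    substituted per argument and always stays exactly one argument, whatever
    quotes, spaces or metacharacters it contains.  As a consequence shell
    syntax inside the template itself (pipes, redirects, globs) is not
    interpreted either.

    Returns:
        The child's exit status, or None when no template is set.

    Raises:
        ValueError: if the template has unbalanced quotes (from shlex.split).
        OSError: if the program named by the template cannot be executed.
    """
    if not command:
        return None
    # Substitute into each token rather than into the flat string, so that
    # the URL can neither add nor split arguments.
    argv = [arg.replace('{}', url) for arg in shlex.split(command)]
    if not argv:
        return None
    return subprocess.call(argv)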
def googleHackLocal(host):
    """Run every entry of the built-in ``hacks`` list against ``host``.

    Each entry is searched as ``site:<host> <entry>`` through the shared
    ``opener``; every returned URL is printed and passed to ``execCmd``.
    The ``'#'`` group separators are skipped.  An exception raised by the
    search is printed and re-raised, which ends the run.  After every query
    the function pauses a random 2-5 s, and every tenth query (counting the
    first one) an additional 10 s, to keep the request rate low.
    """
    done = 0
    for dork in hacks:
        if dork == '#':
            continue
        print '******* [google] site:%s %s *******' % (host, dork)
        try:
            for hit in google(opener, 'site:%s %s' % (host, dork), resultCount):
                decoded = hit.decode('utf-8')
                print ' [#] ' + decoded
                execCmd(decoded)
        except Exception as e:
            print 'Exception', e
            raise
        # Throttle: short random pause always, a longer one every 10th query.
        time.sleep(random.randint(2, 5))
        if done % 10 == 0:
            time.sleep(10)
        done += 1
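def _fetchGhdbPage(i):
    """Fetch GHDB entry ``i`` from exploit-db and return its body, or None.

    Uses the shared ``opener`` with a 15 s timeout and transparently
    gunzips a gzip-encoded response.  Only ``gzip`` is advertised in
    Accept-Encoding: the original also offered ``deflate`` but had no
    decoder for it, so a deflated reply would have been treated as plain
    HTML.  Any fetch or decode error is reported and mapped to None.
    """
    req = urllib2.Request('http://www.exploit-db.com/ghdb/%d/' % i)
    webutils.setupRequest(req)
    req.add_header('Accept-Encoding', 'gzip')
    try:
        response = opener.open(req, timeout=15)
        try:
            body = response.read()
            if response.info().get('Content-Encoding') == 'gzip':
                body = gzip.GzipFile(fileobj=StringIO(body)).read()
        finally:
            response.close()
    # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit still
    # stop the run instead of being swallowed as a failed fetch.
    except Exception as e:
        print ' [!] GHDB %d: fetch failed: %s' % (i, e)
        return None
    return body


def googleHackGhdb(host, start=3977):
    """Replay exploit-db GHDB entries, newest first, as searches against ``host``.

    For ``i`` from ``start`` down to 1 the page ``/ghdb/<i>/`` is fetched, the
    stored Google query is extracted from it and ``site:<host> <query>`` is
    searched through the shared ``opener``; every returned URL is printed and
    passed to ``execCmd``.

    Args:
        host: site restriction for every query.
        start: highest GHDB id to try; defaults to the original hard-coded 3977.

    Entries that cannot be fetched or do not contain a query are skipped.
    Unlike the original loop, the id is advanced on every path, so a
    persistent network error or a page without the expected markup can no
    longer pin the loop on one id and re-request it without end.  A random
    2-5 s pause follows every entry, plus 10 s on every tenth one.
    """
    print '******* Hack exploit-db/GHDB *******'
    pattern = re.compile(r'Google search: <a href=\"http://www.google.com/search\?.*?q\=([^"]+)')
    for count, i in enumerate(range(start, 0, -1)):
        html = _fetchGhdbPage(i)
        res = pattern.search(html) if html is not None else None
        if res is not None:
            # The page stores the query URL-encoded inside an HTML attribute:
            # undo the HTML escaping first, then the URL encoding.
            what = urllib.unquote_plus(webutils.escapeHtml(res.group(1)))
            print '******* [google] [GHDB: %d] site:%s %s *******' % (i, host, what)
            for url in google(opener, 'site:%s %s' % (host, what), resultCount):
                url = url.decode('utf-8')
                print ' [#] ' + url
                execCmd(url)
        # Throttle on every id, including failed ones, so a failing endpoint is
        # not hammered in a tight loop.
        time.sleep(random.randint(2, 5))
        if count % 10 == 0:
            time.sleep(10)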
#####################################################################
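if __name__ == "__main__":
    # Python 2 only: route implicit str<->unicode conversions through the
    # console locale so the non-ASCII entries in ``hacks`` can be printed.
    # ``locale`` is already imported at the top of the file.
    reload(sys)
    sys.setdefaultencoding(locale.getpreferredencoding())

    def usage():
        """Print the command-line synopsis and the options this block parses."""
        print 'ghack.py [op] host'
        print '\t-l\t\tsearch local GHDB only'
        print '\t-r\t\tsearch remote GHDB (exploit-db) only'
        print '\t-w <query>\trun a single query instead of scanning host'
        print '\t-e <cmd>\trun <cmd> for every result URL; {} is replaced by the URL'
        print '\t-n <count>\tresults to request per query (default %d)' % resultCount
        print '\t-g <host>\tredirect google'
        print '\t-p <proxy>\tindicate proxy. example http@localhost:8080'
        print '\t-h\t\thelp message'
        print '\n\texample:\n\t\tghack.py www.example.com'

    # An unknown option or a missing option argument used to escape as a
    # getopt.GetoptError traceback; show the usage text instead.
    try:
        opts, args = getopt.getopt(sys.argv[1:], "e:hln:p:g:GP:rvw:")
    except getopt.GetoptError as e:
        print 'Error:', e
        usage()
        sys.exit(2)

    localOnly = False
    remoteOnly = False
    proxy = ""
    what = ""
    for op, value in opts:
        if op == '-l':
            localOnly = True
        elif op == '-r':
            remoteOnly = True
        elif op == '-e':
            command = value
        elif op == '-n':
            resultCount = int(value)
        elif op == '-w':
            what = value
        elif op == '-p':
            # NOTE(review): parsed but never read in this file -- confirm whether
            # utils.webutils picks it up some other way, otherwise -p is dead.
            proxy = value
        elif op == '-g':
            # NOTE(review): as with -p, nothing in this file reads googleHome.
            googleHome = value
        elif op == '-G':
            # NOTE(review): googleSearch is not defined anywhere in this file,
            # so -G raises NameError here; confirm the intended search backend.
            google = googleSearch
        elif op == '-P':
            searchPage = int(value)  # NOTE(review): not read anywhere in this file
        elif op == '-v':
            verbose = True
        elif op == '-h':
            usage()
            sys.exit(0)

    # A host is required unless a standalone -w query was given.
    if not args and not what:
        usage()
        sys.exit(0)

    try:
        opener = urllib2.build_opener()
        webutils.setupOpener(opener)
    except Exception as e:
        print 'Exception:', e
        # The original followed this with sys.exit(-1), which was unreachable.
        raise

    if what:
        # Single ad-hoc query: print each hit and hand it to execCmd.
        for url in google(opener, what, resultCount):
            url = url.decode('utf-8')
            print url
            execCmd(url)
        sys.exit(0)

    if not remoteOnly:
        googleHackLocal(args[0])
    if not localOnly:
        googleHackGhdb(args[0])
    print 'Done!'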