Commits

thrapt  committed a6807b6 Merge

Merged LaNMaSteR53/recon-ng into master

  • Participants
  • Parent commits 88ae199, ccdcf5b

Comments (0)

Files changed (4)

File core/framework.py

 #import requests
 import urllib
 import urllib2
+import cookielib
 import json
 
 class module(cmd.Cmd):
         if self.goptions['proxy']['value']:
             proxies = {'http': self.goptions['proxy_server']['value'], 'https': self.goptions['proxy_server']['value']}
             handlers.append(urllib2.ProxyHandler(proxies))
-        
+        # create cookie jar
+        cj = cookielib.CookieJar()
+        handlers.append(urllib2.HTTPCookieProcessor(cj))
+
         # install opener
         opener = urllib2.build_opener(*handlers)
         urllib2.install_opener(opener)
             resp = e
 
         # build and return response object
-        return ResponseObject(resp)
+        return ResponseObject(resp, cj)
 
     #==================================================
     # FRAMEWORK METHODS
         """Exits current prompt level"""
         return True
 
+    # alias for exit
+    def do_back(self, params):
+        """Exits current prompt level"""
+        return True
+
     def do_info(self, params):
         """Displays module information"""
         pattern = '%s%s:'
 
 class ResponseObject(object):
 
-    def __init__(self, resp):
+    def __init__(self, resp, cj):
         # set hidden text property
         self.__text__ = resp.read()
         # set inherited properties
         self.headers = resp.headers.dict
         # detect and set encoding property
         self.encoding = resp.headers.getparam('charset')
+        self.cookies = cj
 
     @property
     def text(self):

File modules/auxiliary/server_side_enum.py

+import framework
+# unique to module
+from random import choice
+
+class Module(framework.module):
+
+    def __init__(self, params):
+        framework.module.__init__(self, params)
+        self.register_option('host', 'www.google.com', 'yes', 'target host')
+        self.register_option('protocol', 'http', 'yes', 'protocol of the host: http, https')
+        self.register_option('redirect', False, 'yes', 'follow redirects')
+        self.register_option('verbose', self.goptions['verbose']['value'], 'yes', self.goptions['verbose']['desc'])
+        self.info = {
+                     'Name': 'Server Side Enumerator',
+                     'Author': 'Tim Tomes (@LaNMaSteR53) and Kenan Abdullahoglu (@kyabd)',
+                     'Description': 'Analyzes response headers, cookies, and errors to determine which server-side technology is being used (PHP, .NET, JSP, CF, etc.).',
+                     'Comments': []
+                     }
+
+    def do_run(self, params):
+        if not self.validate_options(): return
+        # === begin here ===
+        self.enumerate()
+
+    def lookup(self, db, name, value):
+        for platform in db:
+            for i in db[platform][name.lower()]:
+                if i.lower() in value.lower():
+                    return platform
+        return None
+
+    def enumerate(self):
+        host = self.options['host']['value']
+        protocol = self.options['protocol']['value']
+        redirect = self.options['redirect']['value']
+        verbose = self.options['verbose']['value']
+
+        # dictionaries of search terms for each platform and check
+        # dictionary for server side scripting technologies
+        ss_script = {
+            'PHP': {
+                'ext':     ['php'],
+                'cookie':  ['phpsession', 'phpsessid'],
+                'powered': ['php']
+                },
+            'ASP/.NET': {
+                'ext':     ['asp', 'aspx'],
+                'cookie':  ['aspsessionid', 'asp.net_sessionid', 'aspsessid'],
+                'powered': ['asp', 'asp.net', 'vb.net']
+                },
+            'ColdFusion': {
+                'ext':     ['cfc', 'cfm', 'cfml', 'dbm', 'dbml'],
+                'cookie':  ['cfid', 'cftoken', 'cfglobals'],
+                'powered': ['coldfusion', 'cfmx']
+                },
+            'Java/J2E': {
+                'ext':     ['jsp', 'jspx', 'jspf'],
+                'cookie':  ['jsessionid', 'jsessid'],
+                'powered': ['jsp', 'jboss']
+                }
+            }
+        # dictionary for server side server technologies
+        ss_server = {
+            'Apache': {
+                'server': ['apache'],
+                'error':  ['apache']
+                },
+            'IIS': {
+                'server': ['iis'],
+                'error':  ['iis']
+                },
+            'Nginx': {
+                'server': ['nginx'],
+                'error':  ['nginx']
+                }
+            }
+
+        # make request
+        url = '%s://%s' % (protocol, host)
+        try: resp = self.request(url, redirect=redirect)
+        except KeyboardInterrupt:
+            print ''
+            return
+        except Exception as e:
+            self.error(e.__str__())
+            return
+        
+        tdata = []
+        # check for redirect
+        if verbose: self.output('Checking for redirect...')
+        if url != resp.url:
+            if verbose: tdata.append(['URL', url, '--'])
+            if verbose: tdata.append(['REDIR', resp.url, '--'])
+        else:
+            if verbose: tdata.append(['URL', resp.url, '--'])
+
+        # check file ext
+        if verbose: self.output('Checking file extension...')
+        from urlparse import urlparse
+        path = urlparse(resp.url).path
+        if path:
+            filename = path.split('/')[-1]
+            if verbose: tdata.append(['FILENAME', filename, '--'])
+            if '.' in filename:
+                ext = filename.split('.')[-1]
+                platform = self.lookup(ss_script, 'ext', ext)
+                if not platform: platform = 'Unknown'
+                tdata.append(['FILETYPE', ext, platform])
+
+        # check headers
+        if verbose: self.output('Checking headers...')
+        for header in resp.headers:
+            if header.lower() == 'location': platform = '--'
+            elif header.lower() == 'server': platform = self.lookup(ss_server, 'server', resp.headers[header])
+            elif header.lower() == 'x-powered-by': platform = self.lookup(ss_script, 'powered', resp.headers[header])
+            else: continue
+            # all ifs will end here if successful
+            if not platform: platform = 'Unknown'
+            tdata.append([header.upper(), resp.headers[header], platform])
+
+        # check cookies
+        if verbose: self.output('Checking cookies...')
+        for cookie in resp.cookies:
+            platform = self.lookup(ss_script, 'cookie', cookie.name)
+            if platform:
+                tdata.append(['COOKIE', cookie.name, platform])
+            elif 'sess' in cookie.name.lower(): 
+                tdata.append(['COOKIE', cookie.name, 'Unknown'])
+
+        # check error
+        if verbose: self.output('Checking error page...')
+        seq = ''.join(map(chr, range(97, 123)))
+        pre = ''.join(choice(seq) for x in range(10))
+        suf = ''.join(choice(seq) for x in range(3))
+        bad_file = '%s.%s' % (pre, suf)
+        bad_url = '%s/%s' % (url, bad_file)
+        if verbose: self.output('Attempting to generate an error with %s...' % (bad_url))
+        try:
+            resp = self.request(bad_url, redirect=False)
+            platform = self.lookup(ss_server, 'error', resp.text)
+            if not platform: platform = 'Unknown'
+            tdata.append(['ERROR', '%s (/%s)' % (str(resp.status_code), bad_file), platform])
+        except KeyboardInterrupt:
+            print ''
+            return
+        except Exception as e:
+            self.error(e.__str__())
+
+        self.table(tdata)

File modules/contacts/linkedin_auth.py

             raise Exception(self.error('Error: Invalid Response %s.' % resp['status']))
         request_token = dict(urlparse.parse_qsl(content))
         base_authorize_url = 'https://api.linkedin.com/uas/oauth/authorize'
-        authorize_url = "%s?oauth_token=%s" % (base_authorize_url, request_token['oauth_token'])
+        authorize_url = "%s?oauth_token=%s&scope=%s" % (base_authorize_url, request_token['oauth_token'], 'r_basicprofile+r_network')
         self.output('Go to the following link in your browser and enter the pin below:') 
         self.output(authorize_url)
         w = webbrowser.get()
         # add logic to NOT break when a module fails, but alert which module fails
         self.loaded_summary = []
         self.loaded_modules = []
+        if reload: self.output('Reloading...')
         for dirpath, dirnames, filenames in os.walk('./modules/'):
             if len(filenames) > 0:
                 cnt = 0
                     modulepath = os.path.join(dirpath, filename)
                     ModuleFile = open(modulepath, 'rb')
                     try:
-                        if reload: self.output('Reloading %s...' % (modulename))
                         imp.load_source(modulename, modulepath, ModuleFile)
                         __import__(modulename)
                         cnt += 1