-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding pattern based scanners for active recon.
*Buggy and unstable
- Loading branch information
1 parent
2fa0e7e
commit 21d656c
Showing
5 changed files
with
109 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| - name: 'Wordpress user enumeration' | ||
| pattern: '/wp-json/wp/v2/users/' | ||
| matcher: 'author' | ||
|
|
||
| - name: 'PHP info File disclosure' | ||
| pattern: '/phpinfo.php' | ||
| matcher: '[email protected]' | ||
|
|
||
| - name: 'Dotenv file disclosure' | ||
| pattern: '/.env' | ||
| matcher: 'APP_URL' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| - name: 'XSS' | ||
| pattern: '<script>alert(XSS)</script>' | ||
| matcher: 'XSS' | ||
| payload: '<script>alert("XSS")</script>' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| import requests | ||
| import re | ||
| import yaml | ||
| from tqdm import tqdm # Import tqdm for progress bar | ||
|
|
||
| # Load the vulnerability patterns from the configuration file | ||
| with open("configs/file_exposure_config.yaml", "r") as config_file: | ||
| vulnerabilities = yaml.safe_load(config_file) | ||
|
|
||
| def scan_target(target_domain, vulnerabilities): | ||
| try: | ||
| response = requests.get(f"https://{target_domain}") | ||
| if response.status_code == 200: | ||
| with tqdm(total=len(vulnerabilities), desc=f"Scanning {target_domain}") as pbar: | ||
| for vuln in vulnerabilities: | ||
| name = vuln["name"] | ||
| pattern = vuln["pattern"] | ||
| matcher = vuln["matcher"] | ||
| response2 = requests.get(f"https://{target_domain}{pattern}") | ||
| if re.search(matcher, response2.text, re.IGNORECASE): | ||
| print(f"Vulnerability detected on {target_domain}: {name}") | ||
| # Testing | ||
| # else: | ||
| # print(f"{target_domain}/{pattern}") | ||
| pbar.update(1) # Update the progress bar | ||
| except requests.exceptions.RequestException as e: | ||
| print(f"Error scanning {target_domain}: {e}") | ||
|
|
||
| def main(): | ||
| target_domain = input("Enter the target domain (e.g., example.com): ") | ||
| scan_target(target_domain, vulnerabilities) | ||
|
|
||
| if __name__ == "__main__": | ||
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| import requests | ||
| import re | ||
| import yaml | ||
| from tqdm import tqdm | ||
| from concurrent.futures import ThreadPoolExecutor | ||
|
|
||
| def get_urls(domain): | ||
| # Get all the URLs from archive.org. | ||
| response = requests.get( | ||
| f"https://web.archive.org/cdx/search/cdx?url={domain}/*&output=json&fl=original&collapse=urlkey") | ||
| data = response.json() | ||
| urls = [entry[0] if entry[0].startswith('http') else 'https://' + entry[0] for entry in | ||
| data] # Add 'https://' if no scheme | ||
| return urls | ||
|
|
||
| def scan_url(url, vulnerabilities): | ||
| try: | ||
| response = requests.get(url) | ||
| if response.status_code == 200: | ||
| for vuln in vulnerabilities: | ||
| name = vuln["name"] | ||
| pattern = vuln["pattern"] | ||
| matcher = vuln["matcher"] | ||
| payload = vuln.get("payload", "") # Get the payload field or an empty string if not provided | ||
| # payload_matcher = vuln.get("payload_matcher", None) | ||
| # | ||
| # if payload_matcher and re.search(payload_matcher, response.text, re.IGNORECASE): | ||
| # print(f"Skipping URL {url} as it matches a payload_matcher") | ||
| # continue | ||
|
|
||
| new_url = url.replace('=', '=' + payload) | ||
| # print(new_url) | ||
| response2 = requests.get(new_url + pattern) | ||
| if re.search(matcher, response2.text, re.IGNORECASE): | ||
| # if re.search(payload, response2.text, re.IGNORECASE): | ||
| print(f"Potential XSS detected on {url}: {name}") | ||
| except requests.exceptions.RequestException as e: | ||
| print(f"Error scanning {url}: {e}") | ||
|
|
||
| def scan_for_xss(urls, vulnerabilities): | ||
| with tqdm(total=len(urls), unit="URLs", desc="Scanning URLs") as pbar, ThreadPoolExecutor() as executor: | ||
| futures = [executor.submit(scan_url, url, vulnerabilities) for url in urls] | ||
| for future in futures: | ||
| future.result() # Wait for each task to complete | ||
| pbar.update(1) | ||
|
|
||
|
|
||
| def main(): | ||
| target_domain = input("Enter the target domain (e.g., example.com): ") | ||
| domain_urls = get_urls(target_domain) | ||
|
|
||
| # Load the vulnerability patterns from the configuration file | ||
| with open("configs/xss_config.yaml", "r") as config_file: | ||
| vulnerabilities = yaml.safe_load(config_file) | ||
|
|
||
| scan_for_xss(domain_urls, vulnerabilities) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| main() |