#!/usr/bin/python
# -*- coding: utf-8 -*-
import datetime
import re

from flask import Flask, jsonify, render_template, request
from ghost import Ghost
import requests

from scans import *
# The WSGI application object every route below is registered on.
app = Flask(import_name=__name__)
""" Route /ping
Description : Simple ping implementation to check if the server is up via the extension
"""
@app.route('/ping', methods=['GET'])
def ping():
    """Liveness probe for the browser extension.

    Returns:
        The literal string ``pong``; nothing is read from the request.
    """
    reply = 'pong'
    return reply
""" Template
Description : Basic template , will be used in the next features
"""
@app.route('/template', methods=['GET', 'POST'])
def template():
    """Placeholder page: renders ``index.html`` for both GET and POST.

    Returns:
        The rendered template as a Flask response body.
    """
    # render_template comes from flask and must be in the file's import block.
    page = render_template('index.html')
    return page
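""" Route /
Description : main route for the flask application , every scan is launched from here
"""
@app.route('/', methods=['GET'])
def index():
    """Run every scan against one target and return the findings as JSON.

    Query parameters (``request.args``):

    * ``url``       -- target URL, required (Flask answers 400 when absent).
                       If it contains ``?`` the scan runs in GET mode and the
                       parameter names of its query string are fuzzed.
    * ``data``      -- POST body as ``name:value|name:value``. When non-empty
                       the scan runs in POST mode and these names are fuzzed
                       (POST wins when both apply, as in the original flow).
    * ``cookies``   -- GET mode: one ``name:<n>|value:<v>`` entry per line.
                       POST mode: a raw ``document.cookie`` string
                       (``a=b; c=d``). Optional.
    * ``useragent`` -- User-Agent the scans send. Optional.
    * ``method``    -- accepted for compatibility but never read; the method
                       is inferred from ``url``/``data`` as described above.

    Returns:
        ``jsonify(vulns)``: one counter per vulnerability class (``rce``,
        ``xss``, ``sql``, ``lfi``) plus ``list``, filled in place by the
        ``scan_*`` helpers imported from ``scans``.

    NOTE(review): this route is unauthenticated and makes the server send
    requests to whatever ``url`` the caller supplies, carrying caller-supplied
    cookies and User-Agent -- that is the scanner's purpose, but together with
    the ``0.0.0.0`` bind in ``__main__`` it means anything that can reach the
    port (a web page the user visits can presumably trigger this GET
    cross-origin) can turn this host into a proxy that attacks arbitrary or
    internal targets. Bind to localhost and/or require a shared secret before
    exposing it.
    """
    vulns = {'rce': 0, 'xss': 0, 'sql': 0, 'lfi': 0, 'list': ''}

    # Parse request - extract arguments
    args = request.args
    url = args['url']
    useragent = args.get('useragent', '')
    data = args.get('data', '')
    raw_cookies = args.get('cookies', '')

    method = ''
    matches = []
    data_requests = {}
    # Bound up front so the scan loop never sees an unassigned name.
    cookie_pairs = []

    # Parse args for GET: cookies as "name:<n>|value:<v>" lines, parameter
    # names taken from the query string.
    if '?' in url:
        method = 'GET'
        cookie_pairs = _parse_labelled_cookies(raw_cookies)
        # Everything after the FIRST '?' is the query string (the old
        # split('?')[1] silently dropped anything after a second '?').
        matches = _query_param_names(url.partition('?')[2])

    # Parse args for POST: cookies as a document.cookie string, parameter
    # names taken from the "name:value|..." body.
    if data != '':
        method = 'POST'
        cookie_pairs = _parse_document_cookie(raw_cookies)
        post_pairs = _parse_post_data(data)
        data_requests = dict(post_pairs)  # later duplicates win, as before
        matches = _unique(name for name, _ in post_pairs)

    cookies_requests = dict(cookie_pairs)          # for the requests-based scans
    cookies_ghost = _cookie_header(cookie_pairs)   # for the Ghost-based XSS scan

    # Launch scans - iterate through all parameters
    for fuzz in matches:
        print("\n---[" + method + " - New parameter " + fuzz + " for url: " + url + "]---")
        # scan_xss drives Ghost and takes the cookie header string; the
        # others drive requests and take the cookie dict.
        scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, data_requests)
        scan_lfi(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
        scan_sql_error(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
        scan_sql_blind_time(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
        scan_rce(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)

    # Display results as a json
    return jsonify(vulns)


# Raw string: '\-' in a plain literal is an invalid escape (DeprecationWarning).
_PARAM_NAME_RE = re.compile(r'([a-zA-Z0-9\-_]*?)=')


def _strip_label(text, label):
    """Drop ``label`` from the front of ``text`` if (and only if) it starts there.

    ``str.replace`` would also erase the label wherever it appears inside a
    cookie value, so a prefix test is used instead.
    """
    if text.startswith(label):
        return text[len(label):]
    return text


def _unique(names):
    """Return ``names`` without duplicates, first occurrence kept (order-safe on py2)."""
    seen = set()
    unique = []
    for name in names:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def _parse_labelled_cookies(text):
    """Parse ``name:<n>|value:<v>`` lines into ordered ``(name, value)`` pairs.

    Lines without a ``|`` are skipped. Only the first ``|`` separates the two
    halves, so a ``|`` inside the value survives.
    """
    pairs = []
    for line in text.splitlines():
        if '|' not in line:
            continue
        left, _, right = line.partition('|')
        pairs.append((_strip_label(left, 'name:'), _strip_label(right, 'value:')))
    return pairs


def _parse_document_cookie(text):
    """Parse a ``document.cookie`` string (``a=b; c=d``) into ordered pairs.

    Entries without ``=`` are skipped. Only the first ``=`` splits name from
    value, so base64 padding (``sess=abc==``) is no longer truncated.
    """
    pairs = []
    for entry in text.split(';'):
        entry = entry.strip()
        if '=' not in entry:
            continue
        name, _, value = entry.partition('=')
        pairs.append((name, value))
    return pairs


def _parse_post_data(text):
    """Parse ``name:value|name:value`` into ordered pairs (first ``:`` splits)."""
    pairs = []
    for field in text.split('|'):
        if ':' not in field:
            continue
        name, _, value = field.partition(':')
        pairs.append((name, value))
    return pairs


def _cookie_header(pairs):
    """Render pairs as the `` a=b; c=d;`` string the Ghost-based scan expects."""
    return ''.join(' %s=%s;' % (name, value) for name, value in pairs)


def _query_param_names(query):
    """Return the distinct parameter names found in a query string.

    Names are matched with the same ``[a-zA-Z0-9_-]`` class as before, so
    names with other characters (``a[]``, ``x.y``) are only partly captured;
    the empty matches that used to be produced for them are dropped rather
    than handed to the scans as a parameter.
    """
    return _unique(name for name in _PARAM_NAME_RE.findall(query) if name)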
if __name__ == '__main__':
    # NOTE(review): host 0.0.0.0 exposes the scanner, including its
    # unauthenticated '/' route, on every interface. If the extension is the
    # only client and runs on this machine, 127.0.0.1 is the safer bind --
    # confirm before changing.
    # passthrough_errors=True lets exceptions reach the console instead of
    # Flask's 500 handler; the author reported that threaded=True together
    # with passthrough_errors=False crashed the server.
    server_options = {
        'host': '0.0.0.0',
        'port': 8000,
        'threaded': True,
        'passthrough_errors': True,
    }
    app.run(**server_options)