public static string GetInfo(string target, int port)
{
string url = $"https://{target}:{port}/";
// Console.WriteLine("GetInfo - GetHTTPInfo");
var httpInfo = Web.GetHTTPInfo(url);
if (httpInfo.AdditionalInfo == "Timeout")
{
return("- Timeout");
}
if (httpInfo == (0, null, null, null, null, null, null, null))
{
return("");
}
string portData = Web.FormatHTTPInfo(httpInfo.StatusCode, httpInfo.PageTitle, httpInfo.PageText, httpInfo.DNS, httpInfo.Headers, httpInfo.SSLCert, httpInfo.URL);
// Console.WriteLine("GetInfo - FindCommonFiles");
string commonFiles = Web.FindCommonFiles(url);
if (commonFiles != "")
{
portData += Environment.NewLine + commonFiles;
}
// Console.WriteLine("GetInfo - TestBaseLF");
string baseLFI = Web.TestBaseLFI(target, port);
if (baseLFI != "")
{
portData += Environment.NewLine + baseLFI + Environment.NewLine;
}
if (portData == "")
{
portData = "- No Info Found";
}
return(portData);
}
public static RedditInfo GetInfo(string name)
{
RedditInfo redditInfo = new RedditInfo {
Exists = false
};
var aboutPage = Web.GetHTTPInfo($"https://www.reddit.com/user/{name}/about.json");
if (aboutPage.StatusCode == HttpStatusCode.OK)
{
redditInfo.Exists = true;
OSINT_Reddit_Profile.Rootobject profile = JsonSerializer.Deserialize <OSINT_Reddit_Profile.Rootobject>(aboutPage.PageText);
redditInfo.CreationDate = DateTime.FromFileTimeUtc((long)profile.data.created_utc);
redditInfo.CommentKarma = profile.data.comment_karma;
var commentsPage = Web.GetHTTPInfo($"https://www.reddit.com/user/{name}/comments.json");
if (commentsPage.StatusCode == HttpStatusCode.OK)
{
OSINT_Reddit_Comments.Rootobject commentInfo = JsonSerializer.Deserialize <OSINT_Reddit_Comments.Rootobject>(commentsPage.PageText);
foreach (var comment in commentInfo.data.children)
{
redditInfo.CommentList.Add(comment.data);
}
}
}
return(redditInfo);
}
private static void Twitter(string username)
{
// Twitter usernames don't have spaces
username = username.Replace(" ", "");
var httpInfo = Web.GetHTTPInfo("https://mobile.twitter.com/" + username);
if (httpInfo.StatusCode == HttpStatusCode.NotFound)
{
Console.WriteLine("- Twitter: Not Found");
}
else if (httpInfo.StatusCode == HttpStatusCode.OK)
{
Console.WriteLine("- Twitter: " + "Found".Pastel(Color.Green));
Console.WriteLine("-- Link: https://www.twitter.com/" + username);
// Profile name
Console.WriteLine("-- Name: " + httpInfo.PageTitle.Replace(" on Twitter", ""));
// Split into segments
string pageText = httpInfo.PageText;
List <string> tableList = new List <string>();
tableList.AddRange(pageText.Split("<table", StringSplitOptions.RemoveEmptyEntries));
// Find Bio
string profileInfo = tableList.First(x => x.Trim().StartsWith("class=\"profile-details\">"));
string bio = profileInfo.Remove(0, profileInfo.IndexOf("<div class=\"bio\">") + 58);
bio = bio.Substring(0, bio.IndexOf("</div>")).Trim();
if (bio.Trim() != "")
{
Console.WriteLine("-- Bio: " + bio);
}
// Find Stats
string profileStats = tableList.First(x => x.Trim().StartsWith("class=\"profile-stats\">"));
List <string> statList = profileStats.Split("<td", StringSplitOptions.RemoveEmptyEntries).ToList();
// 0 = N/A, 1 = Tweets, 2 = Following, 3 = Followers
string tweetCount = statList[1].Remove(0, statList[1].IndexOf("statnum") + 9);
tweetCount = tweetCount.Substring(0, tweetCount.IndexOf("<"));
Console.WriteLine("-- Tweets: " + tweetCount);
// Tweets - To do
// List<string> tweetCount = tableList.Count(x => x.Trim().StartsWith("class=\"tweet \"")).ToList();
// Console.WriteLine("-- Tweets: " + tweetCount + (tweetCount == 20 ? "+" : ""));
}
else if (httpInfo.StatusCode == HttpStatusCode.TemporaryRedirect)
{
if (httpInfo.Headers["Location"] != null && httpInfo.Headers["Location"] == "/account/suspended")
{
Console.WriteLine("- Twitter: Account Suspended :<");
}
}
else
{
Console.WriteLine("- Twitter: Error - Bug Reelix");
}
}
private static void YouTube(string username)
{
// YouTube usernames CAN have spaces - Oh gawd
var httpInfo = Web.GetHTTPInfo("https://www.youtube.com/" + username);
if (httpInfo.StatusCode == HttpStatusCode.OK)
{
string youtubeUsername = httpInfo.PageTitle.Replace(" - YouTube", "");
Console.WriteLine("- YouTube: " + "Found".Pastel(Color.Green));
Console.WriteLine("-- Link: https://www.youtube.com/" + username);
Console.WriteLine("-- Name: " + youtubeUsername);
// About page
var aboutPage = Web.GetHTTPInfo("https://www.youtube.com/c/" + username + "/about");
// Description
string description = aboutPage.PageText;
description = description.Remove(0, description.IndexOf("og:description") + 25);
description = description.Substring(0, description.IndexOf("\">"));
if (description.Trim() != "")
{
Console.WriteLine("-- Description: " + description);
}
}
else if (httpInfo.StatusCode == HttpStatusCode.NotFound)
{
Console.WriteLine("- YouTube: Not Found");
}
else if (httpInfo.StatusCode == HttpStatusCode.Moved)
{
if (httpInfo.Headers["Location"] != null)
{
string location = httpInfo.Headers["Location"];
if (location.Contains("/user/"))
{
var userInfo = Web.GetHTTPInfo(location);
Console.WriteLine("- YouTube: " + "Found".Pastel(Color.Green));
Console.WriteLine("-- User Profile: " + location);
Console.WriteLine("-- Name: " + userInfo.PageTitle.Replace(" - YouTube", ""));
}
else
{
Console.WriteLine("- YouTube: Unknown Moved to " + httpInfo.Headers["Location"]);
}
}
}
else
{
Console.WriteLine("- YouTube: Error - Bug Reelix: " + httpInfo.StatusCode);
}
}
public static string GetInfo(string target, int port)
{
try
{
string url = "";
if (port == 80)
{
url = $"http://{target}/";
}
else
{
url = $"http://{target}:{port}/";
}
var httpInfo = Web.GetHTTPInfo(url);
if (httpInfo.AdditionalInfo == "Timeout")
{
return("- Timeout");
}
else if (httpInfo == (0, null, null, null, null, null, null, null))
{
return("");
}
string portData = Web.FormatHTTPInfo(httpInfo.StatusCode, httpInfo.PageTitle, httpInfo.PageText, httpInfo.DNS, httpInfo.Headers, httpInfo.SSLCert, httpInfo.URL);
string commonFiles = Web.FindCommonFiles(url);
if (commonFiles != "")
{
portData += Environment.NewLine + commonFiles;
}
string baseLFI = Web.TestBaseLFI(target, port);
if (baseLFI != "")
{
portData += Environment.NewLine + baseLFI + Environment.NewLine;
}
if (portData == "")
{
portData = "- No Info Found";
}
return(portData);
}
catch (Exception ex)
{
Console.WriteLine("Critical HTTP.GetInfo Error: " + ex.Message);
return("");
}
}
private static bool CheckGhostcat(string target)
{
var httpInfo = Web.GetHTTPInfo($"http://{target}/");
if (httpInfo.StatusCode == 0)
{
httpInfo = Web.GetHTTPInfo($"http://{target}:8080/");
if (httpInfo.StatusCode == 0)
{
return(false);
}
}
string pageTitle = httpInfo.PageTitle;
// Apache Tomcat/9.0.30
if (!pageTitle.StartsWith("Apache Tomcat/"))
{
return(false);
}
pageTitle = pageTitle.Replace("Apache Tomcat/", "");
System.Version theVersion = System.Version.Parse(pageTitle);
// 6.* is EOL and unpatched
if (theVersion.Major <= 6)
{
return(true);
}
// Below 7.0.100
if (theVersion.Major == 7 && theVersion < System.Version.Parse("7.0.100"))
{
return(true);
}
// Below 8.5.51
else if (theVersion.Major == 8 && theVersion < System.Version.Parse("8.5.51"))
{
return(true);
}
// Below 9.0.31
else if (theVersion.Major == 9 && theVersion < System.Version.Parse("9.0.31"))
{
return(true);
}
return(false);
}
private static void GetGithubInfo(string username)
{
var httpInfo = Web.GetHTTPInfo($"https://api.github.com/users/{username}", "Reecon");
if (httpInfo.StatusCode == HttpStatusCode.NotFound)
{
Console.WriteLine("- Github: Not Found");
}
else
{
Console.WriteLine("- Github: " + "Found".Pastel(Color.Green));
var githubInfo = JsonDocument.Parse(httpInfo.PageText);
JsonElement login = githubInfo.RootElement.GetProperty("login");
Console.WriteLine("-- Login: "******"html_url");
Console.WriteLine($"-- Link: {htmlLink}");
JsonElement name = githubInfo.RootElement.GetProperty("name");
Console.WriteLine("-- Name: " + name);
// TODO: Parse Repos + Commits
// Repos: https://api.github.com/users/sakurasnowangelaiko/repos
// Commits (And everything else): https://api.github.com/users/sakurasnowangelaiko/events (
}
}
private static void Instagram(string username)
{
// Instagram usernames don't have spaces
username = username.Replace(" ", "");
var httpInfo = Web.GetHTTPInfo("https://www.instagram.com/" + username + "/?__a=1");
if (httpInfo.StatusCode == HttpStatusCode.NotFound)
{
Console.WriteLine("- Instagram: Not Found");
}
else if (httpInfo.StatusCode == HttpStatusCode.OK)
{
string pageText = httpInfo.PageText;
Console.WriteLine("- Instagram: " + "Found".Pastel(Color.Green));
Console.WriteLine("-- Link: https://www.instagram.com/" + username + "/");
var document = JsonDocument.Parse(pageText);
// Oh gawd
foreach (var item in document.RootElement.EnumerateObject())
{
if (item.Name == "graphql")
{
foreach (var graphitem in item.Value.EnumerateObject())
{
if (graphitem.Name == "user")
{
foreach (var userItem in graphitem.Value.EnumerateObject())
{
if (userItem.Name == "biography")
{
string biography = userItem.Value.GetString().Replace("\n", " -- ");
if (biography.Trim() != "")
{
Console.WriteLine("-- Biography: " + userItem.Value.GetString().Replace("\n", " -- "));
}
}
if (userItem.Name == "full_name")
{
if (userItem.Value.ToString().Trim() != "")
{
Console.WriteLine("-- Full Name: " + userItem.Value);
}
}
if (userItem.Name == "edge_owner_to_timeline_media")
{
foreach (var posts in userItem.Value.EnumerateObject())
{
if (posts.Name == "count")
{
Console.WriteLine("-- Posts: " + posts.Value);
}
}
}
}
}
}
}
}
}
else
{
Console.WriteLine("- Instagram: Error - Bug Reelix");
}
}
public static string FormatHTTPInfo(HttpStatusCode StatusCode, string PageTitle, string PageText, string DNS, WebHeaderCollection Headers, X509Certificate2 SSLCert, string URL)
{
string responseText = "";
List <string> headerList = new List <string>();
if (Headers != null)
{
headerList = Headers.AllKeys.ToList();
}
if (StatusCode != HttpStatusCode.OK)
{
// There's a low chance that it will return a StatusCode that is not in the HttpStatusCode list in which case (int)StatusCode will crash
if (StatusCode == HttpStatusCode.MovedPermanently)
{
if (Headers != null && Headers.Get("Location") != null)
{
responseText += "- Moved Permanently" + Environment.NewLine;
responseText += "-> Location: " + Headers.Get("Location") + Environment.NewLine;
headerList.Remove("Location");
}
}
else if (StatusCode == HttpStatusCode.Redirect)
{
if (Headers != null && Headers.Get("Location") != null)
{
responseText += "- Redirect" + Environment.NewLine;
responseText += "-> Location: " + Headers.Get("Location") + Environment.NewLine;
headerList.Remove("Location");
}
}
else if (StatusCode == HttpStatusCode.NotFound)
{
responseText += "- Base page is a 404" + Environment.NewLine;
}
else if (StatusCode != HttpStatusCode.OK)
{
try
{
responseText += "- Weird Status Code: " + (int)StatusCode + " " + StatusCode + Environment.NewLine;
}
catch
{
responseText += "- Unknown Status Code: " + " " + StatusCode + Environment.NewLine;
}
if (Headers != null && Headers.Get("Location") != null)
{
responseText += "-> Location: " + Headers.Get("Location") + Environment.NewLine;
headerList.Remove("Location");
}
}
}
if (!string.IsNullOrEmpty(PageTitle))
{
PageTitle = PageTitle.Trim();
responseText += "- Page Title: " + PageTitle + Environment.NewLine;
if (PageTitle.StartsWith("Apache Tomcat"))
{
// CVE's
if (PageTitle == "Apache Tomcat/9.0.17")
{
responseText += "- " + "Apache Tomcat 9.0.17 Detected - Vulnerable to CVE-2019-0232!".Pastel(Color.Orange);
}
// Apache Tomcat Page
NetworkCredential defaultTomcatCreds = new NetworkCredential("tomcat", "s3cret");
// Sanitize URL
if (!url.EndsWith("/"))
{
url += "/";
}
// Check Manager App
string managerAppURL = URL + "manager/html";
var managerAppInfo = Web.GetHTTPInfo(managerAppURL);
if (managerAppInfo.StatusCode == HttpStatusCode.Unauthorized)
{
responseText += "- Manager App Found - But it's Unauthorized" + Environment.NewLine;
try
{
WebClient wc = new WebClient();
wc.Credentials = defaultTomcatCreds;
wc.DownloadString(managerAppURL);
responseText += "-- " + "Creds Found: defaultTomcatCredstomcat:s3cret".Pastel(Color.Orange) + Environment.NewLine;
}
catch
{
// Creds are still incorrect - Oh well
}
}
else if (managerAppInfo.StatusCode == HttpStatusCode.Forbidden)
{
responseText += "- Manager App Found - But it's Forbidden" + Environment.NewLine;
}
else if (managerAppInfo.StatusCode != HttpStatusCode.NotFound)
{
responseText += "Unknown Manager App Status Code: " + managerAppInfo.StatusCode + Environment.NewLine;
}
// Check Host Manager
string hostManagerURL = URL + "host-manager/html";
var hostManagerInfo = Web.GetHTTPInfo(hostManagerURL);
if (hostManagerInfo.StatusCode == HttpStatusCode.Unauthorized)
{
responseText += "- Host Manager Found - But it's Unauthorized" + Environment.NewLine;
try
{
WebClient wc = new WebClient();
wc.Credentials = defaultTomcatCreds;
wc.DownloadString(hostManagerURL);
responseText += "-- " + "Creds Found: tomcat:s3cret".Pastel(Color.Orange) + Environment.NewLine;
}
catch
{
// Creds are still incorrect - Oh well
}
}
else if (hostManagerInfo.StatusCode == HttpStatusCode.Forbidden)
{
responseText += "- Host Manager Found - But it's Forbidden" + Environment.NewLine;
}
else if (hostManagerInfo.StatusCode != HttpStatusCode.NotFound)
{
responseText += "Unknown Host Manager Status Code: " + hostManagerInfo.StatusCode + Environment.NewLine;
}
}
}
if (PageText.Length > 0)
{
if (PageText.Length < 250)
{
responseText += "- Page Text: " + PageText.Trim() + Environment.NewLine;
}
if (PageText.Contains("/wp-content/themes/") && PageText.Contains("/wp-includes/"))
{
responseText += "- Wordpress detected!" + Environment.NewLine;
try
{
string jsonData = wc.DownloadString("http://" + DNS + "/wp-json/wp/v2/users");
var document = JsonDocument.Parse(jsonData);
foreach (JsonElement element in document.RootElement.EnumerateArray())
{
string wpUser = element.GetProperty("name").GetString();
responseText += ("-- Wordpress User Found: " + wpUser).Pastel(Color.Orange) + Environment.NewLine;
}
}
catch (WebException)
{
// Thrown on 404's and such - Ignore it
}
responseText += "-- wpscan --url http://" + DNS + "/ --enumerate u1-5" + Environment.NewLine;
responseText += "-- hydra -L users.txt -P passwords.txt site.com http-post-form \"/blog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location\" -I -t 50" + Environment.NewLine;
}
else if (PageText.Trim() == "<b>The source you requested could not be found.</b>")
{
responseText += "-- Possible Icecast Server detected" + Environment.NewLine; // Thanks nmap!
}
}
if (!string.IsNullOrEmpty(DNS))
{
responseText += "- DNS: " + DNS + Environment.NewLine;
}
if (headerList.Any())
{
headerList = Headers.AllKeys.ToList();
// Useful info
if (headerList.Contains("Server"))
{
headerList.Remove("Server");
string serverText = Headers.Get("Server").Trim();
responseText += "- Server: " + serverText + Environment.NewLine;
if (serverText.StartsWith("MiniServ/"))
{
responseText += "-- Webmin Server Detected" + Environment.NewLine;
// 1.890, 1.900-1.920 - http://www.webmin.com/changes.html
if (serverText.StartsWith("MiniServ/1.890") || serverText.StartsWith("MiniServ/1.900") || serverText.StartsWith("MiniServ/1.910") || serverText.StartsWith("MiniServ/1.920"))
{
responseText += "--- Possible Vulnerable Version: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_backdoor.rb" + Environment.NewLine;
}
}
else if (serverText.StartsWith("Werkzeug/"))
{
responseText += "-- " + "Werkzeug Detected - Check out /console <-----".Pastel(Color.Orange) + Environment.NewLine;
}
}
// Useful info
if (headerList.Contains("X-Powered-By"))
{
headerList.Remove("X-Powered-By");
string poweredBy = Headers.Get("X-Powered-By");
responseText += "- X-Powered-By: " + poweredBy + Environment.NewLine;
if (poweredBy.Contains("JBoss"))
{
responseText += "-- " + "JBoss Detected - Run jexboss - https://github.com/joaomatosf/jexboss <-----".Pastel(Color.Orange) + Environment.NewLine;
}
}
// Requires a login
if (headerList.Contains("WWW-Authenticate"))
{
headerList.Remove("WWW-Authenticate");
responseText += "- WWW-Authenticate: " + Headers.Get("WWW-Authenticate") + Environment.NewLine;
}
// Kabana
if (headerList.Contains("kbn-name"))
{
headerList.Remove("kbn-name");
responseText += "- kbn-name: " + Headers.Get("kbn-name") + Environment.NewLine;
responseText += "-- You should get more kibana-based info further down" + Environment.NewLine;;
}
if (headerList.Contains("kbn-version"))
{
headerList.Remove("kbn-version");
responseText += "- kbn-version: " + Headers.Get("kbn-version") + Environment.NewLine;
}
// Useful cookies
if (headerList.Contains("Set-Cookie"))
{
headerList.Remove("Set-Cookie");
string setCookie = Headers.Get("Set-Cookie");
responseText += "- Set-Cookie: " + setCookie + Environment.NewLine;
if (setCookie.StartsWith("CUTENEWS_SESSION"))
{
responseText += "-- " + $"CuteNews Found - Browse to http://{DNS}/CuteNews/index.php".Pastel(Color.Orange) + Environment.NewLine;
}
}
// Fun content types
if (headerList.Contains("Content-Type"))
{
string contentType = Headers.Get("Content-Type");
if (contentType.StartsWith("text/html"))
{
// Skip it
}
else if (contentType.StartsWith("image"))
{
// The entire thing is an image - It's special!
responseText += "- Content Type: " + Headers.Get("Content-Type").Pastel(Color.Orange) + " <--- It's an image!" + Environment.NewLine;
}
else
{
// A unique content type - Might be interesting
responseText += "- Content-Type: " + Headers.Get("Content-Type") + Environment.NewLine;
}
}
responseText += "- Other Headers: " + string.Join(",", headerList) + Environment.NewLine;
}
if (SSLCert != null)
{
X509Certificate2 theCert = SSLCert;
string certIssuer = theCert.Issuer;
string certSubject = theCert.Subject;
// string certAltName = SSLCert.SubjectName.Name;
responseText += "- SSL Cert Issuer: " + certIssuer + Environment.NewLine;
responseText += "- SSL Cert Subject: " + certSubject + Environment.NewLine;
if (theCert.Extensions != null)
{
// Console.WriteLine("Extensions is not null");
X509ExtensionCollection extensionCollection = theCert.Extensions;
foreach (X509Extension extension in extensionCollection)
{
string friendlyName = extension.Oid.FriendlyName;
// Console.WriteLine("Extension Name: " + extensionType);
// Windows: Subject Alternative Name
// Linux: X509v3 Subject Alternative Name
if (friendlyName.Contains("Subject Alternative Name"))
{
AsnEncodedData asndata = new AsnEncodedData(extension.Oid, extension.RawData);
List <string> formattedValues = asndata.Format(true).Split(new[] { Environment.NewLine }, StringSplitOptions.None).ToList();
string itemList = "";
foreach (string item in formattedValues)
{
string theItem = item;
theItem = theItem.Replace("DNS Name=", "");
if (theItem.Contains("("))
{
theItem = theItem.Remove(0, theItem.IndexOf("(") + 1).Replace(")", "");
itemList += theItem + ",";
}
else
{
itemList += theItem + ",";
}
}
itemList = itemList.Trim(',');
responseText += "- Subject Alternative Name: " + itemList + Environment.NewLine;
}
}
}
}
// Clean off any redundant newlines
responseText = responseText.TrimEnd(Environment.NewLine.ToCharArray());
return(responseText);
}
public static string FindCommonFiles(string url)
{
// Console.WriteLine("In FindCommonFiles with " + url);
string returnText = "";
if (!url.EndsWith("/"))
{
url += "/";
}
// Wildcard test
// WebClient throws an error on 403 (Forbidden) and 404 (Not Found) pages
int notFoundLength = -1;
string wildcardURL = url + "be0df04b-f5ff-4b4f-af99-00968cf08fed";
bool ignoreRedirect = false;
try
{
// Console.WriteLine("Testing Wildcard");
var pageResult = Web.GetHTTPInfo(wildcardURL);
string test = pageResult.PageText;
notFoundLength = test.Length;
if (pageResult.StatusCode == HttpStatusCode.OK)
{
returnText += $"- Wildcard paths such as {wildcardURL} return - This may cause issues..." + Environment.NewLine;
}
else if (pageResult.StatusCode == HttpStatusCode.Redirect || pageResult.StatusCode == HttpStatusCode.Moved)
{
ignoreRedirect = true;
returnText += $"- Wildcard paths such as {wildcardURL} redirect - This may cause issues..." + Environment.NewLine;
}
}
catch { }
bool skipPHP = false;
// PHP wildcards can be differnt
string phpWildcardURL = url + "be0df04b-f5ff-4b4f-af99-00968cf08fed.php";
try
{
// Console.WriteLine("Testing php wildcard");
var pageResult = Web.GetHTTPInfo(phpWildcardURL);
string test = pageResult.PageText;
notFoundLength = test.Length;
if (pageResult.StatusCode == HttpStatusCode.OK)
{
skipPHP = true;
returnText += $"- .php wildcard paths such as {phpWildcardURL} return - This may cause issues..." + Environment.NewLine;
}
else if (pageResult.StatusCode == HttpStatusCode.Redirect || pageResult.StatusCode == HttpStatusCode.Moved)
{
skipPHP = true;
returnText += $"- .php wildcard paths such as {phpWildcardURL} redirect - This may cause issues..." + Environment.NewLine;
}
}
catch { }
// Mini gobuster :p
List <string> commonFiles = new List <string>
{
// robots.txt - Of course
"robots.txt",
// Most likely invalid folder for test purposes
"woof/",
// Common hidden folders
"hidden/",
"secret/",
"backup/",
// Common Index files
"index.php",
"index.html",
// Common images folder
"images/",
// Hidden mail server
"mail/",
// Admin stuff
"admin.php",
"admin/",
// Git repo
".git/HEAD",
// SSH
".ssh/id_rsa",
// Bash History
".bash_history",
// NodeJS Environment File
".env",
// General info file
".DS_STORE",
// Wordpress stuff
"blog/",
"wordpress/",
"wordpress/wp-config.php.bak",
"wp-config.php",
"wp-config.php.bak",
// phpmyadmin
"phpmyadmin/",
// Kibana
"app/kibana",
// Bolt CMS
"bolt-public/img/bolt-logo.png"
};
if (skipPHP)
{
commonFiles.RemoveAll(x => x.EndsWith(".php"));
}
foreach (string file in commonFiles)
{
// Console.WriteLine("In Enum: " + file);
string path = url + file;
try
{
var response = Web.GetHTTPInfo(path);
if (response.StatusCode == HttpStatusCode.OK)
{
// Since it's readable - Let's deal with it!
try
{
string pageText = response.PageText;
if (pageText.Length != notFoundLength)
{
returnText += "- " + $"Common Path is readable: {url}{file}".Pastel(Color.Orange) + Environment.NewLine;
// Specific case for robots.txt since it's common and extra useful
if (file == "robots.txt")
{
foreach (var line in pageText.Split(Environment.NewLine.ToCharArray()))
{
if (line != "")
{
returnText += "-- " + line + Environment.NewLine;
}
}
}
// Git repo!
else if (file == ".git/HEAD")
{
returnText += "-- Git repo found!" + Environment.NewLine;
// https://github.com/arthaud/git-dumper/issues/9
WebClient wc = new WebClient();
try
{
if (wc.DownloadString($"{url}.git/").Contains("../"))
{
// -q: Quiet (So the console doesn't get spammed)
// -r: Download everything
// -np: But don't go all the way backwards
// -nH: So you only have the ".git" folder and not the IP folder as well
returnText += $"--- Download the repo: wget -q -r -np -nH {url}.git/" + Environment.NewLine;
returnText += "--- Get the logs: git log --pretty=format:\"%h - %an (%ae): %s %b\"" + Environment.NewLine;
returnText += "--- Show a specific commit: git show 2eb93ac (Press q to close)" + Environment.NewLine;
continue;
}
}
catch { }
returnText += "--- Download: https://raw.githubusercontent.com/arthaud/git-dumper/master/git-dumper.py" + Environment.NewLine;
returnText += $"--- Run: python3 git-dumper.py {url}{file} .git" + Environment.NewLine;
returnText += "--- Get the logs: git log --pretty=format:\"%h - %an (%ae): %s %b\"" + Environment.NewLine;
returnText += "--- Show a specific commit: git show 2eb93ac (Press q to close)" + Environment.NewLine;
}
// Bolt
else if (file == "bolt-public/img/bolt-logo.png")
{
returnText += "-- Bolt CMS!" + Environment.NewLine;
returnText += $"-- Admin Page: {url}bolt" + Environment.NewLine;
returnText += "-- If you get details and the version is 3.6.* or 3.7: https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce" + Environment.NewLine;
}
// Kibana!
else if (file == "app/kibana")
{
returnText += "-- Kibana!" + Environment.NewLine;
try
{
WebClient wc = new WebClient();
string toCheck = $"{url}{file}";
string pageData = wc.DownloadString($"{url}{file}");
if (pageData.IndexOf(""version":"") != -1)
{
string versionText = pageData.Remove(0, pageData.IndexOf(""version":"") + 26);
versionText = versionText.Substring(0, versionText.IndexOf("""));
returnText += "--- Version: " + versionText + Environment.NewLine;
returnText += "---- Kibana versions before 5.6.15 and 6.6.1 -> CVE-2019-7609 -> https://github.com/mpgn/CVE-2019-7609" + Environment.NewLine;
}
else
{
returnText += $"--- Version: {url}{file}#/management/" + Environment.NewLine;
}
}
catch
{
returnText += $"--- Version: {url}{file}#/management/" + Environment.NewLine;
}
returnText += $"--- Elasticsearch Console: {url}{file}#/dev_tools/console" + Environment.NewLine;
returnText += "---- General Info: GET /" + Environment.NewLine;
returnText += "---- Get Indices: GET /_cat/indices?v" + Environment.NewLine;
// These aren't meant to be params
returnText += "---- Get Index Info: GET /{index}/_search/?pretty&size={docs.count}" + Environment.NewLine;
}
else
{
if (response.PageTitle.StartsWith("Index of /"))
{
returnText += "-- " + "Open directory listing".Pastel(Color.Orange);
}
else
{
string usefulInfo = Web.FindInfo(pageText, true);
if (usefulInfo.Trim(Environment.NewLine.ToCharArray()) != "")
{
returnText += usefulInfo + Environment.NewLine;
}
}
}
}
}
catch (Exception ex)
{
Console.WriteLine("Bug Reelix - HTTP.FindCommonFiles Error: " + ex.Message + Environment.NewLine);
}
}
else if (response.StatusCode == HttpStatusCode.Forbidden)
{
// Forbidden is still useful
returnText += $"- Common Path is Forbidden: {url}{file}" + Environment.NewLine;
}
else if (response.StatusCode == HttpStatusCode.Redirect || response.StatusCode == HttpStatusCode.Moved)
{
if (!ignoreRedirect)
{
returnText += $"- Common Path redirects: {url}{file}" + Environment.NewLine;
if (response.Headers != null && response.Headers.Get("Location") != null)
{
returnText += $"-- Redirection Location: {response.Headers.Get("Location")}" + Environment.NewLine;
}
}
}
else if (response.StatusCode == HttpStatusCode.Unauthorized)
{
returnText += $"- Common path requires authentication: {url}{file}" + Environment.NewLine;
if (response.PageText != "")
{
returnText += $"-- Page Text: {response.PageText}" + Environment.NewLine;
}
}
else if (response.StatusCode == 0)
{
Console.WriteLine("The HTTP Host is timing out :<");
returnText += $"- " + "Host timed out - Unable to enumerate".Pastel(Color.Red);
break;
}
else if (response.StatusCode != HttpStatusCode.NotFound)
{
Console.WriteLine($"Unknown response for {file} - {response.StatusCode}");
}
}
catch (WebException ex)
{
if (ex.Response != null)
{
HttpWebResponse response = (HttpWebResponse)ex.Response;
if (response.StatusCode == HttpStatusCode.OK)
{
returnText += $"- Common File exists: {url}{file}" + Environment.NewLine;
string pageText = new StreamReader(response.GetResponseStream()).ReadToEnd();
string usefulInfo = Web.FindInfo(pageText, true);
if (usefulInfo.Trim(Environment.NewLine.ToCharArray()) != "")
{
returnText += usefulInfo + Environment.NewLine;
}
}
}
else
{
if (ex.Message.Trim().StartsWith("The remote name could not be resolved:"))
{
string message = ex.Message.Trim().Replace("The remote name could not be resolved:", "");
returnText += "- Hostname Found: " + message.Trim().Trim('\'') + " - You need to do a manual common file check" + Environment.NewLine;
return(returnText);
}
else if (ex.Message == "The operation has timed out")
{
returnText += "- FindCommonFiles Timeout :<" + Environment.NewLine;
}
else
{
if (ex.Message != null)
{
Console.WriteLine("FindCommonFiles - Something weird happened: " + ex.Message);
}
else
{
Console.WriteLine("FindCommonFiles - Something REALLY weird happened - And it left no error message!");
}
return(returnText);
}
}
}
catch (Exception ex)
{
Console.WriteLine("FindCommonFiles - Fatal Woof: " + ex.Message);
}
}
return(returnText.Trim(Environment.NewLine.ToArray()));
}
public static string GetInfoMain(string target, int port, bool isHTTPS)
{
try
{
string url = "";
if (isHTTPS)
{
if (port == 443)
{
url = $"https://{target}/";
}
else
{
url = $"https://{target}:{port}/";
}
}
else
{
if (port == 80)
{
url = $"http://{target}/";
}
else
{
url = $"http://{target}:{port}/";
}
}
var httpInfo = Web.GetHTTPInfo(url);
if (httpInfo.AdditionalInfo == "Timeout")
{
return("- Timeout");
}
else if (httpInfo == (0, null, null, null, null, null, null, null))
{
return("");
}
string portData = Web.FormatHTTPInfo(httpInfo.StatusCode, httpInfo.PageTitle, httpInfo.PageText, httpInfo.DNS, httpInfo.Headers, httpInfo.SSLCert, httpInfo.URL);
if (httpInfo.StatusCode == System.Net.HttpStatusCode.Unauthorized)
{
portData += "- Skipping file enumeration due to unauthorized result";
}
else
{
string commonFiles = Web.FindCommonFiles(url);
if (commonFiles != "")
{
portData += Environment.NewLine + commonFiles;
}
}
string baseLFI = Web.TestBaseLFI(target, port);
if (baseLFI != "")
{
portData += Environment.NewLine + baseLFI + Environment.NewLine;
}
if (portData == "")
{
portData = "- No Info Found";
}
return(portData);
}
catch (Exception ex)
{
Console.WriteLine("Critical HTTP.GetInfo Error: " + ex.Message);
return("");
}
}