public static string GetInfo(string target, int port) { string url = $"https://{target}:{port}/"; // Console.WriteLine("GetInfo - GetHTTPInfo"); var httpInfo = Web.GetHTTPInfo(url); if (httpInfo.AdditionalInfo == "Timeout") { return("- Timeout"); } if (httpInfo == (0, null, null, null, null, null, null, null)) { return(""); } string portData = Web.FormatHTTPInfo(httpInfo.StatusCode, httpInfo.PageTitle, httpInfo.PageText, httpInfo.DNS, httpInfo.Headers, httpInfo.SSLCert, httpInfo.URL); // Console.WriteLine("GetInfo - FindCommonFiles"); string commonFiles = Web.FindCommonFiles(url); if (commonFiles != "") { portData += Environment.NewLine + commonFiles; } // Console.WriteLine("GetInfo - TestBaseLF"); string baseLFI = Web.TestBaseLFI(target, port); if (baseLFI != "") { portData += Environment.NewLine + baseLFI + Environment.NewLine; } if (portData == "") { portData = "- No Info Found"; } return(portData); }
public static RedditInfo GetInfo(string name) { RedditInfo redditInfo = new RedditInfo { Exists = false }; var aboutPage = Web.GetHTTPInfo($"https://www.reddit.com/user/{name}/about.json"); if (aboutPage.StatusCode == HttpStatusCode.OK) { redditInfo.Exists = true; OSINT_Reddit_Profile.Rootobject profile = JsonSerializer.Deserialize <OSINT_Reddit_Profile.Rootobject>(aboutPage.PageText); redditInfo.CreationDate = DateTime.FromFileTimeUtc((long)profile.data.created_utc); redditInfo.CommentKarma = profile.data.comment_karma; var commentsPage = Web.GetHTTPInfo($"https://www.reddit.com/user/{name}/comments.json"); if (commentsPage.StatusCode == HttpStatusCode.OK) { OSINT_Reddit_Comments.Rootobject commentInfo = JsonSerializer.Deserialize <OSINT_Reddit_Comments.Rootobject>(commentsPage.PageText); foreach (var comment in commentInfo.data.children) { redditInfo.CommentList.Add(comment.data); } } } return(redditInfo); }
private static void Twitter(string username) { // Twitter usernames don't have spaces username = username.Replace(" ", ""); var httpInfo = Web.GetHTTPInfo("https://mobile.twitter.com/" + username); if (httpInfo.StatusCode == HttpStatusCode.NotFound) { Console.WriteLine("- Twitter: Not Found"); } else if (httpInfo.StatusCode == HttpStatusCode.OK) { Console.WriteLine("- Twitter: " + "Found".Pastel(Color.Green)); Console.WriteLine("-- Link: https://www.twitter.com/" + username); // Profile name Console.WriteLine("-- Name: " + httpInfo.PageTitle.Replace(" on Twitter", "")); // Split into segments string pageText = httpInfo.PageText; List <string> tableList = new List <string>(); tableList.AddRange(pageText.Split("<table", StringSplitOptions.RemoveEmptyEntries)); // Find Bio string profileInfo = tableList.First(x => x.Trim().StartsWith("class=\"profile-details\">")); string bio = profileInfo.Remove(0, profileInfo.IndexOf("<div class=\"bio\">") + 58); bio = bio.Substring(0, bio.IndexOf("</div>")).Trim(); if (bio.Trim() != "") { Console.WriteLine("-- Bio: " + bio); } // Find Stats string profileStats = tableList.First(x => x.Trim().StartsWith("class=\"profile-stats\">")); List <string> statList = profileStats.Split("<td", StringSplitOptions.RemoveEmptyEntries).ToList(); // 0 = N/A, 1 = Tweets, 2 = Following, 3 = Followers string tweetCount = statList[1].Remove(0, statList[1].IndexOf("statnum") + 9); tweetCount = tweetCount.Substring(0, tweetCount.IndexOf("<")); Console.WriteLine("-- Tweets: " + tweetCount); // Tweets - To do // List<string> tweetCount = tableList.Count(x => x.Trim().StartsWith("class=\"tweet \"")).ToList(); // Console.WriteLine("-- Tweets: " + tweetCount + (tweetCount == 20 ? "+" : "")); } else if (httpInfo.StatusCode == HttpStatusCode.TemporaryRedirect) { if (httpInfo.Headers["Location"] != null && httpInfo.Headers["Location"] == "/account/suspended") { Console.WriteLine("- Twitter: Account Suspended :<"); } } else { Console.WriteLine("- Twitter: Error - Bug Reelix"); } }
private static void YouTube(string username) { // YouTube usernames CAN have spaces - Oh gawd var httpInfo = Web.GetHTTPInfo("https://www.youtube.com/" + username); if (httpInfo.StatusCode == HttpStatusCode.OK) { string youtubeUsername = httpInfo.PageTitle.Replace(" - YouTube", ""); Console.WriteLine("- YouTube: " + "Found".Pastel(Color.Green)); Console.WriteLine("-- Link: https://www.youtube.com/" + username); Console.WriteLine("-- Name: " + youtubeUsername); // About page var aboutPage = Web.GetHTTPInfo("https://www.youtube.com/c/" + username + "/about"); // Description string description = aboutPage.PageText; description = description.Remove(0, description.IndexOf("og:description") + 25); description = description.Substring(0, description.IndexOf("\">")); if (description.Trim() != "") { Console.WriteLine("-- Description: " + description); } } else if (httpInfo.StatusCode == HttpStatusCode.NotFound) { Console.WriteLine("- YouTube: Not Found"); } else if (httpInfo.StatusCode == HttpStatusCode.Moved) { if (httpInfo.Headers["Location"] != null) { string location = httpInfo.Headers["Location"]; if (location.Contains("/user/")) { var userInfo = Web.GetHTTPInfo(location); Console.WriteLine("- YouTube: " + "Found".Pastel(Color.Green)); Console.WriteLine("-- User Profile: " + location); Console.WriteLine("-- Name: " + userInfo.PageTitle.Replace(" - YouTube", "")); } else { Console.WriteLine("- YouTube: Unknown Moved to " + httpInfo.Headers["Location"]); } } } else { Console.WriteLine("- YouTube: Error - Bug Reelix: " + httpInfo.StatusCode); } }
public static string GetInfo(string target, int port) { try { string url = ""; if (port == 80) { url = $"http://{target}/"; } else { url = $"http://{target}:{port}/"; } var httpInfo = Web.GetHTTPInfo(url); if (httpInfo.AdditionalInfo == "Timeout") { return("- Timeout"); } else if (httpInfo == (0, null, null, null, null, null, null, null)) { return(""); } string portData = Web.FormatHTTPInfo(httpInfo.StatusCode, httpInfo.PageTitle, httpInfo.PageText, httpInfo.DNS, httpInfo.Headers, httpInfo.SSLCert, httpInfo.URL); string commonFiles = Web.FindCommonFiles(url); if (commonFiles != "") { portData += Environment.NewLine + commonFiles; } string baseLFI = Web.TestBaseLFI(target, port); if (baseLFI != "") { portData += Environment.NewLine + baseLFI + Environment.NewLine; } if (portData == "") { portData = "- No Info Found"; } return(portData); } catch (Exception ex) { Console.WriteLine("Critical HTTP.GetInfo Error: " + ex.Message); return(""); } }
private static bool CheckGhostcat(string target) { var httpInfo = Web.GetHTTPInfo($"http://{target}/"); if (httpInfo.StatusCode == 0) { httpInfo = Web.GetHTTPInfo($"http://{target}:8080/"); if (httpInfo.StatusCode == 0) { return(false); } } string pageTitle = httpInfo.PageTitle; // Apache Tomcat/9.0.30 if (!pageTitle.StartsWith("Apache Tomcat/")) { return(false); } pageTitle = pageTitle.Replace("Apache Tomcat/", ""); System.Version theVersion = System.Version.Parse(pageTitle); // 6.* is EOL and unpatched if (theVersion.Major <= 6) { return(true); } // Below 7.0.100 if (theVersion.Major == 7 && theVersion < System.Version.Parse("7.0.100")) { return(true); } // Below 8.5.51 else if (theVersion.Major == 8 && theVersion < System.Version.Parse("8.5.51")) { return(true); } // Below 9.0.31 else if (theVersion.Major == 9 && theVersion < System.Version.Parse("9.0.31")) { return(true); } return(false); }
private static void GetGithubInfo(string username) { var httpInfo = Web.GetHTTPInfo($"https://api.github.com/users/{username}", "Reecon"); if (httpInfo.StatusCode == HttpStatusCode.NotFound) { Console.WriteLine("- Github: Not Found"); } else { Console.WriteLine("- Github: " + "Found".Pastel(Color.Green)); var githubInfo = JsonDocument.Parse(httpInfo.PageText); JsonElement login = githubInfo.RootElement.GetProperty("login"); Console.WriteLine("-- Login: "******"html_url"); Console.WriteLine($"-- Link: {htmlLink}"); JsonElement name = githubInfo.RootElement.GetProperty("name"); Console.WriteLine("-- Name: " + name); // TODO: Parse Repos + Commits // Repos: https://api.github.com/users/sakurasnowangelaiko/repos // Commits (And everything else): https://api.github.com/users/sakurasnowangelaiko/events ( } }
private static void Instagram(string username) { // Instagram usernames don't have spaces username = username.Replace(" ", ""); var httpInfo = Web.GetHTTPInfo("https://www.instagram.com/" + username + "/?__a=1"); if (httpInfo.StatusCode == HttpStatusCode.NotFound) { Console.WriteLine("- Instagram: Not Found"); } else if (httpInfo.StatusCode == HttpStatusCode.OK) { string pageText = httpInfo.PageText; Console.WriteLine("- Instagram: " + "Found".Pastel(Color.Green)); Console.WriteLine("-- Link: https://www.instagram.com/" + username + "/"); var document = JsonDocument.Parse(pageText); // Oh gawd foreach (var item in document.RootElement.EnumerateObject()) { if (item.Name == "graphql") { foreach (var graphitem in item.Value.EnumerateObject()) { if (graphitem.Name == "user") { foreach (var userItem in graphitem.Value.EnumerateObject()) { if (userItem.Name == "biography") { string biography = userItem.Value.GetString().Replace("\n", " -- "); if (biography.Trim() != "") { Console.WriteLine("-- Biography: " + userItem.Value.GetString().Replace("\n", " -- ")); } } if (userItem.Name == "full_name") { if (userItem.Value.ToString().Trim() != "") { Console.WriteLine("-- Full Name: " + userItem.Value); } } if (userItem.Name == "edge_owner_to_timeline_media") { foreach (var posts in userItem.Value.EnumerateObject()) { if (posts.Name == "count") { Console.WriteLine("-- Posts: " + posts.Value); } } } } } } } } } else { Console.WriteLine("- Instagram: Error - Bug Reelix"); } }
public static string FormatHTTPInfo(HttpStatusCode StatusCode, string PageTitle, string PageText, string DNS, WebHeaderCollection Headers, X509Certificate2 SSLCert, string URL) { string responseText = ""; List <string> headerList = new List <string>(); if (Headers != null) { headerList = Headers.AllKeys.ToList(); } if (StatusCode != HttpStatusCode.OK) { // There's a low chance that it will return a StatusCode that is not in the HttpStatusCode list in which case (int)StatusCode will crash if (StatusCode == HttpStatusCode.MovedPermanently) { if (Headers != null && Headers.Get("Location") != null) { responseText += "- Moved Permanently" + Environment.NewLine; responseText += "-> Location: " + Headers.Get("Location") + Environment.NewLine; headerList.Remove("Location"); } } else if (StatusCode == HttpStatusCode.Redirect) { if (Headers != null && Headers.Get("Location") != null) { responseText += "- Redirect" + Environment.NewLine; responseText += "-> Location: " + Headers.Get("Location") + Environment.NewLine; headerList.Remove("Location"); } } else if (StatusCode == HttpStatusCode.NotFound) { responseText += "- Base page is a 404" + Environment.NewLine; } else if (StatusCode != HttpStatusCode.OK) { try { responseText += "- Weird Status Code: " + (int)StatusCode + " " + StatusCode + Environment.NewLine; } catch { responseText += "- Unknown Status Code: " + " " + StatusCode + Environment.NewLine; } if (Headers != null && Headers.Get("Location") != null) { responseText += "-> Location: " + Headers.Get("Location") + Environment.NewLine; headerList.Remove("Location"); } } } if (!string.IsNullOrEmpty(PageTitle)) { PageTitle = PageTitle.Trim(); responseText += "- Page Title: " + PageTitle + Environment.NewLine; if (PageTitle.StartsWith("Apache Tomcat")) { // CVE's if (PageTitle == "Apache Tomcat/9.0.17") { responseText += "- " + "Apache Tomcat 9.0.17 Detected - Vulnerable to CVE-2019-0232!".Pastel(Color.Orange); } // Apache Tomcat Page NetworkCredential defaultTomcatCreds = new NetworkCredential("tomcat", "s3cret"); // Sanitize URL if (!url.EndsWith("/")) { url += "/"; } // Check Manager App string managerAppURL = URL + "manager/html"; var managerAppInfo = Web.GetHTTPInfo(managerAppURL); if (managerAppInfo.StatusCode == HttpStatusCode.Unauthorized) { responseText += "- Manager App Found - But it's Unauthorized" + Environment.NewLine; try { WebClient wc = new WebClient(); wc.Credentials = defaultTomcatCreds; wc.DownloadString(managerAppURL); responseText += "-- " + "Creds Found: defaultTomcatCredstomcat:s3cret".Pastel(Color.Orange) + Environment.NewLine; } catch { // Creds are still incorrect - Oh well } } else if (managerAppInfo.StatusCode == HttpStatusCode.Forbidden) { responseText += "- Manager App Found - But it's Forbidden" + Environment.NewLine; } else if (managerAppInfo.StatusCode != HttpStatusCode.NotFound) { responseText += "Unknown Manager App Status Code: " + managerAppInfo.StatusCode + Environment.NewLine; } // Check Host Manager string hostManagerURL = URL + "host-manager/html"; var hostManagerInfo = Web.GetHTTPInfo(hostManagerURL); if (hostManagerInfo.StatusCode == HttpStatusCode.Unauthorized) { responseText += "- Host Manager Found - But it's Unauthorized" + Environment.NewLine; try { WebClient wc = new WebClient(); wc.Credentials = defaultTomcatCreds; wc.DownloadString(hostManagerURL); responseText += "-- " + "Creds Found: tomcat:s3cret".Pastel(Color.Orange) + Environment.NewLine; } catch { // Creds are still incorrect - Oh well } } else if (hostManagerInfo.StatusCode == HttpStatusCode.Forbidden) { responseText += "- Host Manager Found - But it's Forbidden" + Environment.NewLine; } else if (hostManagerInfo.StatusCode != HttpStatusCode.NotFound) { responseText += "Unknown Host Manager Status Code: " + hostManagerInfo.StatusCode + Environment.NewLine; } } } if (PageText.Length > 0) { if (PageText.Length < 250) { responseText += "- Page Text: " + PageText.Trim() + Environment.NewLine; } if (PageText.Contains("/wp-content/themes/") && PageText.Contains("/wp-includes/")) { responseText += "- Wordpress detected!" + Environment.NewLine; try { string jsonData = wc.DownloadString("http://" + DNS + "/wp-json/wp/v2/users"); var document = JsonDocument.Parse(jsonData); foreach (JsonElement element in document.RootElement.EnumerateArray()) { string wpUser = element.GetProperty("name").GetString(); responseText += ("-- Wordpress User Found: " + wpUser).Pastel(Color.Orange) + Environment.NewLine; } } catch (WebException) { // Thrown on 404's and such - Ignore it } responseText += "-- wpscan --url http://" + DNS + "/ --enumerate u1-5" + Environment.NewLine; responseText += "-- hydra -L users.txt -P passwords.txt site.com http-post-form \"/blog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location\" -I -t 50" + Environment.NewLine; } else if (PageText.Trim() == "<b>The source you requested could not be found.</b>") { responseText += "-- Possible Icecast Server detected" + Environment.NewLine; // Thanks nmap! } } if (!string.IsNullOrEmpty(DNS)) { responseText += "- DNS: " + DNS + Environment.NewLine; } if (headerList.Any()) { headerList = Headers.AllKeys.ToList(); // Useful info if (headerList.Contains("Server")) { headerList.Remove("Server"); string serverText = Headers.Get("Server").Trim(); responseText += "- Server: " + serverText + Environment.NewLine; if (serverText.StartsWith("MiniServ/")) { responseText += "-- Webmin Server Detected" + Environment.NewLine; // 1.890, 1.900-1.920 - http://www.webmin.com/changes.html if (serverText.StartsWith("MiniServ/1.890") || serverText.StartsWith("MiniServ/1.900") || serverText.StartsWith("MiniServ/1.910") || serverText.StartsWith("MiniServ/1.920")) { responseText += "--- Possible Vulnerable Version: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_backdoor.rb" + Environment.NewLine; } } else if (serverText.StartsWith("Werkzeug/")) { responseText += "-- " + "Werkzeug Detected - Check out /console <-----".Pastel(Color.Orange) + Environment.NewLine; } } // Useful info if (headerList.Contains("X-Powered-By")) { headerList.Remove("X-Powered-By"); string poweredBy = Headers.Get("X-Powered-By"); responseText += "- X-Powered-By: " + poweredBy + Environment.NewLine; if (poweredBy.Contains("JBoss")) { responseText += "-- " + "JBoss Detected - Run jexboss - https://github.com/joaomatosf/jexboss <-----".Pastel(Color.Orange) + Environment.NewLine; } } // Requires a login if (headerList.Contains("WWW-Authenticate")) { headerList.Remove("WWW-Authenticate"); responseText += "- WWW-Authenticate: " + Headers.Get("WWW-Authenticate") + Environment.NewLine; } // Kabana if (headerList.Contains("kbn-name")) { headerList.Remove("kbn-name"); responseText += "- kbn-name: " + Headers.Get("kbn-name") + Environment.NewLine; responseText += "-- You should get more kibana-based info further down" + Environment.NewLine;; } if (headerList.Contains("kbn-version")) { headerList.Remove("kbn-version"); responseText += "- kbn-version: " + Headers.Get("kbn-version") + Environment.NewLine; } // Useful cookies if (headerList.Contains("Set-Cookie")) { headerList.Remove("Set-Cookie"); string setCookie = Headers.Get("Set-Cookie"); responseText += "- Set-Cookie: " + setCookie + Environment.NewLine; if (setCookie.StartsWith("CUTENEWS_SESSION")) { responseText += "-- " + $"CuteNews Found - Browse to http://{DNS}/CuteNews/index.php".Pastel(Color.Orange) + Environment.NewLine; } } // Fun content types if (headerList.Contains("Content-Type")) { string contentType = Headers.Get("Content-Type"); if (contentType.StartsWith("text/html")) { // Skip it } else if (contentType.StartsWith("image")) { // The entire thing is an image - It's special! responseText += "- Content Type: " + Headers.Get("Content-Type").Pastel(Color.Orange) + " <--- It's an image!" + Environment.NewLine; } else { // A unique content type - Might be interesting responseText += "- Content-Type: " + Headers.Get("Content-Type") + Environment.NewLine; } } responseText += "- Other Headers: " + string.Join(",", headerList) + Environment.NewLine; } if (SSLCert != null) { X509Certificate2 theCert = SSLCert; string certIssuer = theCert.Issuer; string certSubject = theCert.Subject; // string certAltName = SSLCert.SubjectName.Name; responseText += "- SSL Cert Issuer: " + certIssuer + Environment.NewLine; responseText += "- SSL Cert Subject: " + certSubject + Environment.NewLine; if (theCert.Extensions != null) { // Console.WriteLine("Extensions is not null"); X509ExtensionCollection extensionCollection = theCert.Extensions; foreach (X509Extension extension in extensionCollection) { string friendlyName = extension.Oid.FriendlyName; // Console.WriteLine("Extension Name: " + extensionType); // Windows: Subject Alternative Name // Linux: X509v3 Subject Alternative Name if (friendlyName.Contains("Subject Alternative Name")) { AsnEncodedData asndata = new AsnEncodedData(extension.Oid, extension.RawData); List <string> formattedValues = asndata.Format(true).Split(new[] { Environment.NewLine }, StringSplitOptions.None).ToList(); string itemList = ""; foreach (string item in formattedValues) { string theItem = item; theItem = theItem.Replace("DNS Name=", ""); if (theItem.Contains("(")) { theItem = theItem.Remove(0, theItem.IndexOf("(") + 1).Replace(")", ""); itemList += theItem + ","; } else { itemList += theItem + ","; } } itemList = itemList.Trim(','); responseText += "- Subject Alternative Name: " + itemList + Environment.NewLine; } } } } // Clean off any redundant newlines responseText = responseText.TrimEnd(Environment.NewLine.ToCharArray()); return(responseText); }
public static string FindCommonFiles(string url) { // Console.WriteLine("In FindCommonFiles with " + url); string returnText = ""; if (!url.EndsWith("/")) { url += "/"; } // Wildcard test // WebClient throws an error on 403 (Forbidden) and 404 (Not Found) pages int notFoundLength = -1; string wildcardURL = url + "be0df04b-f5ff-4b4f-af99-00968cf08fed"; bool ignoreRedirect = false; try { // Console.WriteLine("Testing Wildcard"); var pageResult = Web.GetHTTPInfo(wildcardURL); string test = pageResult.PageText; notFoundLength = test.Length; if (pageResult.StatusCode == HttpStatusCode.OK) { returnText += $"- Wildcard paths such as {wildcardURL} return - This may cause issues..." + Environment.NewLine; } else if (pageResult.StatusCode == HttpStatusCode.Redirect || pageResult.StatusCode == HttpStatusCode.Moved) { ignoreRedirect = true; returnText += $"- Wildcard paths such as {wildcardURL} redirect - This may cause issues..." + Environment.NewLine; } } catch { } bool skipPHP = false; // PHP wildcards can be differnt string phpWildcardURL = url + "be0df04b-f5ff-4b4f-af99-00968cf08fed.php"; try { // Console.WriteLine("Testing php wildcard"); var pageResult = Web.GetHTTPInfo(phpWildcardURL); string test = pageResult.PageText; notFoundLength = test.Length; if (pageResult.StatusCode == HttpStatusCode.OK) { skipPHP = true; returnText += $"- .php wildcard paths such as {phpWildcardURL} return - This may cause issues..." + Environment.NewLine; } else if (pageResult.StatusCode == HttpStatusCode.Redirect || pageResult.StatusCode == HttpStatusCode.Moved) { skipPHP = true; returnText += $"- .php wildcard paths such as {phpWildcardURL} redirect - This may cause issues..." + Environment.NewLine; } } catch { } // Mini gobuster :p List <string> commonFiles = new List <string> { // robots.txt - Of course "robots.txt", // Most likely invalid folder for test purposes "woof/", // Common hidden folders "hidden/", "secret/", "backup/", // Common Index files "index.php", "index.html", // Common images folder "images/", // Hidden mail server "mail/", // Admin stuff "admin.php", "admin/", // Git repo ".git/HEAD", // SSH ".ssh/id_rsa", // Bash History ".bash_history", // NodeJS Environment File ".env", // General info file ".DS_STORE", // Wordpress stuff "blog/", "wordpress/", "wordpress/wp-config.php.bak", "wp-config.php", "wp-config.php.bak", // phpmyadmin "phpmyadmin/", // Kibana "app/kibana", // Bolt CMS "bolt-public/img/bolt-logo.png" }; if (skipPHP) { commonFiles.RemoveAll(x => x.EndsWith(".php")); } foreach (string file in commonFiles) { // Console.WriteLine("In Enum: " + file); string path = url + file; try { var response = Web.GetHTTPInfo(path); if (response.StatusCode == HttpStatusCode.OK) { // Since it's readable - Let's deal with it! try { string pageText = response.PageText; if (pageText.Length != notFoundLength) { returnText += "- " + $"Common Path is readable: {url}{file}".Pastel(Color.Orange) + Environment.NewLine; // Specific case for robots.txt since it's common and extra useful if (file == "robots.txt") { foreach (var line in pageText.Split(Environment.NewLine.ToCharArray())) { if (line != "") { returnText += "-- " + line + Environment.NewLine; } } } // Git repo! else if (file == ".git/HEAD") { returnText += "-- Git repo found!" + Environment.NewLine; // https://github.com/arthaud/git-dumper/issues/9 WebClient wc = new WebClient(); try { if (wc.DownloadString($"{url}.git/").Contains("../")) { // -q: Quiet (So the console doesn't get spammed) // -r: Download everything // -np: But don't go all the way backwards // -nH: So you only have the ".git" folder and not the IP folder as well returnText += $"--- Download the repo: wget -q -r -np -nH {url}.git/" + Environment.NewLine; returnText += "--- Get the logs: git log --pretty=format:\"%h - %an (%ae): %s %b\"" + Environment.NewLine; returnText += "--- Show a specific commit: git show 2eb93ac (Press q to close)" + Environment.NewLine; continue; } } catch { } returnText += "--- Download: https://raw.githubusercontent.com/arthaud/git-dumper/master/git-dumper.py" + Environment.NewLine; returnText += $"--- Run: python3 git-dumper.py {url}{file} .git" + Environment.NewLine; returnText += "--- Get the logs: git log --pretty=format:\"%h - %an (%ae): %s %b\"" + Environment.NewLine; returnText += "--- Show a specific commit: git show 2eb93ac (Press q to close)" + Environment.NewLine; } // Bolt else if (file == "bolt-public/img/bolt-logo.png") { returnText += "-- Bolt CMS!" + Environment.NewLine; returnText += $"-- Admin Page: {url}bolt" + Environment.NewLine; returnText += "-- If you get details and the version is 3.6.* or 3.7: https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce" + Environment.NewLine; } // Kibana! else if (file == "app/kibana") { returnText += "-- Kibana!" + Environment.NewLine; try { WebClient wc = new WebClient(); string toCheck = $"{url}{file}"; string pageData = wc.DownloadString($"{url}{file}"); if (pageData.IndexOf(""version":"") != -1) { string versionText = pageData.Remove(0, pageData.IndexOf(""version":"") + 26); versionText = versionText.Substring(0, versionText.IndexOf(""")); returnText += "--- Version: " + versionText + Environment.NewLine; returnText += "---- Kibana versions before 5.6.15 and 6.6.1 -> CVE-2019-7609 -> https://github.com/mpgn/CVE-2019-7609" + Environment.NewLine; } else { returnText += $"--- Version: {url}{file}#/management/" + Environment.NewLine; } } catch { returnText += $"--- Version: {url}{file}#/management/" + Environment.NewLine; } returnText += $"--- Elasticsearch Console: {url}{file}#/dev_tools/console" + Environment.NewLine; returnText += "---- General Info: GET /" + Environment.NewLine; returnText += "---- Get Indices: GET /_cat/indices?v" + Environment.NewLine; // These aren't meant to be params returnText += "---- Get Index Info: GET /{index}/_search/?pretty&size={docs.count}" + Environment.NewLine; } else { if (response.PageTitle.StartsWith("Index of /")) { returnText += "-- " + "Open directory listing".Pastel(Color.Orange); } else { string usefulInfo = Web.FindInfo(pageText, true); if (usefulInfo.Trim(Environment.NewLine.ToCharArray()) != "") { returnText += usefulInfo + Environment.NewLine; } } } } } catch (Exception ex) { Console.WriteLine("Bug Reelix - HTTP.FindCommonFiles Error: " + ex.Message + Environment.NewLine); } } else if (response.StatusCode == HttpStatusCode.Forbidden) { // Forbidden is still useful returnText += $"- Common Path is Forbidden: {url}{file}" + Environment.NewLine; } else if (response.StatusCode == HttpStatusCode.Redirect || response.StatusCode == HttpStatusCode.Moved) { if (!ignoreRedirect) { returnText += $"- Common Path redirects: {url}{file}" + Environment.NewLine; if (response.Headers != null && response.Headers.Get("Location") != null) { returnText += $"-- Redirection Location: {response.Headers.Get("Location")}" + Environment.NewLine; } } } else if (response.StatusCode == HttpStatusCode.Unauthorized) { returnText += $"- Common path requires authentication: {url}{file}" + Environment.NewLine; if (response.PageText != "") { returnText += $"-- Page Text: {response.PageText}" + Environment.NewLine; } } else if (response.StatusCode == 0) { Console.WriteLine("The HTTP Host is timing out :<"); returnText += $"- " + "Host timed out - Unable to enumerate".Pastel(Color.Red); break; } else if (response.StatusCode != HttpStatusCode.NotFound) { Console.WriteLine($"Unknown response for {file} - {response.StatusCode}"); } } catch (WebException ex) { if (ex.Response != null) { HttpWebResponse response = (HttpWebResponse)ex.Response; if (response.StatusCode == HttpStatusCode.OK) { returnText += $"- Common File exists: {url}{file}" + Environment.NewLine; string pageText = new StreamReader(response.GetResponseStream()).ReadToEnd(); string usefulInfo = Web.FindInfo(pageText, true); if (usefulInfo.Trim(Environment.NewLine.ToCharArray()) != "") { returnText += usefulInfo + Environment.NewLine; } } } else { if (ex.Message.Trim().StartsWith("The remote name could not be resolved:")) { string message = ex.Message.Trim().Replace("The remote name could not be resolved:", ""); returnText += "- Hostname Found: " + message.Trim().Trim('\'') + " - You need to do a manual common file check" + Environment.NewLine; return(returnText); } else if (ex.Message == "The operation has timed out") { returnText += "- FindCommonFiles Timeout :<" + Environment.NewLine; } else { if (ex.Message != null) { Console.WriteLine("FindCommonFiles - Something weird happened: " + ex.Message); } else { Console.WriteLine("FindCommonFiles - Something REALLY weird happened - And it left no error message!"); } return(returnText); } } } catch (Exception ex) { Console.WriteLine("FindCommonFiles - Fatal Woof: " + ex.Message); } } return(returnText.Trim(Environment.NewLine.ToArray())); }
public static string GetInfoMain(string target, int port, bool isHTTPS) { try { string url = ""; if (isHTTPS) { if (port == 443) { url = $"https://{target}/"; } else { url = $"https://{target}:{port}/"; } } else { if (port == 80) { url = $"http://{target}/"; } else { url = $"http://{target}:{port}/"; } } var httpInfo = Web.GetHTTPInfo(url); if (httpInfo.AdditionalInfo == "Timeout") { return("- Timeout"); } else if (httpInfo == (0, null, null, null, null, null, null, null)) { return(""); } string portData = Web.FormatHTTPInfo(httpInfo.StatusCode, httpInfo.PageTitle, httpInfo.PageText, httpInfo.DNS, httpInfo.Headers, httpInfo.SSLCert, httpInfo.URL); if (httpInfo.StatusCode == System.Net.HttpStatusCode.Unauthorized) { portData += "- Skipping file enumeration due to unauthorized result"; } else { string commonFiles = Web.FindCommonFiles(url); if (commonFiles != "") { portData += Environment.NewLine + commonFiles; } } string baseLFI = Web.TestBaseLFI(target, port); if (baseLFI != "") { portData += Environment.NewLine + baseLFI + Environment.NewLine; } if (portData == "") { portData = "- No Info Found"; } return(portData); } catch (Exception ex) { Console.WriteLine("Critical HTTP.GetInfo Error: " + ex.Message); return(""); } }