Merge remote-tracking branch 'upstream/master' into misfortune-cookie

7db65a6b · Milad Doorbash · 11186a54 · 1424ff04 · 7db65a6b · 7db65a6b
Commit 7db65a6b authored Apr 27, 2016 by Milad Doorbash
5 changed files
--- a/routersploit/modules/creds/http_form_bruteforce.py
+++ b/routersploit/modules/creds/http_form_bruteforce.py
@@ -36,6 +36,7 @@ class Exploit(exploits.Exploit):
    passwords = exploits.Option(wordlists.passwords, 'Password or file with passwords (file://)')
    form = exploits.Option('auto', 'Post Data: auto or in form login={{LOGIN}}&password={{PASS}}&submit')
    path = exploits.Option('/login.php', 'URL Path')
+    form_path = exploits.Option('same', 'same as path or URL Form Path')
    verbosity = exploits.Option('yes', 'Display authentication attempts')

    credentials = []
@@ -46,9 +47,15 @@ class Exploit(exploits.Exploit):
        self.credentials = []
        self.attack()

+    def get_form_path(self):
+        if self.form_path == 'same':
+            return self.path
+        else:
+            return self.form_path
+
    @multi
    def attack(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))

        try:
            requests.get(url, verify=False)
@@ -61,11 +68,15 @@ class Exploit(exploits.Exploit):

        # authentication type
        if self.form == 'auto':
-            self.data = self.detect_form()
+            form_data = self.detect_form()

-            if self.data is None:
+            if form_data is None:
                print_error("Could not detect form")
                return
+
+            (form_action, self.data) = form_data
+            if form_action:
+                self.path = form_action
        else:
            self.data = self.form

@@ -116,7 +127,7 @@ class Exploit(exploits.Exploit):
                self.invalid["max"] = l

    def detect_form(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))
        r = requests.get(url, verify=False)
        soup = BeautifulSoup(r.text, "lxml")

@@ -125,20 +136,22 @@ class Exploit(exploits.Exploit):
        if form is None:
            return None

+        action = form.attrs.get('action', None)
+
        if len(form) > 0:
            res = []
            for inp in form.findAll("input"):
                if 'name' in inp.attrs.keys():
-                    if inp.attrs['name'].lower() in ["username", "user", "login"]:
+                    if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]:
                        res.append(inp.attrs['name'] + "=" + "{{USER}}")
-                    elif inp.attrs['name'].lower() in ["password", "pass"]:
+                    elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]:
                        res.append(inp.attrs['name'] + "=" + "{{PASS}}")
                    else:
                        if 'value' in inp.attrs.keys():
                            res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
                        else:
                            res.append(inp.attrs['name'] + "=")
-        return '&'.join(res)
+        return (action, '&'.join(res))

    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)

--- a/routersploit/modules/creds/http_form_default.py
+++ b/routersploit/modules/creds/http_form_default.py
@@ -34,6 +34,7 @@ class Exploit(exploits.Exploit):
    defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
    form = exploits.Option('auto', 'Post Data: auto or in form login={{LOGIN}}&password={{PASS}}&submit')
    path = exploits.Option('/login.php', 'URL Path')
+    form_path = exploits.Option('same', 'same as path or URL Form Path')
    verbosity = exploits.Option('yes', 'Display authentication attempts')

    credentials = []
@@ -44,9 +45,15 @@ class Exploit(exploits.Exploit):
        self.credentials = []
        self.attack()

+    def get_form_path(self):
+        if self.form_path == 'same':
+            return self.path
+        else:
+            return self.form_path
+
    @multi
    def attack(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))

        try:
            requests.get(url, verify=False)
@@ -59,11 +66,15 @@ class Exploit(exploits.Exploit):

        # authentication type
        if self.form == 'auto':
-            self.data = self.detect_form()
+            form_data = self.detect_form()

-            if self.data is None:
+            if form_data is None:
                print_error("Could not detect form")
                return
+
+            (form_action, self.data) = form_data
+            if form_action:
+                self.path = form_action
        else:
            self.data = self.form

@@ -109,7 +120,7 @@ class Exploit(exploits.Exploit):
                self.invalid["max"] = l

    def detect_form(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))
        r = requests.get(url, verify=False)
        soup = BeautifulSoup(r.text, "lxml")

@@ -118,20 +129,22 @@ class Exploit(exploits.Exploit):
        if form is None:
            return None

+        action = form.attrs.get('action', None)
+
        if len(form) > 0:
            res = []
            for inp in form.findAll("input"):
                if 'name' in inp.attrs.keys():
-                    if inp.attrs['name'].lower() in ["username", "user", "login"]:
+                    if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]:
                        res.append(inp.attrs['name'] + "=" + "{{USER}}")
-                    elif inp.attrs['name'].lower() in ["password", "pass"]:
+                    elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]:
                        res.append(inp.attrs['name'] + "=" + "{{PASS}}")
                    else:
                        if 'value' in inp.attrs.keys():
                            res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
                        else:
                            res.append(inp.attrs['name'] + "=")
-        return '&'.join(res)
+        return (action, '&'.join(res))

    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)

--- a/routersploit/modules/scanners/autopwn.py
+++ b/routersploit/modules/scanners/autopwn.py
@@ -17,9 +17,9 @@ class Exploit(exploits.Exploit):
    __info__ = {
        'name': 'AutoPwn',
        'description': 'Scanner module for all vulnerabilities.',
-        'author': [
+        'authors': [
            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
-         ],
+        ],
    }

    target = exploits.Option('', 'Target IP address e.g. 192.168.1.1')  # target address

--- a/routersploit/modules/scanners/dlink_scan.py
+++ b/routersploit/modules/scanners/dlink_scan.py
@@ -17,7 +17,7 @@ class Exploit(exploits.Exploit):
    __info__ = {
        'name': 'D-Link Scanner',
        'description': 'Scanner module for D-Link devices',
-        'author': [
+        'authors': [
            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
        ],
    }

--- a/routersploit/utils.py
+++ b/routersploit/utils.py
@@ -314,7 +314,7 @@ def pprint_dict_in_order(dictionary, order=None):
        prettyprint(rest_keys, dictionary[rest_keys])


-def random_text(length, alph=string.letters+string.digits):
+def random_text(length, alph=string.ascii_letters+string.digits):
    """ Random text generator. NOT crypto safe.
    
    Generates random text with specified length and alphabet.