Commit fb8dbdc0 authored by Devon Kearns

Imported Upstream version 0.6.3

#!/usr/bin/python
'''
GoLISMERO - Simple web analisis
Copyright (C) 2011 Daniel Garcia | dani@estotengoqueprobarlo.es
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
'''
#
# Genera el fichero de cambios de todos los ficheros del directorio donde se ejecuta
#
import os
import sys
import csv
import md5
def generate():
fileList = []
rootdir = os.curdir
# Obtencion de todos los ficheros .py y .csv
for root, subFolders, files in os.walk(rootdir):
#folderCount += len(subFolders)
for file in files:
spt = file.split(".")
ext = spt[len(spt) - 1 ] # obtenemos la extension del fichero
if ext == "py" or ext == "csv": # filtramos por extension
f = os.path.join(root,file)
fileList.append(f.replace("./",""))
# creacion del fichero de cambios
f_changes = csv.writer(open("Admin/changes.dat","w"))
# para cada fichero creamos una fila
m_md5 = md5.new()
for f in fileList:
# Nombre del fichero
filename = f
# firma
m_md5.update(filename)
firma = m_md5.hexdigest()
f_changes.writerow([filename,firma])
if __name__ == '__main__':
print ""
print "ChangesGenerator- File changes maker"
print ""
print "Daniel Garcia Garcia - dani@estotengoqueprobarlo.es"
print "http://www.estotengoqueprobarlo.es"
print ""
print ""
print "[i] Obtieniendo listado de directorios"
generate()
print "[i] Fichero creado correctamente"
print ""
\ No newline at end of file
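Review bot: The signature that `generate()` writes to `Admin/changes.dat` is an MD5 of the file name, not of the file's contents: `m_md5.update(filename)` is fed only the path, and the single `md5.new()` object created before the loop is never reset, so each row is a running digest over every name seen so far. If `libs/updater.py` (not shown on this page) uses the manifest to decide what changed or to check integrity, a file whose contents were modified under the same name yields an identical row. Hashing each file's bytes with a fresh object per file, for example `firma = hashlib.sha256(open(f, 'rb').read()).hexdigest()`, would make the manifest track contents, although any consumer of the manifest would have to compute the same digest. The handle from `open("Admin/changes.dat","w")` is also never closed explicitly, so the final rows depend on interpreter cleanup to be flushed.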
GoLismero.py,14ea63df4b7e35232649a3c8c42ee9ea
api.py,01c72c030481ef2360fd6a427d9bbd06
argparse.py,650ba39c6bcac0839e696834682b6388
Admin/__init__.py,4ae85af1f32c428ea7e85a22cabcd6ac
Admin/ChangesGenerator.py,0535b310bae57653622d74354a419459
libs/checks.py,1e2d04f3118048b0ccf27efb405c8668
libs/Data.py,6ebda5ede9f06b12847aab2603f364e8
libs/fileresults.py,cee1c2a0c419852b13915ff1527208e3
libs/common_vars.csv,2853b17ba42330a082dc732425e868d7
libs/forms.py,179652a58f71487dd2ddf57cc5a37f03
libs/__init__.py,54504069dc830b2e269f0737463c5c65
libs/Links.py,976bc2ac7ae3eb8fb04be5ae67e278c3
libs/vulns.py,4b5c5ff3cdf4f7a32693326775b9080e
libs/io_functions.py,b92e40b460db42b3254615b3e47933e0
libs/io_net.py,dab1a589e3611d20bb5e557c0c1f9352
libs/updater.py,477e4116fbb354b13e7810b5796353cc
libs/spider.py,748dc74e054e2ce0e15faf536dcade62
libs/ntlm/des.py,388856296676bfb424bd1a8dc5ea629b
libs/ntlm/__init__.py,c85314d11128c9b5c1406b1a510b0aad
libs/ntlm/U32.py,c31fcec6261ffa3d61db09ac589e5831
libs/ntlm/des_data.py,4c4ab96a83d9a6ae52e9d8199ce51ee1
libs/ntlm/des_c.py,62efd0e20993f3529654695ec6aebc4c
libs/ntlm/HTTPNtlmAuthHandler.py,6e6ceb2b1294478a58c0ee684221e864
libs/ntlm/ntlm.py,1c22adf10c16dced89e19c54a17ac3af
bs4/dammit.py,710a751d00e221b5a513169e3c383d39
bs4/__init__.py,11940cb4095e47e02cc2466eff23ef70
bs4/testing.py,9dd7f3c9e009e49d058220a8286223ab
bs4/element.py,a7e6b07e01535c92fc3d8a5892af5747
bs4/builder/_html5lib.py,71dccc3a2deed055a8c6a5fd9d90159f
bs4/builder/__init__.py,8b8112f2f806fecf713b8e063b9a62cf
bs4/builder/_htmlparser.py,0dc30cf400b6e4a365a99a1637e16924
bs4/builder/_lxml.py,805362e937e0ede0cba21ee005a2b2ab
bs4/tests/test_html5lib.py,41cede1e87402a07fa6c18346a3c04f5
bs4/tests/test_tree.py,ddc337830b6af52df39d2039edbe94cb
bs4/tests/test_htmlparser.py,c69ed473562ba55f67fc36984eda573e
bs4/tests/test_docs.py,2693fe9ee1770b5278a990677a057890
bs4/tests/test_soup.py,4e33405d91066fe5acfc7082c5d1083f
bs4/tests/__init__.py,bf21bffcbff5972d84752e6517a9d277
bs4/tests/test_builder_registry.py,9306305e03a81e5fd472720c889ba9d6
bs4/tests/test_lxml.py,7be06e9a141207b53297d45ef1a3bd3d
#!/usr/bin/python2.7
'''
GoLISMERO - Simple web analisis
Copyright (C) 2011 Daniel Garcia | dani@estotengoqueprobarlo.es
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
'''
import argparse
from libs.updater import *
from libs.io_functions import *
from api import *
from sys import exit
import textwrap
__version__ = "0.2"
__prog__ = "GoLISMERO"
__examples__ = '''
Examples:
- GoLISMERO.py -t site.com -c
- GoLISMERO.py -t site.com -c -A links -x
- GoLISMERO.py -t site.com -m -c -A links -o results.html -F html -x
- GoLISMERO.py -t site.com -c -A links -o wfuzz_script.sh -F wfuzz
- GoLISMERO.py -t site.com -A links --no-css --no-script --no-images --no-mail -c -x
or GoLISMERO.py -t site.com -A links -nc -ns -ni -nm
or GoLISMERO.py -t site.com -A links --no-all
or GoLISMERO.py -t site.com -A links -na
For more examples you can see EXAMPLES.txt
'''
# Parameters
PARAMETERS=cParams()
def Credits():
print ""
print "%s - The Web Knife." % (__prog__)
print ""
print "Daniel Garcia Garcia - dani@iniqua.com | dani@estotengoqueprobarlo.es"
print ""
#
# Comienzo del programa
#
if __name__ == '__main__':
Credits()
#En caso de que se haya introducido una pagina, navegamos a esta URL e iniciamos el proceso de investigacion
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, epilog=__examples__)
parser.add_argument('-R', action='store', dest='recursivity', help='recursivity level of spider. Default=0', default = 0)
parser.add_argument('-t', action='store', dest='target', help='target web site.')
parser.add_argument('-o', action='store', dest='output', help='output file.', default = None)
parser.add_argument('-F', action='store', dest='format', help='output format. "scripting" is perfect to combine with awk,cut,grep.... default=text', choices = ['text','html','csv','xml','scripting','wfuzz'], default = 'text')
parser.add_argument('-A', action='store', dest='scan', help='Scan only forms, only links or both. Default=all', choices = ['all','forms','links'], default = 'all')
parser.add_argument('-V', action='store_true', help='Show version.')
parser.add_argument('-c', action='store_true', help='colorize output. Default=No')
parser.add_argument('-x','--search-vulns', action='store_true', help='looking url potentially dangerous and bugs. As default not selected')
parser.add_argument('-m','--compat-mode', action='store_true', help='show results as compact format. As default not selected.')
parser.add_argument('-na','--no-all', action='store_true', help='implies no-css, no-script, no-images and no-mail. As default not selected.')
parser.add_argument('-nc','--no-css', action='store_true', help='don\'t get css links. As default not selected.')
parser.add_argument('-ns','--no-script', action='store_true', help='don\'t get script links. As default not selected.')
parser.add_argument('-ni','--no-images', action='store_true', help='don\'t get images links. As default not selected.')
parser.add_argument('-nm','--no-mail', action='store_true', help='don\'t get mails (mailto: tags). As default not selected.')
parser.add_argument('-nl','--no-unparam-links', action='store_true', help='don\'t get links that have not parameters. As default not selected.')
parser.add_argument('-l','--long-summary', action='store_true', help='detailed summary of process. As default not selected.')
parser.add_argument('-us','--http-auth-user', action='store', dest='http_auth_user', help='set http authenticacion user. As default is empty.', default = None)
parser.add_argument('-ps','--http-auth-pass', action='store', dest='http_auth_pass', help='set http authenticacion pass. As default not empty.', default = None)
parser.add_argument('-C','--cookie', action='store', dest='cookie', help='set custom cookie. As default is empty.', default = None)
parser.add_argument('-P','--proxy', action='store', dest='proxy', help='set proxy, as format: IP:PORT. As default is empty.', default = None)
parser.add_argument('-U','--update', action='store_true', help='update Golismero.')
parser.add_argument('-f','--finger', action='store', dest='finger', help='fingerprint web aplication. As default not selected. (not implemented yet) ', default = None)
parser.add_argument('--follow', action='store_true', help='follow redirect. As default not redirect.')
P = parser.parse_args()
if P.update is True:
print "[i] Updating..."
update()
print ""
exit(0)
# Asociamos variable globales
PARAMETERS.RECURSIVITY = P.recursivity
PARAMETERS.OUTPUT_FILE = P.output
PARAMETERS.TARGET = P.target
PARAMETERS.SHOW_TYPE = P.scan
PARAMETERS.SUMMARY= P.long_summary
PARAMETERS.COLOR = P.c
PARAMETERS.OUTPUT_FILE = P.output
PARAMETERS.OUTPUT_FORMAT = P.format
PARAMETERS.IS_NCSS = P.no_css
PARAMETERS.IS_NJS = P.no_script
PARAMETERS.IS_NIMG = P.no_images
PARAMETERS.IS_NMAIL = P.no_mail
PARAMETERS.PROXY = P.proxy
PARAMETERS.COOKIE = P.cookie
PARAMETERS.AUTH_USER = P.http_auth_user
PARAMETERS.AUTH_PASS = P.http_auth_pass
PARAMETERS.IS_N_PARAMS_LINKS = P.no_unparam_links
PARAMETERS.COMPACT = P.compat_mode
PARAMETERS.FOLLOW = P.follow
PARAMETERS.VERSION = P.V
PARAMETERS.VULNS = P.search_vulns
# Mostrar version
if PARAMETERS.VERSION is True:
print "%s version is '%s'" % (__prog__, __version__)
print ""
exit(0)
# Marcamos todos los "no"
if P.no_all is True:
PARAMETERS.IS_NCSS = True
PARAMETERS.IS_NJS = True
PARAMETERS.IS_NIMG = True
PARAMETERS.IS_NMAIL = True
try:
GoLISMERO_Main(PARAMETERS)
except IOError,e:
print ""
print str(e)
print ""
sys.exit(1)
# Mostrar resultados
ShowScreenResults(PARAMETERS)
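Review bot: The `except IOError` handler near the end of the `__main__` block calls `sys.exit(1)`, but this file only does `from sys import exit`; unless one of the star imports happens to export `sys`, the error path raises NameError instead of exiting, and `exit(1)` would match the rest of the file. The `-R` option is declared without `type=int`, so a value given on the command line reaches `PARAMETERS.RECURSIVITY` as a string while the default is the integer 0; adding `type=int` to that `add_argument` call keeps it one type. Separately, `-ps/--http-auth-pass` and `-C/--cookie` take the HTTP password and session cookie as command-line arguments, where they are visible in process listings and shell history; the help text should say so, or the values should be readable from a prompt or a file.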
#!/usr/bin/python
'''
GoLISMERO - Simple web analisis
Copyright (C) 2011 Daniel Garcia | dani@estotengoqueprobarlo.es
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
'''
from xml.dom.minidom import parse
from libs.io_net import *
from libs.io_functions import *
from libs.checks import *
from libs.spider import *
from libs.Data import *
from libs.vulns import *
class GoLink:
'''
Store link info and parameters
'''
url = None
params = []
class GoLinkParam:
'''
Store info for each simple links
'''
name = None
value = None
class GoForm:
'''
Store form info as name, action and method. Also include params, if it have.
'''
name = None
action = None
method = None
params = []
class GoFormParam:
'''
Store params for each form
'''
name = None
value = None
type = None
class GoFingerprint:
'''
Store fingerprint info.
'''
probability = None
framework = None
class GoLISMERO_DATA:
'''
This class store info loaded from xml results generated for GoLISMERO
'''
site = None
links = []
forms = []
fingerprint = None
def __str__(self):
R = ""
try:
R += self.site + "\n"
# Links
for i in self.links:
url = i.url
if url is None:
url = "unknown"
R += "|=" + url + "\n"
if i.params is not None and len(i.params) > 0:
for p in i.params:
name = p.name
value = p.value
if name == None:
name = "unknown"
if value == None:
value = "unknown"
R += "|--" + name + "=" + value + "\n"
# Forms
for f in self.forms:
name = f.name
method = f.method
action = f.action
if name == None:
name = "not named"
if method == None:
method = "unknown"
if action == None:
action = "unknown"
R += "|=" + name + ": method=" + method + "|" + action + "\n"
if f.params is not None and len(f.params) > 0:
for fp in f.params:
type = fp.type
name = fp.name
value = fp.value
if type == None:
type = "unknown"
if name == None:
name = "unknown"
if value == None:
value = "unknown"
R += "|--(" + type + ")" + name + "=" + value + "\n"
# Fingerprint
if self.fingerprint is not None:
R += "|= Application: " + self.fingerprint.framework + "as probability: " + self.fingerprint.probability + "\n"
except:
return R
return R
def loadGoLISMEROXML(self,file):
'''
Open and load info from a XML file generated of GoLISMERO
'''
dom = parse(file)
g = GoLISMERO_DATA()
for node in dom.getElementsByTagName("golismero"):
for s in node.getElementsByTagName("site"):
self.site = s.attributes['url'].value
# recuperamos los enlaces
for l in dom.getElementsByTagName("link"):
l_l = GoLink()
l_l.url = l.attributes['url'].value
# Busqueda de atributos
for a in l.getElementsByTagName("param"):
p = GoLinkParam()
p.name = a.attributes['name'].value
p.value = a.attributes['value'].value
l_l.params.append(p)
self.links.append(l_l)
# recuperamos los enlaces
for f in dom.getElementsByTagName("form"):
l_f = GoForm()
l_f.action = f.attributes['name'].value
l_f.action = f.attributes['action'].value
l_f.method = f.attributes['method'].value
# Busqueda de atributos
for a in f.getElementsByTagName("param"):
p = GoFormParam()
p.name = a.attributes['name'].value
p.type = a.attributes['type'].value
p.value = a.attributes['value'].value
l_f.params.append(p)
self.forms.append(l_f)
# Fingerprint
for fp in dom.getElementsByTagName("fingerprint"):
l_fp = GoFingerprint()
l_fp.framework = fp.attributes['framework'].value
l_fp.probability = fp.attributes['probability'].value
self.fingerprint = l_fp
#
# Parametros de la linea de comandos
#
class cParams:
'''
Command line parameters data store. Necesary for call GoLISMERO.
'''
def __init__(self):
# Parametros de entrada
self.RECURSIVITY = 0
self.OUTPUT_FILE = None # Fichero con los resultados
self.TARGET = None
self.SHOW_TYPE= None
self.COLOR = False
self.OUTPUT_FILE=None
self.OUTPUT_FORMAT=None
self.IS_NCSS=False
self.IS_NJS=False
self.IS_NIMG=False
self.IS_NMAIL=False
self.IS_N_PARAMS_LINKS = False
self.COMPACT = False
self.FOLLOW = False
self.VERSION = False
self.VULNS = False
self.VULNS_DATA = None # Array que contiene todas la vulnerabilidades cargadas de los ficheros
self.RESULTS = ""
self.SUMMARY=False
self.DOMAIN=None
self.PROTOCOL=None
self.PROXY=None
self.COOKIE=None
self.AUTH_USER=None
self.AUTH_PASS=None
def GoLISMERO_Main(PARAMETERS):
'''
Start point to call GoLISMERO. It returns results in var "RESULTS" of object passed as parameters.
@param PARAMETERS: an objecto of type cParams that contain all params for GoLISMERO execution.
@return: None
'''
if PARAMETERS.TARGET is None:
raise IOError("You mush specify a target (-t).")
# Mostrar version
if PARAMETERS.VERSION is True:
raise IOError("Function not allowed on api call.")
# Comprobamos opciones de autenticacion
if (PARAMETERS.AUTH_USER is not None and PARAMETERS.AUTH_PASS is None) or (PARAMETERS.AUTH_USER is None and PARAMETERS.AUTH_PASS is not None):
raise IOError("[!] If you want authentication you need to expecify authentication type.")
elif PARAMETERS.AUTH_USER is not None and PARAMETERS.AUTH_PASS is not None:
# Comprobamos que la autenticacion con el usuario y password funciona
if checkAuthCredentials(PARAMETERS.TARGET, PARAMETERS.PROXY, PARAMETERS.AUTH_USER, PARAMETERS.AUTH_PASS) is False:
raise IOError("[!] User or password are not correct and can't connect to target.")
# Check proxy
if PARAMETERS.PROXY is not None:
if isCheckProxy(PARAMETERS.PROXY) is False:
raise IOError("[!] Proxy format are not correct.")
# Si se tienen que buscar vulnerabilidades se cargan los ficheros
if PARAMETERS.VULNS is not None:
PARAMETERS.VULNS_DATA = loadVulnsFiles()
PARAMETERS.TARGET = PrepareURL(PARAMETERS.TARGET)
PARAMETERS.DOMAIN = getDomain(PARAMETERS.TARGET)
PARAMETERS.PROTOCOL = getProtocol(PARAMETERS.TARGET)
# Crear fichero de salida, si procede
MakeFileResults(PARAMETERS)
# Ejecucion principal
spider(PARAMETERS)
# Write results to file
if PARAMETERS.OUTPUT_FILE is not None:
writeToFile(PARAMETERS)
\ No newline at end of file
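Review bot: `GoLink.params`, `GoForm.params`, `GoLISMERO_DATA.links` and `GoLISMERO_DATA.forms` are class-level lists, so `l_l.params.append(p)`, `l_f.params.append(p)` and `self.links.append(l_l)` in `loadGoLISMEROXML` mutate one list shared by every instance, and each link or form ends up carrying the parameters of all the others; each class needs an `__init__` that sets `self.params = []` (respectively `self.links = []` and `self.forms = []`). In the form loop the first assignment stores the `name` attribute in `l_f.action` and is overwritten on the next line; it should read `l_f.name = f.attributes['name'].value`. In `GoLISMERO_Main`, `if PARAMETERS.VULNS is not None:` is always true because `cParams` initialises `VULNS` to `False`, so the vulnerability files are loaded even without `-x`; `if PARAMETERS.VULNS:` matches the comment above it. `loadGoLISMEROXML` also passes the file straight to `xml.dom.minidom.parse`, which is not hardened against maliciously constructed XML, so its docstring should state that only result files from a trusted source may be loaded.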
File added
File added
"""Beautiful Soup
Elixir and Tonic
"The Screen-Scraper's Friend"
http://www.crummy.com/software/BeautifulSoup/
Beautiful Soup uses a plug-in parser to parse a (possibly invalid) XML
or HTML document into a tree representation. The parser does the work
of building a parse tree, and Beautiful Soup provides provides methods
and Pythonic idioms that make it easy to navigate, search, and modify
the parse tree.
Beautiful Soup works with Python 2.6 and up. It works better if lxml
or html5lib is installed.
For more than you ever wanted to know about Beautiful Soup, see the
documentation:
http://www.crummy.com/software/BeautifulSoup/documentation.html
"""
__author__ = "Leonard Richardson (leonardr@segfault.org)"
__version__ = "4.0.0b"
__copyright__ = "Copyright (c) 2004-2011 Leonard Richardson"
__license__ = "MIT"
__all__ = ['BeautifulSoup']
import re
from .builder import builder_registry
from .dammit import UnicodeDammit
from .element import DEFAULT_OUTPUT_ENCODING, NavigableString, Tag
class BeautifulSoup(Tag):
"""
This class defines the basic interface called by the tree builders.
These methods will be called by the parser:
reset()
feed(markup)
The tree builder may call these methods from its feed() implementation:
handle_starttag(name, attrs) # See note about return value
handle_endtag(name)
handle_data(data) # Appends to the current data node
endData(containerClass=NavigableString) # Ends the current data node
No matter how complicated the underlying parser is, you should be
able to build a tree using 'start tag' events, 'end tag' events,
'data' events, and "done with data" events.
If you encounter an empty-element tag (aka a self-closing tag,
like HTML's <br> tag), call handle_starttag and then
handle_endtag.
"""
ROOT_TAG_NAME = u'[document]'
# If the end-user gives no indication which tree builder they
# want, look for one with these features.
DEFAULT_BUILDER_FEATURES = ['html']
# Used when determining whether a text node is all whitespace and
# can be replaced with a single space. A text node that contains
# fancy Unicode spaces (usually non-breaking) should be left
# alone.
STRIP_ASCII_SPACES = {9: None, 10: None, 12: None, 13: None, 32: None, }
def __init__(self, markup="", features=None, builder=None,
parse_only=None, from_encoding=None):
"""The Soup object is initialized as the 'root tag', and the
provided markup (which can be a string or a file-like object)
is fed into the underlying parser."""
if builder is None:
if isinstance(features, basestring):
features = [features]
if features is None or len(features) == 0:
features = self.DEFAULT_BUILDER_FEATURES
builder_class = builder_registry.lookup(*features)
if builder_class is None:
raise ValueError(
"Couldn't find a tree builder with the features you "
"requested: %s. Do you need to install a parser library?"
% ",".join(features))
builder = builder_class()
self.builder = builder
self.is_xml = builder.is_xml
self.builder.soup = self
self.parse_only = parse_only
self.reset()
if hasattr(markup, 'read'): # It's a file-type object.
markup = markup.read()
self.markup, self.original_encoding, self.declared_html_encoding = (
self.builder.prepare_markup(markup, from_encoding))
try:
self._feed()
except StopParsing:
pass
# Clear out the markup and the builder so they can be CGed.
self.markup = None
self.builder.soup = None
self.builder = None
def _feed(self):
# Convert the document to Unicode.
self.builder.reset()
self.builder.feed(self.markup)
# Close out any unfinished strings and close all the open tags.
self.endData()
while self.currentTag.name != self.ROOT_TAG_NAME:
self.popTag()
def reset(self):
Tag.__init__(self, self, self.builder, self.ROOT_TAG_NAME)
self.hidden = 1
self.builder.reset()
self.currentData = []
self.currentTag = None
self.tagStack = []
self.pushTag(self)
def popTag(self):
tag = self.tagStack.pop()
#print "Pop", tag.name
if self.tagStack:
self.currentTag = self.tagStack[-1]
return self.currentTag
def pushTag(self, tag):
#print "Push", tag.name
if self.currentTag: