import framework # unique to module class Module(framework.module): def __init__(self, params): framework.module.__init__(self, params) self.register_option('source', 'db', 'yes', 'source of hosts for module input (see \'info\' for options)') self.register_option('validate', True, 'yes', 'validate known SQLi vulnerbility') self.info = { 'Name': 'GenericRestaurantMenu Vulnerability Page Finder and Validator', 'Author': 'Jay Turla (@shipcod3)', 'Description': 'Checks the hosts for possible GenericRestaurantMenu vulnerabilities', 'Comments': [ 'Source options: [ db | | ./path/to/file | query ]', 'Google Dork: inurl:"view.cfm?category_ID"', ] } def module_run(self): hosts = self.get_source(self.options['source']['value'], 'SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host') validate = self.options['validate']['value'] # check all hosts for GenericRestaurantMenu Menu Categories Editor Page, SQL Query Info Disclosure, and Possible SQLi Vulnerbility protocols = ['http', 'https'] cnt = 0 for host in hosts: for proto in protocols: url = '%s://%s/Menu/admin/' % (proto, host) try: resp = self.request(url, redirect=False) code = resp.status_code except KeyboardInterrupt: raise KeyboardInterrupt except: code = 'Error' if code == 200 and 'Menu Categories' in resp.text: self.alert('%s => %s. Menu Categories Editor Page Found!' % (url, code)) cnt += 1 if validate: vulncode = "%s://%s/menu/view.cfm?category_ID=1'" % (proto, host) try: resp = self.request(vulncode, redirect=False) code = resp.status_code except KeyboardInterrupt: raise KeyboardInterrupt except: code = 'Error' if code == 500 and 'Executing Database Query' in resp.text: self.alert('%s => %s. SQL Query Info Disclosure and Possible SQLi (boolean-based blind) Vulnerability Found!' % (vulncode, code)) cnt += 1 else: self.verbose('%s => %s' % (vulncode, code)) else: self.verbose('%s => %s' % (url, code)) self.output('%d possibly vulnerable pages found!' % (cnt))