Exploit template enhancement

Merge remote-tracking branch 'mirror/master'
SQLi improvement
2025-12-14 12:51:41 +01:00 · 2025-12-08 15:32:39 +01:00 · 2025-12-08 14:34:23 +01:00 · 2025-12-08 14:34:23 +01:00 · 2025-12-08 14:34:23 +01:00 · 2025-12-08 13:28:17 +01:00
14 changed files with 3987 additions and 1178 deletions
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ Can be deployed on victim machines to scan the intranet.
 - dnsserver.py: Create a temporary dns server responding dynamically to basic DNS requests (in-memory)
 - sshserver.py: Create a temporary ssh server to intercept credentials (TODO: relay) (in-memory)
 - smtpserver.py: Create a temporary smtp server (in-memory)
- ftpserver.py: Create a temporary ftp server (in-memory, thanks to @thanks to [@benzammour](https://github.com/benzammour))
+- ftpserver.py: Create a temporary ftp server (in-memory, thanks to [@benzammour](https://github.com/benzammour))
 - template.py: Creates a template for web exploits, similar to pwnlib's template
 - pcap_file_extract.py: Lists and extracts files from http connections found in pcap files
 - find_git_commit.py: Compares a local repository (e.g. downloaded from a remote server) with another git repository to guess the commit hash. Useful to find used versions
--- a/BIN
+++ b/BIN
--- a/BIN
+++ b/BIN
--- a/git-dumper.py
+++ b/git-dumper.py
@@ -530,7 +530,7 @@ if __name__ == '__main__':
                                     description='Dump a git repository from a website.')
    parser.add_argument('url', metavar='URL',
                        help='url')
-    parser.add_argument('directory', metavar='DIR',
+    parser.add_argument('--directory', metavar='DIR', default=None, type=str,
                        help='output directory')
    parser.add_argument('--proxy',
                        help='use the specified proxy')
@@ -577,6 +577,13 @@ if __name__ == '__main__':
            parser.error('invalid proxy')
    # output directory
    if args.directory is None:
        parsed_url = urllib.parse.urlparse(args.url)
        if not parsed_url or not parsed_url.hostname:
            parser.error('no output directory given and cannot derive from URL')
        else:
            args.directory = parsed_url.hostname
    if not os.path.exists(args.directory):
        os.makedirs(args.directory)
--- a/linpeas.sh
+++ b/linpeas.sh
--- a/sqli.py
+++ b/sqli.py
@@ -5,12 +5,14 @@ import string
 class SQLi(ABC):
    @staticmethod
-    def build_query(column: str|list, table=None, condition=None, offset=None):
+    def build_query(column: str|list, table=None, condition=None, offset=None, limit=1):
-        column = column if isinstance(column, str) else ",".join(column)
+        query = "SELECT "
-        condition = "" if not condition else f" WHERE {condition}"
+        query += column if isinstance(column, str) else ",".join(column)
-        offset = "" if offset is None else f" OFFSET {offset}"
+        query += "" if not table else f" FROM {table}"
-        table = "" if not table else f" FROM {table}"
+        query += "" if not condition else f" WHERE {condition}"
-        return f"SELECT {column}{table}{condition} LIMIT 1{offset}"
+        query += "" if limit is None else f" LIMIT {limit}"
        query += "" if offset is None or limit is None else f" OFFSET {offset}"
        return query
    def extract_multiple_ints(self, column: str, table=None, condition=None, verbose=False):
        row_count = self.extract_int(f"COUNT({column})", table=table, condition=condition, verbose=verbose)
@@ -34,9 +36,11 @@ class SQLi(ABC):
        return rows
-    @abstractmethod
+    def substring(self, what, offset: int, size: int):
-    def ascii(self):
+        return f"substr({what},{offset},{size})"
-        pass
+
    def ascii(self, what):
        return f"ascii({what})"
    @abstractmethod
    def extract_int(self, column: str, table=None, condition=None, 
@@ -153,6 +157,25 @@ class ReflectedSQLi(SQLi, ABC):
        return rows
    @classmethod
    def guess_reflected_columns(cls, callback):
        data = None
        column_count = 1
        while data is None:
            query_columns = list(map(lambda c: f"'column-{c}-sqli'", range(column_count)))
            query_str = cls.build_query(query_columns)
            data = callback(query_str) # should return some kind of text for a given query
            if not data:
                column_count += 1
                continue
        reflected_columns = []
        for c in range(column_count):
            column_name = f"'column-{c}-sqli'"
            reflected_columns.append(str if column_name in data else None) # how to guess the type (str/int)?
        return reflected_columns
    # todo: extract_multiple with columns as dict (name -> type), e.g. extract_multiple({"id": int, "name": str})
 class BlindSQLi(SQLi, ABC):
@@ -206,7 +229,7 @@ class BlindSQLi(SQLi, ABC):
        cur_str = ""
        while True:
            found = False
-            cur_column = self.ascii() + f"(substr({column},{len(cur_str) + 1},1))"
+            cur_column = self.ascii(self.substring(column, len(cur_str) + 1, 1))
            if charset:
                query = self.build_query(cur_column, table, condition, offset)
                for c in charset:
@@ -234,7 +257,6 @@ class BlindSQLi(SQLi, ABC):
        return cur_str
 class PostgreSQLi(SQLi, ABC):
    def get_database_version(self, verbose=False):
        return self.extract_string("VERSION()", verbose=verbose)
@@ -254,9 +276,6 @@ class PostgreSQLi(SQLi, ABC):
                                             f"table_schema='{schema}' AND table_name='{table}'",
                                             verbose=verbose)
    def ascii(self):
        return "ascii"
 class MySQLi(SQLi, ABC):
    def get_database_version(self, verbose=False):
        return self.extract_string("VERSION()", verbose=verbose)
@@ -276,10 +295,6 @@ class MySQLi(SQLi, ABC):
                                             f"table_schema='{schema}' AND table_name='{table}'",
                                             verbose=verbose)
    def ascii(self):
        return "ascii"
 class SQLitei(SQLi, ABC):
    def get_database_version(self, verbose=False):
        return self.extract_string("sqlite_version()", verbose=verbose)
@@ -298,5 +313,5 @@ class SQLitei(SQLi, ABC):
        # TODO: we could query the "sql" column and parse it using regex
        raise Exception("Not implemented!")
-    def ascii(self):
+    def ascii(self, what):
-        return "unicode"
+        return f"unicode({what})"
--- a/subdomainFuzz.sh
+++ b/subdomainFuzz.sh
@@ -14,13 +14,19 @@ fi
 DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||')
-
+if [ $# -lt 2 ]; then
-echo "[ ] Resolving IP-Address…"
+  echo "[ ] Resolving IP-Address…"
-output=$(resolveip $DOMAIN 2>&1)
+  output=$(resolveip $DOMAIN 2>&1)
-status=$(echo $?)
+  status=$(echo $?)
-if ! [[ $status == 0 ]] ; then
+  if ! [[ $status == 0 ]] ; then
-  echo "[-] ${output}"
+    echo "[-] ${output}"
-  exit
+    exit
  fi
  IP_ADDRESS=$(echo $output | head -n 1 |  awk '{print $NF}')
  echo "[+] IP-Address: ${IP_ADDRESS}"
 else
  IP_ADDRESS=$2
  echo "[+] Using IP-Address: ${IP_ADDRESS}"
 fi
 function sni () {
@@ -37,17 +43,15 @@ function sni () {
  echo $sni
 }
 IP_ADDRESS=$(echo $output | head -n 1 |  awk '{print $NF}')
 echo "[+] IP-Address: ${IP_ADDRESS}"
 echo "[ ] Retrieving default site…"
 rnd=$(uuidgen)
 sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN})
 charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
 charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m)
 charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m)
 charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
 echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
 echo "[ ] Fuzzing…"
 (set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
  -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-  -u "${PROTOCOL}://${DOMAIN}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
+  -u "${PROTOCOL}://${DOMAIN}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
--- a/template.py
+++ b/template.py
@@ -1,23 +1,40 @@
 #!/usr/bin/env python
 import re
 import sys
 import json
 import argparse
 import urllib.parse
 def generate_template(base_url, features):
-    ip_address = "util.get_address()"
+    # we could all need that
-    for feature in features:
+    imports = [
-        if feature.lower().startswith("ip_address="):
+        "os", "io", "re", "sys",
-            ip_address = "'" + feature.split("=")[1] + "'"
+        "json", "time", "base64", "requests",
        "subprocess", "urllib.parse"
    ]
    partial_imports = {
        "bs4": ["BeautifulSoup"],
        "hackingscripts": ["util", "rev_shell"],
        "urllib3.exceptions": ["InsecureRequestWarning"]
    }
    main_code = []
    methods = []
    ip_address_arg = next(filter(lambda f: re.match(r"ip_address=(.*)", f), features), None)
    ip_address = "util.get_address()" if not ip_address_arg else "'" + ip_address_arg[1] + "'"
    variables = {
        "IP_ADDRESS": ip_address, 
-        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"',
+        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
        "PROXIES": json.dumps({"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"})
    }
-    if "proxies" in features or "burp" in features:
+    proxy_arg = next(filter(lambda f: re.match(r"proxy=(.*)", f), features), None)
    if proxy_arg or "burp" in features:
        proxy_url = "http://127.0.0.1:8080" if not proxy_arg else proxy_arg[1]
        variables["PROXIES"] = json.dumps({"http": proxy_url, "https": proxy_url})
        proxy = """
    if \"proxies\" not in kwargs:
        kwargs[\"proxies\"] = PROXIES
@@ -34,8 +51,8 @@ def generate_template(base_url, features):
    else:
        vhost_param = ""
        full_url = "BASE_URL + uri"
-
+        
-    request_method = f"""def request(method, uri{vhost_param}, **kwargs):
+    methods.insert(0, f"""def request(method, uri{vhost_param}, **kwargs):
    if not uri.startswith("/") and uri != "":
        uri = "/" + uri
@@ -52,25 +69,12 @@ def generate_template(base_url, features):
    {proxy}
    url = {full_url}
    return client.request(method, url, **kwargs)
 """
    methods = [request_method]
    if "login" in features or "account" in features:
        variables["USERNAME"] = '"Blindhero"'
        variables["PASSWORD"] = '"test1234"'
        methods.append("""
 def login(username, password):
    session = requests.Session()
    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
    if res.status_code != 200:
        print("[-] Error logging in")
        exit()
    return session
 """)
    if "register" in features or "account" in features:
        main_code.append("""if not register(USERNAME, PASSWORD):
        exit(1)
 """)
        variables["USERNAME"] = '"Blindhero"'
        variables["PASSWORD"] = '"test1234"'
        methods.append("""
@@ -83,11 +87,71 @@ def register(username, password):
    return True
 """)
-    main = """
+    if "login" in features or "account" in features:
        main_code.append("""session = login(USERNAME, PASSWORD)
    if not session:
        exit(1)
 """)
        variables["USERNAME"] = '"username"'
        variables["PASSWORD"] = '"password"'
        methods.append("""
 def login(username, password):
    session = requests.Session()
    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
    if res.status_code != 200:
        print("[-] Error logging in")
        exit()
    return session
 """)
    if "sqli" in features:
        partial_imports["hackingscripts.sqli"] = ["MySQLi", "PostgreSQLi", "BlindSQLi", "ReflectedSQLi"]
        methods.append("""
 class ReflectedSQLiPoC(MySQLi, ReflectedSQLi):
    def __init__(self):
        # TODO: specify reflected columns with their types
        super().__init__([None, str, int])
    def reflected_sqli(self, columns: list, table=None, condition=None, offset=None, verbose=False):
        # TODO: build query and extract columns from response
        return None
 """)
        methods.append("""
 class BlindSQLiPoC(MySQLi, BlindSQLi):
    def blind_sqli(self, condition: str, verbose=False) -> bool:
        # TODO: build query and evaluate condition
        return False
 """)
        main_code.append("""poc = ReflectedSQLiPoC()
    print(poc.get_current_user())  
 """)
    if "http-server" in features or "file-server" in features:
        partial_imports["hackingscripts.fileserver"] = ["HttpFileServer"]
        main_code.append("""file_server = HttpFileServer("0.0.0.0", 3000)
    file_server.enableLogging()
    file_server.addRoute("/dynamic", on_request)
    file_server.addFile("/static", b"static-content")
    file_server.startBackground()
 """)
        methods.append("""
 def on_request(req):
    # TODO: auto generated method stub
    return 200, b"", { "X-Custom-Header": "1" }     
 """)
    if len(main_code) == 0:
        main_code = ["pass"]
    main = f"""
 if __name__ == "__main__":
-    pass
+    {'\n    '.join(main_code)}
 """
    imports = "\n".join(f"import {i}" for i in sorted(imports, key=len))
    imports += "\n" + "\n".join(sorted(list(f"from {p} import {', '.join(i)}" for p, i in partial_imports.items()), key=len))
    variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
    header = f"""#!/usr/bin/env python
@@ -96,21 +160,7 @@ if __name__ == "__main__":
 # For more information, visit: https://git.romanh.de/Roman/HackingScripts
 # 
-import os
+{imports}
 import io
 import re
 import sys
 import json
 import time
 import base64
 import requests
 import subprocess
 import urllib.parse
 from bs4 import BeautifulSoup
 from hackingscripts import util, rev_shell
 from hackingscripts.fileserver import HttpFileServer
 from hackingscripts.sqli import MySQLi, PostgreSQLi, BlindSQLi, ReflectedSQLi
 from urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 {variables}
@@ -121,14 +171,38 @@ requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 if __name__ == "__main__":
-    if len(sys.argv) < 2:
+    parser = argparse.ArgumentParser(
-        print("Usage: %s <URL> [features]" % sys.argv[0])
+        description="Exploit Template for web attacks",
-        exit()
+        formatter_class=argparse.RawTextHelpFormatter
    )
-    url = sys.argv[1]
+    available_features = [
        "ip_address=[...]: Local IP-Address for reverse connections",
        "burp|proxy=[...]: Tunnel traffic through a given proxy or Burp defaults",
        "subdomain|vhost: Allow to specify a subdomain for outgoing requests",
        "register|account: Generate an account registration method stub",
        "login|account: Generate an account login method stub",
        "sqli: Generate an template SQL-Injection class",
        "http-server|file-server: Generate code for starting an in-memory http server"
    ]
    parser.add_argument("url", type=str, help="Target URL")
    parser.add_argument(
        "-f",
        "--features",
        nargs="*",
        type=str,
        default=[],
        help="Optional list of features:\n- " + "\n- ".join(available_features)
    )
    args = parser.parse_args()
    url = args.url
    if "://" not in url:
        url = "http://" + url
-    features = [] if len(sys.argv) < 3 else sys.argv[2].split(",")
+    features = args.features
    template = generate_template(url, features)
    print(template)
--- a/util.py
+++ b/util.py
@@ -135,6 +135,9 @@ def assert_json_path(res, path, value, err=None):
    json_data = json.loads(res.text)
    for key in filter(None, path.split(".")):
        match = re.match(r"\[([0-9]+)\]", key)
        if match:
            key = int(match[1])
        json_data = json_data[key]
    if json_data == value:
--- a/win/chisel.exe
+++ b/win/chisel.exe
--- a/win/chisel64.exe
+++ b/win/chisel64.exe
--- a/win/winPEAS.bat
+++ b/win/winPEAS.bat
@@ -69,57 +69,62 @@ ECHO.
 CALL :T_Progress 2
 :ListHotFixes
-wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+where wmic >nul 2>&1
 if %errorlevel% equ 0 (
    wmic qfe get Caption,Description,HotFixID,InstalledOn | more
 ) else (
    powershell -command "Get-HotFix | Format-Table -AutoSize"
 )
 set expl=no
 for /f "tokens=3-9" %%a in ('systeminfo') do (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes)
 IF "%expl%" == "yes" ECHO.   [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2592799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3143141" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2393802" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB982799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB979683" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2305420" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB981957" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB4013081" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB977165" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB941693" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB920958" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB914389" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB908523" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB890859" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB842526" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB835732" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB841872" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2975684" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3136041" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3057191" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2989935" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2778930" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2850851" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2870008" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)
 ECHO.
 CALL :T_Progress 2
@@ -197,7 +202,12 @@ CALL :T_Progress 1
 :AVSettings
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
-WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 
+where wmic >nul 2>&1
 if %errorlevel% equ 0 (
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
 ) else (
    powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
 ) 
 ECHO.Checking for defender whitelisted PATHS
 reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 2>nul
 CALL :T_Progress 1
@@ -226,7 +236,12 @@ CALL :T_Progress 3
 :MountedDisks
 CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
-(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
+where wmic >nul 2>&1
 if %errorlevel% equ 0 (
    wmic logicaldisk get caption | more
 ) else (
    fsutil fsinfo drives
 )
 ECHO.
 CALL :T_Progress 1
@@ -273,15 +288,29 @@ tasklist /SVC
 ECHO.
 CALL :T_Progress 2
 ECHO.   [i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
-for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
+where wmic >nul 2>&1
-	for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
+if %errorlevel% equ 0 (
-		icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
 		for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
 			icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 		)
 	)
 ) else (
 	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
 		icacls "%%x" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 	)
 )
 ECHO.
 ECHO.   [i] Checking directory permissions of running processes (DLL injection)
-for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
+where wmic >nul 2>&1
-	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+if %errorlevel% equ 0 (
 	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
 		icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 	)
 ) else (
 	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
 		for /f "delims=" %%d in ("%%~dpx") do icacls "%%d" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 	)
 )
 ECHO.
 CALL :T_Progress 3
@@ -452,8 +481,19 @@ ECHO.
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
 ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
-for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
+where wmic >nul 2>&1
-    for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+if %errorlevel% equ 0 (
 	for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
 		for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 	)
 ) else (
 	for /f "tokens=*" %%a in ('powershell -command "Get-CimInstance -ClassName Win32_Service | Where-Object {$_.PathName -and $_.PathName -notlike '*system32*'} | Select-Object -ExpandProperty PathName"') do (
 		for /f "tokens=1 delims= " %%b in ("%%a") do (
 			set "svcpath=%%b"
 			set "svcpath=!svcpath:~1,-1!"
 			if exist "!svcpath!" icacls "!svcpath!" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 		)
 	)
 )
 ECHO.
 CALL :T_Progress 1
@@ -628,16 +668,29 @@ if "%long%" == "true" (
 	ECHO.
 	ECHO.   [i] Iterating through the drives
 	ECHO.
-	for /f %%x in ('wmic logicaldisk get name^| more') do (
+	where wmic >nul 2>&1
-		set tdrive=%%x
+	if !errorlevel! equ 0 (
-		if "!tdrive:~1,2!" == ":" (
+		for /f %%x in ('wmic logicaldisk get name ^| more') do (
-			%%x
+			set tdrive=%%x
-            CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
+			if "!tdrive:~1,2!" == ":" (
-	        findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
+				%%x
-            ECHO.
+				CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
-            CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+				findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
-            dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"  
+				ECHO.
-            ECHO.
+				CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
 				dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
 				ECHO.
 			)
 		)
 	) else (
 		for /f %%x in ('powershell -command "Get-PSDrive -PSProvider FileSystem | Where-Object {$_.Root -match ':'} | Select-Object -ExpandProperty Name"') do (
 			%%x:
 			CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
 			findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
 			ECHO.
 			CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
 			dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
 			ECHO.
 		)
 	)
 	CALL :T_Progress 2
@@ -654,7 +707,8 @@ EXIT /B
 :SetOnce
 REM :: ANSI escape character is set once below - for ColorLine Subroutine
-SET "E=0x1B["
+for /F %%a in ('echo prompt $E ^| cmd') do set "ESC=%%a"
 SET "E=%ESC%["
 SET "PercentageTrack=0"
 EXIT /B
@@ -666,5 +720,5 @@ EXIT /B
 :ColorLine
 SET "CurrentLine=%~1"
-FOR /F "delims=" %%A IN ('FORFILES.EXE /P %~dp0 /M %~nx0 /C "CMD /C ECHO.!CurrentLine!"') DO ECHO.%%A
+ECHO.!CurrentLine!
 EXIT /B
--- a/win/winPEAS.exe
+++ b/win/winPEAS.exe
--- a/win/winPEASx64.exe
+++ b/win/winPEASx64.exe
Author	SHA1	Message	Date
Roman Hergenreder	91dcd50350	Exploit template enhancement	2025-12-14 12:51:41 +01:00
Roman Hergenreder	75b845a74f	Merge remote-tracking branch 'mirror/master'	2025-12-08 15:32:39 +01:00
Roman Hergenreder	58329993e2	SQLi improvement	2025-12-08 14:34:23 +01:00
Roman Hergenreder	6b807eb828	SQLi: custom substr method	2025-12-08 14:34:23 +01:00
Roman Hergenreder	7088f50fa0	Subdomain Fuzz: static IP	2025-12-08 14:34:23 +01:00
Roman Hergenreder	b9cdecad77	SQLi improvement	2025-12-08 13:28:17 +01:00
Roman Hergenreder	43b1a0ebc6	SQLi: custom substr method	2025-12-08 12:35:56 +01:00
Roman Hergenreder	6cd353b911	Subdomain Fuzz: static IP	2025-12-08 12:35:30 +01:00
Roman	d89c0ccf64	Allow array indices for assert_json_path()	2025-12-05 12:23:57 +01:00
Roman Hergenreder	50750f5463	minor additions	2025-12-05 12:22:08 +01:00
Roman Hergenreder	93296c4172	Tool Update	2025-12-05 12:22:08 +01:00
Roman Hergenreder	a73847454f	minor additions	2025-12-05 09:21:33 +01:00
Roman Hergenreder	790b97f945	Tool Update	2025-12-05 09:18:44 +01:00
Roman	5f7e482895	Allow array indices for assert_json_path()	2025-08-01 12:36:30 +02:00
Roman Hergenreder	e0c14aad4c	README fixed	2025-04-27 12:08:41 +02:00