WebHacking: README, urllib2 scripts

Other_Hackings/README.md

@@ -17,3 +17,4 @@
 ## Useful lists
 
 - primes to 100k
+

Web_Security/OS_Command_Injection/README.md

@@ -10,11 +10,14 @@
 
 
 * For example for snippet:
+
 ```
 String cmd = new String("cmd.exe /K processReports.bat clientId=" + input.getValue("ClientId"));
 Process proc = Runtime.getRuntime().exec(cmd);
 ```
+
 For a client id equal **444**, we would have the following string:
+
 ```
 cmd.exe /K processReports.bat clientId=444
 ```
@@ -25,7 +28,7 @@ However, an attacker could run use the client id equal **444 && net user hacked
 cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 ```
 
-## Examples of Injectuon Payloads:
+## Examples of Injection Payloads:
 
 * Control characters and common attack strings:
 	- '-- SQL injection
@@ -39,7 +42,7 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 
 ## Fuzz Testing Web Applications
 
-* Focus on the relevant attack sruface of the web application.
+* Focus on the relevant attack surface of the web application.
 * Typically HTTP request parameters:
 	- QueryString
 	- POST data
@@ -49,10 +52,10 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 * Other entry points with request structures:
 	- XML web services
 	- WCF, GWT, AMF
-	- Remote Method Invoation (RMI)
+	- Remote Method Invocation (RMI)
 
 * Fixing injection flaws:
-	- Comphehensive, consistent server-side input validation
+	- Comprehensive, consistent server-side input validation
 	- User Safe command APIs
 	- Avoid concatenating strings passed to an interpreter
 	- Use strong data types in favor of strings

Web_Security/OS_Command_Injection/sqli_password_brute_force.py

@@ -1,8 +1,6 @@
 #!/usr/bin/python
 
-__author__ = "bt3gl"
+__author__ = "bt3"
-__email__ = "bt33gl@gmail.com"
-
 
 import requests
 import string

Web_Security/Phishing/README.md

@@ -6,6 +6,14 @@
 
 ## Tools
 
+
+
+### Cloning a Login Page
+
+```
+$ wget -U "Mozilla/5.0" -mkL http://facebook.com
+```
+
 ### Free Hostings:
 
 - http://www.my3gb.com/

Web_Security/README.md

@@ -1,14 +1,53 @@
 # Web Security
 
-* If a database is involved -->  SQL injection.
+## Folders:
 
-* If the input is used in the website --> XSS vulnerability.
+### urllib2
+
+- simple GET, POST, header, authentication scripts
+- Scanning CMS suites installations
+- Brute force directories and file locations
+- Brute force HTML form authentication
+
+### OS Command Injection
+
+- Brute force password
+
+### SQLi
+
+- Brute force password
+- Timed SQLi
+- Cookie force brute
 
 
+### PHP Shellcodes
+
+- php primer
+- xor
+- exploits
+
+### User ID
+- cookie auth
+- user id
+
+### Phishing
+
+- log.php
+
+
+### Scanners
+
+- heartbleed
+
+
+
+
+
+---
 
 ## Steps of web exploitation:
 
-1. Information Gathering
+### 1) Information Gathering
 
 * creation of dictionary: with **cewl.rb**/
 
@@ -22,9 +61,14 @@ $ wget -rck <TARGET-WEBSITE>
 
 * a search for other domains that are hosted on the same IP  (virtual host): with **revhosts**.
 
+* Tips:
+
+	* If a database is involved -->  SQL injection.
+
+	* If the input is used in the website --> XSS vulnerability.
 
 
-2. Automatic Testing (scanners)
+### 2) Automatic Testing (scanners)
 
 * Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/
 
@@ -37,11 +81,11 @@ $ wget -rck <TARGET-WEBSITE>
 * fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.
 
 
-3. Manual testing
+### 3. Manual testing
 
 * testing vulnerabilities: Burpproxy, ZAP, sitescope.
 
-* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
+* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Management Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
 
 * headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
 * fingerprinting to identify the architecture and configuration of the site: **httprint**.
@@ -83,15 +127,15 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
 ```
 
 
-* [My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html)
 
 ---
 ## How do You Hack a Web Application
 
-* Fuzz testing: what happens when unexpected data is sent into the application?
+* **Fuzz testing**: what happens when unexpected data is sent into the application?
-* Authentication testing: are authentication requirements always enforced?
+* **Authentication testing**: are authentication requirements always enforced?
-* Authorization testing: can authorization be bypassed?
+* **Authorization testing**: can authorization be bypassed?
-* Information disclosure: is information disclosed that might help compromise the application.
+* **Information disclosure**: is information disclosed that might help compromise the application.
+
 
 ### Web Testing Methodology:
 
@@ -103,37 +147,19 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
 	* Unprivileged/Privileged.
 
 - Identify key requests, functionality during crawl.
+
 - Use logs as input for fuzzing GET & POST parameters.
+
 - Use authenticated log to uncover unprotected resources.
-- Use privileged log to uncover resources withou proper authorization.
+
+- Use privileged log to uncover resources without proper authorization.
+
 - Analyze logs for other potential weakness.
 
 
-## Folders:
+---
 
-### OS Command Injection
+### When we have a Website/IP Address:
-
-
-### SQLi
-
-- Brute force password
-- Timed SQLi
-- Cookie force brute
-
-
-### PHP Shells
-
-- php primer
-- xor
-- exploits
-
-### User ID
-- cookie auth
-- user id
-
-### Other Resources
-
-#### When we have a Website/IP Address:
 
 - Try to add folders to the domain, such as http://csaw2014.website.com or http://key.website.com.
 
@@ -152,7 +178,7 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
 
 ## URLs
 
-#### Octal
+### Octal
 
 - Example: http://017700000001 --> 127.0.0.1
 
@@ -163,7 +189,7 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
 Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564)
 
 
-#### Great @
+### Great @
 
 - Everything between "http://" and "@" is completely irrelevant
 
@@ -260,11 +286,6 @@ Set-Cookie: SID=472ndsw;expires=DATE;path=/;domain=SITE,HttpOnly
 * Client sends Cookie header to server to continue session.
 
 
------
-## Tools
-
-- Burp Suite
-- FireBug] in Firefox
 
 
 ----
@@ -661,20 +682,12 @@ Authorization: Basic YWRtaW46YWRtaW4=
 </body>
 ```
 
-----
 
 
 
 
 -----------------
-[FireBug]: http://getfirebug.com/
-[Burp Suite]: http://portswigger.net/burp/
-[pngcheck]: http://www.libpng.org/pub/png/apps/pngcheck.html
-[karmadecay]: http://karmadecay.com/
-[tineye]:  https://www.tineye.com/
-[images.google.com]: https://images.google.com/?gws_rd=ssl
-[base64 decoding]: http://www.motobit.com/util/base64-decoder-encoder.asp
-[subbrute.py]: https://github.com/SparkleHearts/subbrute
-[pnginfo]: http://www.stillhq.com/pngtools/
-[namechk]: http://namechk.com
 
+## Other Tools
+* [FireBug](http://getfirebug.com/)
+* [Burp Suite](http://portswigger.net/burp/)

Web_Security/SQLi/README.md

@@ -94,7 +94,7 @@ http://www.website.com/info.php?id=10'
 
 If the website returns the following error:
 
-	You have an error in your SQL syntax...
+		You have an error in your SQL syntax...
 
 It means that this website is vulnerable to SQL.
 
@@ -204,7 +204,7 @@ $SQL = "SELECT * FROM users WHERE username='$name'";
 	- The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```.
 	- The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER.
 
-* Do not display explicit error messages that show the request or a part of the SQL request. They can helpfingerprint the RDBMS(MSSQL, MySQL).
+* Do not display explicit error messages that show the request or a part of the SQL request. They can help fingerprint the RDBMS(MSSQL, MySQL).
 
 * Erase user accounts that are not used (and default accounts).
 

Web_Security/SQLi/sqli_16_brute_force_password.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python
 
-__author__ = "bt3gl"
+__author__ = "bt3"
-__email__ = "bt33gl@gmail.com"
 
 import requests
 import string

Web_Security/SQLi/sqli_18_timed_SQLi.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python
 
-__author__ = "bt3gl"
+__author__ = "bt3"
-__email__ = "bt33gl@gmail.com"
 
 import requests
 import string

Web_Security/SQLi/sqli_COOKIE_brute.py

@@ -1,11 +1,9 @@
 #!/usr/bin/python
 
-__author__ = "bt3gl"
+__author__ = "bt3"
-__email__ = "bt33gl@gmail.com"
 
 import requests
 
-
 def brute_force_password(URL, PAYLOAD, MAXID):
 
     for i in range(MAXID):

Web_Security/Scanners/README.md

@@ -23,7 +23,7 @@ $ ./nikto.pl -h <IP> -p <PORT> -output <OUTPUT-FILE>
 
 ## [W3af](http://w3af.org/)
 
-* w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
+* w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
 
 * It's coded in Python.
 
@@ -31,7 +31,7 @@ $ ./nikto.pl -h <IP> -p <PORT> -output <OUTPUT-FILE>
 
 * It removes some of the headaches involved in manual web application testing through its Fuzzy and manual request generator feature.
 
-* It can be configured to run as a MITM proxy. The requests intercepted can be sent to the request generator and then manual web application testing can be perfomerd using variables parameters.
+* It can be configured to run as a MITM proxy. The requests intercepted can be sent to the request generator and then manual web application testing can be peperformedsing variables parameters.
 
 * It also has features to exploit the vulnerabilities that it finds. w3af supports detection of both simple and blind  OS commanding vulnerability.
 

Web_Security/urllib2/mapping_web_app_install.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+import urllib2
+import Queue
+import os
+import threading
+
+THREADS = 10
+TARGET = 'http://www.blackhatpython.com'
+# local directory into which we have downloaded and extracted the web app
+#DIRECTORY = '/home/User/Desktop/Joomla'
+#DIRECTORY = '/home/User/Desktop/wordpress'
+DIRECTORY = '/home/User/Desktop/drupal'
+# list of file extensions to not fingerprinting
+FILTERS = ['.jpg', '.gif', '.png', '.css']
+
+# each operation in the loop will keep executing until the web_paths
+# Queue is empty. on each iteration we grab a path from the queue, add it
+# to the target website's base path and then attempt to retrieve it
+def test_remote():
+    while not web_paths.empty():
+        path = web_paths.get()
+        url = '%s%s' % (TARGET, path)
+        request = urllib2.Request(url)
+
+        try:
+            response = urllib2.urlopen(request)
+            content = response.read()
+
+            # if we are successfully retrieving the file, the output HTTP status code
+            # and the full path for the file is printed
+            print '[%d] => %s' % (response.code, path)
+            response.close()
+
+        # if the file is not found or protected by .htaccess, error
+        except urllib2.HTTPError as error:
+            fail_count += 1
+            print "Failed" + str(error.code)
+
+
+if __name__ == '__main__':
+    os.chdir(DIRECTORY)
+    # queue object where we store files to locate in the remote server
+    web_paths = Queue.Queue()
+
+    # os.walk function walks through all the files and directories in the local
+    # web application directory. this builds the full path to the target files
+    # and test them against filter list to make sure we are looking for the
+    # files types we want. For each valid file we find, we add it to our
+    # web_paths Queue.
+    for r, d, f in os.walk('.'):
+        for files in f:
+            remote_path = '%s/%s' %(r, files)
+            if remote_path[0] == '.':
+                remote_path = remote_path[1:]
+            if os.path.splitext(files)[1] not in FILTERS:
+                web_paths.put(remote_path)
+
+
+    # create a number of threads that will be called the test_remote function
+    # it operates in a loop that keep executing untul the web_paths queue is
+    # empty.
+    for i in range(THREADS):
+        print 'Spawning thread: ' + str(i)
+        t = threading.Thread(target=test_remote)
+        t.start()

Web_Security/urllib2/simple_get.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+import urllib2
+
+def get(url):
+    msg = urllib2.urlopen(url)
+    print msg.read()
+
+def get_user_agent(url):
+    headers = {}
+    headers['User-Agent'] = 'Googlebot'
+
+    request = urllib2.Request(url, headers=headers)
+    response = urllib2.urlopen(request)
+
+    print response.read()
+    response.close()
+
+
+
+if __name__ == '__main__':
+    HOST = 'http://www.google.com'
+    get_user_agent(HOST)

Web_Security/user_id/sqli_19_cookie_auth.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python
 
-__author__ = "bt3gl"
+__author__ = "bt3"
-__email__ = "bt33gl@gmail.com"
 
 import requests
 

Web_Security/user_id/sqli_20_user_id_2.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python
 
-__author__ = "bt3gl"
+__author__ = "bt3"
-__email__ = "bt33gl@gmail.com"
 
 import requests