WebHacking: README, urllib2 scripts

Mari Wahl 2014-12-29 13:06:07 -05:00
parent 54d8d02892
commit a36bde60b7
15 changed files with 209 additions and 99 deletions

View File

@ -17,3 +17,4 @@
## Useful lists
- primes to 100k
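Review bot: `- primes to 100k` under "## Useful lists" is a bare item with no link or path, while the other README sections point at the resource they name; link it to the file or URL where the list actually lives (a relative link to the file in the repo, if it is checked in) so the entry is usable.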

View File

@ -10,11 +10,14 @@
* For example for snippet:
```
String cmd = new String("cmd.exe /K processReports.bat clientId=" + input.getValue("ClientId"));
Process proc = Runtime.getRuntime().exec(cmd);
```
For a client id equal **444**, we would have the following string:
```
cmd.exe /K processReports.bat clientId=444
```
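Review bot: both fenced blocks in this hunk are untagged; tagging the first ```java and the second ```text makes the Java source highlight and keeps the rendered command visibly distinct from code. The snippet is the intended vulnerable "before" (the command is built by string concatenation from `input.getValue("ClientId")` and handed to `Runtime.getRuntime().exec(cmd)`), so a one-line pointer from here to the "Fixing injection flaws" list later in the file would tie the example to its remediation.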
@ -25,7 +28,7 @@ However, an attacker could run use the client id equal **444 && net user hacked
cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
```
## Examples of Injectuon Payloads:
## Examples of Injection Payloads:
* Control characters and common attack strings:
- '-- SQL injection
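Review bot: the context line in this hunk's header still reads "an attacker could run use the client id", a leftover from an earlier edit; drop "run" so it reads "an attacker could use the client id equal **444 && net user hacked hacked /add**" while the "Injection" typo is being fixed on the adjacent line.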
@ -39,7 +42,7 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
## Fuzz Testing Web Applications
* Focus on the relevant attack sruface of the web application.
* Focus on the relevant attack surface of the web application.
* Typically HTTP request parameters:
- QueryString
- POST data
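Review bot: "Typically HTTP request parameters" lists only QueryString and POST data in the visible lines; cookies and request headers (Host, Referer, User-Agent, X-Forwarded-For) are equally common injection inputs and belong in the same list, since a fuzzer scoped to query and body parameters alone will miss them.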
@ -49,10 +52,10 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
* Other entry points with request structures:
- XML web services
- WCF, GWT, AMF
- Remote Method Invoation (RMI)
- Remote Method Invocation (RMI)
* Fixing injection flaws:
- Comphehensive, consistent server-side input validation
- Comprehensive, consistent server-side input validation
- User Safe command APIs
- Avoid concatenating strings passed to an interpreter
- Use strong data types in favor of strings
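Review bot: `- User Safe command APIs` reads as a typo for "Use safe command APIs"; the sibling items ("Avoid concatenating…", "Use strong data types…") are imperatives, and the spelling pass in this hunk ("Comprehensive") is the natural place to fix it. It would also help to say what a safe command API means here: passing the program and each argument as separate elements (an argument array rather than one shell string), which is exactly the fix for the `Runtime.exec(cmd)` example earlier in the file.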

View File

@ -1,8 +1,6 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
__author__ = "bt3"
import requests
import string
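Review bot: the shebang stays `#!/usr/bin/python` here while the new scripts added in this commit use `#!/usr/bin/env python`; pick one form across the repo (`env` is the portable one). Replacing `__author__ = "bt3gl"` with `"bt3"` and dropping `__email__` is fine if the intent is to remove the contact address; just confirm that is deliberate, since it is the only attribution line with a way to reach the author.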

View File

Binary image file changed (58 B before, 58 B after).

View File

@ -6,6 +6,14 @@
## Tools
### Cloning a Login Page
```
$ wget -U "Mozilla/5.0" -mkL http://facebook.com
```
### Free Hostings:
- http://www.my3gb.com/
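Review bot: `wget -mkL` mirrors the whole site recursively (`-m` is shorthand for `-r -N -l inf --no-remove-listing`), which is broader than the heading "Cloning a Login Page" describes; either the heading or the flags should change so the text matches what the command does. The fence is untagged as well (```bash or ```console would match the `$`-prefixed prompt style), and "### Free Hostings:" carries a trailing colon that the other headings in the file do not.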

View File

@ -1,14 +1,53 @@
# Web Security
* If a database is involved --> SQL injection.
## Folders:
* If the input is used in the website --> XSS vulnerability.
### urllib2
- simple GET, POST, header, authentication scripts
- Scanning CMS suites installations
- Brute force directories and file locations
- Brute force HTML form authentication
### OS Command Injection
- Brute force password
### SQLi
- Brute force password
- Timed SQLi
- Cookie force brute
### PHP Shellcodes
- php primer
- xor
- exploits
### User ID
- cookie auth
- user id
### Phishing
- log.php
### Scanners
- heartbleed
---
## Steps of web exploitation:
1. Information Gathering
### 1) Information Gathering
* creation of dictionary: with **cewl.rb**/
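Review bot: the new "### PHP Shellcodes" heading renames what the removed section further down calls "PHP Shells"; PHP web shells (server-side pages that run commands) are not shellcode (machine-code payloads), so keep "PHP Shells". Two smaller points in the same hunk: `**cewl.rb**/` has a stray "/" after the closing bold marker, and "1. Information Gathering" becomes "### 1) Information Gathering" while the manual-testing step in a later hunk becomes "### 3. Manual testing"; pick one numbering form for the three step headings.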
@ -22,9 +61,14 @@ $ wget -rck <TARGET-WEBSITE>
* a search for other domains that are hosted on the same IP (virtual host): with **revhosts**.
* Tips:
* If a database is involved --> SQL injection.
* If the input is used in the website --> XSS vulnerability.
2. Automatic Testing (scanners)
### 2) Automatic Testing (scanners)
* Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/
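Review bot: `**ZAP**/` carries the same stray trailing "/" as `**cewl.rb**/` earlier; drop it. The two tips moved here ("If a database is involved…", "If the input is used…") sit at the same list level as "* Tips:", so they render as siblings rather than sub-items; indent them under the Tips bullet. They are coarse heuristics (a database behind the page suggests testing for SQLi, input echoed into the page suggests testing for XSS), and phrasing them as "test for" rather than "-->" would make that reading explicit.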
@ -37,11 +81,11 @@ $ wget -rck <TARGET-WEBSITE>
* fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.
3. Manual testing
### 3. Manual testing
* testing vulnerabilities: Burpproxy, ZAP, sitescope.
* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Management Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
* headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
* fingerprinting to identify the architecture and configuration of the site: **httprint**.
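Review bot: "### 3. Manual testing" does not match "### 1)" and "### 2)" from the previous hunks; use the same numbering form. In the long CMS line, "known vulnerabilities and **/** associated with it" contains a bold slash where a word was evidently dropped; restore the intended word or remove the marker rather than carrying it through the "Management" spelling fix unchanged.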
@ -83,15 +127,15 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
```
* [My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html)
---
## How do You Hack a Web Application
* Fuzz testing: what happens when unexpected data is sent into the application?
* Authentication testing: are authentication requirements always enforced?
* Authorization testing: can authorization be bypassed?
* Information disclosure: is information disclosed that might help compromise the application.
* **Fuzz testing**: what happens when unexpected data is sent into the application?
* **Authentication testing**: are authentication requirements always enforced?
* **Authorization testing**: can authorization be bypassed?
* **Information disclosure**: is information disclosed that might help compromise the application.
### Web Testing Methodology:
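Review bot: the bolded "Information disclosure" item still ends with a period while its three siblings are phrased as questions; end it with "?" ("…that might help compromise the application?") so the four items read as one checklist.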
@ -103,37 +147,19 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
* Unprivileged/Privileged.
- Identify key requests, functionality during crawl.
- Use logs as input for fuzzing GET & POST parameters.
- Use authenticated log to uncover unprotected resources.
- Use privileged log to uncover resources withou proper authorization.
- Use privileged log to uncover resources without proper authorization.
- Analyze logs for other potential weakness.
## Folders:
---
### OS Command Injection
### SQLi
- Brute force password
- Timed SQLi
- Cookie force brute
### PHP Shells
- php primer
- xor
- exploits
### User ID
- cookie auth
- user id
### Other Resources
#### When we have a Website/IP Address:
### When we have a Website/IP Address:
- Try to add folders to the domain, such as http://csaw2014.website.com or http://key.website.com.
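Review bot: with "#### When we have a Website/IP Address:" promoted to "###", the "### Other Resources" heading directly above it now has no body of its own and sits at the same level as what was its subsection; either keep the "####" nesting or drop "Other Resources". Removing the duplicated Folders block here (it was moved to the top of the file) and fixing "without" are the right cleanups.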
@ -152,7 +178,7 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
## URLs
#### Octal
### Octal
- Example: http://017700000001 --> 127.0.0.1
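Review bot: the Octal example would be clearer with the conversion spelled out: the leading 0 makes 017700000001 parse as an octal integer, which equals 0x7F000001, i.e. 127.0.0.1 when interpreted as a single 32-bit address. As written the reader has to take the arrow on trust, and the heading-level change is a cheap place to add that sentence.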
@ -163,7 +189,7 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564)
#### Great @
### Great @
- Everything between "http://" and "@" is completely irrelevant
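Review bot: "(2564)" in the context line is a flattened "256^4"; 4294967296 is 2^32 (256 to the fourth), and the exponent was lost somewhere, so write it as 2^32 or 256⁴. The hunk only demotes the heading, but this is worth bundling in. "### Great @" also does not say what the section covers; a name such as "Userinfo before @" would tell the reader that the point is the URL userinfo component being ignored by the browser.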
@ -260,11 +286,6 @@ Set-Cookie: SID=472ndsw;expires=DATE;path=/;domain=SITE,HttpOnly
* Client sends Cookie header to server to continue session.
-----
## Tools
- Burp Suite
- FireBug] in Firefox
----
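Review bot: the removed "FireBug]" line had a stray closing bracket left over from a reference-style link (`[FireBug]`), and the "## Other Tools" list added later in this commit uses inline links instead, which avoids that class of breakage. The horizontal rules around the removed block vary in length ("-----", "----"); Markdown treats any run of three or more as a rule, but one consistent form reads better.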
@ -661,20 +682,12 @@ Authorization: Basic YWRtaW46YWRtaW4=
</body>
```
----
-----------------
[FireBug]: http://getfirebug.com/
[Burp Suite]: http://portswigger.net/burp/
[pngcheck]: http://www.libpng.org/pub/png/apps/pngcheck.html
[karmadecay]: http://karmadecay.com/
[tineye]: https://www.tineye.com/
[images.google.com]: https://images.google.com/?gws_rd=ssl
[base64 decoding]: http://www.motobit.com/util/base64-decoder-encoder.asp
[subbrute.py]: https://github.com/SparkleHearts/subbrute
[pnginfo]: http://www.stillhq.com/pngtools/
[namechk]: http://namechk.com
## Other Tools
* [FireBug](http://getfirebug.com/)
* [Burp Suite](http://portswigger.net/burp/)
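Review bot: deleting the reference-link definitions for [pngcheck], [karmadecay], [tineye], [images.google.com], [base64 decoding], [subbrute.py], [pnginfo] and [namechk] is only safe if no `[name]` reference to them remains elsewhere in this README; any survivor will render as literal bracketed text, which is exactly the "FireBug]" breakage this commit removes a few hunks up. Grep the file for those names before merging, or convert the remaining uses to inline links as done here for FireBug and Burp Suite.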

View File

@ -1,7 +1,6 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
__author__ = "bt3"
import requests
import string
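Review bot: these modified scripts keep `import requests` while the two new scripts in this commit use `urllib2`; both work, but a single HTTP library across the folder makes the examples easier to compare, especially since the README groups them under a "urllib2" folder. The author-line change itself is fine.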

View File

@ -1,7 +1,6 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
__author__ = "bt3"
import requests
import string

View File

@ -1,11 +1,9 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
__author__ = "bt3"
import requests
def brute_force_password(URL, PAYLOAD, MAXID):
for i in range(MAXID):
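Review bot: `brute_force_password(URL, PAYLOAD, MAXID)` uses upper-case parameter names, which PEP 8 reserves for module-level constants; `url, payload, max_id` would match the lower-case local `i` and read as parameters rather than globals. Unrelated to the author change, but the signature is what this hunk exposes.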

View File

@ -23,7 +23,7 @@ $ ./nikto.pl -h <IP> -p <PORT> -output <OUTPUT-FILE>
## [W3af](http://w3af.org/)
* w3af is a Web Application Attack and Audit Framework. The projects goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
* w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
* It's coded in Python.
@ -31,7 +31,7 @@ $ ./nikto.pl -h <IP> -p <PORT> -output <OUTPUT-FILE>
* It removes some of the headaches involved in manual web application testing through its Fuzzy and manual request generator feature.
* It can be configured to run as a MITM proxy. The requests intercepted can be sent to the request generator and then manual web application testing can be perfomerd using variables parameters.
* It can be configured to run as a MITM proxy. The requests intercepted can be sent to the request generator and then manual web application testing can be peperformedsing variables parameters.
* It also has features to exploit the vulnerabilities that it finds. w3af supports detection of both simple and blind OS commanding vulnerability.
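Review bot: this hunk introduces a regression: "perfomerd using variables parameters" became "peperformedsing variables parameters", so the corrected word swallowed the "u" of "using". It should read "performed using variable parameters" (singular "variable" as well).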

View File

@ -0,0 +1,68 @@
#!/usr/bin/env python
__author__ = "bt3"
import urllib2
import Queue
import os
import threading
THREADS = 10
TARGET = 'http://www.blackhatpython.com'
# local directory into which we have downloaded and extracted the web app
#DIRECTORY = '/home/User/Desktop/Joomla'
#DIRECTORY = '/home/User/Desktop/wordpress'
DIRECTORY = '/home/User/Desktop/drupal'
# list of file extensions to not fingerprinting
FILTERS = ['.jpg', '.gif', '.png', '.css']
# each operation in the loop will keep executing until the web_paths
# Queue is empty. on each iteration we grab a path from the queue, add it
# to the target website's base path and then attempt to retrieve it
def test_remote():
while not web_paths.empty():
path = web_paths.get()
url = '%s%s' % (TARGET, path)
request = urllib2.Request(url)
try:
response = urllib2.urlopen(request)
content = response.read()
# if we are successfully retrieving the file, the output HTTP status code
# and the full path for the file is printed
print '[%d] => %s' % (response.code, path)
response.close()
# if the file is not found or protected by .htaccess, error
except urllib2.HTTPError as error:
fail_count += 1
print "Failed" + str(error.code)
if __name__ == '__main__':
os.chdir(DIRECTORY)
# queue object where we store files to locate in the remote server
web_paths = Queue.Queue()
# os.walk function walks through all the files and directories in the local
# web application directory. this builds the full path to the target files
# and test them against filter list to make sure we are looking for the
# files types we want. For each valid file we find, we add it to our
# web_paths Queue.
for r, d, f in os.walk('.'):
for files in f:
remote_path = '%s/%s' %(r, files)
if remote_path[0] == '.':
remote_path = remote_path[1:]
if os.path.splitext(files)[1] not in FILTERS:
web_paths.put(remote_path)
# create a number of threads that will be called the test_remote function
# it operates in a loop that keep executing untul the web_paths queue is
# empty.
for i in range(THREADS):
print 'Spawning thread: ' + str(i)
t = threading.Thread(target=test_remote)
t.start()
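Review bot: `fail_count += 1` in `test_remote()` will raise `UnboundLocalError` on the first `HTTPError`, because the name is never initialised anywhere in this file and the function does not declare it `global`; the worker thread then dies on its first 404. Either initialise `fail_count = 0` at module level with `global fail_count` in the function (and a `threading.Lock`, since ten threads increment it), or drop the counter and just report the status. Two smaller points: `print "Failed" + str(error.code)` has no separator and does not say which path failed (`print '[%d] => %s' % (error.code, path)` mirrors the success line), and connection-level failures raise `urllib2.URLError`, which is not caught, so the same silent thread death happens for a refused connection. The main block also never `join()`s the threads, so there is no point at which totals could be reported.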

View File

@ -0,0 +1,25 @@
#!/usr/bin/env python
__author__ = "bt3"
import urllib2
def get(url):
msg = urllib2.urlopen(url)
print msg.read()
def get_user_agent(url):
headers = {}
headers['User-Agent'] = 'Googlebot'
request = urllib2.Request(url, headers=headers)
response = urllib2.urlopen(request)
print response.read()
response.close()
if __name__ == '__main__':
HOST = 'http://www.google.com'
get_user_agent(HOST)
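Review bot: `get()` never closes the response it opens, unlike `get_user_agent()`; follow `msg = urllib2.urlopen(url)` with `msg.close()` (or wrap it in `contextlib.closing`). `get()` is also defined but never called from `__main__`, so it is dead code in this script as committed. A one-line comment on why the header is set to `Googlebot` (observing crawler-specific or cloaked responses) would help, since a reader might otherwise copy it as a default User-Agent.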

View File

@ -1,7 +1,6 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
__author__ = "bt3"
import requests

View File

@ -1,7 +1,6 @@
#!/usr/bin/python
__author__ = "bt3gl"
__email__ = "bt33gl@gmail.com"
__author__ = "bt3"
import requests