|
|
@@ -12,7 +12,8 @@ def generate_template(base_url, features):
|
|
|
|
imports = [
|
|
|
|
imports = [
|
|
|
|
"os", "io", "re", "sys",
|
|
|
|
"os", "io", "re", "sys",
|
|
|
|
"json", "time", "base64", "requests",
|
|
|
|
"json", "time", "base64", "requests",
|
|
|
|
"subprocess", "urllib.parse"
|
|
|
|
"subprocess", "urllib.parse",
|
|
|
|
|
|
|
|
"user_agent"
|
|
|
|
]
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
partial_imports = {
|
|
|
|
partial_imports = {
|
|
|
@@ -22,6 +23,8 @@ def generate_template(base_url, features):
|
|
|
|
"urllib3.exceptions": ["InsecureRequestWarning"]
|
|
|
|
"urllib3.exceptions": ["InsecureRequestWarning"]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class_definitions = []
|
|
|
|
|
|
|
|
|
|
|
|
main_code = []
|
|
|
|
main_code = []
|
|
|
|
methods = []
|
|
|
|
methods = []
|
|
|
|
ip_address_arg = next(filter(lambda f: re.match(r"ip_address=(.*)", f), features), None)
|
|
|
|
ip_address_arg = next(filter(lambda f: re.match(r"ip_address=(.*)", f), features), None)
|
|
|
@@ -29,7 +32,8 @@ def generate_template(base_url, features):
|
|
|
|
|
|
|
|
|
|
|
|
variables = {
|
|
|
|
variables = {
|
|
|
|
"IP_ADDRESS": ip_address,
|
|
|
|
"IP_ADDRESS": ip_address,
|
|
|
|
"BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
|
|
|
|
"BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"',
|
|
|
|
|
|
|
|
"USER_AGENT": "user_agent.generate_user_agent()"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
proxy_arg = next(filter(lambda f: re.match(r"proxy=(.*)", f), features), None)
|
|
|
|
proxy_arg = next(filter(lambda f: re.match(r"proxy=(.*)", f), features), None)
|
|
|
@@ -67,48 +71,60 @@ def generate_template(base_url, features):
|
|
|
|
|
|
|
|
|
|
|
|
if "verify" not in kwargs:
|
|
|
|
if "verify" not in kwargs:
|
|
|
|
kwargs["verify"] = False
|
|
|
|
kwargs["verify"] = False
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
headers = kwargs.get("headers", {{}})
|
|
|
|
|
|
|
|
headers["User-Agent"] = USER_AGENT
|
|
|
|
|
|
|
|
kwargs["headers"] = headers
|
|
|
|
{proxy}
|
|
|
|
{proxy}
|
|
|
|
url = {full_url}
|
|
|
|
url = {full_url}
|
|
|
|
return client.request(method, url, **kwargs)
|
|
|
|
return client.request(method, url, **kwargs)
|
|
|
|
""")
|
|
|
|
""")
|
|
|
|
|
|
|
|
|
|
|
|
if "register" in features or "account" in features:
|
|
|
|
if "register" in features or "account" in features:
|
|
|
|
main_code.append("""if not register(USERNAME, PASSWORD):
|
|
|
|
main_code.append("""if not register(USER):
|
|
|
|
exit(1)
|
|
|
|
exit(1)
|
|
|
|
""")
|
|
|
|
""")
|
|
|
|
variables["USERNAME"] = '"Blindhero"'
|
|
|
|
|
|
|
|
variables["PASSWORD"] = '"test1234"'
|
|
|
|
|
|
|
|
methods.append("""
|
|
|
|
methods.append("""
|
|
|
|
def register(username, password):
|
|
|
|
def register(user):
|
|
|
|
res = request("POST", "/register", data={"username": username, "password": password})
|
|
|
|
res = request("POST", "/register", data={"username": user.username, "password": user.password})
|
|
|
|
if res.status_code != 200:
|
|
|
|
if res.status_code != 200:
|
|
|
|
print("[-] Error registering")
|
|
|
|
print("[-] Error registering")
|
|
|
|
exit()
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
return True
|
|
|
|
return True
|
|
|
|
""")
|
|
|
|
""")
|
|
|
|
|
|
|
|
|
|
|
|
if "login" in features or "account" in features:
|
|
|
|
if "login" in features or "account" in features:
|
|
|
|
main_code.append("""session = login(USERNAME, PASSWORD)
|
|
|
|
main_code.append("""session = login(USER)
|
|
|
|
if not session:
|
|
|
|
if not session:
|
|
|
|
exit(1)
|
|
|
|
exit(1)
|
|
|
|
""")
|
|
|
|
""")
|
|
|
|
variables["USERNAME"] = '"username"'
|
|
|
|
variables["USER"] = 'User("username", "password")'
|
|
|
|
variables["PASSWORD"] = '"password"'
|
|
|
|
class_definitions.append("""
|
|
|
|
|
|
|
|
class User:
|
|
|
|
|
|
|
|
def __init__(self, username, password):
|
|
|
|
|
|
|
|
self.username = username
|
|
|
|
|
|
|
|
self.password = password
|
|
|
|
|
|
|
|
def tobase64(self):
|
|
|
|
|
|
|
|
return base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
|
|
|
|
|
|
|
|
def get_basic_auth(self):
|
|
|
|
|
|
|
|
return "Basic " + self.tobase64()
|
|
|
|
|
|
|
|
""")
|
|
|
|
|
|
|
|
|
|
|
|
methods.append("""
|
|
|
|
methods.append("""
|
|
|
|
def login(username, password):
|
|
|
|
def login(user):
|
|
|
|
session = requests.Session()
|
|
|
|
session = requests.Session()
|
|
|
|
res = request("POST", "/login", data={"username": username, "password": password}, session=session)
|
|
|
|
res = request("POST", "/login", data={"username": user.username, "password": user.password}, session=session)
|
|
|
|
if res.status_code != 200:
|
|
|
|
if res.status_code != 200:
|
|
|
|
print("[-] Error logging in")
|
|
|
|
print("[-] Error logging in")
|
|
|
|
exit()
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
return session
|
|
|
|
return session
|
|
|
|
""")
|
|
|
|
""")
|
|
|
|
|
|
|
|
|
|
|
|
if "sqli" in features:
|
|
|
|
if "sqli" in features:
|
|
|
|
partial_imports["hackingscripts.sqli"] = ["MySQLi", "PostgreSQLi", "BlindSQLi", "ReflectedSQLi"]
|
|
|
|
partial_imports["hackingscripts.utils.sqli"] = ["MySQLi", "PostgreSQLi", "BlindSQLi", "ReflectedSQLi"]
|
|
|
|
methods.append("""
|
|
|
|
class_definitions.append("""
|
|
|
|
class ReflectedSQLiPoC(MySQLi, ReflectedSQLi):
|
|
|
|
class ReflectedSQLiPoC(MySQLi, ReflectedSQLi):
|
|
|
|
def __init__(self):
|
|
|
|
def __init__(self):
|
|
|
|
# TODO: specify reflected columns with their types
|
|
|
|
# TODO: specify reflected columns with their types
|
|
|
@@ -117,7 +133,7 @@ class ReflectedSQLiPoC(MySQLi, ReflectedSQLi):
|
|
|
|
# TODO: build query and extract columns from response
|
|
|
|
# TODO: build query and extract columns from response
|
|
|
|
return None
|
|
|
|
return None
|
|
|
|
""")
|
|
|
|
""")
|
|
|
|
methods.append("""
|
|
|
|
class_definitions.append("""
|
|
|
|
class BlindSQLiPoC(MySQLi, BlindSQLi):
|
|
|
|
class BlindSQLiPoC(MySQLi, BlindSQLi):
|
|
|
|
def blind_sqli(self, condition: str, verbose=False) -> bool:
|
|
|
|
def blind_sqli(self, condition: str, verbose=False) -> bool:
|
|
|
|
# TODO: build query and evaluate condition
|
|
|
|
# TODO: build query and evaluate condition
|
|
|
@@ -153,6 +169,7 @@ if __name__ == "__main__":
|
|
|
|
|
|
|
|
|
|
|
|
imports = "\n".join(f"import {i}" for i in sorted(imports, key=len))
|
|
|
|
imports = "\n".join(f"import {i}" for i in sorted(imports, key=len))
|
|
|
|
imports += "\n" + "\n".join(sorted(list(f"from {p} import {', '.join(i)}" for p, i in partial_imports.items()), key=len))
|
|
|
|
imports += "\n" + "\n".join(sorted(list(f"from {p} import {', '.join(i)}" for p, i in partial_imports.items()), key=len))
|
|
|
|
|
|
|
|
class_definitions = "\n".join(class_definitions)
|
|
|
|
variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
|
|
|
|
variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
|
|
|
|
header = f"""#!/usr/bin/env python
|
|
|
|
header = f"""#!/usr/bin/env python
|
|
|
|
|
|
|
|
|
|
|
@@ -163,7 +180,7 @@ if __name__ == "__main__":
|
|
|
|
|
|
|
|
|
|
|
|
{imports}
|
|
|
|
{imports}
|
|
|
|
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
|
|
|
|
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
|
|
|
|
|
|
|
|
{class_definitions}
|
|
|
|
{variables}
|
|
|
|
{variables}
|
|
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
"""
|
|
|
|