Roman/HackingScripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bugfix, sni fuzzing preparation

Browse Source
This commit is contained in:
Roman Hergenreder 2023-10-29 17:22:24 +01:00
parent 2048702cf7
commit f7f9ad1628
3 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fileserver.py
View File

@ -254,6 +254,8 @@ class HttpFileServer(HTTPServer):
protocol = "https" if type(self.socket) == ssl.SSLSocket else "http" protocol = "https" if type(self.socket) == ssl.SSLSocket else "http"
if (int(port) == 80 and protocol == "http") or (int(port) == 443 and protocol == "https"): if (int(port) == 80 and protocol == "http") or (int(port) == 443 and protocol == "https"):
port = "" port = ""
else:
port = f":{port}"
return f"{protocol}://{addr}{port}" return f"{protocol}://{addr}{port}"

22
subdomainFuzz.sh
View File

@ -14,6 +14,7 @@ fi
DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||') DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||')
echo "[ ] Resolving IP-Address…" echo "[ ] Resolving IP-Address…"
output=$(resolveip $DOMAIN 2>&1) output=$(resolveip $DOMAIN 2>&1)
status=$(echo $?) status=$(echo $?)
@ -22,16 +23,31 @@ if ! [[ $status == 0 ]] ; then
exit exit
fi fi
function sni () {
protocol=$1
sni=$2
if ! [[ "$sni" =~ ".*:[0-9]+" ]]; then
if [[ $protocol == "https" ]]; then
sni="$sni:443"
else
sni="$sni:80"
fi
fi
echo $sni
}
IP_ADDRESS=$(echo $output | head -n 1 | awk '{print $NF}') IP_ADDRESS=$(echo $output | head -n 1 | awk '{print $NF}')
echo "[+] IP-Address: ${IP_ADDRESS}" echo "[+] IP-Address: ${IP_ADDRESS}"
echo "[ ] Retrieving default site…" echo "[ ] Retrieving default site…"
rnd=$(uuidgen)
sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN})
charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m) charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m) charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m)
charcountNonExistent=$(curl -s "${PROTOCOL}://$(uuidgen).${DOMAIN}" -k -m 5 | wc -m) charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m)
echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}" echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
echo "[ ] Fuzzing…" echo "[ ] Fuzzing…"
(set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \ (set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
-w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}") -u "${PROTOCOL}://${DOMAIN}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")

9
util.py
View File

@ -266,8 +266,17 @@ def xor(a, b):
return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ]) return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
def base64urldecode(data): def base64urldecode(data):
if isinstance(data, str):
data = data.encode()
return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4)) return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4))
def base64urlencode(data):
if isinstance(data, str):
data = data.encode()
return base64.urlsafe_b64encode(data)
def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None, _format=None): def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None, _format=None):
import exif import exif
from PIL import Image from PIL import Image