Hi.
This week I will publish some new information about the vulnerabilities I found.
For example, full technical details about the vulnerable (latest) version of SMF 2.0.4 will be available after contacting the vendor.
*update:*
I see that in some cases there is a possibility to drop a (web)shell via a CSRF attack.
The post will be updated, so...
See you soon! ;)
Monday, 25 March 2013
Wednesday, 20 March 2013
[EN] Modules in your own webscanner - few OPTIONS
Below we have two scripts.
The first will list the HTTP methods the server allows (via OPTIONS, if that is possible).
The second will try to send a TRACE request (which could be used for XST, cross-site tracing, vulnerabilities).
Here we go:
#!/usr/bin/env python
# try_options.py
# written for Python 2 (httplib, print statement)
#
import httplib
import sys

if len(sys.argv) < 2:
    sys.stderr.write('usage: ' + sys.argv[0] + ' host[:port]\n')
    sys.exit(1)

url = sys.argv[1]                      # host[:port], without a scheme
conn = httplib.HTTPConnection(url)
conn.request('OPTIONS', '/')
resp = conn.getresponse()
page_response = resp.read()
#print page_response
print resp.status, resp.reason
full_answer = resp.getheaders()        # list of (name, value) tuples
#print 'What we have here:\n', full_answer
print '-----------------------------------------------'
# the 'Allow' header (if the server sends one) lists the accepted methods
for header in full_answer:
    print ' -> '.join(header)
(Code is at pastebin too).
The next stage is to check whether we can use TRACE (if the previous test showed this method as available):
#!/usr/bin/env python
# try_trace.py
# more at http://hauntit.blogspot.com
# written for Python 2 (httplib, print statement)
#
import httplib
import sys

if len(sys.argv) < 2:
    sys.stderr.write('usage: ' + sys.argv[0] + ' host[:port]\n')
    sys.exit(1)

url = sys.argv[1]                      # host[:port], without a scheme
conn = httplib.HTTPConnection(url)
#conn.request('TRACE','/w0rkin')
conn.request('TRACE', '/<script>alert(/w0rkin/)</script>')
resp = conn.getresponse()
page_response = resp.read()
#print page_response
print
print 'try TRACE for: ', url
print 'Status: ', resp.status, resp.reason
full_answer = resp.getheaders()
print '\nWhat we have here:\n'  #, full_answer
print '-----------------------------------------------'
if resp.status == 200:
    # a real TRACE answer has Content-Type: message/http and echoes our request back
    for header in full_answer:
        print ' with value: '.join(header)
    print '-----------------------------------------------'
    print 'Response:\n', page_response
else:
    print 'No TRACE, or other problem :C'  # try manually or add debug here
(and the pastebin version).
Enjoy ;)
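As an added example (not code from the original post), here is the defender's reading of what the two scripts return, done offline on constructed responses in Python 3: parse the Allow header of an OPTIONS reply and flag methods that should normally be disabled, and check whether a TRACE reply really echoes the request back (the condition for XST). The helper names and the sample responses are my own assumptions, not the author's.

```python
# Added example (not from the original post): interpret OPTIONS and TRACE
# responses offline, the way you would when auditing your own server.
# Python 3; the responses below are constructed samples, not real captures.
from typing import Dict, Set, Tuple

# Methods that should not be enabled on a production web server without a reason.
# TRACE is the one the scripts above look for (cross-site tracing); the others
# are the usual suspects in an Allow header.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT", "PROPFIND"}


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased; repeated headers are joined with ', ',
    which RFC 7230 allows for list-valued fields such as Allow.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status, headers, body


def allowed_methods(raw_options_response: str) -> Set[str]:
    """Return the method set advertised in the Allow header of an OPTIONS reply."""
    _, headers, _ = parse_response(raw_options_response)
    allow = headers.get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def risky_methods(raw_options_response: str) -> Set[str]:
    """Methods from RISKY_METHODS that the server says it accepts."""
    return allowed_methods(raw_options_response) & RISKY_METHODS


def trace_reflected(raw_trace_response: str, request_header: str) -> bool:
    """True when a TRACE reply echoes the request back (XST exposure).

    A real TRACE reply has status 200, Content-Type message/http and the
    original request (including request headers such as a cookie) in its body.
    That echo is what makes TRACE dangerous when a script can read the reply.
    """
    status, headers, body = parse_response(raw_trace_response)
    if status != 200:
        return False
    if not headers.get("content-type", "").lower().startswith("message/http"):
        return False
    return request_header.lower() in body.lower()


# Constructed sample replies (CRLF line endings as on the wire).
SAMPLE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_TRACE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=constructed-sample\r\n"
    "\r\n"
)
SAMPLE_TRACE_DISABLED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>405</html>"
)

if __name__ == "__main__":
    print("allowed:", sorted(allowed_methods(SAMPLE_OPTIONS)))
    print("risky:  ", sorted(risky_methods(SAMPLE_OPTIONS)))
    print("TRACE reflects request:", trace_reflected(SAMPLE_TRACE, "Cookie:"))
    print("disabled server:", trace_reflected(SAMPLE_TRACE_DISABLED, "Cookie:"))
```

On Apache the finding is closed with `TraceEnable off`; re-running the check after the change should turn the reflection result to False.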
[EN] OTRS "triple X(SS)"
[EN] Modules in your own webscanner - SQL injection module
Here I will present a simple idea of how to find out whether your site is vulnerable to SQL injection.
This code works on POST requests (the idea is taken from the XSS-over-POST module).
The code was released because during a few tests I found a 0-day vulnerability (SQL injection) in one of Joomla's modules (I won't tell you which one it was ;) try it on your own!)
Code is here:
#!/usr/bin/env python
# try_POST_sqli.py
# written for Python 2 (httplib, urllib, print statement)
#
# first we will GET argv[1]/page.argv[2] to read it
# and find out what names/inputs/submits/etc... there are.
# next we will POST those param-names separately with 'payload'.
#
# enjoy.
import urllib
import re
import sys
import httplib

if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]
path_file = sys.argv[2]
url = host + ':80'
url_file = url + path_file
payload = '\';]SQLI?^&*(O:UI:Y@:>T^#/**'
print 'Target: ', host
print 'Vuln file: ', path_file
print 'Full URL to attack:', url_file
print

# first we must GET page, to read whole text to find
# if there is any of our 'vulnerable' (to test) string.
get_connect = urllib.urlopen('http://' + url_file)
get_response = get_connect.read()
status = get_connect.getcode()
print 'Status of requested page: ', status

# what we're looking for: the name="..." attributes of the form fields
#results = re.findall("<(input|textarea|select).+?name=['\"].(.+?)['\"].*?>",get_response)
results = re.findall(" name=\"([^\"]+)\"", get_response)

#############################################################
# hm ;] one idea to test right now. ;D
poc = open('log_file_with_sql_output.txt', 'w')   # answers that contained a MySQL error
#############################################################

# func to send POST to target url with one found parameter set to the payload
def do_post_now(url, param):
    params = urllib.urlencode({param: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded', 'Accept': 'text/plain'}
    connect = httplib.HTTPConnection(url)
    connect.request('POST', path_file, params, headers)
    response = connect.getresponse()
    print response.status, response.reason   # 200 OK?
    data = response.read()
    connect.close()   # end of test this parameter at this URL
    pos = data.find('MySQL')   # a MySQL error text in the answer = verbose error, worth a closer look
    if pos != -1:
        print '\t[+- ( POST SQLI alert! ) -+]'
        print '\t [+] Found "MySQL" at offset:', pos
        print data[max(0, pos - 60):pos + 200]   # the error text around the match
        poc.write('--- param: ' + param + '\n' + data + '\n')   # save simple p0c file. ;7
# end of do_post_now()

# ---
# MAIN:
# if result found:
if len(results) > 0:
    print '-------------------------------------------------------------'
    print 'Got some results :) Now we can try to exploit parameters.\n'
    for param in results:
        print 'Found param called: ', param
        print 'Do POST now, for URL: ', url, ' with param: ', param
        do_post_now(url, param)
        # end of this POST for this parameter
poc.close()   # closed once, after all parameters were tested
You can also find this code at pastebin.
Let me know if you have any questions. ;)
Cheers o/
[EN] Modules in your own webscanner - LFI module
The code listed below is a simple LFI checker. It's based on the same module as XSS-over-POST.
As I wrote before, all of those 'modules' can be rewritten as one bigger program.
Here is the code:
#!/usr/bin/env python
# ----
# try_lfi.py - simple find if there is LFI vulnerability
# written for Python 2 (urllib, print statement)
# ----
# - can be also used to find traversal-vulnerabilities
# - tests can be extended to find more information than just passwd file.
import urllib
import sys

if len(sys.argv) < 2:
    sys.stderr.write('usage: ' + sys.argv[0] + ' http://localhost/page?param=\n')
    sys.exit(1)

# defines:
url = sys.argv[1]
checkLfis = open('LFItext.txt', 'r')                          # one traversal/LFI string per line
try_lfi = [line.strip() for line in checkLfis.readlines()]    # drop the trailing newlines
checkLfis.close()

print '---------------------------------------------------------------'
print '[+] Searching for traversal/LFI vulnerability at URL: ', url
print '---------------------------------------------------------------'
for line in try_lfi:
    if not line:
        continue                                              # skip empty lines in the list
    full_url_to_check = url + line
    try_page = urllib.urlopen(full_url_to_check)
    read_page = try_page.readlines()
    print 'Trying: ', line
    print 'Status: ', try_page.getcode()
    print '\t[~] Now reading the answer to find out if there is our \'vulnerable-string\'...'
    for read_lines in read_page:
        # 'root' as in the first line of /etc/passwd (any page containing the word will match too)
        if read_lines.find('root') != -1:
            print '\t[+] Found potential LFI bug! '
            print 'This is the answer: ', read_lines
            print '---------------------------------------------------------------'
As you can see in this code, it uses an LFItext.txt file with the various strings to try.
In the module's source you will find how to use it against some local file
include vulnerabilities.
The whole code is also available at pastebin.
Feedback is welcome ;)
Enjoy! o/
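As an added example (not part of the original post), the server-side counterpart of this checker in Python 3: a path-resolution function that keeps a user-controlled include name inside the intended directory, exercised against the kinds of inputs an LFI list contains. The directory layout and the function names are constructed for the demonstration.

```python
# Added example (not from the original post): the server-side fix for the bug
# class try_lfi.py looks for. Python 3, standard library only; the directory
# tree and the inputs are constructed for the demonstration.
import os
import tempfile
from typing import Optional


def _resolve_within(base_dir: str, user_value: str) -> Optional[str]:
    """Resolved path of user_value under base_dir, or None if it escapes.

    Rejects empty names, NUL bytes (the classic '%00' truncation trick),
    absolute paths, and anything whose real path (symlinks resolved) leaves
    base_dir. Checking the resolved path instead of the string is what defeats
    '..', 'sub/../..' and similar variants: they all resolve to the same place.
    """
    if not user_value or "\x00" in user_value or os.path.isabs(user_value):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # commonpath is the right containment test; startswith(base) would accept
    # a sibling such as /var/www/pages_private for the base /var/www/pages.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def resolve_include(base_dir: str, user_value: str) -> Optional[str]:
    """Map a user-supplied page name to an existing file inside base_dir, or None."""
    candidate = _resolve_within(base_dir, user_value)
    if candidate is None or not os.path.isfile(candidate):
        return None
    return candidate


def traversal_attempt(base_dir: str, user_value: str) -> bool:
    """True when the value is malformed or would escape base_dir (a good alert signal)."""
    return _resolve_within(base_dir, user_value) is None


def build_demo_tree() -> str:
    """Create a throwaway pages/ directory with one legitimate page (constructed)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(root, "pages")
    os.makedirs(os.path.join(pages, "sub"))
    with open(os.path.join(pages, "about.php"), "w") as f:
        f.write("<?php echo 'about'; ?>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside the pages directory")
    return pages


if __name__ == "__main__":
    pages = build_demo_tree()
    for value in ["about.php", "sub/../about.php", "../secret.txt",
                  "sub/../../secret.txt", "about.php\x00.jpg", "/etc/passwd"]:
        print(repr(value), "->", resolve_include(pages, value),
              "| attempt:", traversal_attempt(pages, value))
```

Decode URL encoding before calling this (web frameworks do it for you); the function deliberately treats an undecoded `..%2F` as a literal file name, which simply does not exist.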
[EN] Modules in your own webscanner - XSS over POST
This is another example of how Python can be used to build a (maybe simple, but) useful
web app scanner. This part (called a 'module') can be used to figure out where in the tested page
there is a possibility of an XSS vulnerability (via HTTP POST).
It could be a good exercise to connect all of those 'modules' into 'one program'
that tests all the vulnerabilities.
To start, create a file named try_POST_xss.py. (Like before, we will need chmod u+x for this file.)
You can find the source code below:
#!/usr/bin/env python
# ----
# try_POST_xss.py
# written for Python 2 (httplib, urllib, print statement)
# ----
# first we will GET argv[1]/page.argv[2] to read it
# and find out what names/inputs/submits/etc... there are.
# next we will POST those param-names separately with 'payload'.
# enjoy.
import urllib
import re
import sys
import httplib

if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]
path_file = sys.argv[2]
url = host + ':80'
url_file = url + path_file
# the check below looks for the marker '2222' in the answer, so the payload
# you put here must contain it - for example script+alert(2222) - see below ;)
payload = 'your<xss<code<here'
# if you want I have version 'payloads-from-file' too.
print 'Target: ', host
print 'Vuln file: ', path_file
print 'Full URL to attack:', url_file
print

# first we must GET page, to read whole text to find
# if there is any of our 'vulnerable' ('to find') string.
get_connect = urllib.urlopen('http://' + url_file)
get_response = get_connect.read()
status = get_connect.getcode()
print 'Status of requested page: ', status

# what we're looking for: the name="..." attributes of the form fields
#results = re.findall("<(input|textarea|select).+?name=['\"].(.+?)['\"].*?>",get_response)
results = re.findall(" name=\"([^\"]+)\"", get_response)

#############################################################
# hm ;] one idea to test right now. ;D
poc = open('poc_file_for_POST_xss.html', 'w')   # answers in which the marker came back
#############################################################

# func to send POST to target url with one found parameter set to the payload
def do_post_now(url, param):
    params = urllib.urlencode({param: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded', 'Accept': 'text/plain'}
    connect = httplib.HTTPConnection(url)
    connect.request('POST', path_file, params, headers)
    response = connect.getresponse()
    print response.status, response.reason   # 200 OK?
    data = response.read()
    connect.close()   # end of test this parameter at this URL
    pos = data.find('2222')   # did our marker come back in the page?
    if pos != -1:
        print '\t[+- ( POST XSS alert! ) -+]'
        print '\t [+] Found POST XSS at offset:', pos
        print data[max(0, pos - 60):pos + 60]   # context around the reflected marker
        poc.write('<!-- param: ' + param + ' -->\n' + data + '\n')   # save simple p0c file. ;7
# end of do_post_now()
# lookout here: the p0c file is closed once, at the very end. Calling .close()
# inside do_post_now() would make the write for the next parameter fail.

# ---
# MAIN:
# if result found:
if len(results) > 0:
    print '-------------------------------------------------------------'
    print 'Got some results :) Now we can try to exploit parameters.\n'
    for param in results:
        print 'Found param called: ', param
        print 'Do POST now, for URL: ', url, ' with param: ', param
        # here we'll create a POST for found parameter
        do_post_now(url, param)
        # end of this POST for this parameter
poc.close()
# EOF.
# ----
The interesting thing here is that you will find 0-day vulnerabilities at big companies.
Trust me. ;)
And - as always - feedback is welcome.
(* You will also find the full code here.)
Enjoy! ;)
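Both the SQL injection module above and this XSS-over-POST module stand on the same two helpers: finding the form fields to test and judging the answer. Here, as an added example that is not code from the original posts, are both in Python 3, runnable offline on constructed HTML and responses: a form-field parser that keeps only real form controls (the posts' `name="..."` regex also matches `<meta>` and `<a>`), a DB-error check that generalises the single 'MySQL' string, and a reflection check that tells a raw reflection from an escaped one (the '2222' test alone cannot). Function names and samples are my own assumptions.

```python
# Added example (not from the original posts): the discovery and the response
# judgement that the SQLi and XSS-over-POST modules share, testable offline.
# Python 3; the HTML and the responses below are constructed samples.
import html
import re
from html.parser import HTMLParser
from typing import List, Optional


class FormFieldParser(HTMLParser):
    """Collect name="..." from input/textarea/select tags only.

    Buttons are skipped: a submit button is not an injectable parameter, and
    posting to it only adds noise to the scan output.
    """

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag not in ("input", "textarea", "select"):
            return
        a = dict(attrs)
        name = a.get("name")
        if not name or name in self.fields:
            return
        if tag == "input" and (a.get("type") or "text").lower() in ("submit", "button", "image", "reset"):
            return
        self.fields.append(name)


def form_fields(page_html: str) -> List[str]:
    """Parameter names worth testing, in document order, without duplicates."""
    p = FormFieldParser()
    p.feed(page_html)
    return p.fields


# Error strings that the SQLi module's single 'MySQL' check generalises to. Any
# of these in a response means the application shows raw database errors to
# users, which is exactly what the "turn off error display" post is about.
DB_ERROR_PATTERNS = {
    "mysql": re.compile(r"You have an error in your SQL syntax|mysql_fetch_|Warning: mysql", re.I),
    "postgresql": re.compile(r"PG::SyntaxError|pg_query\(\)|ERROR:\s+syntax error at or near", re.I),
    "mssql": re.compile(r"Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server", re.I),
    "oracle": re.compile(r"ORA-\d{5}", re.I),
    "sqlite": re.compile(r"SQLITE_ERROR|sqlite3\.OperationalError", re.I),
}


def db_error_in(body: str) -> Optional[str]:
    """Name of the DBMS whose error text appears in the body, else None."""
    for dbms, pattern in DB_ERROR_PATTERNS.items():
        if pattern.search(body):
            return dbms
    return None


def probe_reflected(body: str, probe: str) -> str:
    """Classify how a probe such as '<x2222>' came back: 'raw', 'escaped' or 'absent'.

    Only 'raw' is a reflected-XSS finding; 'escaped' means the output encoding
    did its job even though the digits are still present in the page.
    """
    if probe in body:
        return "raw"
    if html.escape(probe) in body or html.escape(probe, quote=False) in body:
        return "escaped"
    return "absent"


# Constructed samples.
SAMPLE_HTML = """<html><head><meta name="viewport" content="width=device-width"></head>
<body><form method="post" action="/search.php">
<input type="text" name="q"><input type="hidden" name="token" value="abc">
<select name="cat"><option>1</option></select>
<textarea name="comment"></textarea>
<input type="submit" name="go" value="Search">
</form><a name="bottom"></a></body></html>"""
SAMPLE_SQL_ERROR = "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource"
SAMPLE_REFLECT_RAW = "<p>Results for <x2222>:</p>"
SAMPLE_REFLECT_ESC = "<p>Results for &lt;x2222&gt;:</p>"

if __name__ == "__main__":
    print("fields to test:", form_fields(SAMPLE_HTML))
    print("db error:", db_error_in(SAMPLE_SQL_ERROR))
    for sample in (SAMPLE_REFLECT_RAW, SAMPLE_REFLECT_ESC, "<p>nothing</p>"):
        print(repr(sample), "->", probe_reflected(sample, "<x2222>"))
```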
[EN] Modules in your own webscanner - find dirs and files
During projects, the question often comes up: 'what tools do we use?'.
It would be difficult to present the entire list of tools available in distros such as BackTrack,
but sometimes it is also hard to believe that we can use 'our own tools'.
Today, the idea is taken directly from the popular DirBuster (available here). If you don't know it,
take a few minutes to check it out against your server(s).
Sometimes, when we're doing tests 'from the shell' (or from the console, you name it), we would like to use a 'lighter' tool than the Java-based DirBuster.
Python can be the answer here.
With a few lines of code, we can offer a simple solution: a small program written in Python
reads, line by line, the file and/or directory names listed in a text file and then
presents the HTTP response status code for each file/dirname.
In the directory where you'll put this Python code, let's create a file with a list of the interesting location(s) on a remote server. A sample list could look like this:
/config.php
/config_inc.php
/config/
/configuration/
/configuration.php
/doc/
/api/
/cache/
/template/
/language/
/media/
/modules/
/plugins/
/install/
/users/
/admincp/
/modcp/
/archive/
/archives/
/sitemap.xml
/ckeditor.php
/FCKeditor/editor/filemanager/browser/default/browser.html
/editor/filemanager/browser/default/browser.html
/fckeditor/editor/css/
/wp-admin/
/wp-content/
/wp-includes/
/index.aspx
/manual/
/server-status
/phpinfo.php
/pi.php
/phpMyAdmin/
/phpmyadmin/
/pma/
/panel/
/login/
/register
/contac
Of course a good choice is to use your own list (but to start you can try the lists from the DirBuster / fuzzdb projects).
Save this list to the 'dirsToCheck.txt' file. This is of course a sample list of the locations 'most interesting (to us)' on a remote test server. Finding those files/dirs can be significant (from a web app testing point of view) because they could be abused later, or yield information that will be useful during other steps of the pentest.
How do I take advantage of it now?
The program, which is below, does the following:
* reads the previously prepared text file (with the names and locations of directories and files) line by line
* uses those names (locations) to build a full URL on the remote host (given as sys.argv[1])
* requests each full URL with HTTP GET (via urllib)
* reports the HTTP response status code as the result of each test (for each location)
Code is here:
#!/usr/bin/env python
# ---
# try_dirs.py
# this 'module' will check if there is a file/dir at remote host.
# files/dirs can be edited (you will find it at dirsToCheck.txt file).
# written for Python 2 (urllib, print statement)
# ---
# version : 2 @ 19.03.2013
#
import urllib
import sys

if len(sys.argv) < 2:
    sys.stderr.write('usage: ' + sys.argv[0] + ' http://localhost/\n')
    sys.exit(1)

# defines:
url = sys.argv[1].rstrip('/')                                   # the list entries start with '/'
dirsToCheck = open('dirsToCheck.txt', 'r')
try_dir = [line.strip() for line in dirsToCheck.readlines()]    # drop the trailing newlines
dirsToCheck.close()

print '--------------------------------------------------------------'
print 'Try enumerate files/dirs at this URL: ', url
print '--------------------------------------------------------------'
for line in try_dir:
    if not line:
        continue                                                # skip empty lines in the list
    full_url_to_check = url + line
    # print full_url_to_check
    # urllib.urlopen does not raise on 4xx/5xx, it returns the answer with its code;
    # note: on a 401 with a Basic realm, Python 2's FancyURLopener asks for credentials on the terminal
    try_page = urllib.urlopen(full_url_to_check)
    code = try_page.getcode()
    if code == 200:
        print 'Found location: ', line
        print 'Status: ', code
        print '------------------------------------------'
    elif code == 401:
        print 'Found location: ', line
        print 'Seems to be authorized only: ', code
        print '------------------------------------------'
    elif code >= 500:
        print 'Found server-side problem: ', line
        print 'Status: ', code
        print '------------------------------------------'
    elif code == 403:
        print 'Found but you have no permissions to access: ', line
        print 'Status: ', code
        print '------------------------------------------'
    # 404 and other codes are not reported (add a branch here if you need them)
Now you can edit this code to add, for example, the 404 code (which can be useful during the information gathering steps, because 404 pages sometimes respond with the exact server name and version).
At this stage, all the results of the program can be written to a file with a *nix shell redirect, using '> name.txt'.
Another method is to create a larger program with its own way of saving to a log file (e.g. using writelines()) to generate a simple report in a more elegant way.
How to run it you will find in the code. In the console you can use
$chmod u+x check_dirs.py
and next:
$ ./check_dirs.py http://our-server.com (with > filelog.txt if you want)
Sample output will look like this:
$ ./check_dirs-2.py http://www.xxx.xx
--------------------------------------------------------------
Try enumerate files/dirs at this URL: http://www.xxx.xx
--------------------------------------------------------------
Found location: /plugins/
Status: 200
------------------------------------------
Found location: /sitemap.xml
Status: 200
------------------------------------------
Found but you have no permissions to access: /wp-admin/
Status: 403
------------------------------------------
Found location: /wp-content/
Status: 200
------------------------------------------
Found but you have no permissions to access: /server-status
Status: 403
------------------------------------------
(...)
(* full code you will find here.)
Enjoy ;)
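From the defender's side, as an added example that is not code from the original post: a run of this script leaves a burst of 403/404 answers for many distinct paths from one client in a short time. The Python 3 code below parses Apache/nginx combined-format log lines (constructed samples, using paths from the list above) and flags clients that look like directory enumeration; the window, the threshold and the function names are my own assumptions.

```python
# Added example (not from the original post): spot a try_dirs.py-style run in
# the web server's access log. Python 3; the log lines are constructed samples.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Apache/nginx 'combined' format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """One log line -> {ip, ts, path, status}, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def enumeration_suspects(lines: List[str], window: timedelta = timedelta(seconds=60),
                         min_misses: int = 8) -> Dict[str, Tuple[int, List[str]]]:
    """Clients with at least min_misses distinct 403/404 paths inside any `window`.

    Returns {ip: (distinct_miss_count, first_few_paths)}. Distinct paths matter:
    one missing image reloaded fifty times is not enumeration; fifty different
    paths that do not exist are the wordlist being walked.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (403, 404):
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    suspects: Dict[str, Tuple[int, List[str]]] = {}
    for ip, events in per_ip.items():
        events.sort()
        best, best_paths, start = 0, [], 0
        for end in range(len(events)):                 # sliding window over time-ordered misses
            while events[end][0] - events[start][0] > window:
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) > best:
                best, best_paths = len(paths), sorted(paths)
        if best >= min_misses:
            suspects[ip] = (best, best_paths[:5])
    return suspects


def _line(ip: str, ts: str, path: str, status: int) -> str:
    """Build one constructed combined-format line."""
    return '%s - - [%s] "GET %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (ip, ts, path, status)


# Constructed log: one normal visitor, and one client walking the wordlist above.
_SCAN_PATHS = ["/config.php", "/config_inc.php", "/config/", "/phpMyAdmin/",
               "/pma/", "/install/", "/wp-admin/", "/server-status", "/phpinfo.php"]
SAMPLE_LOG = [
    _line("198.51.100.2", "20/Mar/2013:10:00:01 +0100", "/", 200),
    _line("198.51.100.2", "20/Mar/2013:10:00:02 +0100", "/style.css", 200),
    _line("198.51.100.2", "20/Mar/2013:10:00:09 +0100", "/favicon.ico", 404),
] + [
    _line("203.0.113.7", "20/Mar/2013:10:00:%02d +0100" % (10 + i), p,
          403 if p == "/server-status" else 404)
    for i, p in enumerate(_SCAN_PATHS)
]

if __name__ == "__main__":
    for ip, (count, sample) in enumeration_suspects(SAMPLE_LOG).items():
        print("%s: %d distinct misses in one window, e.g. %s" % (ip, count, sample))
```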
Wednesday, 13 March 2013
[EN] Modules in your own web scanner - #1
Soon... ;]
As soon as possible you will also find here:
- xss over GET 'test module'
- xss over POST 'test module'
- directory traversal/LFI 'test module' - (@10/02)
- sql injection 'test module' - (@19/03)*
- dir-finder 'module' - (@10/02)
- (... still in progress ;])
- and some information gathering 'module'
A 'to do' is of course a GUI version, but who knows, maybe for now I will stay with the console-based version.
Anyway... *After a few minutes of using the 'sqli-test' module I found a '0-day vulnerability' in some randomly checked Joomla module (SQL injection), so it's also useful for searching for this kind of bug.*
*20.03.2013 - update*
As you can see, a few modules are here today. Let me know about any feedback/ideas/questions.
Thanks!
o/
Tuesday, 5 March 2013
[EN] Why is good to turn off error display
This is a foobar temporary name, not for some 'how to 1,2,3' tutorial, but
for a tutorial on 'how to think about the possibilities of a vulnerability'.
Questions?
No? thanks. Go.
Trick 1. What is the purpose?
Answer: Cash. Hacktivism. Stupidity.
Trick 2. Most 'common' ways of hacking?
In my opinion, the most dangerous bugs are the input-vulnerability kind of bugs
(code/PHP injections, other RCE; I'm calling all of it 'rce' ;)).
So 'most dangerous' and 'most simple to re-script'.
Trick 3. No sample, just idea.
'What if' an attacker goes to the google.com search bar with a few ideas about
how to combine the parameters of 'google-hacks' to find _really_ useful things; maybe that will
turn your site into one of those already 'h4ck3d'?
hm...
ok. ;]
A simple arsenal: 5 parameters (param:example # meaning):
site:com # find sites.COM
site:com -site:com.br # find sites.COM without .com.br
site:org intext:findme # find all sites.ORG with 'findme' word
ext:php # find all php type of files (extensions)
intitle:motel # find all pages contains 'title' with motel word
Great.
If you have some knowledge about writing PHP pages,
you can get a few simple ideas right now.
As a coder you have seen, 'a few times', some error messages,
for example 'Error in line...' or whatever.
Remember those errors from MySQL? ;>
Maybe this simple example will refresh your memory:
site:r0x intext:"SQL.Syntax" ext:php intext:error
ok not bad, but not so good also. ;)
Upgrade:
intext:"SQL.Syntax" ext:php intext:error inurl:".php?*=2" site:stillr0x
This google dork actually gives you 'a few' sites vulnerable to SQL injection attacks,
so be patient and think about what you're doing. If you're doing anything with these ideas,
do NOT do bad things and remember to test only against your own sites.
Remember. ;)
More? here.
o/
[EN] Hello, I'm looking for a job.
After 4 months of recruitment at RBS... I'm not good enough to work there.
Practical knowledge is worth less than certificates in a resume.
Yeah, yeah, but one question:
Malware or a 14-year-old hacker from Japan has no certs either, but they can still hack and take down your company.
Think twice about ignorant HR.
"Hey Shimomura! Your kung-fu the best!"